usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Incorrect MacBook detection logic in os_sleep_and_display_sleep_apple_silicon_enable check script on Apple Silicon #21

New Issue
Closed
opened 2026-01-19 18:28:57 +00:00 by michael · 0 comments
michael commented 2026-01-19 18:28:57 +00:00
Owner
Copy Link

Originally created by @phaninder-scalefusion on GitHub.

Summary

The rule os_sleep_and_display_sleep_apple_silicon_enable for macOS benchmark fails due to an incorrect check condition in the script. The current logic does not properly identify Apple Silicon Macs and fails to correctly detect MacBook systems on some Apple Silicon devices.

Steps to reproduce

  1. Run the os_sleep_and_display_sleep_apple_silicon_enable check script on an Apple Silicon MacBook.
  2. Observe that the condition '/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | grep -q "MacBook"' fails even though the device is a MacBook.
  3. Check that the rest of the logic executes incorrectly or produces unexpected results due to the failed condition.

Operating System version

macOS Sonoma / macOS Sequoia (any Apple Silicon MacBook)

Intel or Apple Silicon

Apple Silicon

What is the current bug behavior?

The /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | grep -q "MacBook" check fails to detect Apple Silicon MacBooks correctly. As a result, the script does not proceed with evaluating sleepMode and displaysleepMode, leading to inaccurate benchmark results.

What is the expected correct behavior?

The script should correctly identify Apple Silicon MacBooks and validate both system type and CPU architecture as per CIS documentation.

Relevant logs and/or screenshots

$ /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | grep -q "MacBook"
# Returns non-zero exit code on Apple Silicon MacBook

$ /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | grep -e MacBook
# Correctly detects MacBook on Apple Silicon

$ /usr/bin/sudo /usr/sbin/sysctl -n machdep.cpu.brand_string
# Returns: "Apple M3 Pro" or similar

Output of checks

The script returns 0 (no errors) even though the conditions for sleep and display sleep might not be correctly enforced, due to skipping the main check logic.

Possible fixes

Update the detection logic to align with CIS documentation:

# Replace:
if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then

# With:
if /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -q "MacBook"; then

# And add CPU architecture check:
cpuType=$(/usr/bin/sudo /usr/sbin/sysctl -n machdep.cpu.brand_string)
if echo "$cpuType" | grep -q "Apple"; then
  # Apple Silicon logic
fi
Originally created by @phaninder-scalefusion on GitHub. ### Summary The rule os_sleep_and_display_sleep_apple_silicon_enable for macOS benchmark fails due to an incorrect check condition in the script. The current logic does not properly identify Apple Silicon Macs and fails to correctly detect MacBook systems on some Apple Silicon devices. ### Steps to reproduce 1. Run the os_sleep_and_display_sleep_apple_silicon_enable check script on an Apple Silicon MacBook. 2. Observe that the condition '/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | grep -q "MacBook"' fails even though the device is a MacBook. 3. Check that the rest of the logic executes incorrectly or produces unexpected results due to the failed condition. ### Operating System version macOS Sonoma / macOS Sequoia (any Apple Silicon MacBook) ### Intel or Apple Silicon Apple Silicon ### What is the current bug behavior? The /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | grep -q "MacBook" check fails to detect Apple Silicon MacBooks correctly. As a result, the script does not proceed with evaluating sleepMode and displaysleepMode, leading to inaccurate benchmark results. ### What is the expected correct behavior? The script should correctly identify Apple Silicon MacBooks and validate both system type and CPU architecture as per CIS documentation. ### Relevant logs and/or screenshots ``` $ /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | grep -q "MacBook" # Returns non-zero exit code on Apple Silicon MacBook $ /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | grep -e MacBook # Correctly detects MacBook on Apple Silicon $ /usr/bin/sudo /usr/sbin/sysctl -n machdep.cpu.brand_string # Returns: "Apple M3 Pro" or similar ``` ### Output of checks The script returns 0 (no errors) even though the conditions for sleep and display sleep might not be correctly enforced, due to skipping the main check logic. ### Possible fixes Update the detection logic to align with CIS documentation: ``` # Replace: if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then # With: if /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -q "MacBook"; then # And add CPU architecture check: cpuType=$(/usr/bin/sudo /usr/sbin/sysctl -n machdep.cpu.brand_string) if echo "$cpuType" | grep -q "Apple"; then # Apple Silicon logic fi ```
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#21
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?