sysprefs_wifi_disable.yaml ignored for STIG compliance #263

New Issue

Closed

opened 2026-01-19 18:29:51 +00:00 by michael · 7 comments

michael commented 2026-01-19 18:29:51 +00:00

Owner

Copy Link

Originally created by @grismemj on GitHub.

Summary

The sysprefs_wifi_disable.yaml file is ignored in the generated STIG compliance script. No wifi check is done, even though the yaml file is listed as a rule in the baseline.

Steps to reproduce

1. Generate a new baseline based on the DISA STIG.
2. Verify sysprefs_wifi_disable is listed as a rule.
3. Generate a compliance script from this baseline.
4. Run the compliance script with --check, no wifi test is done.

Operating System version

macOS 11.6.2

What is the current bug behavior?

As far as a can tell the wifi rule is completely ignored in the generated compliance script. There is no reference to it that I can find, and no wifi check is performed.

What is the expected correct behavior?

The wifi check is the last one that should be done, as it is the last check before the supplemental section (at least that is the order in the current STIG baseline). The user should see it as the last check done by the script.

Relevant logs and/or screenshots

Output of checks

Here is the end of a compliance check I just ran after verifying the wifi rule is in the baseline and generating the compliance script:

Thu Jan 20 21:41:25 UTC 2022 sysprefs_wallet_applepay_prefpane_disable passed (Result: 1, Expected: {integer: 1})
Thu Jan 20 21:41:25 UTC 2022 sysprefs_wallet_applepay_prefpane_hide passed (Result: 1, Expected: {integer: 1})
Results written to /Library/Preferences/org.AFRLRQ-STIG.audit.plist

The last rule checked is sysprefs_wallet_applepay_prefpane_hide, which is the rule right before sysprefs_wifi_disable.

Possible fixes

I thought perhaps there was an issue with the sysprefs_wifi_disable.yaml file, but I cannot find any issues. I also tried changing the order of the rules listed in the baseline so this wasn't the last one, but that made no difference.

Originally created by @grismemj on GitHub. <!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "bug" label and verify the issue you're about to submit isn't a duplicate. ---> ### Summary The sysprefs_wifi_disable.yaml file is ignored in the generated STIG compliance script. No wifi check is done, even though the yaml file is listed as a rule in the baseline. ### Steps to reproduce 1. Generate a new baseline based on the DISA STIG. 2. Verify sysprefs_wifi_disable is listed as a rule. 3. Generate a compliance script from this baseline. 4. Run the compliance script with --check, no wifi test is done. ### Operating System version macOS 11.6.2 ### What is the current *bug* behavior? As far as a can tell the wifi rule is completely ignored in the generated compliance script. There is no reference to it that I can find, and no wifi check is performed. ### What is the expected *correct* behavior? The wifi check is the last one that should be done, as it is the last check before the supplemental section (at least that is the order in the current STIG baseline). The user should see it as the last check done by the script. ### Relevant logs and/or screenshots ### Output of checks Here is the end of a compliance check I just ran after verifying the wifi rule is in the baseline and generating the compliance script: Thu Jan 20 21:41:25 UTC 2022 sysprefs_wallet_applepay_prefpane_disable passed (Result: 1, Expected: {integer: 1}) Thu Jan 20 21:41:25 UTC 2022 sysprefs_wallet_applepay_prefpane_hide passed (Result: 1, Expected: {integer: 1}) Results written to /Library/Preferences/org.AFRLRQ-STIG.audit.plist The last rule checked is sysprefs_wallet_applepay_prefpane_hide, which is the rule right before sysprefs_wifi_disable. ### Possible fixes I thought perhaps there was an issue with the sysprefs_wifi_disable.yaml file, but I cannot find any issues. I also tried changing the order of the rules listed in the baseline so this wasn't the last one, but that made no difference.

michael closed this issue 2026-01-19 18:29:51 +00:00

michael commented 2026-01-19 18:29:52 +00:00

Author

Owner

Copy Link

@brodjieski commented on GitHub:

Yes, it will make it work... but if you are running the script remotely over Wi-Fi, you will get disconnected when it gets disabled. It's marked as manual as a precaution.

@brodjieski commented on GitHub: Yes, it will make it work... but if you are running the script remotely over Wi-Fi, you will get disconnected when it gets disabled. It's marked as manual as a precaution.

michael commented 2026-01-19 18:29:52 +00:00

Author

Owner

Copy Link

@brodjieski commented on GitHub:

The rule for sysprefs_wifi_disable is identified as a "manual" control (as listed in the tags: field). This means that there is no automated check or fix generated for the compliance script. Controls like this are typically difficult to automate and would need an administrator or auditor to check them while at the system.

In this case, as its written, it's checking for the name Wi-Fi in the network services. There is no guarantee that the wireless interface will be called Wi-Fi, and thus the check could result in an incorrect finding. Also, with this control, automated remediation could lead to an inadvertent disconnect from the network if no other connection is present.

Perhaps this control could be rewritten to better facilitate automation, but for now it is a manual control.

@brodjieski commented on GitHub: The rule for sysprefs_wifi_disable is identified as a "manual" control (as listed in the tags: field). This means that there is no automated check or fix generated for the compliance script. Controls like this are typically difficult to automate and would need an administrator or auditor to check them while at the system. In this case, as its written, it's checking for the name Wi-Fi in the network services. There is no guarantee that the wireless interface will be called Wi-Fi, and thus the check could result in an incorrect finding. Also, with this control, automated remediation could lead to an inadvertent disconnect from the network if no other connection is present. Perhaps this control could be rewritten to better facilitate automation, but for now it is a manual control.

michael commented 2026-01-19 18:29:52 +00:00

Author

Owner

Copy Link

@brodjieski commented on GitHub:

I agree. The way the current check is written, it only accounts for the network interface named "Wi-Fi". If the name of the interface is anything else, it will produce incorrect results. One could even duplicate the Wi-Fi interface, call it "Wireless", disable the "Wi-Fi" and pass the check... even though a wireless interface is active and connected.

Unless there is a better way to ensure that wifi is disabled, we should keep it manual to not give admins a false sense of security with the control.

@brodjieski commented on GitHub: I agree. The way the current check is written, it only accounts for the network interface named "Wi-Fi". If the name of the interface is anything else, it will produce incorrect results. One could even duplicate the Wi-Fi interface, call it "Wireless", disable the "Wi-Fi" and pass the check... even though a wireless interface is active and connected. Unless there is a better way to ensure that wifi is disabled, we should keep it manual to not give admins a false sense of security with the control.

michael commented 2026-01-19 18:29:52 +00:00

Author

Owner

Copy Link

@erefneb commented on GitHub:

If I have a disable wifi rule on my baseline, I would expect it to disable wifi.

--
Eric Benfer
@.***

On Jan 21, 2022, at 12:13 PM, Dan Brodjieski @.***> wrote:


Yes, it will make it work... but if you are running the script remotely over Wi-Fi, you will get disconnected when it gets disabled. It's marked as manual as a precaution.

—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you commented.

@erefneb commented on GitHub: If I have a disable wifi rule on my baseline, I would expect it to disable wifi. -- Eric Benfer ***@***.*** > On Jan 21, 2022, at 12:13 PM, Dan Brodjieski ***@***.***> wrote: > >  > Yes, it will make it work... but if you are running the script remotely over Wi-Fi, you will get disconnected when it gets disabled. It's marked as manual as a precaution. > > — > Reply to this email directly, view it on GitHub, or unsubscribe. > Triage notifications on the go with GitHub Mobile for iOS or Android. > You are receiving this because you commented.

michael commented 2026-01-19 18:29:52 +00:00

Author

Owner

Copy Link

@erefneb commented on GitHub:

This is incorrectly marked as manual. The rule does in fact have a working fix.
Simply removing the manual tag from the rule will make this work.

--
Eric Benfer
@.***

On Jan 21, 2022, at 11:14 AM, Dan Brodjieski @.***> wrote:

The rule for sysprefs_wifi_disable is identified as a "manual" control (as listed in the tags: field). This means that there is no automated check or fix generated for the compliance script. Controls like this are typically difficult to automate and would need an administrator or auditor to check them while at the system.

In this case, as its written, it's checking for the name Wi-Fi in the network services. There is no guarantee that the wireless interface will be called Wi-Fi, and thus the check could result in an incorrect finding. Also, with this control, automated remediation could lead to an inadvertent disconnect from the network if no other connection is present.

Perhaps this control could be rewritten to better facilitate automation, but for now it is a manual control.

—
Reply to this email directly, view it on GitHub https://github.com/usnistgov/macos_security/issues/114#issuecomment-1018652840, or unsubscribe https://github.com/notifications/unsubscribe-auth/AN53OA2SP3WZRE4LSCPJXFTUXGA5VANCNFSM5MN5UHIQ.
Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you are subscribed to this thread.

@erefneb commented on GitHub: This is incorrectly marked as manual. The rule does in fact have a working fix. Simply removing the manual tag from the rule will make this work. -- Eric Benfer ***@***.*** > On Jan 21, 2022, at 11:14 AM, Dan Brodjieski ***@***.***> wrote: > > > The rule for sysprefs_wifi_disable is identified as a "manual" control (as listed in the tags: field). This means that there is no automated check or fix generated for the compliance script. Controls like this are typically difficult to automate and would need an administrator or auditor to check them while at the system. > > In this case, as its written, it's checking for the name Wi-Fi in the network services. There is no guarantee that the wireless interface will be called Wi-Fi, and thus the check could result in an incorrect finding. Also, with this control, automated remediation could lead to an inadvertent disconnect from the network if no other connection is present. > > Perhaps this control could be rewritten to better facilitate automation, but for now it is a manual control. > > — > Reply to this email directly, view it on GitHub <https://github.com/usnistgov/macos_security/issues/114#issuecomment-1018652840>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AN53OA2SP3WZRE4LSCPJXFTUXGA5VANCNFSM5MN5UHIQ>. > Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. > You are receiving this because you are subscribed to this thread. >

michael commented 2026-01-19 18:29:52 +00:00

Author

Owner

Copy Link

@brodjieski commented on GitHub:

Documentation on the manual tag has been added to the wiki.

@brodjieski commented on GitHub: Documentation on the manual tag has been added to the wiki.

michael commented 2026-01-19 18:29:52 +00:00

Author

Owner

Copy Link

@grismemj commented on GitHub:

I would argue the point of being able to customize the rules for your environment is to allow these types of differences to be handled. So I think it is reasonable to expect the rule to be used, and it is my job to make sure it is effective in my environment. As it is it was just dumb luck that I noticed it was not being used.

My other comment is I could not find any mention of the manual tag setting in the wiki, so had no idea that was an option…

Thanks.

---

Matt Grismer, PhD
AFRL/RQVC
937-713-7059

From: Dan Brodjieski @.>
Date: Friday, January 21, 2022 at 12:51 PM
To: usnistgov/macos_security @.>
Cc: GRISMER, MATTHEW J CIV USAF AFMC AFRL/RQVC @.>, Author @.>
Subject: [URL Verdict: Neutral][Non-DoD Source] Re: [usnistgov/macos_security] sysprefs_wifi_disable.yaml ignored for STIG compliance (Issue #114)

I agree. The way the current check is written, it only accounts for the network interface named "Wi-Fi". If the name of the interface is anything else, it will produce incorrect results. One could even duplicate the Wi-Fi interface, call it "Wireless", disable the "Wi-Fi" and pass the check... even though a wireless interface is active and connected.

Unless there is a better way to ensure that wifi is disabled, we should keep it manual to not give admins a false sense of security with the control.

—
Reply to this email directly, view it on GitHubhttps://github.com/usnistgov/macos_security/issues/114#issuecomment-1018731313, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AW6OSZOCVHPPVEGPSA6PJ43UXGMH5ANCNFSM5MN5UHIQ.
Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you authored the thread.Message ID: @.***>

@grismemj commented on GitHub: I would argue the point of being able to customize the rules for your environment is to allow these types of differences to be handled. So I think it is reasonable to expect the rule to be used, and it is my job to make sure it is effective in my environment. As it is it was just dumb luck that I noticed it was not being used. My other comment is I could not find any mention of the manual tag setting in the wiki, so had no idea that was an option… Thanks. ------------------------------ Matt Grismer, PhD AFRL/RQVC 937-713-7059 From: Dan Brodjieski ***@***.***> Date: Friday, January 21, 2022 at 12:51 PM To: usnistgov/macos_security ***@***.***> Cc: GRISMER, MATTHEW J CIV USAF AFMC AFRL/RQVC ***@***.***>, Author ***@***.***> Subject: [URL Verdict: Neutral][Non-DoD Source] Re: [usnistgov/macos_security] sysprefs_wifi_disable.yaml ignored for STIG compliance (Issue #114) I agree. The way the current check is written, it only accounts for the network interface named "Wi-Fi". If the name of the interface is anything else, it will produce incorrect results. One could even duplicate the Wi-Fi interface, call it "Wireless", disable the "Wi-Fi" and pass the check... even though a wireless interface is active and connected. Unless there is a better way to ensure that wifi is disabled, we should keep it manual to not give admins a false sense of security with the control. — Reply to this email directly, view it on GitHub<https://github.com/usnistgov/macos_security/issues/114#issuecomment-1018731313>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AW6OSZOCVHPPVEGPSA6PJ43UXGMH5ANCNFSM5MN5UHIQ>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev_2.0_generate_mapping

dev_2.0

sequoia

sonoma

nist-pages

nist-pages-docs

ios_18

ios_26

ios_26_cmmc

dev_2.0_compliance_script

tahoe

visionos_26

dev_ios_26_stig

dev_visionOS_26_stig

dev_tahoe_adjustments

ios_17

dev_sequoia_bio

tahoe_578-typo-in-os_sshd_fips_compliantyaml-fix-code

ventura

ios_16

visionos_2

505-create-python-scp-library

monterey

big_sur

catalina

tahoe_rev2

sequoia_rev4

visionos26_rev2

ios26_rev2

tahoe_rev1

visionos26_rev1

ios26_rev1

sonoma_rev5

sequoia_rev3

ios18_rev3

ios17_rev4

ventura_rev6

sonoma_rev4

sequoia_rev2

visionos_rev2

ios18_rev2.0

ios16_rev4

sequoia_rev1.1

ventura_rev5.1

ios18_rev1.1

sonoma_rev3.1

sequoia_rev1

visionos_rev1

ios18_rev1

ios17_rev3

ios16_rev3

ventura_rev5

sonoma_rev3

ventura_rev4

sonoma_rev2

ios17_rev2

ios16_rev2

monterey_rev6

sonoma_rev1

ventura_rev3

monterey_rev5

ios16_rev1

ios17_rev1

big_sur_rev7

monterey_rev4

ventura_rev2

ventura_rev1.1

monterey_rev3.1

big_sur_rev6.1

ventura_rev1

monterey_rev3

big_sur_rev6

monterey_rev2

catalina_rev6

big_sur_rev5

monterey_rev1

big_sur_rev4

catalina_rev5

big_sur_rev3

catalina_rev4

big_sur_rev2

catalina_rev3

big_sur_rev1

catalina_rev2

catalina_rev1

v0.9

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

michael

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#263