fixtext commands are broken; have newline chars instead of spaces #296

Closed
opened 2026-01-19 18:29:58 +00:00 by michael · 4 comments
Owner

Originally created by @securevia1 on GitHub.

Summary

(Summarize the bug encountered concisely)

fixtext commands are broken; they have newline chars instead of spaces. For example, see the fix command below:

/usr/bin/sed 
-i.bak_
$(date"+%Y-%m-%d_%H:%M")"s|#PasswordAuthentication
yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication
yes|ChallengeResponseAuthentication no|"
/etc/ssh/sshd_config
; /bin/launchctl kickstart 
-k system/com.openssh.sshd

The same issue is there for the description fields of rules. See below:

Smartcard authentication
MUST be enforced.

The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
When enforceSmartCard is set to “true”, the smartcard must be used for login, authorization, and unlocking the screensaver.
To check the state of the system, run the following command(s):

/usr/bin/profiles
-P-o stdout | /usr/bin/grep
-c'enforceSmartCard = 1'

If the result is not
1, this is a finding.

Steps to reproduce

(How one can reproduce the issue - this is very important)

Open the XML file and see fixtext

Operating System version

(macOS Version and build)

What is the current bug behavior?

(What actually happens)

What is the expected correct behavior?

(What you should see instead)

Relevant logs and/or screenshots

(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)

Output of checks

(Paste any output that occurs with the bug)

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)

Author
Owner

@robertgendler commented on GitHub:

This was resolved with the generate_scap.py script.

Author
Owner

@GaryGapinski commented on GitHub:

@securevia1 what XML document did you inspect? Would you please provide (or link to) a copy?

What you noticed is incorrect content in the fixtext and description elements.

I just did a build from the main branch and see the following in the SCAP datastream:

<Rule id="xccdf_gov.nist.mscp.content_rule_auth_ssh_smartcard_enforce" selected="false" role="full" severity="unknown" weight="1.0"><title>Enforce
Smartcard Authentication for SSH</title><description><div xmlns="http://www.w3.org/1999/xhtml"><div><p>If remote login through SSH is enabled, smartcard authentication

MUST be enforced for user login.</p></div><div><p>All users 
MUST go through multifactor authentication to prevent
unauthenticated access and potential compromise to the system.</p></div><div>To check the state of the system, run the following command(s):</div><div><div><pre>
/usr/bin/grep 
-Ec'^(PasswordAuthentication\s+no|ChallengeResponseAuthentication\s+no)'
/etc/ssh/sshd_config
</pre></div></div><div><p>If the result is not 
2, this is a finding.</p></div></div></description><warning category="general"><div xmlns="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config will be automatically
modified to its original state following any update or major
upgrade to the operating system.</div></warning><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2">NIST SP 800-53r4 IA-2</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-1">NIST SP 800-53r4 IA-2(1)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-11">NIST SP 800-53r4 IA-2(11)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-2">NIST SP 800-53r4 IA-2(2)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-3">NIST SP 800-53r4 IA-2(3)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-4">NIST SP 800-53r4 IA-2(4)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-6">NIST SP 800-53r4 IA-2(6)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-11">NIST SP 800-53r4 IA-5(11)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-2">NIST SP 800-53r4 IA-5(2)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/MA-4">NIST SP 800-53r4 MA-4</reference><ident system="http://cce.mitre.org/">CCE-85281-4</ident><fixtext><div xmlns="http://www.w3.org/1999/xhtml"><div>The following commands must be run to disable passcode based authentication for SSHD:</div><div><div><pre>
/usr/bin/sed 
-i.bak_
$(date"+%Y-%m-%d_%H:%M")"s|#PasswordAuthentication
yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication
yes|ChallengeResponseAuthentication no|"
/etc/ssh/sshd_config
; /bin/launchctl kickstart 
-k system/com.openssh.sshd
</pre></div></div></div></fixtext><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="oval.xml" name="oval:mscp:def:4"/></check></Rule>

and

<Rule id="xccdf_gov.nist.mscp.content_rule_auth_smartcard_allow" selected="false" role="full" severity="unknown" weight="1.0"><title>Allow Smartcard
Authentication</title><description><div xmlns="http://www.w3.org/1999/xhtml"><div><p>Smartcard authentication 
MUST be allowed.</p></div><div>The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.</div><div>When enabled, the smartcard can be used for login, authorization, and screen saver unlocking.</div><div>To check the state of the system, run the following command(s):</div><div><div><pre>
/usr/bin/profiles 
-P-o stdout | /usr/bin/grep 
-c'allowSmartCard = 1'
</pre></div></div><div><p>If the result is not 
1, this is a finding.</p></div></div></description><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-12">NIST SP 800-53r4 IA-2(12)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-11">NIST SP 800-53r4 IA-5(11)</reference><ident system="http://cce.mitre.org/">CCE-85277-2</ident><fixtext><div xmlns="http://www.w3.org/1999/xhtml"><div>Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:</div><div><div><pre>
&lt;key&gt;allowSmartCard
&lt;/key&gt;&lt;true/&gt;
</pre></div></div></div></fixtext><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="oval.xml" name="oval:mscp:def:2"/></check></Rule>

In both cases the <fixtext> element contains HTML which encapsulates the shell commands in a <pre> element (and would be rendered as separate lines).

The <description> and <fixtext> content of the first rule looks wrong, as if it was arbitrarily wrapped. The companion HTML and PDF of the first rule are also incorrect.

The <description> of the second rule is incorrect and looks arbitrarily wrapped. It appears to be an error in the build process translation from HTML to XHTML.

Author
Owner

@robertgendler commented on GitHub:

It turns out this may be an issue with how asciidoctor is transforming the adoc into HTML.

Something like this in the adoc file:
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSmartCard = 1'

Gets turned into this:
<pre class="rouge highlight"><code data-lang="bash">/usr/bin/profiles <span class="nt">-P</span> <span class="nt">-o</span> stdout | /usr/bin/grep <span class="nt">-c</span> <span class="s1">'allowSmartCard = 1'</span></code></pre>

So the XHTML and XML are not at fault, it seems to be adoc -> html. We may be able to figure out a way to parse this and remove it when it's converted to XHTML and XML.
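The rouge-highlighted HTML above only becomes a multi-line command if the converter turns each `<span>` boundary into a line break. The following is an added example, not code from the macos_security project or its `generate_scap.py`: it flattens such a `<pre><code>` block back into a single command line while keeping the original whitespace, and scans an XCCDF fragment for XHTML `<pre>` elements whose command has been wrapped, which is a useful build-time check for this regression. The `ROUGE_HTML` and `BROKEN_RULE` inputs are constructed from the snippets quoted in this issue; `XHTML` is just the namespace prefix ElementTree uses.

```python
# Added example, not code from the macos_security project: flatten rouge-highlighted
# <pre><code> HTML into one command line (tags dropped, whitespace kept) and scan
# XCCDF rules for XHTML <pre> commands that a lossy conversion has wrapped.
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

XHTML = "{http://www.w3.org/1999/xhtml}"

class PreFlattener(HTMLParser):
    """Collect the text inside <pre>; <span>/<code> boundaries add nothing."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth, self.parts = 0, []

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            self.depth += 1

    def handle_endtag(self, tag):
        if tag == "pre":
            self.depth -= 1

    def handle_data(self, data):
        if self.depth > 0:
            self.parts.append(data)  # keep whitespace exactly as written

def flatten_pre(html):
    """Return the <pre> contents as plain text with the original spacing."""
    parser = PreFlattener()
    parser.feed(html)
    return "".join(parser.parts).strip()

def wrapped_commands(xccdf_fragment):
    """Return the text of every XHTML <pre> whose command spans several lines."""
    root = ET.fromstring(xccdf_fragment)
    texts = ("".join(pre.itertext()).strip() for pre in root.iter(XHTML + "pre"))
    return [t for t in texts if "\n" in t]

# Constructed inputs modelled on the HTML and XCCDF quoted in this issue.
ROUGE_HTML = ('<pre class="rouge highlight"><code data-lang="bash">/usr/bin/profiles '
              '<span class="nt">-P</span> <span class="nt">-o</span> stdout | /usr/bin/grep '
              '<span class="nt">-c</span> <span class="s1">\'allowSmartCard = 1\'</span></code></pre>')
BROKEN_RULE = ('<Rule id="xccdf_gov.nist.mscp.content_rule_auth_smartcard_allow">'
               '<description><div xmlns="http://www.w3.org/1999/xhtml"><pre>\n'
               "/usr/bin/profiles \n-P-o stdout | /usr/bin/grep \n-c'allowSmartCard = 1'\n"
               '</pre></div></description></Rule>')
```

`flatten_pre(ROUGE_HTML)` yields the original one-line `profiles | grep` command, and `wrapped_commands(BROKEN_RULE)` returns the wrapped `<pre>` text so a build can fail before the broken datastream ships.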

Author
Owner

@securevia1 commented on GitHub:

We used this link to download the macOS benchmark:
https://github.com/usnistgov/macos_security/releases/download/big_sur_rev1/MSCP_Big_Sur_Rev_1.zip


Reference: usnistgov/macos_security#296