Time Machine encryption check fails with space in mount point - system_settings_time_machine_encrypted_configure #33

Closed
opened 2026-01-19 18:28:59 +00:00 by michael · 1 comment

Originally created by @phaninder-scalefusion on GitHub.

Summary

The compliance rule for encrypted Time Machine backups fails when the backup drive has a space in its mount point.

Steps to reproduce

  1. Configure a Time Machine backup on a drive with a space in its name (e.g., "Backup Disk").
  2. Run the compliance script.
  3. Observe parsing failure.

Operating System version

(macOS 13 / 14 / 15)

Intel or Apple Silicon

Both

Current behavior

Script cannot parse mount points with spaces, leading to false results.

Expected behavior

Script should handle spaces correctly and report encryption status accurately.

Possible fix

Update check script to use a safe loop:

  error_count=0
  while IFS= read -r mountPoint; do
      tmMounted=$(/usr/sbin/diskutil info "$mountPoint" 2>/dev/null | awk '/Mounted/{print $2}')
      tmEncrypted=$(/usr/sbin/diskutil info "$mountPoint" 2>/dev/null | awk '/FileVault/{print $2}')
      [[ "$tmMounted" == "Yes" && "$tmEncrypted" == "No" ]] && error_count=$((error_count + 1))
  done < <(/usr/bin/tmutil destinationinfo 2>/dev/null | /usr/bin/awk -F': ' '/Mount Point/{print $2}')
  echo "$error_count"
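
The failure mode this issue reports, next to the line-based loop proposed as the fix, as an added example that is not part of the original issue or the project's script. The `tmutil destinationinfo` text is a constructed sample and `fake_diskutil_info` is a hypothetical stand-in for `diskutil info`, so it runs offline; the word-splitting loop is an assumed illustration of the bug class.

```shell
# Constructed sample of `tmutil destinationinfo` output (not from a real host).
sample_destinationinfo() {
cat <<'EOF'
====================================================
Name          : Backup Disk
Kind          : Local
Mount Point   : /Volumes/Backup Disk
====================================================
Name          : Archive
Kind          : Local
Mount Point   : /Volumes/Archive
EOF
}

# Hypothetical stand-in for `diskutil info <mountPoint>`: only the exact
# mount points are known; "Backup Disk" is mounted and NOT encrypted.
fake_diskutil_info() {
  case "$1" in
    "/Volumes/Backup Disk") printf '   Mounted:   Yes\n   FileVault:   No\n' ;;
    "/Volumes/Archive")     printf '   Mounted:   Yes\n   FileVault:   Yes\n' ;;
    *) ;;  # a fragment such as "/Volumes/Backup" matches nothing
  esac
}

# Prints 1 if the mount point is mounted and unencrypted, else 0.
is_unencrypted() {
  info=$(fake_diskutil_info "$1" 2>/dev/null)
  m=$(printf '%s\n' "$info" | awk '/Mounted/{print $2}')
  e=$(printf '%s\n' "$info" | awk '/FileVault/{print $2}')
  if [ "$m" = "Yes" ] && [ "$e" = "No" ]; then echo 1; else echo 0; fi
}

# Bug class: unquoted command substitution splits "/Volumes/Backup Disk" in two.
count_word_split() {
  n=0
  for mp in $(sample_destinationinfo | awk -F': ' '/Mount Point/{print $2}'); do
    n=$((n + $(is_unencrypted "$mp")))
  done
  echo "$n"
}

# Line-based read, as in the loop proposed in the issue: one path per iteration.
count_line_based() {
  sample_destinationinfo | awk -F': ' '/Mount Point/{print $2}' | {
    n=0
    while IFS= read -r mp; do n=$((n + $(is_unencrypted "$mp"))); done
    echo "$n"
  }
}
```

With the constructed data, `count_word_split` reports 0 findings (a false pass for an unencrypted backup disk) while `count_line_based` reports 1.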

@brodjieski commented on GitHub:

It looks like CIS is doing the following command for their method of auditing:
`/usr/bin/sudo /usr/bin/defaults read /Library/Preferences/com.apple.TimeMachine.plist | grep -c NotEncrypted`

And reviewing the output to make sure it isn't 0.

This may be a simpler approach and something to consider.


Reference: usnistgov/macos_security#33