mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 14:03:24 +00:00
False failures with os_unlock_active_user_session_disable (Sequoia Branch) #36
Originally created by @ryan-baier-nih on GitHub.
Summary
I am leveraging the tool to create a CIS Level 1 v1.1.0 baseline for macOS 15. The rule os_unlock_active_user_session_disable has transitioned from a grep -c for a value to a PASS/FAIL for the output strings patching. The rule sets the variable SS_RULE to the output of the command and compares it to the $ODV to set the result to either PASS or FAIL.
The issue results in the expected outcome, which is the string "pass". Due to the code used, "PASS" does not equal "pass" and the control fails. The rule needs the expected result string updated from "pass" to "PASS".
Steps to reproduce
Look at the discrepancy of the output of the check to the expected result in the rule yaml or create a baseline that uses this rule and it will never pass.
Operating System version
macOS 15.6.1 (24G90)
Intel or Apple Silicon
Apple Silicon Mac (M3 Max)
What is the current bug behavior?
The check around rule os_unlock_active_user_session_disable fails when it is not actually failing the control set.
What is the expected correct behavior?
For the control to pass
Relevant logs and/or screenshots
N/A
Output of checks
Mon Aug 25 12:25:50 UTC 2025 os_unlock_active_user_session_disable failed (Result: PASS, Expected: "{'string': 'pass'}")
Possible fixes
Update the result: string: "pass" --> result: string: "PASS"
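Added example, not part of the original issue and not code from the macos_security project: a triage script that parses "failed" lines in the format shown under "Output of checks" and flags the ones where Result and Expected differ only by letter case, which points to a defect in the rule data rather than a real finding. The function names and the second log line are constructed for illustration, and the parser assumes the string-typed Expected format shown above.

```shell
#!/bin/sh
# Constructed sample log: line 1 is the line quoted in this issue,
# line 2 is a made-up genuine failure for contrast.
SAMPLE_LOG=$(cat <<'EOF'
Mon Aug 25 12:25:50 UTC 2025 os_unlock_active_user_session_disable failed (Result: PASS, Expected: "{'string': 'pass'}")
Mon Aug 25 12:25:51 UTC 2025 example_constructed_rule failed (Result: disabled, Expected: "{'string': 'enabled'}")
EOF
)

# Print "rule|result|type|expected" for a "failed" line, nothing otherwise.
parse_failure() {
    printf '%s\n' "$1" | sed -n \
        "s/^.* \([a-z0-9_]*\) failed (Result: \(.*\), Expected: \"{'\([a-z]*\)': '\(.*\)'}\")\$/\1|\2|\3|\4/p"
}

# Compare result ($1) and expected ($2): match, case-only, or real.
classify() {
    if [ "$1" = "$2" ]; then echo match; return; fi
    lr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    le=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$lr" = "$le" ]; then echo case-only; else echo real; fi
}

# Read an audit log on stdin and print "<rule> <classification>" per failure.
triage() {
    while IFS= read -r line; do
        parsed=$(parse_failure "$line")
        [ -n "$parsed" ] || continue   # skip lines that are not failures
        IFS='|' read -r rule result type expected <<EOF
$parsed
EOF
        echo "$rule $(classify "$result" "$expected")"
    done
}

printf '%s\n' "$SAMPLE_LOG" | triage
```

A "case-only" verdict is a prompt to correct the expected string in the rule, as proposed under "Possible fixes"; it does not change how the compliance check itself compares values.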
@robertgendler commented on GitHub:
Should be fixed. Thanks for bringing this to our attention.