mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 14:03:24 +00:00
Issue with generating pdf with generate_guidance script #6
Originally created by @nameitsa on GitHub.
Summary
Permission asked from screentime to generate guidance
Steps to reproduce
python ./scripts/generate_guidance.py baselines/all_rules.yaml
Operating System version
Mac 26.2
Intel or Apple Silicon
Intel
What is the current bug behavior?
python ./scripts/generate_guidance.py baselines/all_rules.yaml
Profile YAML: baselines/all_rules.yaml
Output path: /Users/user/dev/macos_security/build/all_rules/all_rules.adoc
Custom settings found for rule: os_network_storage_restriction
Custom settings found for rule: ../custom/rules/os_network_storage_restriction.yaml
Custom settings found for rule: os_screensaver_timeout_loginwindow_enforce
Custom settings found for rule: ../custom/rules/os_screensaver_timeout_loginwindow_enforce.yaml
Custom settings found for rule: os_ssh_server_alive_interval_configure
Custom settings found for rule: ../custom/rules/os_ssh_server_alive_interval_configure.yaml
Custom settings found for rule: os_sshd_channel_timeout_configure
Custom settings found for rule: ../custom/rules/os_sshd_channel_timeout_configure.yaml
Custom settings found for rule: os_sudo_timeout_configure
Custom settings found for rule: ../custom/rules/os_sudo_timeout_configure.yaml
Custom settings found for rule: system_settings_screensaver_timeout_enforce
Custom settings found for rule: ../custom/rules/system_settings_screensaver_timeout_enforce.yaml
Generating HTML file from AsciiDoc...
/bin/sh: ../bin/asciidoctor: /usr/bin/env: bad interpreter: Permission denied
Generating PDF file from AsciiDoc...
/bin/sh: ../bin/asciidoctor-pdf: /usr/bin/env: bad interpreter: Permission denied
I get a message saying asciidoctor is denied permission due to a configuration, and when hitting allow once a request to allow screentime to make changes.
What is the expected correct behavior?
generate guidance of pdf, html
(What you should see instead)
Relevant logs and/or screenshots
Output of checks
(Paste any output that occurs with the bug)
Possible fixes
issue with com.apple.ManagedClient.preferences generated profile?
com.apple.ManagedClient.preferences.mobileconfig.txt
Edit: Looks like the issue may be with one of the generated profiles where unsigned apps cannot run since asciidoctor isn't signed at all, don't understand though why screentime would need permission to work around this?
(If you can, link to the line of code that might be responsible for the problem)
@brodjieski commented on GitHub:
If you applied the setting in that rule, the com.apple.applicationaccess.new domain is tied to the screen time functionality. (It used to be parental controls, but those were migrated into screen time.) There is a note regarding the deprecation of this method, and it is not recommended to be used.
@nameitsa commented on GitHub:
Good catch, yes I do, coming from a custom directory /Users/username/dev folder, though doesn't answer the question why screentime needs permission to allow it?
@nameitsa commented on GitHub:
Thanks, will close this issue out as a nonissue.
@brodjieski commented on GitHub:
Based on the error message, it seems that your system is configured to prevent applications from launching from within your home folder. Do you have this rule applied to the system you are using? https://github.com/usnistgov/macos_security/blob/main/rules/os/os_user_app_installation_prohibit.yaml
If not, then I would check with your EDR to see if it's preventing execution of applications from home folders or other particular locations.
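To check whether a generated profile accounts for the `Permission denied` errors above, this added example (not part of the thread or of the macos_security project) parses a profile and tests whether an executable path falls under a blocked location. The sample profile is constructed; the `familyControlsEnabled` and `pathBlackList` keys, the `/Users/` value, the prefix-match behaviour and the full asciidoctor path are assumptions.

```python
import plistlib
from pathlib import PurePosixPath

DOMAIN = "com.apple.applicationaccess.new"  # domain named in the thread

# Constructed sample profile (not the reporter's attachment). The key names
# familyControlsEnabled / pathBlackList and the "/Users/" value are assumptions.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadContent": {DOMAIN: {"Forced": [{"mcx_preference_settings": {
            "familyControlsEnabled": True,
            "pathBlackList": ["/Users/"],
        }}]}},
    }],
})


def blocked_prefixes(profile_bytes):
    """Return path prefixes blocked through DOMAIN (empty if not enforced)."""
    profile = plistlib.loads(profile_bytes)
    prefixes = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == DOMAIN:
            settings = [payload]  # domain delivered as its own payload
        else:  # domain wrapped in a ManagedClient.preferences payload
            content = payload.get("PayloadContent")
            forced = content.get(DOMAIN, {}).get("Forced", []) if isinstance(content, dict) else []
            settings = [f.get("mcx_preference_settings", {}) for f in forced]
        for s in settings:
            if s.get("familyControlsEnabled") is True:
                prefixes.extend(s.get("pathBlackList", []))
    return prefixes


def is_blocked(executable, prefixes):
    """True if the executable sits under a blocked prefix (whole path components)."""
    parts = PurePosixPath(executable).parts
    return any(parts[:len(PurePosixPath(p).parts)] == PurePosixPath(p).parts
               for p in prefixes)


if __name__ == "__main__":
    found = blocked_prefixes(SAMPLE_PROFILE)
    for exe in ("/Users/user/dev/macos_security/bin/asciidoctor",
                "/usr/local/bin/asciidoctor"):
        print(exe, "->", "blocked" if is_blocked(exe, found) else "allowed")
```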