mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 14:03:24 +00:00
fix for os_ssh_server_alive_interval_configure.yaml is not successful #74
Originally created by @jeolsen on GitHub.
Summary
When running the fix code supplied by STIG and included in the yaml, an error is generated. This does not seem to be an issue from the mSCP side, but from the code STIG provides.
Steps to reproduce
run fix text script
Operating System version
macOS 15.2
Intel or Apple Silicon
Apple Silicon
What is the current bug behavior?
fix is not applied
What is the expected correct behavior?
ServerAliveInterval should be set to 900 (or value determined by organization)
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)
Output of checks
line 15: ${(f)configfiles}: bad substitution
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)
@jeolsen commented on GitHub:
That looks like the issue. Running with zsh worked. Thank you
@robertgendler commented on GitHub:
can the shell at the top to /bin/zsh
it's not a bash shell script...it's a zsh script.
@jeolsen commented on GitHub:
@robertgendler I'm copying into an empty script.sh file for testing, adding #!/bin/sh to the top, and then running sudo sh ~/script.sh to execute it.
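The mismatch discussed in this thread (zsh-only `${(f)...}` syntax executed by `sh`) can be caught before a remediation script runs. The following is an added example, not part of the original thread or the mSCP project; the function names and the sample scripts are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for a remediation script before running it.
# Function names and the sample files are constructed for illustration.

# Succeeds if FILE uses a zsh parameter-expansion flag such as ${(f)var},
# which sh and bash reject with "bad substitution".
uses_zsh_flags() {
    grep -Eq '\$[{][(][^)]*[)]' "$1"
}

# Prints the interpreter named on the shebang line (handles "env zsh" and
# trailing options), or "none" if there is no shebang.
declared_shell() {
    head -n 1 "$1" | awk '
        /^#!/ { sub(/^#![ \t]*/, ""); n = split($0, w, /[ \t]+/)
                cmd = w[1]; sub(/.*\//, "", cmd)
                if (cmd == "env" && n > 1) { cmd = w[2]; sub(/.*\//, "", cmd) }
                if (cmd != "") { print cmd; found = 1 } }
        END   { if (!found) print "none" }'
}

# preflight FILE [RUNNER]: RUNNER is the shell that will really execute FILE.
# "sh script.sh" ignores the shebang, so pass "sh" in that case.
preflight() {
    runner=${2:-$(declared_shell "$1")}
    if uses_zsh_flags "$1" && [ "$runner" != "zsh" ]; then
        echo "$1: uses zsh expansion flags but would run under '$runner'" >&2
        return 1
    fi
    return 0
}

# Constructed sample: sh shebang with zsh-only syntax inside, as in the report.
demo_dir=$(mktemp -d)
cat > "$demo_dir/script.sh" <<'EOF'
#!/bin/sh
configfiles="/tmp/a.conf
/tmp/b.conf"
for f in ${(f)configfiles}; do echo "$f"; done
EOF
# Same body with a zsh shebang.
sed '1s|.*|#!/bin/zsh|' "$demo_dir/script.sh" > "$demo_dir/script.zsh"

preflight "$demo_dir/script.sh"     || echo "rejected: sh shebang"
preflight "$demo_dir/script.zsh"    && echo "accepted: zsh shebang"
preflight "$demo_dir/script.zsh" sh || echo "rejected: invoked via sh"
```

The third call covers the case where the shebang is correct but the file is launched as `sh script.sh`, which bypasses the shebang entirely.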


@robertgendler commented on GitHub:
Are you copying and pasting the fix text directly into terminal?
If so are you in ZSH or BASH?
@georgalis commented on GitHub:
FWIW - Apple ships with /bin/bash from 2007, version 3.2.57(1), an update for that is not expected due to GNU licensing. While that version is generally compatible with the 2022 current bash release, 5.2.37(1), there have been changes. I have chosen bash as the "common denominator" for shell functions and tooling across systems because of its wide acceptance and availability across platforms. However, that tooling includes environmental qualification checks to validate, and bash commands such as "declare -f _function_name | cksum" return different values in the different versions of bash.
I use pkgsrc package manager to install software dependency stacks across Mac, Linux, and BSD systems without root, it was designed for that and does it well. With that I have 5.2.37(1) installed but no prescription to enable as my default shell. This comment highlights the challenges and how I solved them.
With the current bash installed as a user, and the default shell set as /bin/bash, the user profile is loaded as usual for login shells. This environment includes PATH management which makes the new bash available, and also checks if the current process is bash; if so, and the current process is a different version than the bash identified by "which", then an exec is performed to invoke a login shell from the current bash according to the user PATH.
This process does initialize login environment twice but in practice that is of no consequence. The benefit of user installed software dependencies, with versions that align across OS platforms, and which successfully qualify their dependency expectations with hash checks has enabled continued development of this operational tooling and qualifications.