usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 05:53:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Rule system_settings_softwareupdate_current ODV missing interval #8

New Issue
Closed
opened 2026-01-19 18:28:55 +00:00 by michael · 0 comments
michael commented 2026-01-19 18:28:55 +00:00
Owner
Copy Link

Originally created by @jmahlman on GitHub.

Originally assigned to: @golbiga on GitHub.

Summary

The update to the rule system_settings_softwareupdate_current is missing the date interval for the ODV check. The /bin/date -v -$ODV "+%s" command expects more than a number ([-v[+|-]val[y|m|w|d|H|M|S]]), so the check will fail.

Steps to reproduce

Enable the system_settings_softwareupdate_current and note the failure. You can also manually see the issue by running the commands via terminal:

➜  ~ /bin/date -v -30 "+%s"         
-30: Cannot apply date adjustment
usage: date [-jnRu] [-I[date|hours|minutes|seconds|ns]] [-f input_fmt]
            [ -z output_zone ] [-r filename|seconds] [-v[+|-]val[y|m|w|d|H|M|S]]
            [[[[mm]dd]HH]MM[[cc]yy][.SS] | new_date] [+output_fmt]
➜  ~ /bin/date -v -30d "+%s"        
1763838774

Operating System version

macOS Tahoe

Intel or Apple Silicon

Apple Silicon

What is the current bug behavior?

The check will always fail as the thirty_days_epoch variable always returns a failure.

What is the expected correct behavior?

Epochs are compared.

Possible fixes

Update the ODV values:

odv:
  hint: Maximum Days of Deferral
  recommended: 30d
  cis_lvl1: 30d
  cis_lvl2: 30d
  stig: 30d
Originally created by @jmahlman on GitHub. Originally assigned to: @golbiga on GitHub. <!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "bug" label and verify the issue you're about to submit isn't a duplicate. ---> ### Summary The update to the rule `system_settings_softwareupdate_current` is missing the date interval for the ODV check. The `/bin/date -v -$ODV "+%s"` command expects more than a number (`[-v[+|-]val[y|m|w|d|H|M|S]]`), so the check will fail. ### Steps to reproduce Enable the `system_settings_softwareupdate_current` and note the failure. You can also manually see the issue by running the commands via terminal: ```bash ➜ ~ /bin/date -v -30 "+%s" -30: Cannot apply date adjustment usage: date [-jnRu] [-I[date|hours|minutes|seconds|ns]] [-f input_fmt] [ -z output_zone ] [-r filename|seconds] [-v[+|-]val[y|m|w|d|H|M|S]] [[[[mm]dd]HH]MM[[cc]yy][.SS] | new_date] [+output_fmt] ➜ ~ /bin/date -v -30d "+%s" 1763838774 ``` ### Operating System version macOS Tahoe ### Intel or Apple Silicon Apple Silicon ### What is the current *bug* behavior? The check will always fail as the `thirty_days_epoch` variable always returns a failure. ### What is the expected *correct* behavior? Epochs are compared. ### Possible fixes Update the ODV values: ```json odv: hint: Maximum Days of Deferral recommended: 30d cis_lvl1: 30d cis_lvl2: 30d stig: 30d ```
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#8
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?