Open alvarnell opened 4 years ago
0xmachos
commented
4 years ago Thanks for reporting! I'm also aware of this bug thanks to @chall68. I wasn't sure if it was isolated to just him.
I'll take a look at some point this week.
Are you using zsh as your shell?
alvarnell
commented
4 years ago On Nov 25, 2019, at 12:29, Mikey notifications@github.com wrote:
Thanks for reporting! I'm also aware of this bug thanks to @chall68 https://github.com/chall68. I wasn't sure if it was isolated to just him.
I'll take a look at some point this week.
Are you using zsh as your shell?
Yes, I switched over around June, but the results were exactly the same using bash prior to that.
-Al-
0xmachos
commented
4 years ago I can't reproduce this on my machine.
I suspect the issue is something to do with parsing the network service names.
My machine only has:
Wi-Fi
Bluetooth PAN
Thunderbolt BridgeWith set -x they appear as below when expanded:
+ networksetup -getinfo Wi-Fi
+ networksetup -getinfo 'Bluetooth PAN'
+ networksetup -getinfo 'Thunderbolt Bridge'@alvarnell I noticed that you have two "Thunderbolt Ethernet Slot" services. The second one appears to have a double space in it Thunderbolt\ Ethernet\ Slot\ \ 1. I think that might something to do with it.
Would you mind modifying you local version of Lockdown to print a trace of commands being run by disable_ipv6 so we can see the values of arguments after they are expanded and before they are executed?
I would need you to make the following alterations:
set -x to line 547set +x under line 560 creating line 561Here's patch you can apply to your version of Lockdown which will make the changes for you.
Assuming you're in the same directory as Lockdown, executing the following will apply the patch.
patch Lockdown 0001-disable_ipv6-Enable-ipv6-debug.-Disable-sig-check.patchOnce those changes have been made can you reply with the output of ./Lockdown audit please?
0xmachos
commented
4 years ago Here's the patch in a gist if anyone else is experiencing this bug and wants to help debug it
alvarnell
commented
4 years ago Sorry, I know I replied to this last week, but it seems to have vanished.
My time is limited right now and I'm spending it in Mojave, so don't know when I'll get a chance to get back to some version of Catalina, but I went ahead and applied the same patches to v2.4, ran it and got the following results:
β mOSL-2.4.0 % ./Lockdown audit
[β οΈ ] Password required to run some commands with 'sudo':
Results:
[β] Enable Automatic System Updates
[β] Enable Automatic App Store Updates
[β
] Enable Gatekeeper
[β
] Enable Firewall
[β
] Require an administrator password to access system-wide preferences
[β
] Enable Terminal.app secure keyboard entry
[β
] Enable System Integrity Protection (SIP)
[β
] Enable FileVault
[β] Disable built-in software from being auto-permitted to listen through firewall
[β] Disable downloaded signed software from being auto-permitted to listen through firewall
+ local mode=audit
+ local title
+ local audit_command
+ local fix_command
+ title='Disable IPv6'
+ audit_command='while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ fix_command='while read -r i; do networksetup -setv6off "${i}"; done <<< "$(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))"'
+ mode_check audit 'Disable IPv6' 'while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))' 'while read -r i; do networksetup -setv6off "${i}"; done <<< "$(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))"'
+ local mode=audit
+ local 'title=Disable IPv6'
+ local 'audit_command=while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ local 'fix_command=while read -r i; do networksetup -setv6off "${i}"; done <<< "$(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))"'
+ [[ audit == \a\u\d\i\t ]]
+ audit 'Disable IPv6' 'while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ local 'title=Disable IPv6'
+ local 'command=while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ bash -c 'while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ echo ' [β] Disable IPv6'
[β] Disable IPv6
+ return 1
+ set +x
[β
] Disable automatic loading of remote content by Mail.app
[β
] Disable Remote Apple Events
[β
] Disable Remote Login
[β
] Disable Safari Auto Open 'safe' Files
[β
] Set AirDrop Discoverability to 'Contacts Only'
[β
] Set AppStore update check to every one (1) day
[β] Set a firmware password
[β
] Check Kernel Extension User Consent required
[β
] Check EFI Firmware Integrity
[β] avarnell should not be an administrator
[β] 6/21 settings failed π’
Only bugs related to the latest macOS release, Catalina (
10.15.x), will be fixed mOSL is being rewritten in Swift and the Bash version will be deprecated See: https://0xmachos.github.io/2019-09-21-The-Future-of-mOSL.Output of
./Lockdown debug:Describe the bug Sorry that I'm just getting around to documenting this, but I've had this issue for at least a couple of years through multiple macOS versions.
I had manually disabled IPv6 long before I started using mOSL using networksetup for all network services, but Audit always shows [β] Disable IPv6, even after running a Fix.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen. Observe [β ] Disable IPv6 Terminal Output
If applicable, copy and paste your terminal output to help explain your problem. β mOSL-3.1.0-beta.2 % networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled. Ethernet iPad USB Thunderbolt FireWire Wi-Fi iPhone USB Thunderbolt Bridge Thunderbolt Ethernet Slot 1 Thunderbolt Ethernet Slot 1 β mOSL-3.1.0-beta.2 % networksetup -getinfo Ethernet DHCP Configuration Client ID: IPv6: Off Ethernet Address: 78:7b:8a:db:a6:4c β mOSL-3.1.0-beta.2 % networksetup -getinfo Thunderbolt\ FireWire DHCP Configuration Client ID: IPv6: Off β mOSL-3.1.0-beta.2 % networksetup -getinfo Thunderbolt\ Bridge
DHCP Configuration Client ID: IPv6: Off β mOSL-3.1.0-beta.2 % networksetup -getinfo Thunderbolt\ Ethernet\ Slot\ 1 DHCP Configuration Client ID: IPv6: Off Ethernet Address: (null) β mOSL-3.1.0-beta.2 % networksetup -getinfo Thunderbolt\ Ethernet\ Slot\ \ 1 DHCP Configuration Client ID: IPv6: Off Ethernet Address: 64:4b:f0:12:b9:c0 β mOSL-3.1.0-beta.2 % networksetup -getinfo Wi-Fi Manually Using DHCP Router Configuration IP address: 10.0.1.157 Subnet mask: 255.255.255.0 Router: 10.0.1.1 IPv6: Off Wi-Fi ID: 14:20:5e:04:8c:90 Additional context
Add any other context about the problem here.