Open alvarnell opened 4 years ago
Thanks for reporting! I'm also aware of this bug thanks to @chall68. I wasn't sure if it was isolated to just him.
I'll take a look at some point this week.
Are you using zsh as your shell?
On Nov 25, 2019, at 12:29, Mikey notifications@github.com wrote:
Thanks for reporting! I'm also aware of this bug thanks to @chall68 https://github.com/chall68. I wasn't sure if it was isolated to just him.
I'll take a look at some point this week.
Are you using zsh as your shell?
Yes, I switched over around June, but the results were exactly the same using bash prior to that.
-Al-
I can't reproduce this on my machine.
I suspect the issue is something to do with parsing the network service names.
My machine only has:
Wi-Fi
Bluetooth PAN
Thunderbolt Bridge
With set -x they appear as below when expanded:
+ networksetup -getinfo Wi-Fi
+ networksetup -getinfo 'Bluetooth PAN'
+ networksetup -getinfo 'Thunderbolt Bridge'
@alvarnell I noticed that you have two "Thunderbolt Ethernet Slot" services. The second one appears to have a double space in it: Thunderbolt\ Ethernet\ Slot\ \ 1. I think that might have something to do with it.
Would you mind modifying your local version of Lockdown to print a trace of commands being run by disable_ipv6 so we can see the values of arguments after they are expanded and before they are executed?
I would need you to make the following alterations:
set -x to line 547
set +x under line 560 creating line 561
Here's a patch you can apply to your version of Lockdown which will make the changes for you.
Assuming you're in the same directory as Lockdown, executing the following will apply the patch.
patch Lockdown 0001-disable_ipv6-Enable-ipv6-debug.-Disable-sig-check.patch
Once those changes have been made can you reply with the output of ./Lockdown audit please?
Here's the patch in a gist if anyone else is experiencing this bug and wants to help debug it
Sorry, I know I replied to this last week, but it seems to have vanished.
My time is limited right now and I'm spending it in Mojave, so don't know when I'll get a chance to get back to some version of Catalina, but I went ahead and applied the same patches to v2.4, ran it and got the following results:
mOSL-2.4.0 % ./Lockdown audit
[⚠️ ] Password required to run some commands with 'sudo':
Results:
[❌] Enable Automatic System Updates
[❌] Enable Automatic App Store Updates
[✅] Enable Gatekeeper
[✅] Enable Firewall
[✅] Require an administrator password to access system-wide preferences
[✅] Enable Terminal.app secure keyboard entry
[✅] Enable System Integrity Protection (SIP)
[✅] Enable FileVault
[❌] Disable built-in software from being auto-permitted to listen through firewall
[❌] Disable downloaded signed software from being auto-permitted to listen through firewall
+ local mode=audit
+ local title
+ local audit_command
+ local fix_command
+ title='Disable IPv6'
+ audit_command='while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ fix_command='while read -r i; do networksetup -setv6off "${i}"; done <<< "$(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))"'
+ mode_check audit 'Disable IPv6' 'while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))' 'while read -r i; do networksetup -setv6off "${i}"; done <<< "$(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))"'
+ local mode=audit
+ local 'title=Disable IPv6'
+ local 'audit_command=while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ local 'fix_command=while read -r i; do networksetup -setv6off "${i}"; done <<< "$(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))"'
+ [[ audit == \a\u\d\i\t ]]
+ audit 'Disable IPv6' 'while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ local 'title=Disable IPv6'
+ local 'command=while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ bash -c 'while IFS= read -r i; do if networksetup -getinfo "${i}" | grep -q "IPv6: Off"; then :; else exit 1; fi; done <<< $(networksetup -listallnetworkservices | tail -n $(( $(networksetup -listallnetworkservices | wc -l) - 1 )))'
+ echo ' [❌] Disable IPv6'
[❌] Disable IPv6
+ return 1
+ set +x
[✅] Disable automatic loading of remote content by Mail.app
[✅] Disable Remote Apple Events
[✅] Disable Remote Login
[✅] Disable Safari Auto Open 'safe' Files
[✅] Set AirDrop Discoverability to 'Contacts Only'
[✅] Set AppStore update check to every one (1) day
[❌] Set a firmware password
[✅] Check Kernel Extension User Consent required
[✅] Check EFI Firmware Integrity
[❌] avarnell should not be an administrator
[❌] 6/21 settings failed 😢
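An added example (not mOSL's code and not written by anyone in this thread) showing why each service name has to reach the per-service check byte-for-byte when two services differ only by a space, as in the listing discussed here. get_info is a hypothetical stand-in for networksetup -getinfo, and the service listing and IPv6 states are constructed sample data.

```shell
#!/bin/sh
# Added example. get_info is a hypothetical stand-in for `networksetup -getinfo`;
# the listing and the IPv6 states below are constructed sample data.

sample_services() {
  printf '%s\n' \
    'An asterisk (*) denotes that a network service is disabled.' \
    'Ethernet' \
    'Thunderbolt Ethernet Slot 1' \
    'Thunderbolt Ethernet Slot  1'
}

get_info() {
  case "$1" in
    'Ethernet'|'Thunderbolt Ethernet Slot 1')
      printf 'DHCP Configuration\nIPv6: Off\n' ;;
    'Thunderbolt Ethernet Slot  1')            # two spaces before the 1
      printf 'DHCP Configuration\nIPv6: Automatic\n' ;;
    *)
      printf 'unknown service: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Reads a listing on stdin, prints every service that is not "IPv6: Off",
# and returns non-zero if there is at least one.
# Mode "exact" passes each name through untouched; mode "collapsed" re-expands
# it unquoted first, which is the failure mode being illustrated.
audit_ipv6() {
  mode=${1:-exact}
  tail -n +2 | {                      # drop the header line
    failed=0
    while IFS= read -r svc; do        # IFS= and -r keep the line byte-for-byte
      [ -n "$svc" ] || continue
      if [ "$mode" = collapsed ]; then
        svc=$(echo $svc)              # word splitting turns 'Slot  1' into 'Slot 1'
      fi
      if ! get_info "$svc" | grep -q 'IPv6: Off'; then
        printf 'not off: [%s]\n' "$svc"
        failed=1
      fi
    done
    [ "$failed" -eq 0 ]               # exit status of the whole audit
  }
}

sample_services | audit_ipv6 exact || echo 'exact: audit fails, as it should'
sample_services | audit_ipv6 collapsed && echo 'collapsed: audit passes, wrong service was queried'
```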
Only bugs related to the latest macOS release, Catalina (10.15.x), will be fixed
mOSL is being rewritten in Swift and the Bash version will be deprecated
See: https://0xmachos.github.io/2019-09-21-The-Future-of-mOSL.
Output of ./Lockdown debug:
Describe the bug
Sorry that I'm just getting around to documenting this, but I've had this issue for at least a couple of years through multiple macOS versions.
I had manually disabled IPv6 long before I started using mOSL using networksetup for all network services, but Audit always shows [❌] Disable IPv6, even after running a Fix.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
Observe [✅] Disable IPv6
Terminal Output
If applicable, copy and paste your terminal output to help explain your problem.
mOSL-3.1.0-beta.2 % networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled.
Ethernet
iPad USB
Thunderbolt FireWire
Wi-Fi
iPhone USB
Thunderbolt Bridge
Thunderbolt Ethernet Slot 1
Thunderbolt Ethernet Slot  1
mOSL-3.1.0-beta.2 % networksetup -getinfo Ethernet
DHCP Configuration
Client ID:
IPv6: Off
Ethernet Address: 78:7b:8a:db:a6:4c
mOSL-3.1.0-beta.2 % networksetup -getinfo Thunderbolt\ FireWire
DHCP Configuration
Client ID:
IPv6: Off
mOSL-3.1.0-beta.2 % networksetup -getinfo Thunderbolt\ Bridge
DHCP Configuration
Client ID:
IPv6: Off
mOSL-3.1.0-beta.2 % networksetup -getinfo Thunderbolt\ Ethernet\ Slot\ 1
DHCP Configuration
Client ID:
IPv6: Off
Ethernet Address: (null)
mOSL-3.1.0-beta.2 % networksetup -getinfo Thunderbolt\ Ethernet\ Slot\ \ 1
DHCP Configuration
Client ID:
IPv6: Off
Ethernet Address: 64:4b:f0:12:b9:c0
mOSL-3.1.0-beta.2 % networksetup -getinfo Wi-Fi
Manually Using DHCP Router Configuration
IP address: 10.0.1.157
Subnet mask: 255.255.255.0
Router: 10.0.1.1
IPv6: Off
Wi-Fi ID: 14:20:5e:04:8c:90
Additional context
Add any other context about the problem here.