sametsazak / mergen

Mergen is an open-source, native macOS application for auditing and checking the security of your macOS.
MIT License
151 stars, 10 forks

Many false positives #1

Open mnrkbys opened 1 year ago

mnrkbys commented 1 year ago

First of all, thanks for releasing a nice tool. However, this tool detects many false positives.

For example, "Check If SSH Is Enabled" tries to find '"com.openssh.sshd" => disabled' in the result of "/bin/launchctl print-disabled system". But this check module also decides "SSH is Enabled" when SSH is disabled. In my environment (macOS 12.6.5), "/bin/launchctl print-disabled system" returns the following:

% /bin/launchctl print-disabled system         
disabled services = {
    "com.apple.screensharing" => false
    "com.apple.CSCSupportd" => true
    "com.apple.ftpd" => true
    "com.apple.mdmclient.daemon.runatboot" => true
    "com.apple.dhcp6d" => true
    "com.apple.bootpd" => true
    "com.microsoft.autoupdate.helper" => false
    "com.apple.ftp-proxy" => true
}

Actually, I have never enabled SSH on this macOS. So, I guess that the "com.openssh.sshd" item does not exist. Therefore, this check module should determine "SSH is Enabled" only if '"com.openssh.sshd" => enabled' exists.

mnrkbys commented 1 year ago

By the way, I have realized another point. The result of "/bin/launchctl print-disabled system" depends on the macOS version. In macOS 12.6.5, a feature is enabled as "true". On the other hand, in macOS 13.2.1, a feature is enabled as "enabled". Therefore, check modules have to recognize the macOS version.
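
The two reports above (an absent entry being read as "enabled", and the true/false versus enabled/disabled spelling changing between macOS 12 and 13) come down to how the `launchctl print-disabled system` output is parsed. The following is an added example, not Mergen's own code, of a parser that handles both spellings and reports a missing entry as "absent" rather than "enabled". It assumes that, inside the `disabled services` dictionary, `true` and `disabled` both mean the service is disabled while `false` and `enabled` both mean it is not; the macOS 12 sample is the one posted above, the macOS 13 sample is constructed here from the description of that format. `run_launchctl()` only works on a Mac.

```python
import re
import subprocess

# Constructed sample: the macOS 12.6.5 output quoted in the issue (sshd absent).
SAMPLE_MACOS12 = """disabled services = {
    "com.apple.screensharing" => false
    "com.apple.CSCSupportd" => true
    "com.apple.ftpd" => true
    "com.microsoft.autoupdate.helper" => false
    "com.apple.ftp-proxy" => true
}
"""

# Constructed sample in the macOS 13 spelling (enabled/disabled) described in the thread.
SAMPLE_MACOS13 = """disabled services = {
    "com.openssh.sshd" => enabled
    "com.apple.screensharing" => disabled
}
"""

# One entry per line: "label" => token
_ENTRY = re.compile(r'^\s*"([^"]+)"\s*=>\s*(\w+)\s*$')

# Assumption: the dictionary is named "disabled services", so true/disabled mean
# the override disables the service and false/enabled mean it does not.
_DISABLED_TOKENS = {"true": True, "disabled": True, "false": False, "enabled": False}


def parse_print_disabled(text):
    """Return {label: is_disabled} for every entry launchctl lists, whatever the spelling."""
    states = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # header, closing brace, blank line
        label, token = m.group(1), m.group(2).lower()
        if token not in _DISABLED_TOKENS:
            raise ValueError(f"unrecognised state {token!r} for {label}")
        states[label] = _DISABLED_TOKENS[token]
    return states


def service_state(text, label):
    """'enabled', 'disabled', or 'absent' (no override recorded: the service is in its default state)."""
    states = parse_print_disabled(text)
    if label not in states:
        return "absent"
    return "disabled" if states[label] else "enabled"


def ssh_enabled(text):
    """Only a positive 'not disabled' entry counts, as the reporter suggests; absent is not enabled."""
    return service_state(text, "com.openssh.sshd") == "enabled"


def run_launchctl():
    """Live check on a Mac; the samples above let the parser be exercised anywhere."""
    out = subprocess.run(["/bin/launchctl", "print-disabled", "system"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    print("SSH enabled:", ssh_enabled(run_launchctl()))
```

The same `service_state` call serves any other launchd label an audit wants to check; the point is to keep the three-way answer (enabled, disabled, absent) rather than collapsing "not disabled" into "enabled", and to let the token table absorb the spelling change instead of branching on the macOS version.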

GenoMyb commented 1 year ago

I have also picked up a few items that say it's enabled but it's disabled, e.g. "Remote Apple Events is enabled", but it's turned off.

DamienSchreurs commented 1 year ago

Congrats and thank you for starting this endeavour.

Regarding the many false positives that I encountered, did you know that it's possible to configure System Preferences (I'm still on macOS Monterey) such that system-wide preferences can only be accessed and changed after entering an admin password?

Require admin password to access system-wide preferences

You can set that from the Security & Privacy pane by clicking on the "Advanced" button (bottom right corner).

This is, in fact, a great security feature because it will prevent "standard" users configured on the same machine from tampering with important settings.

I suspect that this setting might interfere with the ability of your app to properly scan some settings without asking the user to enter an admin password.

PS: If you need help better understanding Mac security overall, just let me know, since that's what I do as part of my day job.
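
As an added example (not part of the thread or of Mergen), here is how an audit tool could test the "Require an administrator password to access system-wide preferences" setting itself. It assumes that the checkbox maps to the `shared` key of the `system.preferences` right in the authorization database, read with `security authorizationdb read system.preferences` (an XML plist on stdout), with `shared` being false when the password is required; that reading a right definition needs no admin credentials, so the check does not trigger the prompt the comment is concerned about. The sample plists are constructed with `plistlib` rather than captured from a machine.

```python
import plistlib
import subprocess


def constructed_right(shared):
    """Constructed stand-in for what `security authorizationdb read system.preferences` prints."""
    return plistlib.dumps({"class": "user", "group": "admin", "shared": shared})


def read_right(name="system.preferences"):
    """Live read on a Mac; reading a right is an unprivileged database read (assumption)."""
    out = subprocess.run(["/usr/bin/security", "authorizationdb", "read", name],
                         capture_output=True, check=True)
    return out.stdout


def admin_password_required(plist_bytes):
    """True when the right is not shared, i.e. the checkbox is on (assumed mapping)."""
    right = plistlib.loads(plist_bytes)
    # A shared right stays unlocked for the session once one admin authenticates;
    # clearing `shared` forces the password on every access. Missing key: treat as shared.
    return not right.get("shared", True)


if __name__ == "__main__":
    print("admin password required:", admin_password_required(read_right()))
```

Checking the setting this way also tells the auditor which other checks may need an authorization prompt on that machine, instead of silently reporting them as misconfigured.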

sametsazak commented 1 year ago

It is excellent information for this tool. Thank you. @DamienSchreurs, I'll try to implement this and of course, I'm open to discussion, I'll send an email about the issues that I'm facing right now.