Closed rbarlowtapestry closed 1 year ago
When no one is logged in, CURRENT_USER would be blank
Also, the preferences daemon isn't loaded for the user since there are no users logged in. Therefore the check will fail. The only solution is giving a full path to read the plist file.
Summary
Running the compliance script in --check (audit) mode is generating false failures for CIS Lvl 1 control 6.1.1 Enable Show All Filename Extensions when no user is logged in.
Steps to reproduce
Leveraging Jamf and the --check mode on a once-per-day check-in: when no user is logged in and the policy runs, it reports a failure because the output does not match the expected result.
Operating System version
macOS 13.5 and 13.5.1
Intel or Apple Silicon
Both
What is the current bug behavior?
The check and fix for this control are generating a `sudo -u` context/logic error.
What is the expected correct behavior?
Either the check is skipped, as this is a user-level check, or the script logic is modified to check all users' plists (which would be the more secure way). This would require changing the logic of the check, result, and fix to be array based. `--fix` is unable to write to the root/null user when the fix is run on a session with no user logged in.
Relevant logs and/or screenshots
Fix script log:

```
Thu Aug 17 18:48:20 UTC 2023 Running the command to configure the settings for: os_show_filename_extensions_enable ...
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i|-s] []
usage: sudo -e [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
```
Output of checks
```
os_show_filename_extensions_enable failed (Result: , Expected: {boolean: 1})
```
Possible fixes
Both check and fix will need adjustment. As root login is disabled per CIS lvl 1 5.6 Disable Root Login, I think it's preventing root from running the command it needs to, as it's a `sudo -u` command with root as the only active shell. This logic would need to be changed to escape if root is the only user session and/or check/fix all users' plists.
CHECK:

```bash
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null
```

FIX:

```bash
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true
```
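As an added example (not code from this issue or from the compliance project's generated scripts), here is a Python version of the "check and fix all users' plists by full path" approach described above: it parses each home's `.GlobalPreferences.plist` with `plistlib`, so it needs neither a logged-in `$CURRENT_USER` nor `sudo -u`. The user names, preference values and `/Users`-style directory layout are a constructed fixture.

```python
import os
import plistlib
import tempfile
# Per-user preference file; reading it by full path needs no login session or `sudo -u`.
PREF_REL_PATH = os.path.join("Library", "Preferences", ".GlobalPreferences.plist")

def _load(path):
    """Parse a plist, or return {} if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return {}

def read_show_all_extensions(home):
    """True/False if AppleShowAllExtensions is set in the user's plist, None if absent."""
    value = _load(os.path.join(home, PREF_REL_PATH)).get("AppleShowAllExtensions")
    return None if value is None else bool(value)

def set_show_all_extensions(home):
    """Write the key by full path (the no-session case from the issue). With a user logged
    in cfprefsd may cache the old value, and a real fix must also chown the file to that user."""
    path = os.path.join(home, PREF_REL_PATH)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    prefs = _load(path)
    prefs["AppleShowAllExtensions"] = True
    with open(path, "wb") as fh:
        plistlib.dump(prefs, fh)

def audit_all_users(users_dir, skip=("Shared",)):
    """Check every home under users_dir, not just $CURRENT_USER; returns {user: "pass"|"fail"}."""
    homes = [n for n in sorted(os.listdir(users_dir)) if n not in skip
             and not n.startswith(".") and os.path.isdir(os.path.join(users_dir, n))]
    return {n: "pass" if read_show_all_extensions(os.path.join(users_dir, n)) is True else "fail"
            for n in homes}

def build_sample_users(root):
    """Constructed fixture: alice compliant, bob explicitly off, carol never set."""
    for user, value in {"alice": True, "bob": False, "carol": None}.items():
        prefdir = os.path.join(root, user, "Library", "Preferences")
        os.makedirs(prefdir)
        with open(os.path.join(prefdir, ".GlobalPreferences.plist"), "wb") as fh:
            plistlib.dump({} if value is None else {"AppleShowAllExtensions": value}, fh)
    os.makedirs(os.path.join(root, "Shared"))  # not a home directory; must be skipped

def run_demo():
    """Audit the fixture, remediate every failing user, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_users(tmp)
        before = audit_all_users(tmp)
        for user in (u for u, s in before.items() if s == "fail"):
            set_show_all_extensions(os.path.join(tmp, user))
        return before, audit_all_users(tmp)
```

On a real Mac you would pass `/Users` to `audit_all_users` and run as root from the management agent; a user whose key is absent or explicitly false is reported as failing, matching the control's expectation of `{boolean: 1}`.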