usnistgov / macos_security

macOS Security Compliance Project

CIS Lvl 1 6.1.1 failing false positives #291

Closed rbarlowtapestry closed 1 year ago

rbarlowtapestry commented 1 year ago

Summary

Running the compliance script in --check (audit) mode is generating false failures for CIS Lvl 1 control 6.1.1 Enable Show All Filename Extensions when no user is logged in.

Steps to reproduce

Leveraging Jamf and the --check mode on a once-per-day check-in: when no user is logged in and the policy runs, it reports a failure because the output does not match the expected result.

Operating System version

macOS 13.5 and 13.5.1

Intel or Apple Silicon

Both

What is the current bug behavior?

The Check and Fix for this control are generating a sudo -u context/logic error.

What is the expected correct behavior?

Either the check is skipped, as this is a user-level check, or the script logic is modified to check all users' plists (which would be the more secure way). That would require changing the logic of the check, result, and fix to be array-based. --fix is unable to write to the root/null user when the fix is run in a session with no user logged in.

Relevant logs and/or screenshots

Fix script log:

```
Thu Aug 17 18:48:20 UTC 2023 Running the command to configure the settings for: os_show_filename_extensions_enable ...
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
```

Output of checks

```
os_show_filename_extensions_enable failed (Result: , Expected: {boolean: 1})
```

Possible fixes

Both check and fix will need adjustment. As root login is disabled per CIS Lvl 1 5.6 Disable Root Login, I think it's preventing root from running the command it needs to, since it's a sudo -u command and root is the only active shell. This logic would need to be changed to escape if root is the only user session and/or check/fix all users' plists.

CHECK:

```bash
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null
```

FIX:

```bash
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true
```

robertgendler commented 1 year ago

When no one is logged in, CURRENT_USER would be blank

Also, the preferences daemon isn't loaded for the user since there are no users logged in. Therefore the check will fail. The only solution is giving a full path to the plist file.
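One way to implement what the two comments converge on (read every local user's .GlobalPreferences.plist by full path, never through `sudo -u "$CURRENT_USER"`), as an added example that is not the project's own check or fix. The function names, the `DEFAULTS_CMD` override hook, the `/Users` layout and the skipping of the Shared and Guest folders are assumptions made for the example:

```sh
#!/bin/sh
# Added example for issue #291, not the macos_security project's own check/fix.
# Audits (and remediates) AppleShowAllExtensions by reading each local user's
# .GlobalPreferences.plist by full path instead of `sudo -u "$CURRENT_USER"`,
# so it still works when nobody is logged in and CURRENT_USER is empty.
# Run as root. Assumptions: user homes live under /Users (Shared and Guest are
# skipped); DEFAULTS_CMD is an override hook, defaulting to /usr/bin/defaults,
# so the control flow can be exercised off-macOS with a stub.

DEFAULTS_CMD="${DEFAULTS_CMD:-/usr/bin/defaults}"

# read_pref PLIST KEY: print the value; exit 1 (printing nothing) if the key
# is unset or the file is missing. `defaults read` accepts a full path here.
read_pref() {
    "$DEFAULTS_CMD" read "$1" "$2" 2>/dev/null
}

# home_plist DIR: print the global-preferences path for a real user home;
# exit 1 for non-directories and for the Shared/Guest folders.
home_plist() {
    [ -d "$1" ] || return 1
    case "$(basename "$1")" in Shared|Guest) return 1 ;; esac
    echo "$1/Library/Preferences/.GlobalPreferences.plist"
}

# check_show_all_extensions [USERS_DIR]: one verdict line per user in the
# project's "Result/Expected" style; returns 0 only if every user passes.
# No sudo -u is involved, so an empty CURRENT_USER cannot produce the
# `usage: sudo ...` error quoted in the issue.
check_show_all_extensions() {
    local users_dir="${1:-/Users}" rc=0 seen=0 home plist user value
    for home in "$users_dir"/*; do
        plist=$(home_plist "$home") || continue
        user=$(basename "$home")
        seen=1
        value=$(read_pref "$plist" AppleShowAllExtensions) || value=""
        if [ "$value" = "1" ]; then
            echo "$user: passed"
        else
            echo "$user: failed (Result: ${value:-<none>}, Expected: 1)"
            rc=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "no user homes found under $users_dir"
        rc=1
    fi
    return "$rc"
}

# fix_show_all_extensions [USERS_DIR]: write the key into each user's plist
# by full path, then hand the file back to its user (root just wrote it)
# when that account exists on the system.
fix_show_all_extensions() {
    local users_dir="${1:-/Users}" home plist user
    for home in "$users_dir"/*; do
        plist=$(home_plist "$home") || continue
        user=$(basename "$home")
        "$DEFAULTS_CMD" write "$plist" AppleShowAllExtensions -bool true || return 1
        if id "$user" >/dev/null 2>&1; then
            chown "$user" "$plist" || return 1
        fi
    done
}

# Usage: sh check_ext.sh check [USERS_DIR]   or   sh check_ext.sh fix [USERS_DIR]
case "${1:-}" in
    check) check_show_all_extensions "$2" ;;
    fix)   fix_show_all_extensions "$2" ;;
esac
```

Run it as root with `sh check_ext.sh check` or `sh check_ext.sh fix`. Reading by path sidesteps both failure modes named in the thread: there is no `sudo -u ""` when CURRENT_USER is empty, and nothing depends on a per-user preferences daemon being loaded. The caveat in the other direction is that a setting a logged-in user changed moments earlier may not have been flushed to the plist yet, so a check run immediately after such a change can briefly lag.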