search

usnistgov / macos_security

macOS Security Compliance Project
Other
1.68k stars 196 forks source link

Changing time server value is not respected, always, in the remediation section #397

Open JCSmillie opened 3 months ago

JCSmillie commented 3 months ago

Summary

In an Apple class right now where we are talking about this project and learning how to utilize it to change/implement security based on the NIST standards. We were asked to set the value of the timeserver to something different, run the report, and then confirm the change. In my report the documentation has updated to say "timesync.gatewayk12.org" is our time server and that it should be the result, BUT for remediation the code blob still said time.nist.gov.
(Summarize the bug encountered concisely)

Steps to reproduce

1.) Edit time server rule and change the server we want to use 2.) Generate report 3.) View either PDF or the excel document; remediation steps are wrong. (How one can reproduce the issue - this is very important)

Operating System version

MacOS 14.5. (23F79)

Intel or Apple Silicon

Apple Silicon M2 (Intel based process or Apple Silicon Mac)

What is the current bug behavior?

Wrong timeserver is shown in the remediation blob. Should be what I entered (time sync.gatewayk12.org instead off time.nist.gov.). I also am including the mobileconfig file generated because it too is wrong.

What is the expected correct behavior?

Time server manually entered should match both testing, confirmation, and remediation. Output mobileconfig com.apple.MCX should also match this change.

Relevant logs and/or screenshots

(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.) NIST Report Time Server Section.pdf

com.apple.MCX.mobileconfig.txt

NOTE MOBILECONFIG just saved as text because file type was unsupported.

FWIW there is maybe 24-30 people in this room. We are all doing the same thing. I have 2 coworkers with me and we can't replicate this issue. I have also tried to modify a few times, save, check again. Quit, try again. Confirm. I'm stumped.

vaughnhart commented 1 month ago

I checked over what you posted and you have the wrong PDF page. And the mobilecpnfig.txt file you posted shows the correct time server for government machines which should be time.nist.gov which I've used for over 23 years in the private sector. I think the current servers are time-a.nist.gov and time-b.nist.gov.

I used a modified mobile config and those servers work. The server you posted seems "rogue" to me.

Dot those "i"s and cross those "t"s like crosshairs. And remember it's hip to be square. Though I'd rather be a polygon.

I digress.

robertgendler commented 1 month ago

@JCSmillie Coming around to this.

We are unable to replicate the bug either using the project directly. Can you try to re-create the issue with using just the command line version of the project and with Jamf Compliance Editor?