72nomada
commented
2 years ago Hi @elwali10, @MiguelCasaresRobles
A draft for a solution to this is uploaded to https://github.com/wazuh/wazuh/blob/cis_bigsur/ruleset/sca/darwin/20/cis_apple_macOS_11.1.yml
To solve the username issue on different rules, we take this approach.
c:sh -c "dscl . list /Users | grep -v \"^_\" | egrep -v \"daemon|nobody|root|wazuh\" | while IFS= read -r username; do sudo -u $username read /Users/$username/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions 2>&1 ; done" -> r:^0$|^The domain/default$'| where: | command section | description |
|---|---|---|
| dscl . list /Users | grep -v \"^_\" | list all valid users on the system. This includes default users like nobody, daemon, and root. | |
| egrep -v \"daemon|nobody|root|wazuh\" | remove the known users that shouldn't be tested. This may cause false positives with systems with additional known users | |
| while IFS= read -r username; do ... ; done | loop over users and command execution. |
We also changed this file's format, text description, and controls to match the latest benchmark.
With your ok feedback, we will propose this as PR to master, and we should open the issue so SCA can manage this kind of loop most straightforwardly.
The check https://github.com/wazuh/wazuh/blob/v4.2.1/ruleset/sca/darwin/20/cis_apple_macOS_11.1.yml#L341 is not using the username as requested in the benchmark causing the SCA to report false result
It is possible that the same issue applies to the following checks:
Regards, Elwali