def __init__(self, config, environ, logdispatcher, statechglogger): RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 270 self.rulename = 'DisableOpenSafeSafari' self.formatDetailedResults("initialize") self.mandatory = True self.rootrequired = False # for compatibility with logging in rule.py's undo() method... self.logger = self.logdispatch self.guidance = [] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } # init CIs datatype = 'bool' key = 'SAFESAFARI' instructions = "To prevent the open safe file after downloading " + \ "feature being disabled, set the value of SAFESAFARI to False." default = True self.ci = self.initCi(datatype, key, instructions, default) self.addKVEditor("DisableOpenSafeSafari", "defaults", "~/Library/Preferences/com.apple.Safari.plist", "", {"AutoOpenSafeDownloads": ["0", "-bool no"]}, "present", "", "Disable open safe files after download in safari") self.sethelptext()
def __init__(self, config, environ, logger, statechglogger): RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.rulenumber = 164 self.rulename = 'DisableAFPFileSharing' self.formatDetailedResults("initialize") self.mandatory = True self.logger = logger self.rootrequired = True self.guidance = ['CIS 1.4.14.3'] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } if self.environ.getostype() == "Mac OS X": self.addKVEditor( "DisableAFPFileSharing", "defaults", "/System/Library/LaunchDaemons/com.apple.AppleFileServer", "", {"Disabled": ["1", "-bool True"]}, "present", "", "Disable AFP File Sharing", None, False, {}) self.initObjs() self.determineOrigAFPstatus() self.sethelptext()
def __init__(self, config, environ, logger, statechglogger): RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.rulenumber = 174 self.rulename = 'DisableGuestAccess' self.formatDetailedResults("initialize") self.mandatory = True self.helptext = "Configures the Apple File Server (AFS) and " + \ "the Samba (SMB) server to prohibit anonymous guest access." self.applicable = {'type': 'white', 'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}} self.rootrequired = True self.guidance = [] self.addKVEditor("disableGuestSharingAFP", "defaults", "/Library/Preferences/com.apple.AppleFileServer", "", {"guestAccess": ["0", "-bool no"]}, "present", "", "Do not allow guests to access AppleShare volumes.", None, False, {}) self.addKVEditor("disableGuestSharingSMB", "defaults", "/Library/Preferences/SystemConfiguration/com.apple.smb.server", "", {"AllowGuestAccess": ["0", "-bool no"]}, "present", "", "Do not allow guest to access SMB Shares.", None, False, {})
def __init__(self, config, environ, logdispatcher, statechglogger): ''' Constructor ''' RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 170 self.rulename = 'ConfigureLoginWindow' self.formatDetailedResults("initialize") self.mandatory = True self.sethelptext() self.rootrequired = True self.guidance = ['CCE-28310-1'] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } self.addKVEditor( "LoginNamePassword", "defaults", "/Library/Preferences/com.apple.loginwindow", "", {"SHOWFULLNAME": ["1", "-bool yes"]}, "present", "", "Forces the user to enter a username and " + "password at the login window when enabled.", None, False, {"SHOWFULLNAME": ["0", "-bool no"]}) self.addKVEditor( "DisableConsoleAccess", "defaults", "/Library/Preferences/com.apple.loginwindow", "", {"DisableConsoleAccess": ["1", "-bool yes"]}, "present", "", 'If console login is enabled, the user can type ' + '">console" for the user name to get a console ' + 'login.', None, False, {"DisableConsoleAccess": ["0", "-bool no"]})
def __init__(self, config, environ, logdispatcher, statechglogger): RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 131 self.rulename = 'ShowBluetoothIcon' self.formatDetailedResults("initialize") self.mandatory = False self.sethelptext() self.rootrequired = False self.guidance = [] self.statechglogger = statechglogger self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } self.ch = CommandHelper(self.logdispatch) self.systemuiserver = "" self.bluetoothmenu = "" if self.environ.geteuid() != 0: user = pwd.getpwuid(os.getuid())[0] self.systemuiserver = "/Users/" + user + "/Library/Preferences/com.apple.systemuiserver" self.bluetoothmenu = "\"/System/Library/CoreServices/Menu Extras/Bluetooth.menu\"" self.addKVEditor( "ShowBluetoothIcon", "defaults", self.systemuiserver, "", { "menuExtras": [self.bluetoothmenu, "-array-add " + self.bluetoothmenu] }, "present", "", "Show Bluetooth Icon in the Menu Bar.", None, False, {})
def __init__(self, config, environ, logger, statechglogger): """ :param config: :param environ: :param logger: :param statechglogger: """ RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.logger = logger self.environ = environ self.rulenumber = 145 self.rootrequired = True self.mandatory = True self.rulename = 'LinuxPackageSigning' self.formatDetailedResults("initialize") self.sethelptext() self.guidance = ['CNSSI 1253: cm-5(3)'] # init CIs datatype = 'bool' key = 'LINUXPACKAGESIGNING' instructions = 'If you wish to disable this rule, set the value ' + \ 'of LinuxPackageSigning to False.' default = True self.ci = self.initCi(datatype, key, instructions, default) self.ostype = self.environ.getostype() self.applicable = self.isapplicable() self.localize()
def __init__(self, config, environ, logdispatcher, statechglogger): ''' Constructor ''' RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 171 self.rulename = 'DisablePasswordHints' self.formatDetailedResults("initialize") self.mandatory = True self.rootrequired = True self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } self.addKVEditor("DisablePasswordHints", "defaults", "/Library/Preferences/com.apple.loginwindow", "", {"RetriesUntilHint": ["0", "-int 0"]}, "present", "", "This variable is to determine number of " + \ "tries until password hints are displayed at " + \ "the login window. Zero indicates no password " + \ "hints will be given.", None, False, {}) self.sethelptext()
def fix(self): '''choose which fix method to run, based on OS archetype''' self.detailedresults = "" if self.DisableCloudServices.getcurrvalue(): if self.environ.getosfamily() == 'darwin': RuleKVEditor.fix(self, False) elif re.search('Ubuntu', self.environ.getostype()): self.fixUbuntu()
def report(self): '''choose which report method to run based on OS archetype''' self.detailedresults = "" if self.environ.getosfamily() == 'darwin': RuleKVEditor.report(self, False) elif re.search('Ubuntu', self.environ.getostype()): retval = self.reportUbuntu() return retval
def __init__(self, config, environ, logger, statechglogger): ''' Constructor ''' RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.logger = logger self.rulenumber = 261 self.rulename = 'ConfigureRemoteManagement' self.compliant = True self.formatDetailedResults("initialize") self.sethelptext() self.rootrequired = True self.guidance = ['CIS 2.4.9', 'Apple HT201710'] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } if self.environ.getostype() == "Mac OS X": self.addKVEditor( "ARD_AllLocalUsers", "defaults", "/Library/Preferences/com.apple.RemoteManagement", "", {"ARD_AllLocalUsers": ["0", "-bool no"]}, "present", "", "Do not allow local users remote management rights.", None, False, {"ARD_AllLocalUsers": ["1", "-bool yes"]}) self.addKVEditor( "ARD_AllLocalUsersPrivs", "defaults", "/Library/Preferences/com.apple.RemoteManagement", "", {"ARD_AllLocalUsersPrivs": ["1073742058", "-int 1073742058"]}, "present", "", "Set which privleges local users have access to", None, False, {"ARD_AllLocalUsersPrivs": ["0", "-int 0"]}) self.addKVEditor( "ScreenSharingReqPermEnabled", "defaults", "/Library/Preferences/com.apple.RemoteManagement", "", {"ScreenSharingReqPermEnabled": ["1", "-bool yes"]}, "present", "", "Enable remote users to request permissions for screen sharing.", None, False, {"ScreenSharingReqPermEnabled": ["0", "-bool no"]}) self.addKVEditor( "VNCLegacyConnectionsEnabled", "defaults", "/Library/Preferences/com.apple.RemoteManagement", "", {"VNCLegacyConnectionsEnabled": ["0", "-bool no"]}, "present", "", "Disable Legacy VNC Connections.", None, False, {"VNCLegacyConnectionsEnabled": ["1", "-bool yes"]}) self.addKVEditor( "LoadRemoteManagementMenuExtra", "defaults", "/Library/Preferences/com.apple.RemoteManagement", "", {"LoadRemoteManagementMenuExtra": ["1", "-bool yes"]}, "present", "", "Load the remote management menu item.", None, False, {"LoadRemoteManagementMenuExtra": ["0", "-bool no"]})
def __init__(self, config, environ, logdispatcher, statechglogger): RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 122 self.rulename = 'ConfigureNetworks' self.formatDetailedResults("initialize") self.mandatory = True self.sethelptext() self.rootrequired = True self.guidance = [] self.iditerator = 0 self.statechglogger = statechglogger self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } ## this section added to prevent code, which relies on constants in localize.py, # from running if those constants are not defined or are set to 'None' # if DNS == None: # self.logdispatch.log(LogPriority.DEBUG, "Please ensure that the following constants, in localize.py, are correctly defined and are not None: DNS, PROXY, PROXYCONFIGURATIONFILE, PROXYDOMAIN. ConfigureNetworks will not function without these!") # exit # if PROXY == None: # self.logdispatch.log(LogPriority.DEBUG, "Please ensure that the following constants, in localize.py, are correctly defined and are not None: DNS, PROXY, PROXYCONFIGURATIONFILE, PROXYDOMAIN. ConfigureNetworks will not function without these!") # exit # if PROXYCONFIGURATIONFILE == None: # self.logdispatch.log(LogPriority.DEBUG, "Please ensure that the following constants, in localize.py, are correctly defined and are not None: DNS, PROXY, PROXYCONFIGURATIONFILE, PROXYDOMAIN. ConfigureNetworks will not function without these!") # exit # if PROXYDOMAIN == None: # self.logdispatch.log(LogPriority.DEBUG, "Please ensure that the following constants, in localize.py, are correctly defined and are not None: DNS, PROXY, PROXYCONFIGURATIONFILE, PROXYDOMAIN. ConfigureNetworks will not function without these!") # exit # this section added to prevent code, which relies on constants in localize.py, ## from running if those constants are not defined or are set to 'None' self.nsobject = None self.nsobject = networksetup(self.logdispatch) if self.nsobject != None: self.ch = CommandHelper(self.logdispatch) self.sh = ServiceHelper(self.environ, self.logdispatch) self.addKVEditor("DisableBluetoothUserInterface", "defaults", "/Library/Preferences/com.apple.Bluetooth", "", {"ControllerPowerState": ["0", "-int 0"]}, "present", "", "Disable Bluetooth User Interface.", None, False, {}) self.addKVEditor("DisableBluetoothInternetSharing", "defaults", "/Library/Preferences/com.apple.Bluetooth", "", {"PANServices": ["0", "-int 0"]}, "present", "", "Disable Bluetooth Internet Sharing.", None, False, {})
def __init__(self, config, environ, logger, statechglogger): """ Constructor """ RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.logger = logger self.rulenumber = 51 self.rulename = 'InstallBanners' self.formatDetailedResults("initialize") self.mandatory = True self.sethelptext() self.rootrequired = True self.compliant = False self.guidance = [ 'CIS', 'NSA 2.3.7.2', 'CCE 4188-9', 'CCE 4431-3', 'CCE 3717-6', 'CCE 4554-2', 'CCE 4603-7', 'CCE 4760-5', 'CCE 4301-8', 'CCE 4698-7', 'CCE 4222-6', 'CCE 4103-8', 'CCE 4870-2', 'CCE 4896-7' ] self.iditerator = 0 self.applicable = { 'type': 'white', 'family': ['linux', 'solaris', 'freebsd'], 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } # init CIs datatype = 'bool' key = 'INSTALLBANNERS' instructions = "To prevent the installation of warning banners, " + \ "set the value of InstallBanners to False.\n\n!DEBIAN USERS! Due to " + \ "a bug in gdm3 (gnome 3) which has not been patched on debian, we are forced to " + \ "change the user's display manager to something else in order to be compliant " + \ "with the login banner requirement. As a result, the login banner changes will " + \ "only take effect after a system reboot." default = True self.ci = self.initCi(datatype, key, instructions, default) # Initial setup and deterministic resolution of variables constlist = [ WARNINGBANNER, GDMWARNINGBANNER, GDM3WARNINGBANNER, ALTWARNINGBANNER, OSXSHORTWARNINGBANNER ] if not self.checkConsts(constlist): self.applicable = {'type': 'white', 'family': []} return self.initobjs() self.setcommon() self.islinux() self.ismac()
def __init__(self, config, environ, logdispatcher, statechglogger): RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 14 self.rulename = 'ConfigureFirewall' self.formatDetailedResults("initialize") self.mandatory = True self.sethelptext() self.rootrequired = True self.guidance = [] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.12', 'r', '10.15.10'] } } self.ch = CommandHelper(self.logdispatch) self.sh = ServiceHelper(self.environ, self.logdispatch) self.fwcmd = "/usr/libexec/ApplicationFirewall/socketfilterfw" self.list = self.fwcmd + " --listapps" self.add = self.fwcmd + " --add " self.rmv = self.fwcmd + " --remove " self.iditerator = 0 datatype = 'bool' key = 'CONFIGUREFIREWALL' instructions = "To disable this rule set CONFIGUREFIREWALL to False\n" default = True self.ci = self.initCi(datatype, key, instructions, default) self.addKVEditor("FirewallOn", "defaults", "/Library/Preferences/com.apple.alf", "", {"globalstate": ["1", "-int 1"]}, "present", "", "Turn On Firewall. When enabled.", None, False, {"globalstate": ["0", "-int 0"]}) self.addKVEditor("FirewallLoginEnabled", "defaults", "/Library/Preferences/com.apple.alf", "", {"loggingenabled": ["1", "-int 1"]}, "present", "", "Login Enabled. When enabled.", None, False, {"loggingenabled": ["0", "-int 0"]}) self.addKVEditor("FirewallStealthDisabled", "defaults", "/Library/Preferences/com.apple.alf", "", {"stealthenabled": ["0", "-int 0"]}, "present", "", "Stealth Disabled. When enabled.", None, False, {"stealthenabled": ["1", "-int 1"]}) # self.currallowed = [] '''Any values inside stonix.conf overrule the values inserted in the text field unless changes are saved to stonix.conf''' '''There are no currently allowed apps for the fw''' datatype = 'list' key = 'ALLOWEDAPPS' instructions = "Comma separated list of Applications allowed by the firewall.\n" + \ "Most applications end with .app and must contain the full path to the application.\n" default = [] self.appci = self.initCi(datatype, key, instructions, default, ",")
def fix(self): '''disable Apple File Sharing service :returns: success :rtype: bool @author: Breen Malmberg ''' success = True try: # if version = 10.10.*, then use KVEditor and ignore the other code if re.search("10\.10.*", self.environ.getosver(), re.IGNORECASE): RuleKVEditor.fix(self) else: clientfixpath1 = "/System/Library/LaunchDaemons/com.apple.AppleFileServer" clientfixtool = "launchctl" clientfixcmd1 = clientfixtool + " unload " + clientfixpath1 # the below 'path' is actually an alias # which is understood by launchctl. # in mac terminology, this is called a 'target' clientfixpath2 = "system/com.apple.AppleFileServer" clientfixcmd2 = clientfixtool + " disable " + clientfixpath2 self.cmdhelper.executeCommand(clientfixcmd1) retcode = self.cmdhelper.getReturnCode() if retcode != 0: errstr = self.cmdhelper.getErrorString() self.logger.log(LogPriority.DEBUG, errstr) success = False self.cmdhelper.executeCommand(clientfixcmd2) retcode = self.cmdhelper.getReturnCode() if retcode != 0: errstr = self.cmdhelper.getErrorString() self.logger.log(LogPriority.DEBUG, errstr) success = False if success: self.detailedresults += "\nApple File Server has successfully been disabled." self.formatDetailedResults('fix', success, self.detailedresults) return success except (KeyboardInterrupt, SystemExit): raise except Exception: self.detailedresults = traceback.format_exc() self.logger.log(LogPriority.ERROR, self.detailedresults)
def fixmac(self): '''run fix functionality for macintosh, or darwin-based systems :returns: success :rtype: boolean @author: Breen Malmberg ''' success = True try: if not RuleKVEditor.fix(self, True): success = False if not self.setFileContents(self.ftpwelcomefile, self.bannertext): success = False self.detailedresults += '\nUnable to set warning banner text in ' + str( self.ftpwelcomefile) if not self.setFileContents(self.policybanner, self.bannertext): success = False self.detailedresults += '\nUnable to set warning banner text in ' + str( self.policybanner) except Exception: raise return success
def fix(self): '''run fixed actions for ShowBluetoothIcon return True if all succeed :returns: fixed :rtype: bool @author: bgonz12 ''' self.detailedresults = "" fixed = True try: if not RuleKVEditor.fix(self, True): fixed = False self.logdispatch.log(LogPriority.DEBUG, "Kveditor fixed failed.") except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception as err: self.rulesuccess = False fixed = False messagestring = str(err) + " - " + str(traceback.format_exc()) self.resultAppend(messagestring) self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", fixed, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return fixed
def fix(self): '''Disables Auto Login @author: Roy Nielsen ''' try: self.detailedresults = "" fixed = False self.kvfix = False self.fhfix = False self.kvfix = RuleKVEditor.fix(self) if self.kvfix: self.fhfix = self.fh.fixFiles() if self.fhfix: self.detailedresults = self.detailedresults + "\n" + \ self.fh.getFileMessage() if not self.kvfix or not self.fhfix: fixed = False except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception as err: self.rulesuccess = False self.detailedresults = self.detailedresults + "\n" + str(err) + \ " - " + str(traceback.format_exc()) self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", fixed, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return fixed
def report(self): '''Report on the status of this rule @author: Roy Nielsen ''' try: self.detailedresults = "" self.kvcompliant = False self.fhcompliant = False self.kvcompliant = RuleKVEditor.report(self) if not self.kvcompliant: self.detailedresults = "DisableAutoLogin is not compliant!" else: self.detailedresults = "DisableAutoLogin is compliant!" self.fhcompliant = self.fh.evaluateFiles() if not self.fhcompliant: self.detailedresults = self.detailedresults + "\n" + \ self.fh.getFileMessage() if not self.fhcompliant or not self.kvcompliant: self.compliant = False except (KeyboardInterrupt, SystemExit): raise except Exception as err: self.rulesuccess = False self.detailedresults = self.detailedresults + "\n" + str(err) + \ " - " + str(traceback.format_exc()) self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant
def undo(self): '''restore Apple File Sharing service to its original state :returns: void @author: Breen Malmberg ''' success = True try: # if version = 10.10.*, then use KVEditor and ignore the other code if re.search("10\.10.*", self.environ.getosver(), re.IGNORECASE): RuleKVEditor.undo(self) else: if not self.afporigstatus: undocmd1 = "launchctl enable system/com.apple.AppleFileServer" undocmd2 = "launchctl load /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist" self.cmdhelper.executeCommand(undocmd1) retcode = self.cmdhelper.getReturnCode() if retcode != 0: success = False errstr = self.cmdhelper.getErrorString() self.logger.log(LogPriority.DEBUG, errstr) self.cmdhelper.executeCommand(undocmd2) retcode = self.cmdhelper.getReturnCode() if retcode != 0: success = False errstr = self.cmdhelper.getErrorString() self.logger.log(LogPriority.DEBUG, errstr) if not success: self.detailedresults += "\nUndo failed to restore Apple File Sharing to its original state on this system." else: self.detailedresults += "\nUndo has successfully restored Apple File Sharing to its original state on this system." except (KeyboardInterrupt, SystemExit): raise except Exception: self.detailedresults = traceback.format_exc() self.logger.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults('undo', success, self.detailedresults) return success
def __init__(self, config, environ, logdispatcher, statechglogger): ''' Constructor ''' RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 169 self.rulename = 'DisableAutoLogin' self.formatDetailedResults("initialize") self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } self.mandatory = True self.rootrequired = True self.files = { "kcpassword": { "path": "/etc/kcpassword", "remove": True, "content": None, "permissions": None, "owner": None, "group": None, "eventid": str(self.rulenumber).zfill(4) + "kcpassword" } } self.addKVEditor( "DisableAutoLogin", "defaults", "/Library/Preferences/com.apple.loginwindow", "", { "autoLoginUser": [ re.escape( "The domain/default pair of (/Library/Preferences/com.apple.loginwindow, autoLoginUser) does not exist" ), None ] }, "present", "", "This variable is to determine whether or not to " + "disable auto login", None, False, {}) self.fh = FileHelper(self.logdispatch, self.statechglogger) self.ch = CommandHelper(self.logdispatch) for filelabel, fileinfo in sorted(self.files.items()): self.fh.addFile(filelabel, fileinfo["path"], fileinfo["remove"], fileinfo["content"], fileinfo["permissions"], fileinfo["owner"], fileinfo["group"], fileinfo["eventid"]) self.sethelptext()
def __init__(self, config, environ, logger, statechglogger): RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.rulenumber = 257 self.rulename = 'DisableMediaAutomaticActions' self.formatDetailedResults("initialize") self.mandatory = True self.rootrequired = True self.guidance = [] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } self.addKVEditor( "DisableAutoCDAction", "defaults", "/Library/Preferences/com.apple.digihub", "", { "com.apple.digihub.blank.cd.appeared": ["Enabled = 0;", "-dict Enabled -int 0"] }, "present", "", "Disable Automatic mounting of CDs.", None, False, {}) self.addKVEditor( "DisableAutoMusicCDAction", "defaults", "/Library/Preferences/com.apple.digihub", "", { "com.apple.digihub.blank.dvd.appeared": ["Enabled = 0;", "-dict Enabled -int 0"] }, "present", "", "Disable Automatic mounting of Music CDs.", None, False, {}) self.addKVEditor( "DisableAutoPictureCDAction", "defaults", "/Library/Preferences/com.apple.digihub", "", { "com.apple.digihub.cd.picture.appeared": ["Enabled = 0;", "-dict Enabled -int 0"] }, "present", "", "Disable Automatic mounting of Picture CDs.", None, False, {}) self.addKVEditor( "DisableAutoVideoDVDAction", "defaults", "/Library/Preferences/com.apple.digihub", "", { "com.apple.digihub.dvd.video.appeared": ["Enabled = 0;", "-dict Enabled -int 0"] }, "present", "", "Disable Automatic mounting of DVDs.", None, False, {}) self.sethelptext()
def __init__(self, config, environ, logger, statechglogger): RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.rulenumber = 215 self.rulename = 'DisableInternetSharing' self.formatDetailedResults("initialize") self.rootrequired = True self.guidance = [] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } self.addKVEditor( "DisabledInternetSharing", "defaults", "/Library/Preferences/SystemConfiguration/com.apple.nat", "", {"NAT": ["Enabled = 0;", "-dict Enabled -int 0"]}, "present", "", "Disable Internet sharing", None, False, {}) self.sethelptext()
def __init__(self, config, environ, logdispatcher, statechglogger): RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 159 self.rulename = 'DisableCloudServices' self.formatDetailedResults("initialize") self.mandatory = True self.rootrequired = True self.logger = self.logdispatch self.guidance = [] self.applicable = {'type': 'white', 'os': {'Mac OS X': ['10.15', 'r', '10.15.10'], 'Ubuntu': ['12.04', '+']}} self.ch = CommandHelper(self.logdispatch) # init CIs datatype = 'bool' key = 'DISABLECLOUDSERVICES' instructions = "To prevent cloud services from being disabled, " + \ "set the value of DisableCloudServices to False." default = True self.DisableCloudServices = self.initCi(datatype, key, instructions, default) if self.environ.getosfamily() == 'darwin': self.addKVEditor("iCloudSaveNewDocumentsToDisk", "defaults", "NSGlobalDomain", "", {"NSDocumentSaveNewDocumentsToCloud": ["0", "-bool no"]}, "present", "", "Save new documents to disk not to iCloud.", None, False, {"NSDocumentSaveNewDocumentsToCloud": ["1", "-bool yes"]}) else: self.debianpkglist = ['unity-webapps-common', 'unity-lens-shopping'] self.sethelptext()
def reportMac(self): """Mac osx specific report submethod @author: dwalker :param self: essential if you override this definition :returns: bool - True if system is compliant, False if it isn't """ success = RuleKVEditor.report(self, True) return success
def fixMac(self): """Mac osx specific fix submethod @author: dwalker :param self: essential if you override this definition :returns: bool - True if system is successfully fix, False if it isn't """ success = RuleKVEditor.fix(self, True) return success
def fix(self): '''Make secure configuration changes to smb.conf :returns: self.rulesuccess :rtype: bool @author: Breen Malmberg ''' # defaults self.detailedresults = "" self.rulesuccess = True try: if self.SecureWinFileSharing.getcurrvalue(): if os.path.exists(self.smbconflocation): myid = '0142001' self.kvosmb.setEventID(myid) if not self.kvosmb.fix(): self.rulesuccess = False self.detailedresults += "KVEditor.fix() failed" if not self.kvosmb.commit(): self.rulesuccess = False self.detailedresults += "KVEditor.commit() failed" if self.environ.getostype() == "Mac OS X": if not RuleKVEditor.fix(self, True): self.rulesuccess = False self.detailedresults += "RuleKVEditor.fix() failed" else: self.logger.log( LogPriority.DEBUG, "The SecureWinFileSharing CI was disabled when fix() ran, so nothing was done." ) self.detailedresults += "\nThe CI for this rule was already set to disabled when the rule ran, so nothing was fixed." except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults = traceback.format_exc() self.logger.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def __init__(self, config, environ, logger, statechglogger): RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.logger = logger self.rulenumber = 101 self.formatDetailedResults("initialize") self.mandatory = True self.rulename = "EncryptSwap" self.applicable = {'type': 'white', 'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}} self.addKVEditor("swapEncrypt", "defaults", "/Library/Preferences/com.apple.virtualMemory", "", {"UseEncryptedSwap": ["1", "-bool yes"]}, "present", "", "Secure Virtual memory.", None, False, {}) self.sethelptext()
def __init__(self, config, environ, logdispatcher, statechglogger): """ private method to initialize the module :param config: :param environ: :param logdispatcher: :param statechglogger: """ RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 263 self.rulename = 'ConfigureAppleAppStore' self.formatDetailedResults("initialize") self.mandatory = True self.sethelptext() self.rootrequired = True self.guidance = [ 'CCE 14813-0', 'CCE 14914-6', 'CCE 4218-4', 'CCE 14440-2' ] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } if self.environ.getostype() == "Mac OS X": self.addKVEditor( "EnableAutomaticAppUpdate", "defaults", "/Library/Preferences/com.apple.commerce", "", {"AutoUpdate": ["1", "-bool yes"]}, "present", "", "Enable Automatic Application Update. " + "This should be enabled.", None, False, {"AutoUpdate": ["0", "-bool no"]}) self.ch = CommandHelper(self.logdispatch) self.appstorehasnotrun = True
def __init__(self, config, environ, logdispatcher, statechglogger): RuleKVEditor.__init__(self, config, environ, logdispatcher, statechglogger) self.rulenumber = 3 self.rulename = 'ConfigureDiagnosticReporting' self.formatDetailedResults("initialize") self.mandatory = True self.sethelptext() self.rootrequired = True self.guidance = [] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] } } self.addKVEditor( "AutoSubmit", "defaults", "/Library/Application Support/CrashReporter/" + "DiagnosticMessagesHistory.plist", "", {"AutoSubmit": ["0", "-bool no"]}, "present", "", "Automatically submits diagnostic information to " + "Apple", None, False, {"AutoSubmit": ["1", "-bool yes"]}) version = self.environ.getosver() versionsplit = version.split(".") if len(versionsplit) >= 2: minorversion = int(versionsplit[1]) else: minorversion = 0 if minorversion >= 10: self.addKVEditor( "ThirdPartyDataSubmit", "defaults", "/Library/Application Support/CrashReporter/" + "DiagnosticMessagesHistory.plist", "", {"ThirdPartyDataSubmit": ["0", "-bool no"]}, "present", "", "Automatically submits diagnostic information " + "to third-party developers", None, False, {"ThirdPartyDataSubmit": ["1", "-bool yes"]})
def __init__(self, config, environ, logger, statechglogger): RuleKVEditor.__init__(self, config, environ, logger, statechglogger) self.rulenumber = 202 self.rulename = "DisableIRReceiver" self.formatDetailedResults("initialize") self.mandatory = True self.rootrequired = True self.guidance = ['CIS 2.4.13.7'] self.applicable = {'type': 'white', 'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}} self.addKVEditor("DisableIRReceiver", "defaults", "/Library/Preferences/com.apple.driver.AppleIRController.plist", "", {"DeviceEnabled": ["0", "-bool no"]}, "present", "", "Disable Infrared receiver. " + "This should be enabled.", None, False, {}) self.sethelptext()