Merge pull request mvdbent#27 from grahampugh/dev

Various fixes and improvements
monodata · Oct 24, 2022 · 64e84d0 · 64e84d0
2 parents 4a945c5 + bc45e5f
commit 64e84d0
Show file tree

Hide file tree

Showing 135 changed files with 644 additions and 330 deletions.
diff --git a/Fragments/Footer.sh b/Fragments/Footer.sh
@@ -1,9 +1,12 @@
+#!/bin/zsh
+# shellcheck shell=bash
+# NOTE: this script is not designed to be run standalone. It is assembled by ./Assemble.sh
 
 ####################################################################################################
 ####################################################################################################
 
 # Creation date CISBenchmarkReport
-if [[ "${argumentHeaderFunctionName}" ==  "fullHeader" ]] || [[ "${reportSetting}" == "full" ]]; then
+if [[ "${argumentHeaderFunctionName}" == "fullHeader" ]] || [[ "${reportSetting}" == "full" ]]; then
 		## add creation date
 		echo ";;;;;;;;;;" >> "${CISBenchmarkReport}"
 		if [[ "$osVersion" = "10.15."* ]]; then

diff --git a/Fragments/Header.sh b/Fragments/Header.sh
@@ -1,3 +1,7 @@
+#!/bin/zsh
+# shellcheck shell=bash
+# NOTE: this script is not designed to be run standalone. It is assembled by ./Assemble.sh
+
 ####################################################################################################
 #        License information
 ####################################################################################################
@@ -40,15 +44,15 @@ export PATH=/usr/bin:/bin:/usr/sbin:/sbin
 ####################################################################################################
 
 CISBenchmarkReportPath="/Library/Security/Reports"
-CISBenchmarkReport=${CISBenchmarkReportPath}/CISBenchmarkReport.csv
+CISBenchmarkReport="${CISBenchmarkReportPath}/CISBenchmarkReport.csv"
 plistlocation="/Library/Managed Preferences/com.cis.benchmark.plist"
 currentUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ { print $3 }')
 
 ####################################################################################################
 #        Functions
 ####################################################################################################
 
-function help(){
+function help() {
   echo
   echo "The following options are available:"
   echo 
@@ -97,7 +101,7 @@ esac
 
 function runAudit() {
 	## Check if scoring file is present
-	if [[ ! -e ${plistlocation} ]]; then
+	if [[ ! -f "${plistlocation}" ]]; then
 		## No scoring file present, reporting all
 		auditResult="1"
 		scored=""
@@ -149,7 +153,7 @@ EndOfScript
 }
 
 function getPrefIsManagedrunAsUser() { # $1: domain, $2: key
-	runAsUser     osascript -l JavaScript << EndOfScript
+	runAsUser osascript -l JavaScript << EndOfScript
     ObjC.import('Foundation')
     ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('$1').objectIsForcedForKey('$2'))
 EndOfScript
@@ -164,25 +168,25 @@ function CISBenchmarkReportFolder() {
 	fi
 }
 
-function shortHeader(){
+function shortHeader() {
 	echo "Audit Number;Level;Scoring;Result;Managed;Method;Comments" >> "${CISBenchmarkReport}"
 }
 
-function fullHeader(){
+function fullHeader() {
 	echo "Audit Number;Level;Scoring;Result;Managed;Preference domain;Option;Value;Method;Comments;Remediate" >> "${CISBenchmarkReport}"
 }
 
-function shortReport(){
-	echo "${audit};${CISLevel};${scored};${result};${prefIsManaged};${method};${comment}">>"${CISBenchmarkReport}"
+function shortReport() {
+	echo "${audit};${CISLevel};${scored};${result};${prefIsManaged};${method};${comment}" >> "${CISBenchmarkReport}"
 }
 
-function fullReport(){
-	echo "${audit};${CISLevel};${scored};${result};${prefIsManaged};${appidentifier};${value};${prefValue};${method};${comment};${remediate}">>"${CISBenchmarkReport}"
+function fullReport() {
+	echo "${audit};${CISLevel};${scored};${result};${prefIsManaged};${appidentifier};${value};${prefValue};${method};${comment};${remediate}" >> "${CISBenchmarkReport}"
 }
 
-function printReport(){
+function printReport() {
 	## Check if scoring file is present
-	if [[ ! -e ${plistlocation} ]]; then
+	if [[ ! -f "${plistlocation}" ]]; then
 		## No scoring file present, check arguments
 		${argumentReportFunctionName}
 	else
@@ -195,9 +199,9 @@ function printReport(){
 	fi
 }
 
-function printReportHeaders(){
+function printReportHeaders() {
 	## Check if scoring file is present
-	if [[ ! -e ${plistlocation} ]]; then
+	if [[ ! -f "${plistlocation}" ]]; then
 		## No scoring file present, check arguments
 		${argumentHeaderFunctionName}
 	else
@@ -212,7 +216,7 @@ function printReportHeaders(){
 
 function runRemediate() {
 	## Check if scoring file is present
-	if [[ ! -e ${plistlocation} ]]; then
+	if [[ ! -f "${plistlocation}" ]]; then
 		## No scoring file present, check arguments
 		remediateResult="${argumentRemediateVariable}"
 	else
@@ -225,7 +229,7 @@ function runRemediate() {
 	fi
 }
 
-function emptyVariables(){
+function emptyVariables() {
 	prefIsManaged=""
 	appidentifier=""
 	value=""
@@ -236,7 +240,7 @@ function emptyVariables(){
 	remediate=""
 }
 
-function killcfpref(){
+function killcfpref() {
 	## Restart daemon responsible for prefrence caching
 	echo "Killing cfprefs daemon "
 	killall cfprefsd
@@ -252,25 +256,27 @@ echo "*** Security report started - $(date -u)"
 # Check for macOS version
 osVersion=$(sw_vers -productVersion)
 buildVersion=$(sw_vers -buildVersion)
-if [[ "$osVersion" != "10.15."* ]] && [[ "$osVersion" != "11."* ]] && [[ "$osVersion" != "12."* ]]; then
-		echo ""
-		echo "*** This script support macOS Catalina, Big Sur and Monterey only"
-		echo
-		echo "*** Quitting..."
-		echo ""
-		exit 1
-	else
-		if [[ "$osVersion" = "10.15."* ]]; then
-			echo "*** Current version - macOS Catalina ${osVersion} (${buildVersion})"
-			echo "" 1>&2
-		elif [[ "$osVersion" = "11."* ]]; then
-			echo "*** Current version - macOS Big Sur ${osVersion} (${buildVersion})"
-			echo "" 1>&2
-		elif [[ "$osVersion" = "12."* ]]; then
-			echo "*** Current version - macOS Monterey ${osVersion} (${buildVersion})"
-			echo "" 1>&2
-		fi
-	fi
+if [[ "$osVersion" = "10.15."* ]]; then
+    echo "*** Current version - macOS Catalina ${osVersion} (${buildVersion})"
+    echo "" 1>&2
+elif [[ "$osVersion" = "11."* ]]; then
+    echo "*** Current version - macOS Big Sur ${osVersion} (${buildVersion})"
+    echo "" 1>&2
+elif [[ "$osVersion" = "12."* ]]; then
+    echo "*** Current version - macOS Monterey ${osVersion} (${buildVersion})"
+    echo "" 1>&2
+elif [[ "$osVersion" = "13."* ]]; then
+    echo "*** Current version - macOS Ventura ${osVersion} (${buildVersion})"
+    echo "*** NOTE: experimental support only - based on Monterey benchmarks"
+    echo "" 1>&2
+else
+    echo ""
+    echo "*** This script supports macOS Catalina, Big Sur, Monterey and Ventura only"
+    echo
+    echo "*** Quitting..."
+    echo ""
+    exit 1
+fi
 
 # Check for admin/root permissions
 if [[ "$(id -u)" != "0" ]]; then

diff --git a/Fragments/OrgScores/OrgScore1_1.sh b/Fragments/OrgScores/OrgScore1_1.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="1.1 Ensure All Apple-provided Software Is Current (Automated)"
@@ -15,7 +16,7 @@ remediate="Script > sudo /usr/sbin/softwareupdate --install --restart --recommen
 runAudit
 # If organizational score is 1 or true, check status of client
 if [[ "${auditResult}" == "1" ]]; then
-	countAvailableSUS=$(softwareupdate --list 2>&1 | grep -c "*") # add --no-scan to review the local softwareupdate database
+	countAvailableSUS=$(/usr/bin/defaults read "/Library/Preferences/com.apple.SoftwareUpdate.plist" LastRecommendedUpdatesAvailable)
 	if [[ "${countAvailableSUS}" == "0" ]]; then
 		result="Passed"
 		comment="Apple Software is Current"

diff --git a/Fragments/OrgScores/OrgScore1_2.sh b/Fragments/OrgScores/OrgScore1_2.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="1.2 Ensure Auto Update Is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore1_3.sh b/Fragments/OrgScores/OrgScore1_3.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="1.3 Ensure Download New Updates When Available is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore1_4.sh b/Fragments/OrgScores/OrgScore1_4.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="1.4 Ensure Installation of App Update Is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore1_5.sh b/Fragments/OrgScores/OrgScore1_5.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore1_6.sh b/Fragments/OrgScores/OrgScore1_6.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="1.6 Ensure Install of macOS Updates Is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore2_10.sh b/Fragments/OrgScores/OrgScore2_10.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="2.10 Ensure Secure Keyboard Entry terminal.app is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore2_11.sh b/Fragments/OrgScores/OrgScore2_11.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="2.11 Ensure EFI Version Is Valid and Checked Regularly (Automated)"
@@ -14,7 +15,7 @@ runAudit
 # If organizational score is 1 or true, check status of client
 if [[ "${auditResult}" == "1" ]]; then
 	method="Manual"
-	remediate="If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
+	remediate="Manual > If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
 
 	comment="EFI version: Valid"
 	# Check for Apple Silicon

diff --git a/Fragments/OrgScores/OrgScore2_1_1.sh b/Fragments/OrgScores/OrgScore2_1_1.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired (Automated)"
@@ -14,10 +15,10 @@ runAudit
 # If organizational score is 1 or true, check status of client
 if [[ "${auditResult}" == "1" ]]; then
 	method="Script"
-	remediate="Script - defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false"
+	remediate="Script > defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false"
 
 	connectable=$(system_profiler SPBluetoothDataType 2>&1 | grep -c "Paired: Yes")
-	bluetoothEnabled=$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool)
+	bluetoothEnabled=$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2>/dev/null)
 	comment="Paired Devices: ${connectable}"
 	# if [[ "$connectable" == 0 ]] && [[ "$bluetoothEnabled" == 0 ]]; then
 	if [[ "$bluetoothEnabled" == 0 ]]; then

diff --git a/Fragments/OrgScores/OrgScore2_1_2.sh b/Fragments/OrgScores/OrgScore2_1_2.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore2_2_1.sh b/Fragments/OrgScores/OrgScore2_2_1.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="2.2.1 Ensure 'Set time and date automatically' Is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore2_2_2.sh b/Fragments/OrgScores/OrgScore2_2_2.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="2.2.2 Ensure time set is within appropriate limits (Automated)"

diff --git a/Fragments/OrgScores/OrgScore2_3_1.sh b/Fragments/OrgScores/OrgScore2_3_1.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated)"

diff --git a/Fragments/OrgScores/OrgScore2_3_2.sh b/Fragments/OrgScores/OrgScore2_3_2.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="2"
 audit="2.3.2 Ensure Screen Saver Corners Are Secure (Automated)"

diff --git a/Fragments/OrgScores/OrgScore2_3_3.sh b/Fragments/OrgScores/OrgScore2_3_3.sh
@@ -1,9 +1,10 @@
 #!/bin/zsh
+# shellcheck shell=bash
 
 script_dir=$(dirname ${0:A})
 projectfolder=$(dirname $script_dir)
 
-source ${projectfolder}/Header.sh
+source "${projectfolder}/Header.sh"
 
 CISLevel="1"
 audit="2.3.3 Audit Lock Screen and Start Screen Saver Tools (Manual)"
@@ -14,7 +15,7 @@ runAudit
 # If organizational score is 1 or true, check status of client
 if [[ "${auditResult}" == "1" ]]; then
 	method="Manual"
-	remediate="Familiarise users with screen lock tools or corner to Start Screen Saver"
+	remediate="Manual > Familiarise users with screen lock tools or corner to Start Screen Saver"
 
 	appidentifier="com.apple.dock"
 	value="wvous-bl-corner"