On my test Mac I have the test profile that I made installed. Because I'm doing things with policy, it doesn't exist in the plists or domains.
server:~ localadmin$ defaults -currentHost read com.apple.loginwindow
{
TALAppsToRelaunchAtLogin = (
{
BackgroundState = 2;
BundleID = "com.apple.terminal";
Hide = 0;
Path = "/Applications/Utilities/Terminal.app";
},
{
BackgroundState = 2;
BundleID = "com.apple.finder";
Hide = 0;
Path = "/System/Library/CoreServices/Finder.app";
}
);
}
Lets try another!
server:~ localadmin$ defaults read /Library/Preferences/com.apple.loginwindow.plist
{
OptimizerLastRunForBuild = 25364928;
OptimizerLastRunForSystem = 168297216;
lastUser = loggedIn;
lastUserName = localadmin;
}
Hmm. Not there either. Maybe just the basic domain?
server:~ localadmin$ defaults read com.apple.loginwindow
{
TALLogoutReason = Restart;
}
No. Not there either! Well crap. Logging out though shows me that the settings are applied!
I can't really check the mobileconfig files either since they get turned into a binary blob upon installation in /var/db/ConfigurationProfiles/Store
So what can I do?
Well the first thing is that we can ask if there are profiles installed!
server:~ localadmin$ profiles -H
profiles are installed on this system
Sweet! But now what?
Now we actually have several options, the easiest is to grab the profile data right from the profiles command as XML. You can also get this from system_profiler, and if you are using directory services based policy you can get it from dscl or mcxquerey as well.
server:~ localadmin$ sudo profiles -Pv -o Output.xml
profiles: verbose mode ON
profiles: outputPath = Output.xml
There are 1 configuration profiles installed
pass
server:~ localadmin$ less Output.xml
SNIP…
<dict>
<key>PayloadContent</key>
<dict>
<key>loginWindowIdleTime</key>
<integer>900</integer>
<key>loginWindowModulePath</key>
<string>/System/Library/Screen Savers/Flurry.saver</string>
</dict>
<key>PayloadDisplayName</key>
<string>Login Window: Screen Saver Preferences</string>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.server.example.private.a55249a0-ab8d-0130-272f-001c42d3e5bf.alacarte.loginwindow.6e51c520-ab8e-0130-2731-001c42d3e5bf.screensaver</string>
<key>PayloadType</key>
<string>com.apple.screensaver</string>
<key>PayloadUUID</key>
<string>42a5182d-2af5-dfa8-16b8-d3a3a88c37fb</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
…SNIP
As we can see, the only way to tell if this policy has been applied with a modern method like a configuration profile is to check using tools that are configuration profile aware.
For settings that use profiles this makes everything much simpler. You can simply ask for the output of the profiles command and then parse it with XPath or what not. You get all the settings in one place and you don't need to run around tracking down config files.
Thanks,
Josh
--
Josh Wisenbaker
Consulting Engineer - Apple U.S. Commercial and Governmental Sales
Thanks for getting this discussion started Josh and Prabhu!
As Prahbu mentioned, we have the existing macos-def:plist510_test and the ind-def:xmlfilecontent_test that can support the assessment of plist files (including configuration profiles). There is also an experimental plist511_test in the OVAL Language Sandbox (https://github.com/OVALProject/Sandbox/blob/master/x-macos-plist-xpath.xsd) which utilizes xpath to reference the preference key of interest.
To help show how these three tests can be used, I have attached sample definitions that check for CCE-28300-2 idle_time_for_screen_saver.
Hope this helps!
Thanks,
Danny
Hi All,
Yes! I completely agree with Josh, on the usage configuration profiles.
Being the XML formatted content of these files can be easily parsed to fetch the composed policies values, to develop the
SCAP OVALl definitions, using available '< xmlfilecontent_test >' or '< plist510_test >' probes for better assessment.
And also, as these files can be easily deployed with customized values as per user's choice. Either by
* By physically connecting the device
* In an email message
* On a webpage
* Using over-the air configuration as described in this document
so I think it will be of great use in remediation part as well.
_______________________________________________________________________________________
In supportive to Josh, I have attached few Profile files, that were developed to address the Apple iOS Hardening Checklists
by The University Of Texas at Austin.
FMI :
https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist
https://wikis.utexas.edu/display/ISO/iOS+Configuration+Profiles
--
Thanks !!
Prabhu S A
http://www.scaprepo.com
On 05/31/2013 02:50 AM, Josh Wisenbaker wrote:
Hi all,
I think that from an audit and remediation standpoint things can be greatly simplified by using Configuration Profiles.
You can easily get a XML formatted list of the composited policies that are on the Mac and you can easily apply settings by installing a profile. Using the policy mechanisms in OS X is highly recommended over messing with files.
As an example here is a profile I made that implements all of the settings for the initial loginwindow tickets that are in the tracker.
This profile allows for removal without authentication so it's easy to test with.
Consulting Engineer - Apple U.S. Commercial and Governmental Sales
_______________________________________________
SCAP-On-Apple-Dev mailing list
SCAP-On-Apple-Dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/scap-on-apple-dev
_______________________________________________
SCAP-On-Apple-Dev mailing list
SCAP-On-Apple-Dev@lists.macosforge.orghttps://lists.macosforge.org/mailman/listinfo/scap-on-apple-dev