
Comments (4)

GaryGapinski avatar GaryGapinski commented on August 25, 2024

@securevia1 what XML document did you inspect? Would you please provide (or link to) a copy?

What you noticed is incorrect content in the fixtext and description elements.

I just did a build from the main branch and see the following in the SCAP datastream:

<Rule id="xccdf_gov.nist.mscp.content_rule_auth_ssh_smartcard_enforce" selected="false" role="full" severity="unknown" weight="1.0"><title>Enforce
Smartcard Authentication for SSH</title><description><div xmlns="http://www.w3.org/1999/xhtml"><div><p>If remote login through SSH is enabled, smartcard authentication

MUST be enforced for user login.</p></div><div><p>All users 
MUST go through multifactor authentication to prevent
unauthenticated access and potential compromise to the system.</p></div><div>To check the state of the system, run the following command(s):</div><div><div><pre>
/usr/bin/grep 
-Ec'^(PasswordAuthentication\s+no|ChallengeResponseAuthentication\s+no)'
/etc/ssh/sshd_config
</pre></div></div><div><p>If the result is not 
2, this is a finding.</p></div></div></description><warning category="general"><div xmlns="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config will be automatically
modified to its original state following any update or major
upgrade to the operating system.</div></warning><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2">NIST SP 800-53r4 IA-2</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-1">NIST SP 800-53r4 IA-2(1)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-11">NIST SP 800-53r4 IA-2(11)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-2">NIST SP 800-53r4 IA-2(2)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-3">NIST SP 800-53r4 IA-2(3)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-4">NIST SP 800-53r4 IA-2(4)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-6">NIST SP 800-53r4 IA-2(6)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-11">NIST SP 800-53r4 IA-5(11)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-2">NIST SP 800-53r4 IA-5(2)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/MA-4">NIST SP 800-53r4 MA-4</reference><ident system="http://cce.mitre.org/">CCE-85281-4</ident><fixtext><div xmlns="http://www.w3.org/1999/xhtml"><div>The following commands must be run to disable passcode based authentication for SSHD:</div><div><div><pre>
/usr/bin/sed 
-i.bak_
$(date"+%Y-%m-%d_%H:%M")"s|#PasswordAuthentication
yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication
yes|ChallengeResponseAuthentication no|"
/etc/ssh/sshd_config
; /bin/launchctl kickstart 
-k system/com.openssh.sshd
</pre></div></div></div></fixtext><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="oval.xml" name="oval:mscp:def:4"/></check></Rule>

and

<Rule id="xccdf_gov.nist.mscp.content_rule_auth_smartcard_allow" selected="false" role="full" severity="unknown" weight="1.0"><title>Allow Smartcard
Authentication</title><description><div xmlns="http://www.w3.org/1999/xhtml"><div><p>Smartcard authentication 
MUST be allowed.</p></div><div>The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.</div><div>When enabled, the smartcard can be used for login, authorization, and screen saver unlocking.</div><div>To check the state of the system, run the following command(s):</div><div><div><pre>
/usr/bin/profiles 
-P-o stdout | /usr/bin/grep 
-c'allowSmartCard = 1'
</pre></div></div><div><p>If the result is not 
1, this is a finding.</p></div></div></description><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-12">NIST SP 800-53r4 IA-2(12)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-11">NIST SP 800-53r4 IA-5(11)</reference><ident system="http://cce.mitre.org/">CCE-85277-2</ident><fixtext><div xmlns="http://www.w3.org/1999/xhtml"><div>Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:</div><div><div><pre>
&lt;key&gt;allowSmartCard
&lt;/key&gt;&lt;true/&gt;
</pre></div></div></div></fixtext><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="oval.xml" name="oval:mscp:def:2"/></check></Rule>

In both cases the <fixtext> element contains HTML which encapsulates the shell commands in a <pre> element (and would be rendered as separate lines).

The <description> and <fixtext> content of the first rule looks wrong, as if it was arbitrarily wrapped. The companion HTML and PDF of the first rule are also incorrect.

The <description> of the second rule is incorrect and looks arbitrarily wrapped. It appears to be an error in the build process translation from HTML to XHTML.

from macos_security.

securevia1 avatar securevia1 commented on August 25, 2024

We used this link to download the macOS benchmark:
https://github.com/usnistgov/macos_security/releases/download/big_sur_rev1/MSCP_Big_Sur_Rev_1.zip

robertgendler avatar robertgendler commented on August 25, 2024

It turns out this may be an issue with how asciidoctor is transforming the adoc into HTML.

Something like this in the adoc file
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSmartCard = 1'

Gets turned into this
<pre class="rouge highlight"><code data-lang="bash">/usr/bin/profiles <span class="nt">-P</span> <span class="nt">-o</span> stdout | /usr/bin/grep <span class="nt">-c</span> <span class="s1">'allowSmartCard = 1'</span></code></pre>

So the XHTML and XML are not at fault, it seems to be adoc -> html. We may be able to figure out a way to parse this and remove it when it's converted to XHTML and XML.
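
The two comments above describe the same defect from both ends: asciidoctor's rouge highlighter wraps each token in `<span>` elements, and the later conversion into the XHTML `<pre>` of the datastream ended up breaking lines (and dropping spaces such as the one between `-c` and the quoted pattern) at those span boundaries. The snippet below is an added example, not code from the macos_security project or from any commenter. It recovers the plain command from the highlighted HTML by keeping only text nodes inside `<pre>`, and then checks a datastream `<pre>` block against the expected command after whitespace normalisation, so the wrapped output quoted earlier in the thread is flagged while the correctly stripped rouge output passes. The function names (`recover_command`, `commands_match`, `find_mismatches`) are my own, and the sample inputs are constructed from the fragments quoted above.

```python
"""Strip rouge highlighting from asciidoctor <pre> output and compare
SCAP datastream <pre> blocks against the expected shell commands."""
from html.parser import HTMLParser


class PreTextExtractor(HTMLParser):
    """Collect the text of every top-level <pre> element, discarding all
    inline markup (e.g. rouge's <span class="nt">) but keeping the text
    verbatim. Character references such as &lt; are decoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._depth = 0
        self._buf = []
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            if self._depth == 0:
                self._buf = []
            self._depth += 1

    def handle_endtag(self, tag):
        if tag == "pre" and self._depth:
            self._depth -= 1
            if self._depth == 0:
                self.blocks.append("".join(self._buf))

    def handle_data(self, data):
        if self._depth:
            self._buf.append(data)


def pre_blocks(html):
    """Return the text content of each <pre> block in an HTML/XHTML fragment."""
    parser = PreTextExtractor()
    parser.feed(html)
    parser.close()
    return parser.blocks


def recover_command(html):
    """Text of the first <pre> block with surrounding whitespace removed."""
    blocks = pre_blocks(html)
    return blocks[0].strip() if blocks else ""


def normalize(cmd):
    """Collapse runs of whitespace (including newlines) to single spaces."""
    return " ".join(cmd.split())


def commands_match(generated, expected):
    """True if the generated text equals the expected command once
    whitespace is normalised. A line break inserted where the source had
    a space still matches; a dropped space (e.g. '-c' fused to the
    pattern) does not, which is the finding we want."""
    return normalize(generated) == normalize(expected)


def find_mismatches(html, expected_cmds):
    """Pair each <pre> block with its expected command and return the
    indices of the blocks that do not match."""
    blocks = pre_blocks(html)
    return [i for i, (got, want) in enumerate(zip(blocks, expected_cmds))
            if not commands_match(got, want)]


# Constructed sample inputs, taken from the fragments quoted in the thread.
EXPECTED_CMD = "/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSmartCard = 1'"

# rouge-highlighted HTML as emitted by asciidoctor.
ROUGE_HTML = (
    '<pre class="rouge highlight"><code data-lang="bash">/usr/bin/profiles '
    '<span class="nt">-P</span> <span class="nt">-o</span> stdout | '
    '/usr/bin/grep <span class="nt">-c</span> '
    '<span class="s1">\'allowSmartCard = 1\'</span></code></pre>'
)

# The wrapped <pre> as it appeared in the datastream's <description>.
WRAPPED_PRE = (
    "<pre>\n/usr/bin/profiles \n-P-o stdout | /usr/bin/grep \n"
    "-c'allowSmartCard = 1'\n</pre>"
)

if __name__ == "__main__":
    print(recover_command(ROUGE_HTML))
    print("rouge stripped matches:", commands_match(recover_command(ROUGE_HTML), EXPECTED_CMD))
    print("datastream matches:   ", commands_match(recover_command(WRAPPED_PRE), EXPECTED_CMD))
    print("mismatching blocks:   ", find_mismatches(WRAPPED_PRE, [EXPECTED_CMD]))
```

Stripping the spans before the HTML-to-XHTML step, as the comment proposes, is what `recover_command` does; running `find_mismatches` over a built datastream with the adoc commands as the expected list is a cheap regression check that the wrapping has not come back.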

robertgendler avatar robertgendler commented on August 25, 2024

This was resolved with the generate_scap.py script.
