macos_security

Disabled launchctl reports incorrectly (Ventura)

Open jmahlman opened this issue 3 years ago • 1 comments

Summary

macOS Ventura changes how launchctl reports disabled services. Previously, the check /bin/launchctl print-disabled system for a service would return => true if it was disabled. Ventura has changed this to => disabled. For example:

The check for ssh on Monterey /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true' would work, but on Ventura this will now be /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'.

The affected rules are: os_httpd_disable, os_nfsd_disable, os_tftpd_disable, os_uucp_disable, system_settings_screen_sharing_disable, system_settings_smbd_disable, system_settings_ssh_disable

Steps to reproduce

  1. Build a baseline script with the Ventura guidance that includes any of the following checks: os_httpd_disable, os_nfsd_disable, os_tftpd_disable, os_uucp_disable, system_settings_screen_sharing_disable, system_settings_smbd_disable, system_settings_ssh_disable
  2. Run the baseline script and then audit the system

Operating System version

macOS 13 Ventura Beta (22A5331f)

What is the current bug behavior?

The scan will successfully run and remediate but the audit will not report properly.

What is the expected correct behavior?

The audit should report correctly.

Output of checks

Sample check on Monterey:

➜  ~ /bin/launchctl print-disabled system | grep apple
	"com.apple.atrun" => false
	"com.apple.AEServer" => true
	"com.apple.ManagedClientAgent.enrollagent" => false
	"com.apple.screensharing" => true
	"com.apple.CSCSupportd" => true
	"com.apple.ftpd" => true
	"com.apple.mdmclient.daemon.runatboot" => false
	"com.apple.nfsd" => true
	"com.apple.smbd" => true
	"com.apple.bootpd" => true
	"com.apple.ftp-proxy" => true

Sample check on Ventura:

➜  ~ /bin/launchctl print-disabled system | grep apple
	"com.apple.atrun" => disabled
	"com.apple.AEServer" => enabled
	"com.apple.ManagedClientAgent.enrollagent" => enabled
	"com.apple.screensharing" => disabled
	"com.apple.CSCSupportd" => disabled
	"com.apple.ftpd" => disabled
	"com.apple.mdmclient.daemon.runatboot" => enabled
	"com.apple.nfsd" => disabled
	"com.apple.smbd" => disabled

Possible fixes

Update the following rules: os_httpd_disable, os_nfsd_disable, os_tftpd_disable, os_uucp_disable, system_settings_screen_sharing_disable, system_settings_smbd_disable, system_settings_ssh_disable

Replace any instance of => true with => disabled.

jmahlman, Sep 06 '22 19:09

Forgot to add system_settings_rae_disable :)

jmahlman, Sep 13 '22 17:09

The fixes have been merged into dev_ventura. Closing issue.

golbiga, Sep 29 '22 13:09
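
An added example, not part of the issue thread or the macos_security project: a check that accepts both output formats described in the issue, so the same audit logic reports correctly on Monterey and Ventura. The helper names service_state and audit_disabled and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not taken from the macos_security project.
# Classify one label in `launchctl print-disabled system` output, accepting
# both the Monterey (true/false) and Ventura (disabled/enabled) spellings.

# Constructed sample lines in the two formats shown in the issue.
MONTEREY_SAMPLE='    "com.openssh.sshd" => true
    "com.apple.atrun" => false
    "com.apple.smbd" => true'
VENTURA_SAMPLE='    "com.openssh.sshd" => disabled
    "com.apple.mdmclient.daemon.runatboot" => enabled
    "com.apple.smbd" => disabled'

# service_state LABEL (hypothetical helper; reads print-disabled output on stdin)
# Prints one of: disabled | enabled | unknown | absent
service_state() {
    awk -v want="\"$1\"" '
        # Whole-field string comparison: the dots in the label are never
        # treated as regex wildcards, unlike an unescaped grep pattern.
        $1 == want && $2 == "=>" {
            found = 1
            if ($3 == "true" || $3 == "disabled")      state = "disabled"
            else if ($3 == "false" || $3 == "enabled") state = "enabled"
            else                                       state = "unknown"
        }
        END { if (found) print state; else print "absent" }'
}

# audit_disabled LABEL: prints 1 when the label is reported disabled, else 0,
# mirroring the count produced by the grep -c checks quoted in the issue.
audit_disabled() {
    if [ "$(service_state "$1")" = "disabled" ]; then echo 1; else echo 0; fi
}

# On a Mac: /bin/launchctl print-disabled system | audit_disabled com.openssh.sshd
for sample in "$MONTEREY_SAMPLE" "$VENTURA_SAMPLE"; do
    printf '%s\n' "$sample" | audit_disabled com.openssh.sshd
done
```

A value that matches neither format is reported as unknown rather than silently counted as not disabled, which makes a future change in the output wording visible in the audit.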