fixtext commands are broken; have newline chars instead of spaces
Summary
(Summarize the bug encountered concisely)
Fixtext commands are broken; they have newline chars instead of spaces. For example, see the fix command below:
/usr/bin/sed -i.bak_ $(date"+%Y-%m-%d_%H:%M")"s|#PasswordAuthentication yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|" /etc/ssh/sshd_config ; /bin/launchctl kickstart -k system/com.openssh.sshd
The same issue is present in the description fields of rules. See below:
<Rule id="xccdf_gov.nist.mscp.content_rule_auth_smartcard_enforce" selected="false" role="full" severity="unknown" weight="1.0">
Smartcard authentication MUST be enforced.
/usr/bin/profiles -P-o stdout | /usr/bin/grep -c'enforceSmartCard = 1'
If the result is not 1, this is a finding.
Steps to reproduce
(How one can reproduce the issue - this is very important)
Open the XML file and see fixtext
Operating System version
(macOS Version and build)
What is the current bug behavior?
(What actually happens)
What is the expected correct behavior?
(What you should see instead)
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)
Output of checks
(Paste any output that occurs with the bug)
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)
@securevia1 what XML document did you inspect? Would you please provide (or link to) a copy?
What you noticed is incorrect content in the fixtext and description elements.
I just did a build from the main branch and see the following in the SCAP datastream:
<Rule id="xccdf_gov.nist.mscp.content_rule_auth_ssh_smartcard_enforce" selected="false" role="full" severity="unknown" weight="1.0"><title>Enforce
Smartcard Authentication for SSH</title><description><div xmlns="http://www.w3.org/1999/xhtml"><div><p>If remote login through SSH is enabled, smartcard authentication
MUST be enforced for user login.</p></div><div><p>All users
MUST go through multifactor authentication to prevent
unauthenticated access and potential compromise to the system.</p></div><div>To check the state of the system, run the following command(s):</div><div><div><pre>
/usr/bin/grep
-Ec'^(PasswordAuthentication\s+no|ChallengeResponseAuthentication\s+no)'
/etc/ssh/sshd_config
</pre></div></div><div><p>If the result is not
2, this is a finding.</p></div></div></description><warning category="general"><div xmlns="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config will be automatically
modified to its original state following any update or major
upgrade to the operating system.</div></warning><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2">NIST SP 800-53r4 IA-2</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-1">NIST SP 800-53r4 IA-2(1)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-11">NIST SP 800-53r4 IA-2(11)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-2">NIST SP 800-53r4 IA-2(2)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-3">NIST SP 800-53r4 IA-2(3)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-4">NIST SP 800-53r4 IA-2(4)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-6">NIST SP 800-53r4 IA-2(6)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-11">NIST SP 800-53r4 IA-5(11)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-2">NIST SP 800-53r4 IA-5(2)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/MA-4">NIST SP 800-53r4 MA-4</reference><ident system="http://cce.mitre.org/">CCE-85281-4</ident><fixtext><div xmlns="http://www.w3.org/1999/xhtml"><div>The following commands must be run to disable passcode based authentication for SSHD:</div><div><div><pre>
/usr/bin/sed
-i.bak_
$(date"+%Y-%m-%d_%H:%M")"s|#PasswordAuthentication
yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication
yes|ChallengeResponseAuthentication no|"
/etc/ssh/sshd_config
; /bin/launchctl kickstart
-k system/com.openssh.sshd
</pre></div></div></div></fixtext><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="oval.xml" name="oval:mscp:def:4"/></check></Rule>
and
<Rule id="xccdf_gov.nist.mscp.content_rule_auth_smartcard_allow" selected="false" role="full" severity="unknown" weight="1.0"><title>Allow Smartcard
Authentication</title><description><div xmlns="http://www.w3.org/1999/xhtml"><div><p>Smartcard authentication
MUST be allowed.</p></div><div>The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.</div><div>When enabled, the smartcard can be used for login, authorization, and screen saver unlocking.</div><div>To check the state of the system, run the following command(s):</div><div><div><pre>
/usr/bin/profiles
-P-o stdout | /usr/bin/grep
-c'allowSmartCard = 1'
</pre></div></div><div><p>If the result is not
1, this is a finding.</p></div></div></description><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-2#enhancement-12">NIST SP 800-53r4 IA-2(12)</reference><reference href="https://nvd.nist.gov/800-53/Rev4/control/IA-5#enhancement-11">NIST SP 800-53r4 IA-5(11)</reference><ident system="http://cce.mitre.org/">CCE-85277-2</ident><fixtext><div xmlns="http://www.w3.org/1999/xhtml"><div>Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:</div><div><div><pre>
<key>allowSmartCard
</key><true/>
</pre></div></div></div></fixtext><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="oval.xml" name="oval:mscp:def:2"/></check></Rule>
In both cases the <fixtext> element contains HTML which encapsulates the shell commands in a <pre> element (and would be rendered as separate lines).
The <description> and <fixtext> content of the first rule looks wrong, as if it was arbitrarily wrapped. The companion HTML and PDF of the first rule are also incorrect.
The <description> of the second rule is incorrect and looks arbitrarily wrapped. It appears to be an error in the build process translation from HTML to XHTML.
We used this link to download the macOS benchmark: https://github.com/usnistgov/macos_security/releases/download/big_sur_rev1/MSCP_Big_Sur_Rev_1.zip
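A check a reviewer of a generated benchmark can run before distributing it, added here as an example (it is not the project's own code and not part of generate_scap.py): it walks every Rule in an XCCDF document, extracts the text of each <pre> inside description and fixtext, and flags blocks whose command was wrapped across lines or contains flags glued to their neighbours (the -P-o and -c'...' pattern quoted above). The embedded benchmark is constructed from the broken rule quoted in this thread plus one intact rule for contrast; the Benchmark wrapper and the second rule's id are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed XCCDF benchmark holding the wrapped description and
# fixtext quoted in the issue, plus one intact rule. This is not the real datastream.
SAMPLE_XCCDF = r"""<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_benchmark">
  <Rule id="xccdf_gov.nist.mscp.content_rule_auth_ssh_smartcard_enforce" selected="false" severity="unknown" weight="1.0">
    <title>Enforce Smartcard Authentication for SSH</title>
    <description><div xmlns="http://www.w3.org/1999/xhtml"><div>To check the state of the system, run the following command(s):</div><div><div><pre>
/usr/bin/grep
-Ec'^(PasswordAuthentication\s+no|ChallengeResponseAuthentication\s+no)'
/etc/ssh/sshd_config
</pre></div></div></div></description>
    <fixtext><div xmlns="http://www.w3.org/1999/xhtml"><div><pre>
/usr/bin/sed
-i.bak_
$(date"+%Y-%m-%d_%H:%M")"s|#PasswordAuthentication
yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication
yes|ChallengeResponseAuthentication no|"
/etc/ssh/sshd_config
; /bin/launchctl kickstart
-k system/com.openssh.sshd
</pre></div></div></fixtext>
  </Rule>
  <Rule id="xccdf_example_rule_intact" selected="false" severity="unknown" weight="1.0">
    <title>Intact rule (constructed for contrast)</title>
    <fixtext><div xmlns="http://www.w3.org/1999/xhtml"><pre>
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSmartCard = 1'
</pre></div></fixtext>
  </Rule>
</Benchmark>
"""

# Heuristic: a short option immediately followed by another option or an opening
# quote with no space in between (-P-o, -c'x', -Ec'^...') is almost never intended.
GLUED_FLAG = re.compile(r"""(?<!\S)-[A-Za-z]+(?:-[A-Za-z]|['"])""")


def local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}pre' -> 'pre'."""
    return tag.rsplit('}', 1)[-1]


def find_broken_commands(xml_text):
    """Return one finding per <pre> block in a Rule's description/fixtext that looks
    wrapped (more than one non-blank line) or contains glued option tokens."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter():
        if local(rule.tag) != 'Rule':
            continue
        for field in rule:
            if local(field.tag) not in ('description', 'fixtext'):
                continue
            for pre in field.iter():
                if local(pre.tag) != 'pre':
                    continue
                text = ''.join(pre.itertext()).strip()
                lines = [ln for ln in text.splitlines() if ln.strip()]
                glued = GLUED_FLAG.findall(text)
                if len(lines) > 1 or glued:
                    findings.append({
                        'rule': rule.get('id'),
                        'field': local(field.tag),
                        'lines': len(lines),
                        'glued_tokens': glued,
                        'text': text,
                    })
    return findings


if __name__ == '__main__':
    for f in find_broken_commands(SAMPLE_XCCDF):
        print(f"{f['rule']} {f['field']}: {f['lines']} line(s), glued={f['glued_tokens']}")
```

The line-count signal alone is only a hint, since a fixtext may legitimately list several commands on separate lines; the glued-token signal is the stronger one, because a remediation such as the sed call above would fail or behave unexpectedly if pasted as shown. Running the script against a real datastream instead of the sample means reading the file and passing its contents to find_broken_commands.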
It turns out this may be an issue with how asciidoctor is transforming the adoc into HTML.
Something like this in the adoc file:
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSmartCard = 1'
Gets turned into this:
<pre class="rouge highlight"><code data-lang="bash">/usr/bin/profiles <span class="nt">-P</span> <span class="nt">-o</span> stdout | /usr/bin/grep <span class="nt">-c</span> <span class="s1">'allowSmartCard = 1'</span></code></pre>
So the XHTML and XML are not at fault; it seems to be adoc -> html. We may be able to figure out a way to parse this and remove it when it's converted to XHTML and XML.
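An added illustration of the whitespace loss described in the comment above (this is not code from the project): the rouge-highlighted <pre> shown there is fed through two text extractors. One keeps every text node, including the single spaces that sit between adjacent <span> elements, and recovers the original command; the other discards whitespace-only text nodes, which is enough to reproduce the -P-o and -c'allowSmartCard = 1' gluing seen in the datastream. The class and function names are my own; the HTML constant is the fragment quoted above.

```python
import shlex
from html.parser import HTMLParser

# The asciidoctor/rouge output quoted in the issue for the allowSmartCard check.
ROUGE_HTML = (
    '<pre class="rouge highlight"><code data-lang="bash">/usr/bin/profiles '
    '<span class="nt">-P</span> <span class="nt">-o</span> stdout | /usr/bin/grep '
    '<span class="nt">-c</span> <span class="s1">\'allowSmartCard = 1\'</span></code></pre>'
)


class PreTextExtractor(HTMLParser):
    """Collect the text content of <pre> elements, dropping the highlighting markup.

    With keep_insignificant_whitespace=False the extractor mimics a converter that
    treats whitespace-only text nodes between inline elements as disposable, which
    is how '-P -o' collapses to '-P-o'.
    """

    def __init__(self, keep_insignificant_whitespace=True):
        super().__init__(convert_charrefs=True)
        self.keep_ws = keep_insignificant_whitespace
        self.depth = 0      # >0 while inside a <pre>
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag == 'pre':
            self.depth += 1

    def handle_endtag(self, tag):
        if tag == 'pre':
            self.depth -= 1

    def handle_data(self, data):
        if self.depth == 0:
            return
        if not self.keep_ws and not data.strip():
            return          # the lossy path: " " between two <span>s vanishes
        self.parts.append(data)


def extract_command(html, preserve_whitespace=True):
    """Return the plain command text held by <pre> blocks in the given HTML."""
    parser = PreTextExtractor(preserve_whitespace)
    parser.feed(html)
    parser.close()
    return ''.join(parser.parts).strip()


def tokens(command):
    """Split a command the way a POSIX shell would, to show what actually gets run."""
    return shlex.split(command)


if __name__ == '__main__':
    good = extract_command(ROUGE_HTML)
    bad = extract_command(ROUGE_HTML, preserve_whitespace=False)
    print('preserved:', good)
    print('lossy:    ', bad)
    print('lossy tokens:', tokens(bad))
```

The token view makes the consequence concrete: the lossy extraction hands profiles a single argument "-P-o" and grep a count flag with the pattern fused onto it, so the check command in the benchmark would not run as documented. Stripping highlighting by walking text nodes, rather than by re-serialising and pretty-printing the XHTML, keeps the spaces intact.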
This was resolved with the generate_scap.py script.