Creating Shell Script for STIG Checklist MAC OSX 10.6

Hello,

I am new to Mac OSX and shell scripting altogether. I was wondering if anyone could help get me started in a few scenarios so that I would be able to automate checking a system against a STIG checklist. A STIG Checklist is a DoD Guideline for securing systems. Here is the first instance I would like to learn how to automate:

Open a terminal session and use the following command to view the setting for password history.

sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep usingHistory

If the value of usingHistory is less than 15, this is a finding.

NOTE: If the command returns a response of password server is not configured, the system is not managed. Use the following command for non-managed systems.

pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep usingHistory

Now, I know that it tells you what to check and makes it so that anyone can perform this check, so please excuse my stupidity. We all have to start somewhere.

I am not interested in fixing a system, just running a script against a system to see if it conforms to the guideline or not. It would be nice if output could be printed telling me if it passes or not, or even print the output into a log file. There will be a couple of hundred checks that I will have to do, so all output will have to go to a log file.

Thank you for your time and assistance!
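One way to turn the check quoted above into a script that reports pass or fail and appends to a log file. This is an added example, not code from the original post, the STIG, or any of the replies: the function names, the PASS/FINDING/NOT_CHECKED result strings, the log line format and the sample pwpolicy outputs are all assumptions; the only thing taken from the check itself is the command line, the /Local/Default fallback and the threshold of 15.

```shell
#!/bin/sh
# Added example (not from the original post or the STIG): automate the
# "password history" check quoted above. Function names, the result
# format and the sample pwpolicy outputs are assumptions.

# Constructed sample outputs in the "key=value key=value" shape that the
# STIG's "tr ' ' '\n' | grep usingHistory" pipeline expects. Not captured
# from a real system.
SAMPLE_PASS='usingHistory=15 maxMinutesUntilChangePassword=129600 requiresAlpha=1'
SAMPLE_FAIL='usingHistory=5 requiresAlpha=1'
SAMPLE_NOT_MANAGED='password server is not configured'

# extract_using_history OUTPUT
#   Prints the value of usingHistory, or nothing if the key is absent.
#   Same split-and-grep as the STIG, anchored so only that key matches.
extract_using_history() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep '^usingHistory=' | cut -d= -f2
}

# check_using_history OUTPUT [MINIMUM]
#   Applies the rule "less than 15 is a finding" to OUTPUT.
#   Prints one result line and returns 0 = pass, 1 = finding,
#   2 = could not determine (key missing or not numeric; review by hand).
check_using_history() {
    policy_output=$1
    minimum=${2:-15}
    value=$(extract_using_history "$policy_output")
    if [ -z "$value" ]; then
        printf 'NOT_CHECKED usingHistory not present in policy output\n'
        return 2
    fi
    case $value in
        *[!0-9]*)
            printf 'NOT_CHECKED usingHistory=%s is not a number\n' "$value"
            return 2 ;;
    esac
    if [ "$value" -lt "$minimum" ]; then
        printf 'FINDING usingHistory=%s (required >= %s)\n' "$value" "$minimum"
        return 1
    fi
    printf 'PASS usingHistory=%s\n' "$value"
    return 0
}

# get_global_policy
#   Runs the STIG command and falls back to /Local/Default when the
#   response says the password server is not configured (non-managed
#   system). Only meaningful on Mac OS X; not exercised by the tests.
get_global_policy() {
    out=$(sudo pwpolicy -n -getglobalpolicy 2>&1)
    case $out in
        *'password server is not configured'*)
            out=$(pwpolicy -n /Local/Default -getglobalpolicy 2>&1) ;;
    esac
    printf '%s\n' "$out"
}

# log_result CHECK_ID RESULT_LINE LOGFILE
#   Appends a timestamped line so a few hundred checks can share one log.
log_result() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$3"
}

# Entry point for a real host: only runs when pwpolicy is installed.
if command -v pwpolicy >/dev/null 2>&1; then
    logfile=${STIG_LOG:-stig-results.log}
    result=$(check_using_history "$(get_global_policy)") || true
    log_result 'OSX-password-history' "$result" "$logfile"
    printf '%s\n' "$result"
fi
```

Each further check can follow the same pattern: one function that gathers the raw output, one that evaluates it against a constant and returns a distinct exit status, and a shared log_result call. Keeping evaluation separate from collection means every check can be unit-tested against sample output on a machine that is not the target.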

A great deal of effort has been put in by people at cisecurity.org in creating tools to do just what you are looking for. There is a spreadsheet of security guidelines, as well as the Unix bash commands that will allow you to check for compliance. They even have a compliance tool that you can customize and run against your systems. I recommend checking their material out. For the purpose of full disclosure, I am a member of the working group for Mac OS X security guidelines.

p.s. This looks like a direct quote from the 18 Aug 2011 DISA STIG, are you actively working on this project?

Well, for starters, does that line you pasted work when you type it into Terminal? I have my doubts. Macintosh machines don't allow easy access to root, which that line of code appears to need access to. ('sudo commandname' runs 'commandname' as root, if the user has permissions.)

Modifications to OSX's setup may be necessary to make OSX insecure enough to run your security testing script.

I thought someone on this board may be able to use a set of scripts I've developed to check and remediate OS X 10.6 machines using the draft STIG guidance released in August. It is available at MacSTIG . com

There is further information on its use available in the readme.txt.

Thanks
Jackie