@@ -391,34 +391,46 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
391391
392392 for sections in baseline_yaml ['profile' ]:
393393 for profile_rule in sections ['rules' ]:
394- for rule in glob .glob ('../rules/*/{}.yaml' .format (profile_rule )) + glob .glob ('../custom/rules/**/{}.yaml' .format (profile_rule ),recursive = True ):
395- rule_yaml = get_rule_yaml (rule , False )
394+ logging .debug (f"checking for rule file for { profile_rule } )
395+ if glob .glob ('../custom/rules/**/{}.yaml' .format (profile_rule ),recursive = True ):
396+ rule = glob .glob ('../custom/rules/**/{}.yaml' .format (profile_rule ),recursive = True )[0 ]
397+ custom = True
398+ logging .debug (f"{ rule } )
399+ elif glob .glob ('../rules/*/{}.yaml' .format (profile_rule )):
400+ rule = glob .glob ('../rules/*/{}.yaml' .format (profile_rule ))[0 ]
401+ custom = False
402+ logging .debug (f"{ rule } )
403+
404+ #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
405+ rule_yaml = get_rule_yaml (rule , custom )
396406
397- if rule_yaml ['mobileconfig' ]:
398- for payload_type , info in rule_yaml ['mobileconfig_info' ].items ():
399- try :
400- if payload_type not in manifests ['payloads_types' ]:
401- profile_errors .append (rule )
402- raise ValueError (
403- "{}: Payload Type is not supported" .format (payload_type ))
404- else :
405- pass
406- except (KeyError , ValueError ) as e :
407+ if rule_yaml ['mobileconfig' ]:
408+ for payload_type , info in rule_yaml ['mobileconfig_info' ].items ():
409+ valid = True
410+ try :
411+ if payload_type not in manifests ['payloads_types' ]:
407412 profile_errors .append (rule )
408- #print(e)
413+ raise ValueError (
414+ "{}: Payload Type is not supported" .format (payload_type ))
415+ else :
409416 pass
417+ except (KeyError , ValueError ) as e :
418+ profile_errors .append (rule )
419+ logging .debug (e )
420+ valid = False
410421
411- try :
412- if isinstance (info , list ):
413- raise ValueError (
414- "Payload key is non-conforming" )
415- else :
416- pass
417- except (KeyError , ValueError ) as e :
418- profile_errors .append (rule )
419- #print(e)
422+ try :
423+ if isinstance (info , list ):
424+ raise ValueError (
425+ "Payload key is non-conforming" )
426+ else :
420427 pass
421-
428+ except (KeyError , ValueError ) as e :
429+ profile_errors .append (rule )
430+ logging .debug (e )
431+ valid = False
432+
433+ if valid :
422434 if payload_type == "com.apple.ManagedClient.preferences" :
423435 for payload_domain , settings in info .items ():
424436 for key , value in settings .items ():
@@ -571,6 +583,9 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference):
571583CURRENT_USER=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {{ print $3 }}')
572584CURR_USER_UID=$(/usr/bin/id -u $CURR_USER)
573585
586+ # get system architecture
587+ arch=$(/usr/bin/arch)
588+
574589# configure colors for text
575590RED='\e[31m'
576591STD='\e[39m'
@@ -744,8 +759,6 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference):
744759defaults write "$audit_plist" lastComplianceCheck "$(date)"
745760 """
746761
747- #compliance_script_file.write(check_zsh_header)
748-
749762 # Read all rules in the section and output the check functions
750763 for sections in baseline_yaml ['profile' ]:
751764 for profile_rule in sections ['rules' ]:
@@ -759,13 +772,20 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference):
759772 custom = False
760773 logging .debug (f"{ rule } )
761774
762- #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
763775 rule_yaml = get_rule_yaml (rule , custom )
764776
765777 if rule_yaml ['id' ].startswith ("supplemental" ):
766778 continue
767779 if "manual" in rule_yaml ['tags' ]:
768780 continue
781+
782+ if "arm64" in rule_yaml ['tags' ]:
783+ arch = "arm64"
784+ elif "intel" in rule_yaml ['tags' ]:
785+ arch = "i386"
786+ else :
787+ arch = ""
788+
769789 # grab the 800-53 controls
770790 try :
771791 rule_yaml ['references' ]['800-53r5' ]
@@ -774,21 +794,6 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference):
774794 else :
775795 nist_80053r5 = rule_yaml ['references' ]['800-53r5' ]
776796
777- #try:
778- # rule_yaml['references']['disa_stig']
779- #except KeyError:
780- # stig_ref = rule_yaml['id']
781- #else:
782- # if rule_yaml['references']['disa_stig'][0] == "N/A":
783- # stig_ref = [rule_yaml['id']]
784- # else:
785- # stig_ref = rule_yaml['references']['disa_stig']
786- #
787- #if "STIG" in baseline_yaml['title']:
788- # logging.debug(f'Setting STIG reference for logging: {stig_ref}')
789- # log_reference_id = stig_ref
790- #else:
791- # log_reference_id = [rule_yaml['id']]
792797 if reference == "default" :
793798 log_reference_id = [rule_yaml ['id' ]]
794799 else :
@@ -847,31 +852,40 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference):
847852 zsh_check_text = """
848853#####----- Rule: {0} -----#####
849854## Addresses the following NIST 800-53 controls: {1}
850- #echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log"
851- unset result_value
852- result_value=$({2})
853- # expected result {3}
854-
855- # check to see if rule is exempt
856- unset exempt
857- unset exempt_reason
858- exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null)
859- exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null)
860-
861- if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then
862- if [[ $result_value == "{4}" ]]; then
863- echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
855+ rule_arch="{6}"
856+ if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then
857+ #echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log"
858+ unset result_value
859+ result_value=$({2})
860+ # expected result {3}
861+
862+
863+ # check to see if rule is exempt
864+ unset exempt
865+ unset exempt_reason
866+ exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null)
867+ exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null)
868+
869+
870+
871+ if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then
872+ if [[ $result_value == "{4}" ]]; then
873+ echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
874+ defaults write "$audit_plist" {0} -dict-add finding -bool NO
875+ else
876+ echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
877+ defaults write "$audit_plist" {0} -dict-add finding -bool YES
878+ fi
879+ elif [[ ! -z "$exempt_reason" ]];then
880+ echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log"
864881 defaults write "$audit_plist" {0} -dict-add finding -bool NO
865- else
866- echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
867- defaults write "$audit_plist" {0} -dict-add finding -bool YES
882+ /bin/sleep 1
868883 fi
869- elif [[ ! -z "$exempt_reason" ]];then
870- echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason") " | tee -a "$audit_log"
884+ else
885+ echo "$(date -u) {5} does not apply to this architechture " | tee -a "$audit_log"
871886 defaults write "$audit_plist" {0} -dict-add finding -bool NO
872- /bin/sleep 1
873887fi
874- """ .format (rule_yaml ['id' ], nist_controls .replace ("\n " , "\n #" ), check .strip (), result , result_value , ' ' .join (log_reference_id ))
888+ """ .format (rule_yaml ['id' ], nist_controls .replace ("\n " , "\n #" ), check .strip (), result , result_value , ' ' .join (log_reference_id ), arch )
875889
876890 check_function_string = check_function_string + zsh_check_text
877891
0 commit comments