Update munki_script_checks.tf #5
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Terraform Plan OutputClick to expandTerraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit log files _MUST_ not contain access control lists (ACLs).
This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "0"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
+ source = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_acls_folders_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_acls_folders_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit log folder _MUST_ not contain access control lists (ACLs).
Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "0"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Log Folder to Not Contain Access Control Lists"
+ source = "/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_auditd_enabled will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_auditd_enabled" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The information system _MUST_ be configured to generate audit records.
Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
The information system initiates session audits at system start-up.
NOTE: Security auditing is NOT enabled by default on macOS Sonoma.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "pass"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Enable Security Auditing"
+ source = <<-EOT
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
echo "pass"
else
echo "fail"
fi
EOT
+ tag_ids = (known after apply)
+ type = "ZSH_STR"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_failure_halt will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_failure_halt" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Shut Down Upon Audit Failure"
+ source = "/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec 'ahlt'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_files_group_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_files_group_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
Audit log files _MUST_ have the group set to wheel.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "0"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Log Files Group to Wheel"
+ source = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_files_mode_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_files_mode_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = "The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs."
+ excluded_tag_ids = (known after apply)
+ expected_result = "0"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Log Files to Mode 440 or Less Permissive"
+ source = "/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_files_owner_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_files_owner_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
Audit log files _MUST_ be owned by root.
The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "0"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Log Files to be Owned by Root"
+ source = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_flags_aa_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_flags_aa_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Audit All Authorization and Authentication Events"
+ source = "/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec 'aa'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_flags_ad_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_flags_ad_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The auditing system _MUST_ be configured to flag administrative action (ad) events.
Administrative action events include changes made to the system (e.g. modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
The information system audits the execution of privileged functions.
NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Audit All Administrative Action Events"
+ source = "/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec 'ad'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_flags_ex_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_flags_ex_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
This configuration ensures that audit lists include events in which program execution has failed.
Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Audit All Failed Program Execution on the System"
+ source = "/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-ex'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_flags_fd_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_flags_fd_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit system _MUST_ be configured to record enforcement actions of attempts to delete file attributes (fd).
***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Audit All Deletions of Object Attributes"
+ source = "/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-fd'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_flags_fm_failed_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_flags_fm_failed_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Audit All Failed Change of Object Attributes"
+ source = "/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-fm'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_flags_fr_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_flags_fr_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Audit All Failed Read Actions on the System"
+ source = "/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-fr'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_flags_fw_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_flags_fw_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Audit All Failed Write Actions on the System"
+ source = "/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-fw'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_flags_lo_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_flags_lo_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit system _MUST_ be configured to record all attempts to log in and out of the system (lo).
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring login and logout events) mitigates this risk.
The information system monitors login and logout events.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure System to Audit All Log In and Log Out Events"
+ source = "/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '^lo'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_folder_group_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_folder_group_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
Audit log files _MUST_ have the group set to wheel.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "0"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Log Folders Group to Wheel"
+ source = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_folder_owner_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_folder_owner_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
Audit log folders _MUST_ be owned by root.
The audit service _MUST_ be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "0"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Log Folders to be Owned by Root"
+ source = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}'"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_folders_mode_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_folders_mode_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "700"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Log Folders to Mode 700 or Less Permissive"
+ source = "/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_retention_configure will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_retention_configure" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit service _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "7d"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Retention to 7d"
+ source = "/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control"
+ tag_ids = (known after apply)
+ type = "ZSH_STR"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-auditing-audit_settings_failure_notify will be created
+ resource "zentral_munki_script_check" "mcs-auditing-audit_settings_failure_notify" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs.
It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "1"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Auditing - Configure Audit Failure Notification"
+ source = "/usr/bin/grep -c \"logger -s -p\" /etc/security/audit_warn"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-authentication-auth_pam_login_smartcard_enforce will be created
+ resource "zentral_munki_script_check" "mcs-authentication-auth_pam_login_smartcard_enforce" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The system _MUST_ be configured to enforce multifactor authentication.
All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.
NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "2"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Authentication - Enforce Multifactor Authentication for Login"
+ source = "/usr/bin/grep -Ec '^(auth\\s+sufficient\\s+pam_smartcard.so|auth\\s+required\\s+pam_deny.so)' /etc/pam.d/login"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-authentication-auth_pam_su_smartcard_enforce will be created
+ resource "zentral_munki_script_check" "mcs-authentication-auth_pam_su_smartcard_enforce" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced.
All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.
NOTE: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system.
EOT
+ excluded_tag_ids = (known after apply)
+ expected_result = "2"
+ id = (known after apply)
+ max_os_version = "15"
+ min_os_version = "14"
+ name = "[mSCP] - Authentication - Enforce Multifactor Authentication for the su Command"
+ source = "/usr/bin/grep -Ec '^(auth\\s+sufficient\\s+pam_smartcard.so|auth\\s+required\\s+pam_rootok.so)' /etc/pam.d/su"
+ tag_ids = (known after apply)
+ type = "ZSH_INT"
+ version = (known after apply)
}
# zentral_munki_script_check.mcs-authentication-auth_pam_sudo_smartcard_enforce will be created
+ resource "zentral_munki_script_check" "mcs-authentication-auth_pam_sudo_smartcard_enforce" {
+ arch_amd64 = true
+ arch_arm64 = true
+ description = <<-EOT
The system _MUST_ be configured to enforce multifactor authentication when the sudo command is used to elevate privilege.
All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profil
--- TRUNCATED --- |
headmin
approved these changes
Jul 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.