Add a require_developer_id to macos:gatekeeper_item/state #104

Closed
solind opened this issue Jun 18, 2020 · 4 comments
Labels
Add to Existing Schema (A proposal for the addition of a new Test/Object/State to an existing OVAL schema); MacOS (Issue related to the Mac schema)
Milestone
5.12

Comments


solind commented Jun 18, 2020

Abstract
This security-relevant option for Gatekeeper is not currently accessible via OVAL. We should add an entity to capture the state of this field.

Link to Proposal
PR to come

Additional context
See attachment for sample content.

content.zip

solind pushed a commit to solind/OVAL that referenced this issue Jun 18, 2020
@wmunyan wmunyan added the labels Add to Existing Schema (A proposal for the addition of a new Test/Object/State to an existing OVAL schema) and MacOS (Issue related to the Mac schema) on Aug 6, 2020
@wmunyan wmunyan added this to the 5.12 milestone Aug 6, 2020
@wmunyan
Contributor

wmunyan commented Aug 7, 2020

Question: What drives the value of this element? Is there something in the output of one of the spctl command options that will reveal whether Developer ID is required?

If there are values in the unlabeled element(s) and enabled is true, am I correct that implies that require_developer_id would be false? However, if enabled is true, but there are no unlabeled applications, that doesn't definitively say that require_developer_id is either true or false. I may be missing something, or our implementation of this collection is wrong to begin with...

@solind
Author

solind commented Aug 7, 2020

Hi @wmunyan, the command spctl --status --verbose will tell you whether or not this is enabled. Basically, it is like a global setting that tells you whether Gatekeeper will deny execution of applications not signed with a valid Apple Developer ID. The unlabeled applications are exceptions that have been manually added by a user, and you can see what those are using sudo spctl --list | grep UNLABELED

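The following is an added example, not code from the OVAL project or from either participant, showing how a collector could derive the three gatekeeper_item fields discussed here (enabled, unlabeled, require_developer_id) from the two commands named above. It assumes that spctl --status --verbose prints one "assessments enabled|disabled" line and one "developer id enabled|disabled" line, and that the manually added exceptions in spctl --list are the lines carrying the UNLABELED label (the same thing the grep in the comment above selects). The sample command output embedded in the block is constructed, not captured from a real machine, and the rule-line layout in it is illustrative only.

```python
"""Derive Gatekeeper state fields from spctl output.

Added example, not OVAL project code. Assumed spctl output strings:
  spctl --status --verbose  ->  "assessments enabled|disabled"
                                "developer id enabled|disabled"
  sudo spctl --list         ->  one rule per line (details indented);
                                user-added exceptions carry UNLABELED
"""
import re
import subprocess
import sys

# One regex for both status lines; re.M so ^/$ match per line.
STATUS_RE = re.compile(
    r"^\s*(assessments|developer id)\s+(enabled|disabled)\s*$", re.M)


def parse_status(text):
    """Map `spctl --status --verbose` output to the two boolean fields.

    Returns {"enabled": bool|None, "require_developer_id": bool|None}.
    None means the line was absent (e.g. output taken without --verbose),
    which a collector should report as "not collected" rather than False.
    """
    fields = {"enabled": None, "require_developer_id": None}
    for key, value in STATUS_RE.findall(text):
        name = "enabled" if key == "assessments" else "require_developer_id"
        fields[name] = (value == "enabled")
    return fields


def parse_unlabeled(text):
    """Return the UNLABELED rule lines from `spctl --list` output, i.e. the
    exceptions a user added by hand, with runs of whitespace collapsed.
    Indented detail lines under a rule are not rules and are skipped."""
    return [re.sub(r"\s+", " ", line.strip())
            for line in text.splitlines()
            if "UNLABELED" in line and not line.startswith(("\t", " "))]


def gatekeeper_item(status_text, list_text):
    """Assemble a dict shaped like the discussed gatekeeper_item entities."""
    item = parse_status(status_text)
    item["unlabeled"] = parse_unlabeled(list_text)
    return item


def collect():
    """Run the real commands. macOS only; --list needs root for the full
    rule set, so run the collector with sudo or expect a partial list."""
    if sys.platform != "darwin":
        raise RuntimeError("spctl is only available on macOS")
    status = subprocess.run(["spctl", "--status", "--verbose"],
                            capture_output=True, text=True).stdout
    rules = subprocess.run(["spctl", "--list"],
                           capture_output=True, text=True).stdout
    return gatekeeper_item(status, rules)


# Constructed sample output (not captured from a real machine): assessments
# on, Developer ID not required, one manually added exception.
SAMPLE_STATUS = "assessments enabled\ndeveloper id disabled\n"
SAMPLE_LIST = (
    "3[Apple System] P0  allow  [Apple System Software]\n"
    "\tanchor apple\n"
    "12[UNLABELED] P20  allow  [anchor constructed-sample]\n"
    "\tcdhash H\"constructed\"\n"
)

if __name__ == "__main__":
    # Use live data on a Mac, the constructed sample elsewhere.
    if sys.platform == "darwin":
        print(collect())
    else:
        print(gatekeeper_item(SAMPLE_STATUS, SAMPLE_LIST))
```

Note the three-valued handling in parse_status: the earlier question about what the unlabeled list does or does not imply goes away once require_developer_id is read from its own status line, and an absent line is reported as unknown rather than guessed from the exception list.
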
@wmunyan
Contributor

wmunyan commented Aug 7, 2020

AH! It was the --verbose I didn't see on the man page. Thank you!

No objections to this proposal.

solind pushed a commit that referenced this issue Sep 3, 2020
Pull request for MacOS Issues: #19, #52, #84, #95, #99, #100, #101, #102, #103, #104, #105 and #106.
@solind
Author

solind commented Sep 3, 2020

a5ae8d7

@solind solind closed this as completed Sep 3, 2020