MACOSX_DEFAULTS_READ

The "MACOSX_DEFAULTS_READ" audit check examines the default system values on macOS. This check behaves differently if you set certain properties.

  • If you set plist_user to all, all user settings are audited, otherwise the specified user setting is audited. In other words, you can only audit all users or one specific user.

  • If you set byhost to YES in addition to the plist_user property being set, the following query runs:

    /usr/bin/defaults -currentHost read /Users/foo/Library/Preferences/ByHost/plist_name plist_item

  • If you do not set byhost and you set plist_user, the following query runs:

    /usr/bin/defaults -currentHost read /Users/foo/Library/Preferences/plist_name plist_item

  • If you do not set byhost or plist_user, the following query runs:

    /usr/bin/defaults -currentHost read plist_name plist_item

The following properties are supported:

Property      Description                                                        Accepted Value
------------  -----------------------------------------------------------------  --------------
plist_name    The plist that you want to query.
              Example: com.apple.digihub
plist_item    The plist item that you want to audit.
              Example: com.apple.digihub.blank.cd.appeared
plist_option  If you set this property to CANNOT_BE_NULL, the check fails if     CANNOT_BE_NULL
              the setting being audited is not set.
byhost        If you set this property to YES, the query results are generated   YES
              by host.
not_regex     Ensures that none of the found items match the specified regex.
              Example: not_regex: ".* = 6"
managed_path  Specifies a custom path that contains the plist.
              Example: managed_path: "/Library/Managed\ Preferences/"

Tip: For information about the parameters commonly found in Unix custom items, see Unix Configuration Keywords.

Examples

Example 1:

<custom_item>
system: "Darwin"
type: MACOSX_DEFAULTS_READ
description: "Automatic actions must be disabled for blank CDs - 'action=1;'"
plist_user: "all"
plist_name: "com.apple.digihub"
plist_item: "com.apple.digihub.blank.cd.appeared"
regex: "\\s*action\\s*=\\s*1;"
plist_option: CANNOT_BE_NULL
</custom_item>

<custom_item>
system: "Darwin"
type: MACOSX_DEFAULTS_READ
description: "System must have a password-protected screen saver configured to DoD"
plist_user: "all"
plist_name: "com.apple.screensaver"
byhost: YES
plist_item: "idleTime"
regex: "[A-Za-z0-9_-]+\\s*=\\s*(900|[2-8][0-9][0-9]|1[8-9][0-9])$"
plist_option: CANNOT_BE_NULL
</custom_item>

<custom_item>
system: "Darwin"
type: MACOSX_DEFAULTS_READ
description: "System must have a password-protected screen saver configured to DoD"
plist_name: "com.apple.screensaver"
plist_item: "idleTime"
regex: "[A-Za-z0-9_-]+\\s*=\\s*(900|[2-8][0-9][0-9]|1[8-9][0-9])$"
plist_option: CANNOT_BE_NULL
</custom_item>

Example 2:

<custom_item>
system : "Darwin"
type : MACOSX_DEFAULTS_READ
description : "Use a custom managed_path"
plist_name : "com.apple.Terminal"
plist_item : "HasMigratedDefaults"
regex : "1"
managed_path : "/Library/Managed\ Preferences/"
</custom_item>
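To make the three query forms and the regex / not_regex / CANNOT_BE_NULL behaviour concrete, here is an added Python illustration; it is not Tenable's audit engine and not part of this page's original content. The pass/fail rule inside evaluate(), the /Users/foo home directory, and the sample `defaults read` output are assumptions, and managed_path is not modelled.

```python
import re
from typing import Optional

# Added illustration (not Tenable's audit engine): reproduces the three
# documented query forms for a custom_item's plist_user / byhost settings.
# /Users/foo stands in for the audited user's home, as in the text above.
def build_defaults_command(plist_name: str, plist_item: str,
                           plist_user: Optional[str] = None,
                           byhost: bool = False,
                           user_home: str = "/Users/foo") -> str:
    base = "/usr/bin/defaults -currentHost read"
    if plist_user is None:                       # neither byhost nor plist_user
        return f"{base} {plist_name} {plist_item}"
    prefs = f"{user_home}/Library/Preferences"
    if byhost:                                   # byhost: YES with plist_user
        prefs += "/ByHost"
    return f"{base} {prefs}/{plist_name} {plist_item}"

def evaluate(output: str, regex: Optional[str] = None,
             not_regex: Optional[str] = None,
             cannot_be_null: bool = False) -> str:
    """Assumed pass/fail rule: regex must match at least one non-empty
    output line, not_regex must match none, and CANNOT_BE_NULL fails an
    empty result (item not set) outright."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines and cannot_be_null:
        return "FAIL"
    if regex is not None and not any(re.search(regex, ln) for ln in lines):
        return "FAIL"
    if not_regex is not None and any(re.search(not_regex, ln) for ln in lines):
        return "FAIL"
    return "PASS"

# Regexes from the examples above; the .audit files double the backslashes,
# Python raw strings do not.
DIGIHUB_REGEX = r"\s*action\s*=\s*1;"
IDLE_REGEX = r"[A-Za-z0-9_-]+\s*=\s*(900|[2-8][0-9][0-9]|1[8-9][0-9])$"

# Constructed sample output, shaped like `defaults read` prints it.
DIGIHUB_OUTPUT = "{\n    action = 1;\n}\n"       # dictionary value
IDLE_OK = "idleTime = 600\n"                      # 600 s: inside 180-900
IDLE_TOO_LONG = "idleTime = 1200\n"               # 1200 s: outside the range

if __name__ == "__main__":
    print(build_defaults_command("com.apple.screensaver", "idleTime",
                                 plist_user="all", byhost=True))
    print(evaluate(DIGIHUB_OUTPUT, DIGIHUB_REGEX, cannot_be_null=True))  # PASS
    print(evaluate(IDLE_OK, IDLE_REGEX, cannot_be_null=True))            # PASS
    print(evaluate(IDLE_TOO_LONG, IDLE_REGEX, cannot_be_null=True))      # FAIL
```

Note that the page's not_regex example ".* = 6" also matches a line such as "idleTime = 600", since the pattern is not anchored at the end of the value.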