MACOSX_OSASCRIPT

The MACOSX_OSASCRIPT audit check uses the osascript command to return configured payload data.

Where payload_key and payload_type are specified in the check parameters, this check type sends the following command to the target:

echo $.NSUserDefaults.alloc.initWithSuiteName(PAYLOAD_TYPE).objectForKey(PAYLOAD_KEY).js" | /usr/bin/osascript -l Javascript

Usage

<custom_item>

type : MACOSX_OSASCRIPT

description : ["description"]

expect : ["response to evaluate"]

payload_key : ["string value"]

payload_type : ["string value"]

(optional) required : [YES|NO]

</custom_item>

The following properties are supported:

  • expect — The response to evaluate. Valid text includes strings and regex.

    • Examples: "false", "true", "^0$"

  • payload_key — The key name referenced in `objectForKey().js`.

    • Examples: "AutoBackup", "ShowSystemServices"

  • payload_type — The type referenced in `initWithSuiteName()`.

    • Examples: "com.apple.TimeMachine", "com.apple.locationmenu"

  • required — Defaults to yes. Setting no results in a PASS result if the response is empty.

Examples

<custom_item>

type : MACOSX_OSASCRIPT

description : "Require Alpha Numeric Password Policy"

expect : "true"

payload_key : "requireAlphanumeric"

payload_type : "com.apple.mobiledevice.passwordpolicy"

</custom_item>

<custom_item>

type : MACOSX_OSASCRIPT

description : "Require a minimum of 1 Complex Character Password Policy"

expect : "([1-9]|[0-9]{2,})"

payload_key : "minComplexChars"

payload_type : "com.apple.mobiledevice.passwordpolicy"

</custom_item>

<custom_item>

type : MACOSX_OSASCRIPT

description : "Disable iCloud Drive Document and Desktop Sync"

expect : "false"

payload_key : "allowCloudDesktopAndDocuments"

payload_type : "com.apple.applicationaccess"

</custom_item>