Set Root Password to resolve vuln in High Sierra - Apple Mac OS X TODO:testing! - superseded
Log In or Register to download the BES file, and more.

0 Votes

Versioning - This is an older version.

1Set Root Password to resolve vuln in High Sierra - Apple Mac OS X TODO:testing!11/28/2017 1:17:50 PM
2Set Root Password to resolve vuln in High Sierra - Apple Mac OS X11/28/2017 9:01:38 PM

Description

I have not tested this at all!

This should resolve a discovered issue with Apple Mac OS High Sierra.

https://github.com/jgstew/bigfix-content/blob/master/fixlet/Set%20Root%20Password%20to%20resolve%20vuln%20in%20High%20Sierra%20-%20Apple%20Mac%20OS%20X%20%20%20TODO_testing!.bes


Property Details

ID24857
StatusAlpha - Code that was just developed
TitleSet Root Password to resolve vuln in High Sierra - Apple Mac OS X TODO:testing!
SourceInternal
Source IDjgstew
Source Release Date11/28/2017 12:00:00 AM
Added by on 11/28/2017 1:17:50 PM
Last Modified by on 11/28/2017 1:49:43 PM
Counters 918 Views / 9 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Relevance

Used in 189 fixlets and 97 analyses   * Results in a true/false
Show indented relevance
mac of operating system
Used in 2 fixlets   * Results in a true/false
Show indented relevance
version of operating system >= "10.13"
Used in 1 fixlet   * Results in a true/false
Show indented relevance
not exists settings "_RootPasswordSetRandom" of client

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script
action log command

wait sh -c "dscl . -passwd '/Users/root' { (it & "!A1") of first 27 of sha256 of ( (uptime of operating system / second) as string & now as string & computer id as string ) }"

continue if {exit code of action = 0}

setting "_RootPasswordSetRandom"="1" on "{ now }" for client

// - https://twitter.com/lemiorhan/status/935578694541770752
// - https://www.bigfix.me/fixlet/details/3671
// - http://krypted.com/mac-security/mac-os-x-changing-passwords-from-the-command-line/
// - https://developer.bigfix.com/action-script/reference/client/action-log-command.html
// -
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!
straffin -
Will do!
jgstew -
If root is already enabled and the password set, then this should reset the password to something random. I was working on some relevance to detect that, but I haven't completed that. Add to the discussion here: https://forum.bigfix.com/t/bigfix-solution-to-major-security-issue-in-apple-high-sierra/23761
straffin -
Any idea what this will do on machines where root has been enabled with the password already set?
jgstew -
the command this uses was taken directly from well tested scripts, so I have pretty high confidence in this, but don't take my word for it, test test test!
jgstew -
also here: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Set%20Root%20Password%20to%20resolve%20vuln%20in%20High%20Sierra%20-%20Apple%20Mac%20OS%20X%20%20%20TODO_testing!.bes