
Update tf-plan-apply.yml #13

Closed
wants to merge 12 commits into from


np5
Owner

@np5 np5 commented Jul 9, 2024

No description provided.


github-actions bot commented Jul 9, 2024

Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "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"
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log files _MUST_ not contain access control lists (ACLs).
            
            This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
      + source           = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_folders_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_folders_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ not contain access control lists (ACLs).
            
            Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folder to Not Contain Access Control Lists"
      + source           = "/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_auditd_enabled will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_auditd_enabled" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The information system _MUST_ be configured to generate audit records.
            
            Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
            
            The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
            
            The information system initiates session audits at system start-up.
            
            NOTE: Security auditing is NOT enabled by default on macOS Sonoma.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "pass"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Enable Security Auditing"
      + source           = <<-EOT
            LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
            AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
            if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
              echo "pass"
            else
              echo "fail"
            fi
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_acls_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_acls_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs)."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control to Not Contain Access Control Lists"
      + source           = "/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the group set to wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Group to Wheel"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the owner set to root."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Root"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files Group to Wheel"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to be Owned by Root"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders Group to Wheel"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log folders _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to be Owned by Root"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folders_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folders_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
            
            Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "700"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to Mode 700 or Less Permissive"
      + source           = "/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_retention_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_retention_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit service _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
            
            When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "7d"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Retention to 7d"
      + source           = "/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control"
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_airdrop_disable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_airdrop_disable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.
            AirDrop allows users to share and receive files from other nearby Apple devices.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "false"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Disable AirDrop"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
            .objectForKey('allowAirDrop').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_anti_virus_installed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_anti_virus_installed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            An approved antivirus product _MUST_ be installed and configured to run.
            
            Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "2"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Must Use an Approved Antivirus Program"
      + source           = "/bin/launchctl list | /usr/bin/grep -cE \"(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_authenticated_root_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_authenticated_root_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Authenticated Root _MUST_ be enabled.
            
            When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
            
            NOTE: Authenticated Root is enabled by default on macOS systems.
            
            WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Authenticated Root"
      + source           = "/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_config_data_install_enforce will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_config_data_install_enforce" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Software Update _MUST_ be configured to update XProtect Remediator and Gatekeeper automatically.
            
            This setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.
            
            link:https://support.apple.com/en-us/HT207005[]
            
            NOTE: Software update will automatically update XProtect Remediator and Gatekeeper by default in the macOS.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enforce Installation of XProtect Remediator and Gatekeeper Updates Automatically"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
            .objectForKey('ConfigDataInstall').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_firewall_log_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_firewall_log_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Firewall logging _MUST_ be enabled.
            
            Firewall logging ensures that malicious network activity will be logged to the system.
            
            NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Firewall Logging"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            function run() {
              let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('EnableLogging').js
              let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('LoggingOption').js
              if ( pref1 == true && pref2 == "detail" ){
                return("true")
              } else {
                return("false")
              }
            }
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_gatekeeper_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_gatekeeper_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Gatekeeper _MUST_ be enabled.
            
            Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
            
            Administrator users will still have the option to override these settings on a case-by-case basis.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Gatekeeper"
      + source           = "/usr/sbin/spctl --status | /usr/bin/grep -c \"assessments enabled\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_guest_folder_removed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_guest_folder_removed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The guest folder _MUST_ be deleted if present."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Remove Guest Folder if Present"
      + source           = "/bin/ls /Users/ | /usr/bin/grep -c \"Guest\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_home_folders_secure will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_home_folders_secure" {
 
--- TRUNCATED ---


github-actions bot commented Jul 9, 2024

Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "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"
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log files _MUST_ not contain access control lists (ACLs).
            
            This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
      + source           = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_folders_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_folders_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ not contain access control lists (ACLs).
            
            Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folder to Not Contain Access Control Lists"
      + source           = "/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_auditd_enabled will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_auditd_enabled" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The information system _MUST_ be configured to generate audit records.
            
            Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
            
            The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
            
            The information system initiates session audits at system start-up.
            
            NOTE: Security auditing is NOT enabled by default on macOS Sonoma.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "pass"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Enable Security Auditing"
      + source           = <<-EOT
            LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
            AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
            if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
              echo "pass"
            else
              echo "fail"
            fi
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_acls_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_acls_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs)."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control to Not Contain Access Control Lists"
      + source           = "/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the group set to wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Group to Wheel"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the owner set to root."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Root"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files Group to Wheel"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to be Owned by Root"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders Group to Wheel"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log folders _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to be Owned by Root"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folders_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folders_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
            
            Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "700"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to Mode 700 or Less Permissive"
      + source           = "/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_retention_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_retention_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit service _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
            
            When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "7d"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Retention to 7d"
      + source           = "/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control"
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_airdrop_disable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_airdrop_disable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.
            AirDrop allows users to share and receive files from other nearby Apple devices.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "false"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Disable AirDrop"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
            .objectForKey('allowAirDrop').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_anti_virus_installed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_anti_virus_installed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            An approved antivirus product _MUST_ be installed and configured to run.
            
            Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "2"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Must Use an Approved Antivirus Program"
      + source           = "/bin/launchctl list | /usr/bin/grep -cE \"(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_authenticated_root_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_authenticated_root_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Authenticated Root _MUST_ be enabled.
            
            When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
            
            NOTE: Authenticated Root is enabled by default on macOS systems.
            
            WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Authenticated Root"
      + source           = "/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_config_data_install_enforce will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_config_data_install_enforce" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Software Update _MUST_ be configured to update XProtect Remediator and Gatekeeper automatically.
            
            This setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.
            
            link:https://support.apple.com/en-us/HT207005[]
            
            NOTE: Software update will automatically update XProtect Remediator and Gatekeeper by default in the macOS.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enforce Installation of XProtect Remediator and Gatekeeper Updates Automatically"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
            .objectForKey('ConfigDataInstall').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_firewall_log_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_firewall_log_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Firewall logging _MUST_ be enabled.
            
            Firewall logging ensures that malicious network activity will be logged to the system.
            
            NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Firewall Logging"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            function run() {
              let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('EnableLogging').js
              let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('LoggingOption').js
              if ( pref1 == true && pref2 == "detail" ){
                return("true")
              } else {
                return("false")
              }
            }
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_gatekeeper_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_gatekeeper_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Gatekeeper _MUST_ be enabled.
            
            Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
            
            Administrator users will still have the option to override these settings on a case-by-case basis.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Gatekeeper"
      + source           = "/usr/sbin/spctl --status | /usr/bin/grep -c \"assessments enabled\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_guest_folder_removed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_guest_folder_removed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The guest folder _MUST_ be deleted if present."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Remove Guest Folder if Present"
      + source           = "/bin/ls /Users/ | /usr/bin/grep -c \"Guest\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_home_folders_secure will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_home_folders_secure" {
 
--- TRUNCATED ---


github-actions bot commented Jul 9, 2024

Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KCTxrZXk+Q29uc2VudFRleHQ8L2tleT4KCTxkaWN0PgoJCTxrZXk+ZGVmYXVsdDwva2V5PgoJCTxzdHJpbmc+VEhFIFNPRlRXQVJFIElTIFBST1ZJREVEICdBUyBJUycgV0lUSE9VVCBBTlkgV0FSUkFOVFkgT0YgQU5ZIEtJTkQsIEVJVEhFUiBFWFBSRVNTRUQsIElNUExJRUQsIE9SIFNUQVRVVE9SWSwgSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sIEFOWSBXQVJSQU5UWSBUSEFUIFRIRSBTT0ZUV0FSRSBXSUxMIENPTkZPUk0gVE8gU1BFQ0lGSUNBVElPTlMsIEFOWSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZLCBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRSwgQU5EIEZSRUVET00gRlJPTSBJTkZSSU5HRU1FTlQsIEFORCBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgRE9DVU1FTlRBVElPTiBXSUxMIENPTkZPUk0gVE8gVEhFIFNPRlRXQVJFLCBPUiBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgU09GVFdBUkUgV0lMTCBCRSBFUlJPUiBGUkVFLiAgSU4gTk8gRVZFTlQgU0hBTEwgTklTVCBCRSBMSUFCTEUgRk9SIEFOWSBEQU1BR0VTLCBJTkNMVURJTkcsIEJVVCBOT1QgTElNSVRFRCBUTywgRElSRUNULCBJTkRJUkVDVCwgU1BFQ0lBTCBPUiBDT05TRVFVRU5USUFMIERBTUFHRVMsIEFSSVNJTkcgT1VUIE9GLCBSRVNVTFRJTkcgRlJPTSwgT1IgSU4gQU5ZIFdBWSBDT05ORUNURUQgV0lUSCBUSElTIFNPRlRXQVJFLCBXSEVUSEVSIE9SIE5PVCBCQVNFRCBVUE9OIFdBUlJBTlRZLCBDT05UUkFDVCwgVE9SVCwgT1IgT1RIRVJXSVNFLCBXSEVUSEVSIE9SIE5PVCBJTkpVUlkgV0FTIFNVU1RBSU5FRCBCWSBQRVJTT05TIE9SIFBST1BFUlRZIE9SIE9USEVSV0lTRSwgQU5EIFdIRVRIRVIgT1IgTk9UIExPU1MgV0FTIFNVU1RBSU5FRCBGUk9NLCBPUiBBUk9TRSBPVVQgT0YgVEhFIFJFU1VMVFMgT0YsIE9SIFVTRSBPRiwgVEhFIFNPRlRXQVJFIE9SIFNFUlZJQ0VTIFBST1ZJREVEIEhFUkVVTkRFUi48L3N0cmluZz4KCTwvZGljdD4KCTxrZXk+UGF5bG9hZENvbnRlbnQ8L2tleT4KCTxhcnJheT4KCQk8ZGljdD4KCQkJPGtleT5FbmFibGVGaXJld2FsbDwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+RW5hYmxlTG9nZ2luZzwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+RW5hYmxlU3RlYWx0aE1vZGU8L2tleT4KCQkJPHRydWUvPgoJCQk8a2V5PkxvZ2dpbmdPcHRpb248L2tleT4KCQkJPHN0cmluZz5kZXRhaWw8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkSWRlbnRpZmllcjwva2V5PgoJCQk8c3RyaW5nPmFsYWNhcnRlLm1hY09TLllvbG8uOTgxNjk2YmYtYWVkZS00ODhiLTk2MTMtND
llMmY1YjRiOTgxPC9zdHJpbmc+CgkJCTxrZXk+UGF5bG9hZFR5cGU8L2tleT4KCQkJPHN0cmluZz5jb20uYXBwbGUuc2VjdXJpdHkuZmlyZXdhbGw8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkVVVJRDwva2V5PgoJCQk8c3RyaW5nPjk4MTY5NmJmLWFlZGUtNDg4Yi05NjEzLTQ5ZTJmNWI0Yjk4MTwvc3RyaW5nPgoJCQk8a2V5PlBheWxvYWRWZXJzaW9uPC9rZXk+CgkJCTxpbnRlZ2VyPjE8L2ludGVnZXI+CgkJPC9kaWN0PgoJPC9hcnJheT4KCTxrZXk+UGF5bG9hZERlc2NyaXB0aW9uPC9rZXk+Cgk8c3RyaW5nPkNyZWF0ZWQ6IDIwMjQtMDctMDkKQ29uZmlndXJhdGlvbiBzZXR0aW5ncyBmb3IgdGhlIGNvbS5hcHBsZS5zZWN1cml0eS5maXJld2FsbCBwcmVmZXJlbmNlIGRvbWFpbi48L3N0cmluZz4KCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+Cgk8c3RyaW5nPltZb2xvXSBjb20uYXBwbGUuc2VjdXJpdHkuZmlyZXdhbGwgc2V0dGluZ3M8L3N0cmluZz4KCTxrZXk+UGF5bG9hZElkZW50aWZpZXI8L2tleT4KCTxzdHJpbmc+Y29tLmFwcGxlLnNlY3VyaXR5LmZpcmV3YWxsLllvbG88L3N0cmluZz4KCTxrZXk+UGF5bG9hZE9yZ2FuaXphdGlvbjwva2V5PgoJPHN0cmluZz5tYWNPUyBTZWN1cml0eSBDb21wbGlhbmNlIFByb2plY3Q8L3N0cmluZz4KCTxrZXk+UGF5bG9hZFNjb3BlPC9rZXk+Cgk8c3RyaW5nPlN5c3RlbTwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVHlwZTwva2V5PgoJPHN0cmluZz5Db25maWd1cmF0aW9uPC9zdHJpbmc+Cgk8a2V5PlBheWxvYWRVVUlEPC9rZXk+Cgk8c3RyaW5nPjcxYzJlOWJiLTQxYzEtNDlkYy04NWUwLWZmNGRmYmM3ZDJhZTwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVmVyc2lvbjwva2V5PgoJPGludGVnZXI+MTwvaW50ZWdlcj4KPC9kaWN0Pgo8L3BsaXN0Pgo="
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log files _MUST_ not contain access control lists (ACLs).
            
            This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
      + source           = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_folders_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_folders_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ not contain access control lists (ACLs).
            
            Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folder to Not Contain Access Control Lists"
      + source           = "/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_auditd_enabled will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_auditd_enabled" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The information system _MUST_ be configured to generate audit records.
            
            Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
            
            The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
            
            The information system initiates session audits at system start-up.
            
            NOTE: Security auditing is NOT enabled by default on macOS Sonoma.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "pass"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Enable Security Auditing"
      + source           = <<-EOT
            LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
            AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
            if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
              echo "pass"
            else
              echo "fail"
            fi
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_acls_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_acls_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs)."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control to Not Contain Access Control Lists"
      + source           = "/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the group set to wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Group to Wheel"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the owner set to root."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Root"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files Group to Wheel"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to be Owned by Root"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders Group to Wheel"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log folders _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to be Owned by Root"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folders_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folders_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
            
            Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "700"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to Mode 700 or Less Permissive"
      + source           = "/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_retention_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_retention_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit service _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
            
            When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "7d"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Retention to 7d"
      + source           = "/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control"
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_airdrop_disable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_airdrop_disable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.
            AirDrop allows users to share and receive files from other nearby Apple devices.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "false"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Disable AirDrop"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
            .objectForKey('allowAirDrop').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_anti_virus_installed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_anti_virus_installed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            An approved antivirus product _MUST_ be installed and configured to run.
            
            Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "2"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Must Use an Approved Antivirus Program"
      + source           = "/bin/launchctl list | /usr/bin/grep -cE \"(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_authenticated_root_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_authenticated_root_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Authenticated Root _MUST_ be enabled.
            
            When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
            
            NOTE: Authenticated Root is enabled by default on macOS systems.
            
            WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Authenticated Root"
      + source           = "/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_config_data_install_enforce will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_config_data_install_enforce" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Software Update _MUST_ be configured to update XProtect Remediator and Gatekeeper automatically.
            
            This setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.
            
            link:https://support.apple.com/en-us/HT207005[]
            
            NOTE: Software update will automatically update XProtect Remediator and Gatekeeper by default in the macOS.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enforce Installation of XProtect Remediator and Gatekeeper Updates Automatically"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
            .objectForKey('ConfigDataInstall').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_firewall_log_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_firewall_log_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Firewall logging _MUST_ be enabled.
            
            Firewall logging ensures that malicious network activity will be logged to the system.
            
            NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Firewall Logging"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            function run() {
              let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('EnableLogging').js
              let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('LoggingOption').js
              if ( pref1 == true && pref2 == "detail" ){
                return("true")
              } else {
                return("false")
              }
            }
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_gatekeeper_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_gatekeeper_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Gatekeeper _MUST_ be enabled.
            
            Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
            
            Administrator users will still have the option to override these settings on a case-by-case basis.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Gatekeeper"
      + source           = "/usr/sbin/spctl --status | /usr/bin/grep -c \"assessments enabled\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_guest_folder_removed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_guest_folder_removed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The guest folder _MUST_ be deleted if present."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Remove Guest Folder if Present"
      + source           = "/bin/ls /Users/ | /usr/bin/grep -c \"Guest\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_home_folders_secure will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_home_folders_secure" {
 
--- TRUNCATED ---


github-actions bot commented Jul 9, 2024

Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KCTxrZXk+Q29uc2VudFRleHQ8L2tleT4KCTxkaWN0PgoJCTxrZXk+ZGVmYXVsdDwva2V5PgoJCTxzdHJpbmc+VEhFIFNPRlRXQVJFIElTIFBST1ZJREVEICdBUyBJUycgV0lUSE9VVCBBTlkgV0FSUkFOVFkgT0YgQU5ZIEtJTkQsIEVJVEhFUiBFWFBSRVNTRUQsIElNUExJRUQsIE9SIFNUQVRVVE9SWSwgSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sIEFOWSBXQVJSQU5UWSBUSEFUIFRIRSBTT0ZUV0FSRSBXSUxMIENPTkZPUk0gVE8gU1BFQ0lGSUNBVElPTlMsIEFOWSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZLCBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRSwgQU5EIEZSRUVET00gRlJPTSBJTkZSSU5HRU1FTlQsIEFORCBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgRE9DVU1FTlRBVElPTiBXSUxMIENPTkZPUk0gVE8gVEhFIFNPRlRXQVJFLCBPUiBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgU09GVFdBUkUgV0lMTCBCRSBFUlJPUiBGUkVFLiAgSU4gTk8gRVZFTlQgU0hBTEwgTklTVCBCRSBMSUFCTEUgRk9SIEFOWSBEQU1BR0VTLCBJTkNMVURJTkcsIEJVVCBOT1QgTElNSVRFRCBUTywgRElSRUNULCBJTkRJUkVDVCwgU1BFQ0lBTCBPUiBDT05TRVFVRU5USUFMIERBTUFHRVMsIEFSSVNJTkcgT1VUIE9GLCBSRVNVTFRJTkcgRlJPTSwgT1IgSU4gQU5ZIFdBWSBDT05ORUNURUQgV0lUSCBUSElTIFNPRlRXQVJFLCBXSEVUSEVSIE9SIE5PVCBCQVNFRCBVUE9OIFdBUlJBTlRZLCBDT05UUkFDVCwgVE9SVCwgT1IgT1RIRVJXSVNFLCBXSEVUSEVSIE9SIE5PVCBJTkpVUlkgV0FTIFNVU1RBSU5FRCBCWSBQRVJTT05TIE9SIFBST1BFUlRZIE9SIE9USEVSV0lTRSwgQU5EIFdIRVRIRVIgT1IgTk9UIExPU1MgV0FTIFNVU1RBSU5FRCBGUk9NLCBPUiBBUk9TRSBPVVQgT0YgVEhFIFJFU1VMVFMgT0YsIE9SIFVTRSBPRiwgVEhFIFNPRlRXQVJFIE9SIFNFUlZJQ0VTIFBST1ZJREVEIEhFUkVVTkRFUi48L3N0cmluZz4KCTwvZGljdD4KCTxrZXk+UGF5bG9hZENvbnRlbnQ8L2tleT4KCTxhcnJheT4KCQk8ZGljdD4KCQkJPGtleT5FbmFibGVGaXJld2FsbDwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+RW5hYmxlTG9nZ2luZzwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+RW5hYmxlU3RlYWx0aE1vZGU8L2tleT4KCQkJPHRydWUvPgoJCQk8a2V5PkxvZ2dpbmdPcHRpb248L2tleT4KCQkJPHN0cmluZz5kZXRhaWw8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkSWRlbnRpZmllcjwva2V5PgoJCQk8c3RyaW5nPmFsYWNhcnRlLm1hY09TLllvbG8uOTgxNjk2YmYtYWVkZS00ODhiLTk2MTMtND
llMmY1YjRiOTgxPC9zdHJpbmc+CgkJCTxrZXk+UGF5bG9hZFR5cGU8L2tleT4KCQkJPHN0cmluZz5jb20uYXBwbGUuc2VjdXJpdHkuZmlyZXdhbGw8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkVVVJRDwva2V5PgoJCQk8c3RyaW5nPjk4MTY5NmJmLWFlZGUtNDg4Yi05NjEzLTQ5ZTJmNWI0Yjk4MTwvc3RyaW5nPgoJCQk8a2V5PlBheWxvYWRWZXJzaW9uPC9rZXk+CgkJCTxpbnRlZ2VyPjE8L2ludGVnZXI+CgkJPC9kaWN0PgoJPC9hcnJheT4KCTxrZXk+UGF5bG9hZERlc2NyaXB0aW9uPC9rZXk+Cgk8c3RyaW5nPkNyZWF0ZWQ6IDIwMjQtMDctMDkKQ29uZmlndXJhdGlvbiBzZXR0aW5ncyBmb3IgdGhlIGNvbS5hcHBsZS5zZWN1cml0eS5maXJld2FsbCBwcmVmZXJlbmNlIGRvbWFpbi48L3N0cmluZz4KCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+Cgk8c3RyaW5nPltZb2xvXSBjb20uYXBwbGUuc2VjdXJpdHkuZmlyZXdhbGwgc2V0dGluZ3M8L3N0cmluZz4KCTxrZXk+UGF5bG9hZElkZW50aWZpZXI8L2tleT4KCTxzdHJpbmc+Y29tLmFwcGxlLnNlY3VyaXR5LmZpcmV3YWxsLllvbG88L3N0cmluZz4KCTxrZXk+UGF5bG9hZE9yZ2FuaXphdGlvbjwva2V5PgoJPHN0cmluZz5tYWNPUyBTZWN1cml0eSBDb21wbGlhbmNlIFByb2plY3Q8L3N0cmluZz4KCTxrZXk+UGF5bG9hZFNjb3BlPC9rZXk+Cgk8c3RyaW5nPlN5c3RlbTwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVHlwZTwva2V5PgoJPHN0cmluZz5Db25maWd1cmF0aW9uPC9zdHJpbmc+Cgk8a2V5PlBheWxvYWRVVUlEPC9rZXk+Cgk8c3RyaW5nPjcxYzJlOWJiLTQxYzEtNDlkYy04NWUwLWZmNGRmYmM3ZDJhZTwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVmVyc2lvbjwva2V5PgoJPGludGVnZXI+MTwvaW50ZWdlcj4KPC9kaWN0Pgo8L3BsaXN0Pgo="
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log files _MUST_ not contain access control lists (ACLs).
            
            This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
      + source           = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_folders_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_folders_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ not contain access control lists (ACLs).
            
            Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folder to Not Contain Access Control Lists"
      + source           = "/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_auditd_enabled will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_auditd_enabled" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The information system _MUST_ be configured to generate audit records.
            
            Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
            
            The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
            
            The information system initiates session audits at system start-up.
            
            NOTE: Security auditing is NOT enabled by default on macOS Sonoma.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "pass"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Enable Security Auditing"
      + source           = <<-EOT
            LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
            AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
            if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
              echo "pass"
            else
              echo "fail"
            fi
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_acls_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_acls_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs)."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control to Not Contain Access Control Lists"
      + source           = "/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the group set to wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Group to Wheel"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the owner set to root."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Root"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files Group to Wheel"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to be Owned by Root"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders Group to Wheel"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log folders _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to be Owned by Root"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folders_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folders_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
            
            Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "700"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to Mode 700 or Less Permissive"
      + source           = "/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_retention_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_retention_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit service _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
            
            When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "7d"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Retention to 7d"
      + source           = "/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control"
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_airdrop_disable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_airdrop_disable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.
            AirDrop allows users to share and receive files from other nearby Apple devices.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "false"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Disable AirDrop"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
            .objectForKey('allowAirDrop').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_anti_virus_installed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_anti_virus_installed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            An approved antivirus product _MUST_ be installed and configured to run.
            
            Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "2"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Must Use an Approved Antivirus Program"
      + source           = "/bin/launchctl list | /usr/bin/grep -cE \"(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_authenticated_root_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_authenticated_root_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Authenticated Root _MUST_ be enabled.
            
            When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
            
            NOTE: Authenticated Root is enabled by default on macOS systems.
            
            WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Authenticated Root"
      + source           = "/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_config_data_install_enforce will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_config_data_install_enforce" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Software Update _MUST_ be configured to update XProtect Remediator and Gatekeeper automatically.
            
            This setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.
            
            link:https://support.apple.com/en-us/HT207005[]
            
            NOTE: Software update will automatically update XProtect Remediator and Gatekeeper by default in the macOS.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enforce Installation of XProtect Remediator and Gatekeeper Updates Automatically"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
            .objectForKey('ConfigDataInstall').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_firewall_log_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_firewall_log_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Firewall logging _MUST_ be enabled.
            
            Firewall logging ensures that malicious network activity will be logged to the system.
            
            NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Firewall Logging"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            function run() {
              let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('EnableLogging').js
              let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('LoggingOption').js
              if ( pref1 == true && pref2 == "detail" ){
                return("true")
              } else {
                return("false")
              }
            }
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_gatekeeper_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_gatekeeper_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Gatekeeper _MUST_ be enabled.
            
            Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
            
            Administrator users will still have the option to override these settings on a case-by-case basis.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Gatekeeper"
      + source           = "/usr/sbin/spctl --status | /usr/bin/grep -c \"assessments enabled\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_guest_folder_removed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_guest_folder_removed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The guest folder _MUST_ be deleted if present."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Remove Guest Folder if Present"
      + source           = "/bin/ls /Users/ | /usr/bin/grep -c \"Guest\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_home_folders_secure will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_home_folders_secure" {
 
--- TRUNCATED ---


github-actions bot commented Jul 9, 2024

Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "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"
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log files _MUST_ not contain access control lists (ACLs).
            
            This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
      + source           = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_folders_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_folders_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ not contain access control lists (ACLs).
            
            Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folder to Not Contain Access Control Lists"
      + source           = "/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_auditd_enabled will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_auditd_enabled" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The information system _MUST_ be configured to generate audit records.
            
            Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
            
            The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
            
            The information system initiates session audits at system start-up.
            
            NOTE: Security auditing is NOT enabled by default on macOS Sonoma.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "pass"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Enable Security Auditing"
      + source           = <<-EOT
            LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
            AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
            if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
              echo "pass"
            else
              echo "fail"
            fi
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_acls_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_acls_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs)."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control to Not Contain Access Control Lists"
      + source           = "/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the group set to wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Group to Wheel"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_control_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_control_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "/etc/security/audit_control _MUST_ have the owner set to root."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit_Control Owner to Root"
      + source           = "/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files Group to Wheel"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Mode 440 or Less Permissive"
      + source           = "/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_files_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_files_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to be Owned by Root"
      + source           = "/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_group_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_group_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log files _MUST_ have the group set to wheel.
            
            The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders Group to Wheel"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folder_owner_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folder_owner_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Audit log folders _MUST_ be owned by root.
            
            The audit service _MUST_ be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.
            
            Audit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to be Owned by Root"
      + source           = "/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_folders_mode_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_folders_mode_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
            
            Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "700"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Folders to Mode 700 or Less Permissive"
      + source           = "/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-auditing-audit_retention_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_retention_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit service _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
            
            When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "7d"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Retention to 7d"
      + source           = "/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control"
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_airdrop_disable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_airdrop_disable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.
            AirDrop allows users to share and receive files from other nearby Apple devices.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "false"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Disable AirDrop"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
            .objectForKey('allowAirDrop').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_anti_virus_installed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_anti_virus_installed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            An approved antivirus product _MUST_ be installed and configured to run.
            
            Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "2"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Must Use an Approved Antivirus Program"
      + source           = "/bin/launchctl list | /usr/bin/grep -cE \"(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_authenticated_root_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_authenticated_root_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Authenticated Root _MUST_ be enabled.
            
            When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
            
            NOTE: Authenticated Root is enabled by default on macOS systems.
            
            WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Authenticated Root"
      + source           = "/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'"
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_config_data_install_enforce will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_config_data_install_enforce" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Software Update _MUST_ be configured to update XProtect Remediator and Gatekeeper automatically.
            
            This setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.
            
            link:https://support.apple.com/en-us/HT207005[]
            
            NOTE: Software update will automatically update XProtect Remediator and Gatekeeper by default in the macOS.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enforce Installation of XProtect Remediator and Gatekeeper Updates Automatically"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
            .objectForKey('ConfigDataInstall').js
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_firewall_log_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_firewall_log_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Firewall logging _MUST_ be enabled.
            
            Firewall logging ensures that malicious network activity will be logged to the system.
            
            NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "true"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Firewall Logging"
      + source           = <<-EOT
            /usr/bin/osascript -l JavaScript << EOS
            function run() {
              let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('EnableLogging').js
              let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
              .objectForKey('LoggingOption').js
              if ( pref1 == true && pref2 == "detail" ){
                return("true")
              } else {
                return("false")
              }
            }
            EOS
        EOT
      + tag_ids          = (known after apply)
      + type             = "ZSH_STR"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_gatekeeper_enable will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_gatekeeper_enable" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            Gatekeeper _MUST_ be enabled.
            
            Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
            
            Administrator users will still have the option to override these settings on a case-by-case basis.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "1"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Enable Gatekeeper"
      + source           = "/usr/sbin/spctl --status | /usr/bin/grep -c \"assessments enabled\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_guest_folder_removed will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_guest_folder_removed" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = "The guest folder _MUST_ be deleted if present."
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - macOS - Remove Guest Folder if Present"
      + source           = "/bin/ls /Users/ | /usr/bin/grep -c \"Guest\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_munki_script_check.mcs-macos-os_home_folders_secure will be created
  + resource "zentral_munki_script_check" "mcs-macos-os_home_folders_secure" {
 
--- TRUNCATED ---


Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "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"
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log files _MUST_ not contain access control lists (ACLs).
            
            This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
      + source           = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_osquery_configuration.default will be updated in-place
  ~ resource "zentral_osquery_configuration" "default" {
        id                 = 1
      ~ name               = "Default" -> "Default 😛"
        # (8 unchanged attributes hidden)
    }

  # zentral_osquery_configuration_pack.default-compliance-checks will be created
  + resource "zentral_osquery_configuration_pack" "default-compliance-checks" {
      + configuration_id = 1
      + id               = (known after apply)
      + pack_id          = (known after apply)
      + tag_ids          = (known after apply)
    }

  # zentral_osquery_pack.compliance-checks will be created
  + resource "zentral_osquery_pack" "compliance-checks" {
      + description       = "The compliance checks for our macOS client"
      + discovery_queries = (known after apply)
      + id                = (known after apply)
      + name              = "Compliance checks"
      + slug              = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # zentral_osquery_query.santa-sysext-cc will be created
  + resource "zentral_osquery_query" "santa-sysext-cc" {
      + compliance_check_enabled = true
      + description              = "Check if the Santa system extension is activated, running and up-to-date"
      + id                       = (known after apply)
      + name                     = "Santa system extension check"
      + platforms                = [
          + "darwin",
        ]
      + scheduling               = {
          + can_be_denylisted   = true
          + interval            = 3600
          + log_removed_actions = false
          + pack_id             = (known after apply)
          + snapshot_mode       = true
        }
      + sql                      = <<-EOT
            WITH expected_sysexts(team, identifier, min_version) AS (
              VALUES ('EQHXZ8M8AV', 'com.google.santa.daemon', '2024.5')
            ), found_sysexts AS (
              SELECT expected_sysexts.*, system_extensions.version, system_extensions.state,
              CASE
                WHEN system_extensions.version >= expected_sysexts.min_version
                  AND system_extensions.state == 'activated_enabled'
                THEN 'OK'
                ELSE 'FAILED'
              END individual_ztl_status
              FROM expected_sysexts
              LEFT JOIN system_extensions ON (
                system_extensions.team = expected_sysexts.team
                AND system_extensions.identifier = expected_sysexts.identifier
              )
            ) SELECT team, identifier, version, state, MAX(individual_ztl_status) OVER () ztl_status
            FROM found_sysexts
        EOT
      + value                    = ""
      + version                  = (known after apply)
    }

  # zentral_santa_configuration.default will be updated in-place
  ~ resource "zentral_santa_configuration" "default" {
        id                            = 1
      ~ name                          = "Default" -> "Weird"
        # (13 unchanged attributes hidden)
    }

  # zentral_santa_rule.signingid-yes will be created
  + resource "zentral_santa_rule" "signingid-yes" {
      + configuration_id        = 1
      + custom_message          = "No yes 🕶️"
      + description             = "Say no to yes!"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "platform:com.apple.yes"
      + target_type             = "SIGNINGID"
      + version                 = (known after apply)
    }

  # zentral_santa_rule.teamid-macpaw will be created
  + resource "zentral_santa_rule" "teamid-macpaw" {
      + configuration_id        = 1
      + custom_message          = "No MacPaw apps are allowed!!!"
      + description             = "Block MacPaw apps, mostly for demo purposes"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "S8EX82NJP6"
      + target_type             = "TEAMID"
      + version                 = (known after apply)
    }

Plan: 12 to add, 3 to change, 0 to destroy.


Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "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"
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log files _MUST_ not contain access control lists (ACLs).
            
            This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
      + source           = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_osquery_configuration.default will be updated in-place
  ~ resource "zentral_osquery_configuration" "default" {
        id                 = 1
      ~ name               = "Default" -> "Default 😛"
        # (8 unchanged attributes hidden)
    }

  # zentral_osquery_configuration_pack.default-compliance-checks will be created
  + resource "zentral_osquery_configuration_pack" "default-compliance-checks" {
      + configuration_id = 1
      + id               = (known after apply)
      + pack_id          = (known after apply)
      + tag_ids          = (known after apply)
    }

  # zentral_osquery_pack.compliance-checks will be created
  + resource "zentral_osquery_pack" "compliance-checks" {
      + description       = "The compliance checks for our macOS client"
      + discovery_queries = (known after apply)
      + id                = (known after apply)
      + name              = "Compliance checks"
      + slug              = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # zentral_osquery_query.santa-sysext-cc will be created
  + resource "zentral_osquery_query" "santa-sysext-cc" {
      + compliance_check_enabled = true
      + description              = "Check if the Santa system extension is activated, running and up-to-date"
      + id                       = (known after apply)
      + name                     = "Santa system extension check"
      + platforms                = [
          + "darwin",
        ]
      + scheduling               = {
          + can_be_denylisted   = true
          + interval            = 3600
          + log_removed_actions = false
          + pack_id             = (known after apply)
          + snapshot_mode       = true
        }
      + sql                      = <<-EOT
            WITH expected_sysexts(team, identifier, min_version) AS (
              VALUES ('EQHXZ8M8AV', 'com.google.santa.daemon', '2024.5')
            ), found_sysexts AS (
              SELECT expected_sysexts.*, system_extensions.version, system_extensions.state,
              CASE
                WHEN system_extensions.version >= expected_sysexts.min_version
                  AND system_extensions.state == 'activated_enabled'
                THEN 'OK'
                ELSE 'FAILED'
              END individual_ztl_status
              FROM expected_sysexts
              LEFT JOIN system_extensions ON (
                system_extensions.team = expected_sysexts.team
                AND system_extensions.identifier = expected_sysexts.identifier
              )
            ) SELECT team, identifier, version, state, MAX(individual_ztl_status) OVER () ztl_status
            FROM found_sysexts
        EOT
      + value                    = ""
      + version                  = (known after apply)
    }

  # zentral_santa_configuration.default will be updated in-place
  ~ resource "zentral_santa_configuration" "default" {
        id                            = 1
      ~ name                          = "Default" -> "Weird"
        # (13 unchanged attributes hidden)
    }

  # zentral_santa_rule.signingid-yes will be created
  + resource "zentral_santa_rule" "signingid-yes" {
      + configuration_id        = 1
      + custom_message          = "No yes 🕶️"
      + description             = "Say no to yes!"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "platform:com.apple.yes"
      + target_type             = "SIGNINGID"
      + version                 = (known after apply)
    }

  # zentral_santa_rule.teamid-macpaw will be created
  + resource "zentral_santa_rule" "teamid-macpaw" {
      + configuration_id        = 1
      + custom_message          = "No MacPaw apps are allowed!!!"
      + description             = "Block MacPaw apps, mostly for demo purposes"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "S8EX82NJP6"
      + target_type             = "TEAMID"
      + version                 = (known after apply)
    }

Plan: 12 to add, 3 to change, 0 to destroy.


Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "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"
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_munki_script_check.mcs-auditing-audit_acls_files_configure will be created
  + resource "zentral_munki_script_check" "mcs-auditing-audit_acls_files_configure" {
      + arch_amd64       = true
      + arch_arm64       = true
      + description      = <<-EOT
            The audit log files _MUST_ not contain access control lists (ACLs).
            
            This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
        EOT
      + excluded_tag_ids = (known after apply)
      + expected_result  = "0"
      + id               = (known after apply)
      + max_os_version   = "15"
      + min_os_version   = "14"
      + name             = "[mSCP] - Auditing - Configure Audit Log Files to Not Contain Access Control Lists"
      + source           = "/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\""
      + tag_ids          = (known after apply)
      + type             = "ZSH_INT"
      + version          = (known after apply)
    }

  # zentral_osquery_configuration.default will be updated in-place
  ~ resource "zentral_osquery_configuration" "default" {
        id                 = 1
      ~ name               = "Default" -> "Default 😛"
        # (8 unchanged attributes hidden)
    }

  # zentral_osquery_configuration_pack.default-compliance-checks will be created
  + resource "zentral_osquery_configuration_pack" "default-compliance-checks" {
      + configuration_id = 1
      + id               = (known after apply)
      + pack_id          = (known after apply)
      + tag_ids          = (known after apply)
    }

  # zentral_osquery_pack.compliance-checks will be created
  + resource "zentral_osquery_pack" "compliance-checks" {
      + description       = "The compliance checks for our macOS client"
      + discovery_queries = (known after apply)
      + id                = (known after apply)
      + name              = "Compliance checks"
      + slug              = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # zentral_osquery_query.santa-sysext-cc will be created
  + resource "zentral_osquery_query" "santa-sysext-cc" {
      + compliance_check_enabled = true
      + description              = "Check if the Santa system extension is activated, running and up-to-date"
      + id                       = (known after apply)
      + name                     = "Santa system extension check"
      + platforms                = [
          + "darwin",
        ]
      + scheduling               = {
          + can_be_denylisted   = true
          + interval            = 3600
          + log_removed_actions = false
          + pack_id             = (known after apply)
          + snapshot_mode       = true
        }
      + sql                      = <<-EOT
            WITH expected_sysexts(team, identifier, min_version) AS (
              VALUES ('EQHXZ8M8AV', 'com.google.santa.daemon', '2024.5')
            ), found_sysexts AS (
              SELECT expected_sysexts.*, system_extensions.version, system_extensions.state,
              CASE
                WHEN system_extensions.version >= expected_sysexts.min_version
                  AND system_extensions.state == 'activated_enabled'
                THEN 'OK'
                ELSE 'FAILED'
              END individual_ztl_status
              FROM expected_sysexts
              LEFT JOIN system_extensions ON (
                system_extensions.team = expected_sysexts.team
                AND system_extensions.identifier = expected_sysexts.identifier
              )
            ) SELECT team, identifier, version, state, MAX(individual_ztl_status) OVER () ztl_status
            FROM found_sysexts
        EOT
      + value                    = ""
      + version                  = (known after apply)
    }

  # zentral_santa_configuration.default will be updated in-place
  ~ resource "zentral_santa_configuration" "default" {
        id                            = 1
      ~ name                          = "Default" -> "Weird"
        # (13 unchanged attributes hidden)
    }

  # zentral_santa_rule.signingid-yes will be created
  + resource "zentral_santa_rule" "signingid-yes" {
      + configuration_id        = 1
      + custom_message          = "No yes 🕶️"
      + description             = "Say no to yes!"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "platform:com.apple.yes"
      + target_type             = "SIGNINGID"
      + version                 = (known after apply)
    }

  # zentral_santa_rule.teamid-macpaw will be created
  + resource "zentral_santa_rule" "teamid-macpaw" {
      + configuration_id        = 1
      + custom_message          = "No MacPaw apps are allowed!!!"
      + description             = "Block MacPaw apps, mostly for demo purposes"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "S8EX82NJP6"
      + target_type             = "TEAMID"
      + version                 = (known after apply)
    }

Plan: 12 to add, 3 to change, 0 to destroy.


Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "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"
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_osquery_configuration.default will be updated in-place
  ~ resource "zentral_osquery_configuration" "default" {
        id                 = 1
      ~ name               = "Default" -> "Default 😛"
        # (8 unchanged attributes hidden)
    }

  # zentral_osquery_configuration_pack.default-compliance-checks will be created
  + resource "zentral_osquery_configuration_pack" "default-compliance-checks" {
      + configuration_id = 1
      + id               = (known after apply)
      + pack_id          = (known after apply)
      + tag_ids          = (known after apply)
    }

  # zentral_osquery_pack.compliance-checks will be created
  + resource "zentral_osquery_pack" "compliance-checks" {
      + description       = "The compliance checks for our macOS client"
      + discovery_queries = (known after apply)
      + id                = (known after apply)
      + name              = "Compliance checks"
      + slug              = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # zentral_osquery_query.santa-sysext-cc will be created
  + resource "zentral_osquery_query" "santa-sysext-cc" {
      + compliance_check_enabled = true
      + description              = "Check if the Santa system extension is activated, running and up-to-date"
      + id                       = (known after apply)
      + name                     = "Santa system extension check"
      + platforms                = [
          + "darwin",
        ]
      + scheduling               = {
          + can_be_denylisted   = true
          + interval            = 3600
          + log_removed_actions = false
          + pack_id             = (known after apply)
          + snapshot_mode       = true
        }
      + sql                      = <<-EOT
            WITH expected_sysexts(team, identifier, min_version) AS (
              VALUES ('EQHXZ8M8AV', 'com.google.santa.daemon', '2024.5')
            ), found_sysexts AS (
              SELECT expected_sysexts.*, system_extensions.version, system_extensions.state,
              CASE
                WHEN system_extensions.version >= expected_sysexts.min_version
                  AND system_extensions.state == 'activated_enabled'
                THEN 'OK'
                ELSE 'FAILED'
              END individual_ztl_status
              FROM expected_sysexts
              LEFT JOIN system_extensions ON (
                system_extensions.team = expected_sysexts.team
                AND system_extensions.identifier = expected_sysexts.identifier
              )
            ) SELECT team, identifier, version, state, MAX(individual_ztl_status) OVER () ztl_status
            FROM found_sysexts
        EOT
      + value                    = ""
      + version                  = (known after apply)
    }

  # zentral_santa_configuration.default will be updated in-place
  ~ resource "zentral_santa_configuration" "default" {
        id                            = 1
      ~ name                          = "Default" -> "Weird"
        # (13 unchanged attributes hidden)
    }

  # zentral_santa_rule.signingid-yes will be created
  + resource "zentral_santa_rule" "signingid-yes" {
      + configuration_id        = 1
      + custom_message          = "No yes 🕶️"
      + description             = "Say no to yes!"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "platform:com.apple.yes"
      + target_type             = "SIGNINGID"
      + version                 = (known after apply)
    }

  # zentral_santa_rule.teamid-macpaw will be created
  + resource "zentral_santa_rule" "teamid-macpaw" {
      + configuration_id        = 1
      + custom_message          = "No MacPaw apps are allowed!!!"
      + description             = "Block MacPaw apps, mostly for demo purposes"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "S8EX82NJP6"
      + target_type             = "TEAMID"
      + version                 = (known after apply)
    }

Plan: 11 to add, 3 to change, 0 to destroy.


Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KCTxrZXk+Q29uc2VudFRleHQ8L2tleT4KCTxkaWN0PgoJCTxrZXk+ZGVmYXVsdDwva2V5PgoJCTxzdHJpbmc+VEhFIFNPRlRXQVJFIElTIFBST1ZJREVEICdBUyBJUycgV0lUSE9VVCBBTlkgV0FSUkFOVFkgT0YgQU5ZIEtJTkQsIEVJVEhFUiBFWFBSRVNTRUQsIElNUExJRUQsIE9SIFNUQVRVVE9SWSwgSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sIEFOWSBXQVJSQU5UWSBUSEFUIFRIRSBTT0ZUV0FSRSBXSUxMIENPTkZPUk0gVE8gU1BFQ0lGSUNBVElPTlMsIEFOWSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZLCBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRSwgQU5EIEZSRUVET00gRlJPTSBJTkZSSU5HRU1FTlQsIEFORCBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgRE9DVU1FTlRBVElPTiBXSUxMIENPTkZPUk0gVE8gVEhFIFNPRlRXQVJFLCBPUiBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgU09GVFdBUkUgV0lMTCBCRSBFUlJPUiBGUkVFLiAgSU4gTk8gRVZFTlQgU0hBTEwgTklTVCBCRSBMSUFCTEUgRk9SIEFOWSBEQU1BR0VTLCBJTkNMVURJTkcsIEJVVCBOT1QgTElNSVRFRCBUTywgRElSRUNULCBJTkRJUkVDVCwgU1BFQ0lBTCBPUiBDT05TRVFVRU5USUFMIERBTUFHRVMsIEFSSVNJTkcgT1VUIE9GLCBSRVNVTFRJTkcgRlJPTSwgT1IgSU4gQU5ZIFdBWSBDT05ORUNURUQgV0lUSCBUSElTIFNPRlRXQVJFLCBXSEVUSEVSIE9SIE5PVCBCQVNFRCBVUE9OIFdBUlJBTlRZLCBDT05UUkFDVCwgVE9SVCwgT1IgT1RIRVJXSVNFLCBXSEVUSEVSIE9SIE5PVCBJTkpVUlkgV0FTIFNVU1RBSU5FRCBCWSBQRVJTT05TIE9SIFBST1BFUlRZIE9SIE9USEVSV0lTRSwgQU5EIFdIRVRIRVIgT1IgTk9UIExPU1MgV0FTIFNVU1RBSU5FRCBGUk9NLCBPUiBBUk9TRSBPVVQgT0YgVEhFIFJFU1VMVFMgT0YsIE9SIFVTRSBPRiwgVEhFIFNPRlRXQVJFIE9SIFNFUlZJQ0VTIFBST1ZJREVEIEhFUkVVTkRFUi48L3N0cmluZz4KCTwvZGljdD4KCTxrZXk+UGF5bG9hZENvbnRlbnQ8L2tleT4KCTxhcnJheT4KCQk8ZGljdD4KCQkJPGtleT5FbmFibGVGaXJld2FsbDwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+RW5hYmxlTG9nZ2luZzwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+RW5hYmxlU3RlYWx0aE1vZGU8L2tleT4KCQkJPHRydWUvPgoJCQk8a2V5PkxvZ2dpbmdPcHRpb248L2tleT4KCQkJPHN0cmluZz5kZXRhaWw8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkSWRlbnRpZmllcjwva2V5PgoJCQk8c3RyaW5nPmFsYWNhcnRlLm1hY09TLllvbG8uOTgxNjk2YmYtYWVkZS00ODhiLTk2MTMtND
llMmY1YjRiOTgxPC9zdHJpbmc+CgkJCTxrZXk+UGF5bG9hZFR5cGU8L2tleT4KCQkJPHN0cmluZz5jb20uYXBwbGUuc2VjdXJpdHkuZmlyZXdhbGw8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkVVVJRDwva2V5PgoJCQk8c3RyaW5nPjk4MTY5NmJmLWFlZGUtNDg4Yi05NjEzLTQ5ZTJmNWI0Yjk4MTwvc3RyaW5nPgoJCQk8a2V5PlBheWxvYWRWZXJzaW9uPC9rZXk+CgkJCTxpbnRlZ2VyPjE8L2ludGVnZXI+CgkJPC9kaWN0PgoJPC9hcnJheT4KCTxrZXk+UGF5bG9hZERlc2NyaXB0aW9uPC9rZXk+Cgk8c3RyaW5nPkNyZWF0ZWQ6IDIwMjQtMDctMDkKQ29uZmlndXJhdGlvbiBzZXR0aW5ncyBmb3IgdGhlIGNvbS5hcHBsZS5zZWN1cml0eS5maXJld2FsbCBwcmVmZXJlbmNlIGRvbWFpbi48L3N0cmluZz4KCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+Cgk8c3RyaW5nPltZb2xvXSBjb20uYXBwbGUuc2VjdXJpdHkuZmlyZXdhbGwgc2V0dGluZ3M8L3N0cmluZz4KCTxrZXk+UGF5bG9hZElkZW50aWZpZXI8L2tleT4KCTxzdHJpbmc+Y29tLmFwcGxlLnNlY3VyaXR5LmZpcmV3YWxsLllvbG88L3N0cmluZz4KCTxrZXk+UGF5bG9hZE9yZ2FuaXphdGlvbjwva2V5PgoJPHN0cmluZz5tYWNPUyBTZWN1cml0eSBDb21wbGlhbmNlIFByb2plY3Q8L3N0cmluZz4KCTxrZXk+UGF5bG9hZFNjb3BlPC9rZXk+Cgk8c3RyaW5nPlN5c3RlbTwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVHlwZTwva2V5PgoJPHN0cmluZz5Db25maWd1cmF0aW9uPC9zdHJpbmc+Cgk8a2V5PlBheWxvYWRVVUlEPC9rZXk+Cgk8c3RyaW5nPjcxYzJlOWJiLTQxYzEtNDlkYy04NWUwLWZmNGRmYmM3ZDJhZTwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVmVyc2lvbjwva2V5PgoJPGludGVnZXI+MTwvaW50ZWdlcj4KPC9kaWN0Pgo8L3BsaXN0Pgo="
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_osquery_configuration.default will be updated in-place
  ~ resource "zentral_osquery_configuration" "default" {
        id                 = 1
      ~ name               = "Default" -> "Default 😛"
        # (8 unchanged attributes hidden)
    }

  # zentral_osquery_configuration_pack.default-compliance-checks will be created
  + resource "zentral_osquery_configuration_pack" "default-compliance-checks" {
      + configuration_id = 1
      + id               = (known after apply)
      + pack_id          = (known after apply)
      + tag_ids          = (known after apply)
    }

  # zentral_osquery_pack.compliance-checks will be created
  + resource "zentral_osquery_pack" "compliance-checks" {
      + description       = "The compliance checks for our macOS client"
      + discovery_queries = (known after apply)
      + id                = (known after apply)
      + name              = "Compliance checks"
      + slug              = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # zentral_osquery_query.santa-sysext-cc will be created
  + resource "zentral_osquery_query" "santa-sysext-cc" {
      + compliance_check_enabled = true
      + description              = "Check if the Santa system extension is activated, running and up-to-date"
      + id                       = (known after apply)
      + name                     = "Santa system extension check"
      + platforms                = [
          + "darwin",
        ]
      + scheduling               = {
          + can_be_denylisted   = true
          + interval            = 3600
          + log_removed_actions = false
          + pack_id             = (known after apply)
          + snapshot_mode       = true
        }
      + sql                      = <<-EOT
            WITH expected_sysexts(team, identifier, min_version) AS (
              VALUES ('EQHXZ8M8AV', 'com.google.santa.daemon', '2024.5')
            ), found_sysexts AS (
              SELECT expected_sysexts.*, system_extensions.version, system_extensions.state,
              CASE
                WHEN system_extensions.version >= expected_sysexts.min_version
                  AND system_extensions.state == 'activated_enabled'
                THEN 'OK'
                ELSE 'FAILED'
              END individual_ztl_status
              FROM expected_sysexts
              LEFT JOIN system_extensions ON (
                system_extensions.team = expected_sysexts.team
                AND system_extensions.identifier = expected_sysexts.identifier
              )
            ) SELECT team, identifier, version, state, MAX(individual_ztl_status) OVER () ztl_status
            FROM found_sysexts
        EOT
      + value                    = ""
      + version                  = (known after apply)
    }

  # zentral_santa_configuration.default will be updated in-place
  ~ resource "zentral_santa_configuration" "default" {
        id                            = 1
      ~ name                          = "Default" -> "Weird"
        # (13 unchanged attributes hidden)
    }

  # zentral_santa_rule.signingid-yes will be created
  + resource "zentral_santa_rule" "signingid-yes" {
      + configuration_id        = 1
      + custom_message          = "No yes 🕶️"
      + description             = "Say no to yes!"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "platform:com.apple.yes"
      + target_type             = "SIGNINGID"
      + version                 = (known after apply)
    }

  # zentral_santa_rule.teamid-macpaw will be created
  + resource "zentral_santa_rule" "teamid-macpaw" {
      + configuration_id        = 1
      + custom_message          = "No MacPaw apps are allowed!!!"
      + description             = "Block MacPaw apps, mostly for demo purposes"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "S8EX82NJP6"
      + target_type             = "TEAMID"
      + version                 = (known after apply)
    }

Plan: 11 to add, 3 to change, 0 to destroy.


Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # zentral_mdm_artifact.mscp-firewall will be created
  + resource "zentral_mdm_artifact" "mscp-firewall" {
      + auto_update                    = true
      + channel                        = "Device"
      + id                             = (known after apply)
      + install_during_setup_assistant = false
      + name                           = "mSCP - firewall"
      + platforms                      = [
          + "macOS",
        ]
      + reinstall_interval             = 0
      + reinstall_on_os_update         = "No"
      + requires                       = (known after apply)
      + type                           = "Profile"
    }

  # zentral_mdm_blueprint_artifact.mscp-firewall will be created
  + resource "zentral_mdm_blueprint_artifact" "mscp-firewall" {
      + artifact_id        = (known after apply)
      + blueprint_id       = 1
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
    }

  # zentral_mdm_profile.mscp-firewall-1 will be created
  + resource "zentral_mdm_profile" "mscp-firewall-1" {
      + artifact_id        = (known after apply)
      + default_shard      = 100
      + excluded_tag_ids   = []
      + id                 = (known after apply)
      + ios                = false
      + ios_max_version    = ""
      + ios_min_version    = ""
      + ipados             = false
      + ipados_max_version = ""
      + ipados_min_version = ""
      + macos              = true
      + macos_max_version  = ""
      + macos_min_version  = ""
      + shard_modulo       = 100
      + source             = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KCTxrZXk+Q29uc2VudFRleHQ8L2tleT4KCTxkaWN0PgoJCTxrZXk+ZGVmYXVsdDwva2V5PgoJCTxzdHJpbmc+VEhFIFNPRlRXQVJFIElTIFBST1ZJREVEICdBUyBJUycgV0lUSE9VVCBBTlkgV0FSUkFOVFkgT0YgQU5ZIEtJTkQsIEVJVEhFUiBFWFBSRVNTRUQsIElNUExJRUQsIE9SIFNUQVRVVE9SWSwgSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sIEFOWSBXQVJSQU5UWSBUSEFUIFRIRSBTT0ZUV0FSRSBXSUxMIENPTkZPUk0gVE8gU1BFQ0lGSUNBVElPTlMsIEFOWSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZLCBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRSwgQU5EIEZSRUVET00gRlJPTSBJTkZSSU5HRU1FTlQsIEFORCBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgRE9DVU1FTlRBVElPTiBXSUxMIENPTkZPUk0gVE8gVEhFIFNPRlRXQVJFLCBPUiBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgU09GVFdBUkUgV0lMTCBCRSBFUlJPUiBGUkVFLiAgSU4gTk8gRVZFTlQgU0hBTEwgTklTVCBCRSBMSUFCTEUgRk9SIEFOWSBEQU1BR0VTLCBJTkNMVURJTkcsIEJVVCBOT1QgTElNSVRFRCBUTywgRElSRUNULCBJTkRJUkVDVCwgU1BFQ0lBTCBPUiBDT05TRVFVRU5USUFMIERBTUFHRVMsIEFSSVNJTkcgT1VUIE9GLCBSRVNVTFRJTkcgRlJPTSwgT1IgSU4gQU5ZIFdBWSBDT05ORUNURUQgV0lUSCBUSElTIFNPRlRXQVJFLCBXSEVUSEVSIE9SIE5PVCBCQVNFRCBVUE9OIFdBUlJBTlRZLCBDT05UUkFDVCwgVE9SVCwgT1IgT1RIRVJXSVNFLCBXSEVUSEVSIE9SIE5PVCBJTkpVUlkgV0FTIFNVU1RBSU5FRCBCWSBQRVJTT05TIE9SIFBST1BFUlRZIE9SIE9USEVSV0lTRSwgQU5EIFdIRVRIRVIgT1IgTk9UIExPU1MgV0FTIFNVU1RBSU5FRCBGUk9NLCBPUiBBUk9TRSBPVVQgT0YgVEhFIFJFU1VMVFMgT0YsIE9SIFVTRSBPRiwgVEhFIFNPRlRXQVJFIE9SIFNFUlZJQ0VTIFBST1ZJREVEIEhFUkVVTkRFUi48L3N0cmluZz4KCTwvZGljdD4KCTxrZXk+UGF5bG9hZENvbnRlbnQ8L2tleT4KCTxhcnJheT4KCQk8ZGljdD4KCQkJPGtleT5FbmFibGVGaXJld2FsbDwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+RW5hYmxlTG9nZ2luZzwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+RW5hYmxlU3RlYWx0aE1vZGU8L2tleT4KCQkJPHRydWUvPgoJCQk8a2V5PkxvZ2dpbmdPcHRpb248L2tleT4KCQkJPHN0cmluZz5kZXRhaWw8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkSWRlbnRpZmllcjwva2V5PgoJCQk8c3RyaW5nPmFsYWNhcnRlLm1hY09TLllvbG8uOTgxNjk2YmYtYWVkZS00ODhiLTk2MTMtND
llMmY1YjRiOTgxPC9zdHJpbmc+CgkJCTxrZXk+UGF5bG9hZFR5cGU8L2tleT4KCQkJPHN0cmluZz5jb20uYXBwbGUuc2VjdXJpdHkuZmlyZXdhbGw8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkVVVJRDwva2V5PgoJCQk8c3RyaW5nPjk4MTY5NmJmLWFlZGUtNDg4Yi05NjEzLTQ5ZTJmNWI0Yjk4MTwvc3RyaW5nPgoJCQk8a2V5PlBheWxvYWRWZXJzaW9uPC9rZXk+CgkJCTxpbnRlZ2VyPjE8L2ludGVnZXI+CgkJPC9kaWN0PgoJPC9hcnJheT4KCTxrZXk+UGF5bG9hZERlc2NyaXB0aW9uPC9rZXk+Cgk8c3RyaW5nPkNyZWF0ZWQ6IDIwMjQtMDctMDkKQ29uZmlndXJhdGlvbiBzZXR0aW5ncyBmb3IgdGhlIGNvbS5hcHBsZS5zZWN1cml0eS5maXJld2FsbCBwcmVmZXJlbmNlIGRvbWFpbi48L3N0cmluZz4KCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+Cgk8c3RyaW5nPltZb2xvXSBjb20uYXBwbGUuc2VjdXJpdHkuZmlyZXdhbGwgc2V0dGluZ3M8L3N0cmluZz4KCTxrZXk+UGF5bG9hZElkZW50aWZpZXI8L2tleT4KCTxzdHJpbmc+Y29tLmFwcGxlLnNlY3VyaXR5LmZpcmV3YWxsLllvbG88L3N0cmluZz4KCTxrZXk+UGF5bG9hZE9yZ2FuaXphdGlvbjwva2V5PgoJPHN0cmluZz5tYWNPUyBTZWN1cml0eSBDb21wbGlhbmNlIFByb2plY3Q8L3N0cmluZz4KCTxrZXk+UGF5bG9hZFNjb3BlPC9rZXk+Cgk8c3RyaW5nPlN5c3RlbTwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVHlwZTwva2V5PgoJPHN0cmluZz5Db25maWd1cmF0aW9uPC9zdHJpbmc+Cgk8a2V5PlBheWxvYWRVVUlEPC9rZXk+Cgk8c3RyaW5nPjcxYzJlOWJiLTQxYzEtNDlkYy04NWUwLWZmNGRmYmM3ZDJhZTwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVmVyc2lvbjwva2V5PgoJPGludGVnZXI+MTwvaW50ZWdlcj4KPC9kaWN0Pgo8L3BsaXN0Pgo="
      + tag_shards         = []
      + tvos               = false
      + tvos_max_version   = ""
      + tvos_min_version   = ""
      + version            = 1
    }

  # zentral_monolith_manifest_sub_manifest.default-apps will be created
  + resource "zentral_monolith_manifest_sub_manifest" "default-apps" {
      + id              = (known after apply)
      + manifest_id     = 1
      + sub_manifest_id = (known after apply)
      + tag_ids         = (known after apply)
    }

  # zentral_monolith_sub_manifest.apps will be created
  + resource "zentral_monolith_sub_manifest" "apps" {
      + description = "The mandatory apps for our standard macOS client"
      + id          = (known after apply)
      + name        = "Mandatory apps"
    }

  # zentral_monolith_sub_manifest_pkg_info.onepassword will be created
  + resource "zentral_monolith_sub_manifest_pkg_info" "onepassword" {
      + default_shard    = 100
      + excluded_tag_ids = []
      + featured_item    = false
      + id               = (known after apply)
      + key              = "managed_installs"
      + pkg_info_name    = "1Password"
      + shard_modulo     = 100
      + sub_manifest_id  = (known after apply)
      + tag_shards       = []
    }

  # zentral_munki_configuration.default will be updated in-place
  ~ resource "zentral_munki_configuration" "default" {
        id                                  = 1
      ~ name                                = "Default" -> "Default 🫁"
      ~ version                             = 0 -> (known after apply)
        # (9 unchanged attributes hidden)
    }

  # zentral_osquery_configuration.default will be updated in-place
  ~ resource "zentral_osquery_configuration" "default" {
        id                 = 1
      ~ name               = "Default" -> "Default 😛"
        # (8 unchanged attributes hidden)
    }

  # zentral_osquery_configuration_pack.default-compliance-checks will be created
  + resource "zentral_osquery_configuration_pack" "default-compliance-checks" {
      + configuration_id = 1
      + id               = (known after apply)
      + pack_id          = (known after apply)
      + tag_ids          = (known after apply)
    }

  # zentral_osquery_pack.compliance-checks will be created
  + resource "zentral_osquery_pack" "compliance-checks" {
      + description       = "The compliance checks for our macOS client"
      + discovery_queries = (known after apply)
      + id                = (known after apply)
      + name              = "Compliance checks"
      + slug              = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # zentral_osquery_query.santa-sysext-cc will be created
  + resource "zentral_osquery_query" "santa-sysext-cc" {
      + compliance_check_enabled = true
      + description              = "Check if the Santa system extension is activated, running and up-to-date"
      + id                       = (known after apply)
      + name                     = "Santa system extension check"
      + platforms                = [
          + "darwin",
        ]
      + scheduling               = {
          + can_be_denylisted   = true
          + interval            = 3600
          + log_removed_actions = false
          + pack_id             = (known after apply)
          + snapshot_mode       = true
        }
      + sql                      = <<-EOT
            WITH expected_sysexts(team, identifier, min_version) AS (
              VALUES ('EQHXZ8M8AV', 'com.google.santa.daemon', '2024.5')
            ), found_sysexts AS (
              SELECT expected_sysexts.*, system_extensions.version, system_extensions.state,
              CASE
                WHEN system_extensions.version >= expected_sysexts.min_version
                  AND system_extensions.state == 'activated_enabled'
                THEN 'OK'
                ELSE 'FAILED'
              END individual_ztl_status
              FROM expected_sysexts
              LEFT JOIN system_extensions ON (
                system_extensions.team = expected_sysexts.team
                AND system_extensions.identifier = expected_sysexts.identifier
              )
            ) SELECT team, identifier, version, state, MAX(individual_ztl_status) OVER () ztl_status
            FROM found_sysexts
        EOT
      + value                    = ""
      + version                  = (known after apply)
    }

  # zentral_santa_configuration.default will be updated in-place
  ~ resource "zentral_santa_configuration" "default" {
        id                            = 1
      ~ name                          = "Default" -> "Weird"
        # (13 unchanged attributes hidden)
    }

  # zentral_santa_rule.signingid-yes will be created
  + resource "zentral_santa_rule" "signingid-yes" {
      + configuration_id        = 1
      + custom_message          = "No yes 🕶️"
      + description             = "Say no to yes!"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "platform:com.apple.yes"
      + target_type             = "SIGNINGID"
      + version                 = (known after apply)
    }

  # zentral_santa_rule.teamid-macpaw will be created
  + resource "zentral_santa_rule" "teamid-macpaw" {
      + configuration_id        = 1
      + custom_message          = "No MacPaw apps are allowed!!!"
      + description             = "Block MacPaw apps, mostly for demo purposes"
      + excluded_primary_users  = []
      + excluded_serial_numbers = []
      + excluded_tag_ids        = []
      + id                      = (known after apply)
      + policy                  = "BLOCKLIST"
      + primary_users           = []
      + ruleset_id              = (known after apply)
      + serial_numbers          = []
      + tag_ids                 = []
      + target_identifier       = "S8EX82NJP6"
      + target_type             = "TEAMID"
      + version                 = (known after apply)
    }

Plan: 11 to add, 3 to change, 0 to destroy.

@np5 np5 closed this Jul 10, 2024
@np5 np5 deleted the Debug-exitcode branch July 10, 2024 01:25