Commit c3ac9ed6 authored by Oliver Lowe's avatar Oliver Lowe

intial commit. Fleshing out the concepts.

A traditional company in 2008 likely provides PC workstations running
Windows. The workstation periodically polls a central server which
dictates how the workstation should be configured.
A company like OlinData in 2018 consists of employees who understand
how to configure IT systems and why devices should be configured in a
particular way. They also prefer to manage their own devices'
configuration. Maybe this is to avoid the technical frustration of a
mandatory network connection to a server which, like any network link,
can be unreliable. Or it could be to avoid the frustration of not
being allowed to use their preferred operating system or userspace
software, since configuration is unconditionally enforced to ease
administration across several devices.
Regardless of the type of company, any company needs to know if
employee's devices' configuration is compliant with a standard in the
interest of security.
comply is a small system composed out of basic tools to inform the
user if their device adheres to defined standards. It does this
quickly and unintrusively, without the need for a centralised server.
comply takes inspiration from Netflix's Stethoscope and the plumber(4)
file system from Plan 9. comply differs from Stethoscope in that it
uses native programs to gather system configuration. comply differs
from the plumber system in not being as flexible or well implemented.
The simplest usage of comply is to pass data to it via the standard
input stream. For example, to see if our system operating system
complies with accepted standards, send data from uname(1):
uname -a | comply
The default firewall in macOS is configured in System Preferences. The
plutil(1) program can print configuration set in System Preferences
from the underlying plist files.
plutil -p /Library/Preferences/ | comply
comply reads input text and tests for a match against a rule. On a
match, the matching rule's 'policy' program is executed. The exit code
returned by the program determines if the configuration is compliant.
Comply is configured with a rules file. Here is a sample file which
can be used for the previous macOS firewall example:
data matches 'globalstate => [0-9]'
comply to macfirewall
If the input data contained 'globalstate => 0' or 'globalstate => 2'
then the policy 'macfirewall' would be executed with the same input
data passed to it.
'Policies' can be written in any language. In fact they do not even
need to be real programs.
While developing this idea I was testing the output of uname(1) on a
couple of my laptops. The output was in this form:
OpenBSD 6.2 GENERIC.MP#7 amd64
A matching comply rule would be:
data matches 'OpenBSD.*GENERIC'
comply to uname_openbsd
The policy 'uname_openbsd' is just a grep(1) script:
#!/usr/bin/egrep -f
If my laptop was running OpenBSD 6.1 (i.e. an old version), then
'uname_openbsd' would exit with error, since neither of the numbers
would be present in the input data. comply interprets the returned
error as a non-compliant configuration and informs the user.
# sample input:
# plutil -convert json -o - /Library/Preferences/
import sys
import json
d = json.load(sys.stdin)
# globalstate from the /Library/Preferences/com.appple.alf.plist holds
# the state of the firewall as an integer.
fwstate = d["globalstate"]
if fwstate > 0:
print("alf firewall enabled")
print ("alf firewall disabled")
data matches 'OpenBSD'
comply to uname_openbsd
data matches 'Darwin Kernel Version'
comply to uname_darwin
data matches 'FMMEnabled'
comply to findmymac
data matches 'LastAttemptSystemVersion'
comply to softwareupdate
data matches 'GuestEnabled'
comply to darwinguest
data matches '\"globalstate\":[0-9],\"firewall\":'
comply to macfirewall
#!/usr/bin/egrep -f
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment