Summary
os_hibernate_mode_apple_silicon_enable check doesn't run on MacBook Air M2 13 and even if it were to run it would've tested only “Battery Power” profile, allowing other profiles to be misconfigured. Here is the relevant code:
Steps to reproduce
Misconfigure all the profiles by running
Run the above code on a MacBook Air M2 13 (I think other devices are no different, but I have access only to this one.)
Operating System version
macOS 14.2.1
Intel or Apple Silicon
Apple Silicon
What is the current bug behavior?
The check with my debugging additions prints
The number of errors is 0, despite all profiles having a long sleep, display sleep that is lower than sleep, and hibernate mode that is not 25.
What is the expected correct behavior?
The first line is just for debugging:
Relevant logs and/or screenshots
/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice with everything that looks like a serial number removed:
The output has no MacBook string in it, and thus fails.
Possible fixes
CIS “2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep and Display Sleep (Apple Silicon) (Automated)” uses a different command to find out whether the device is a MacBook or not:
/usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -e MacBook
I'm not actually sure why this check is even needed. If the rule is not supposed to apply to desktop Macs, the fix should use pmset -b -c instead of pmset -a.
The following awk script validates the values of all power profiles
Every displaysleep and sleep line gets its own entry in the arrays; entries at the same index are assumed to come from the same power profile.
Also, it looks like sleep and display sleep timers are enforceable with a profile:
Despite CIS “2.9.3 Ensure Wake for Network Access Is Disabled (Automated)” having a note about com.apple.EnergySaver.*:
Note: … This profile will only apply the setting at installation and is not sticky.
in my tests, even though pmset parameters can be changed, they revert to profile values after a restart (including the womp that CIS note is talking about (see system_settings_wake_network_access_disable)).
If the profile approach is adopted, then the awk script should validate only the hibernatemode. Sleep timers can be checked by grepping the output of profiles.
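One way to validate every power profile rather than only “Battery Power”, shown as an added example that is not the awk script from the issue: it parses pmset -g custom output and tracks each profile by its header line instead of by array index. The function name, the 15 and 10 minute limits and the sample input are assumptions; only the hibernatemode value 25 comes from the issue.

```shell
#!/bin/sh
# Added example, not the issue author's script.
# Assumed limits in minutes (not stated in the issue); hibernatemode 25 is from the issue.
MAX_SLEEP=15
MAX_DISPLAYSLEEP=10

# Reads `pmset -g custom` text on stdin. Prints one line per violation,
# then the total error count on the last line.
check_power_profiles() {
  awk -v max_sleep="$MAX_SLEEP" -v max_display="$MAX_DISPLAYSLEEP" '
    function fail(msg) { printf "%s: %s\n", profile, msg; errors++ }
    # Validate the profile collected so far, then reset for the next one.
    # An empty value means the key was missing; 0 means the timer is disabled.
    function finish() {
      if (profile == "") return
      if (slp == "" || slp + 0 == 0 || slp + 0 > max_sleep + 0)
        fail("sleep=" slp)
      if (dsp == "" || dsp + 0 == 0 || dsp + 0 > max_display + 0)
        fail("displaysleep=" dsp)
      if (hib != "25")
        fail("hibernatemode=" hib)
      slp = dsp = hib = ""
    }
    # A line ending in ":" (for example "Battery Power:") starts a new profile.
    /:[ \t]*$/ { finish(); profile = $0; sub(/:[ \t]*$/, "", profile); next }
    $1 == "sleep"         { slp = $2 }
    $1 == "displaysleep"  { dsp = $2 }
    $1 == "hibernatemode" { hib = $2 }
    END { finish(); print errors + 0 }
  '
}

# Constructed sample in the layout printed by `pmset -g custom`.
SAMPLE='Battery Power:
 Sleep On Power Button 1
 hibernatemode        3
 displaysleep         2
 sleep                1
AC Power:
 hibernatemode        25
 displaysleep         30
 sleep                0
'

# On a Mac: /usr/bin/pmset -g custom | check_power_profiles
printf '%s' "$SAMPLE" | check_power_profiles
```

Because each setting is tied to the profile header it appeared under, a profile that omits a key is reported as a failure instead of shifting the values of later profiles.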