[Auditor] Custom Checks

Custom checks allow you to define your own rules using YAML files, so you can add checks for whatever you deem necessary for your security. They are scoped to your own user account and can't run under sudo.

To enable them, turn on the option under Auditor preferences, create a folder named ParetoAuditor in Documents, and add a .yaml file to it that follows the US NIST specification. Note that each time you change a check or add a new one, you have to restart the app for it to pick up the changes.

For example, the following check reports when you have outdated brew packages:

id: brew_outdated_packages
title: No Outdated Brew packages
# get the list of outdated packages, count lines, print 1 if any lines are found
check: |
  brew outdated | wc -l | tr -d '[:space:]' | xargs | awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
result:
  integer: 0

The above example would have a strange check title, "No Outdated Brew packages are passing." You can add titleOn and titleOff parameters to describe your check better.

id: brew_outdated_packages
titlePass: No Outdated Brew packages found
titleFail: New Brew packages found
# get the list of outdated packages, count lines, print 1 if any lines are found
check: |
  brew outdated | wc -l | tr -d '[:space:]' | xargs | awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
result:
  integer: 0

Now, when you click on the check in Pareto Auditor, it takes you to this page, which is not ideal. However, you can specify any valid URL in the url parameter so that the check links to your own docs.

id: brew_outdated_packages
titlePass: No Outdated Brew packages found
titleFail: New Brew packages found
url: https://docs.brew.sh/FAQ
# get the list of outdated packages, count lines, print 1 if any lines are found
check: |
  brew outdated | wc -l | tr -d '[:space:]' | xargs | awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
result:
  integer: 0
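
The check command used in the examples above prints 0 whenever `brew outdated` produces no output, which also happens when brew is missing or exits with an error. The following is an added example, not part of the Pareto documentation: it runs the page's pipeline against constructed stand-ins for `brew outdated` and compares it with a variant that fails closed. The helper names `page_check`, `strict_check` and `verdict` are hypothetical, and the rule that a check passes when its output equals the integer under `result:` is an assumption.

```shell
#!/bin/sh
# Added example: dry-run a custom check command in a terminal before
# restarting the app. Runs as the current user, like custom checks do.

# The page's pipeline. The listing command is passed as $1 so a constructed
# stand-in can replace `brew outdated` and the script runs offline.
page_check() {
    sh -c "$1" 2>/dev/null | wc -l | tr -d '[:space:]' |
        awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
}

# Fail-closed variant: a non-zero exit from the listing command, or any
# non-empty output, prints 1. Only a clean, empty listing prints 0.
strict_check() {
    if ! listing=$(sh -c "$1" 2>/dev/null); then
        echo 1
        return 0
    fi
    if [ -n "$listing" ]; then
        echo 1
    else
        echo 0
    fi
}

# verdict EXPECTED ACTUAL
# Assumption: the check passes when ACTUAL equals the integer under `result:`.
verdict() {
    if [ "$2" -eq "$1" ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# Constructed stand-ins for `brew outdated`:
#   two outdated packages / nothing outdated / brew not installed (exit 127)
for cmd in "printf 'openssl@3\nwget\n'" "true" "exit 127"; do
    printf '%-32s page=%s strict=%s\n' "$cmd" \
        "$(verdict 0 "$(page_check "$cmd")")" \
        "$(verdict 0 "$(strict_check "$cmd")")"
done
```

To test a real check, pass its listing command instead of a stand-in, for example `strict_check "brew outdated"`.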

For many more examples, see the NIST macOS Security Compliance Project on GitHub.
