✨ Add macOS FileVault, Gatekeeper, and SIP resources#7059
Merged
Conversation
Add three new macOS security resources to the OS provider for compliance checking of core macOS security controls: - macos.filevault: FileVault full-disk encryption status via fdesetup - macos.gatekeeper: Gatekeeper app execution policy via spctl - macos.sip: System Integrity Protection status via csrutil Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![mondoo-code-review[bot]](https://avatars.githubusercontent.com/in/2834902?s=60&v=4){kind=small}
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
tas50
force-pushed
the
feat/macos-security-resources
branch
from
c83fa37 to
ea6a9ae
Compare
tas50
force-pushed
the
feat/macos-security-resources
branch
from
ea6a9ae to
6e2393f
Compare
Contributor
- Use Internal struct caching to avoid double command execution - Use command resource pattern instead of conn.RunCommand - Use more specific SIP enabled check (status: enabled) - Add filevault to spelling expect.txt - Add hasPersonalRecoveryKey, hasInstitutionalRecoveryKey, users fields to filevault Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tas50
force-pushed
the
feat/macos-security-resources
branch
from
6e2393f to
e41ffed
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
macos.filevaultresource for FileVault full-disk encryption status (fdesetup status)enabled,status,hasPersonalRecoveryKey,hasInstitutionalRecoveryKey,usersmacos.gatekeeperresource for Gatekeeper app execution policy (spctl --status)macos.sipresource for System Integrity Protection status (csrutil status)Each resource exposes
enabled(bool) andstatus(string) as default fields, following the same patterns as existing macOS resources. All resources use Internal struct caching to avoid duplicate command execution and thecommandresource pattern for proper execution context.Example usage
Test plan
mql run local -c "macos.filevault"— verify FileVault status is reportedmql run local -c "macos.filevault { hasPersonalRecoveryKey hasInstitutionalRecoveryKey users }"— verify recovery key and user fieldsmql run local -c "macos.gatekeeper"— verify Gatekeeper assessment statusmql run local -c "macos.sip"— verify SIP statusmake mql/generate && git diff --exit-code)🤖 Generated with Claude Code