This repository has been archived by the owner on Sep 16, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 47
LoginHook
Maxim Ermilov edited this page Sep 7, 2017
·
3 revisions
To enforce encryption compliance on your Mac workstations you will likely want to execute Cauliflower Vest as part of the user's login steps, perhaps by using a login hook.
To view more general information about login hooks, please refer to Apple login hook documentation.
This login hook serves as an example of one way you may wish to approach enforcement. It currently checks for any encrypted partition on the disk, rather than a specific partition (such as the boot partition).
Note: You will ultimately want to make modifications to this script.
As is, a local account named YOUR_LOCAL_ADMIN_ACCOUNT
is able to login
without being forced to encrypt.
#!/bin/bash
#
# Automatically starts Cauliflower Vest on unencrypted disks during login.
#
# Cauliflower Vest needs to run as the target login user, so $1 is passed in,
# as the current user, while the script is running as root.
readonly BINARY="/usr/local/bin/cauliflowervest"
readonly DISKUTIL="/usr/sbin/diskutil"
log() {
echo "${@}" >&2
logger -t request_encryption "${@}"
}
check_encryption_state() {
${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Pending'
if [[ ${?} -eq 0 ]]; then
log "Disk encryption pending, skipping."
exit 0
fi
${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Complete'
if [[ ${?} -eq 0 ]]; then
log "Disk encryption complete, skipping."
exit 0
fi
${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Converting'
if [[ ${?} -eq 0 ]]; then
log "Disk encrypting or decrypting, skipping."
exit 0
fi
}
# Replace YOUR_LOCAL_ADMIN_ACCOUNT here if you want to allow such accounts to bypass this check.
main() {
check_encryption_state
if [[ $1 == "root" || $1 == "YOUR_LOCAL_ADMIN_ACCOUNT" ]]; then
log "Exiting Cauliflower Vest hook for $1 logging in."
exit 0
fi
# Uncomment the following three lines for use with iHook
#echo "%WINDOWLEVEL NORMAL"
#echo "%BEGINPOLE"
#echo "%RESIGNKEY"
if [ -f ${BINARY} ]; then
cd /tmp
${BINARY} --username ${1}
BINARY_EXIT=${?}
log "Cauliflower Vest exited with ${BINARY_EXIT}"
else
log "Cauliflower Vest doesn't exist! Please contact helpdesk!"
echo "Cauliflower Vest doesn't exist! Please visit helpdesk!"
sleep 10
fi
# Uncomment the following four lines for use with iHook
#echo "%BECOMEKEY"
#echo "%ENDPOLE"
#echo "%WINDOWLEVEL HIGH"
#echo "%TITLE Cauliflower Vest Encryption."
if [[ ${BINARY_EXIT} == 0 ]]; then
echo "Cauliflower Vest needs to reboot to begin encryption." >&2
echo "Rebooting..." >&2
for i in 0 20 40 60 80 100; do
echo "%${i}"
sleep 1
done
/sbin/shutdown -r now
fi
# Here, we've either already bailed out, or failed, soooo...
echo "Cauliflower Vest couldn't encrypt your disk."
echo "Please contact helpdesk immediately!"
sleep 1000
}
main "${@}"