Security Applescript




erikg
Oct 5, 2010, 05:33 PM
Hey Guys,

I am attempting to create a script that will either turn on or off auto log-off under the security preference pane as well as doing it without a password prompt.

When run it will give me a dialog box with three choices: Yes, No, Cancel.

For some reason when I run it, everything seems to compile fine and I get an echo message in the console that seems to show everything doing what it should. When I double check that the auto log-off option has been affected, it never changes...

display dialog "Auto Logoff Script" buttons {"Yes", "No", "Cancel"} default button 3
set the button_pressed to the button returned of the result

if the button_pressed is "Yes" then
    tell application "System Events"
        tell security preferences
            get properties
            --> returns: {require password to wake:false, class:security preferences object, secure virtual memory:false, require password to unlock:false, automatic login:false, log out when inactive:false, log out when inactive interval:60}
            set properties to {log out when inactive:true}
        end tell
    end tell

else if the button_pressed is "No" then
    tell application "System Events"
        tell security preferences
            get properties
            --> returns: {require password to wake:false, class:security preferences object, secure virtual memory:false, require password to unlock:false, automatic login:false, log out when inactive:false, log out when inactive interval:60}
            set properties to {log out when inactive:false}
        end tell
    end tell

else
    display dialog "Canceled"
end if


Appreciate any help/advice on this!



chown33
Oct 5, 2010, 09:02 PM
There's no way you can get this to work without using an admin password. There may be a way to do it by circumventing or undermining the security architecture, but that opens up a security hole.

Why does this particular setting need to be scripted for instant on/off without a password?

erikg
Oct 5, 2010, 09:46 PM
If the password could not be avoided that's fine, but I would like to get it running at least.

I am using this on a laptop with some sensitive info. It goes in and out of secure areas and I just want something I can click on quickly depending on the environment I am in.

chown33
Oct 6, 2010, 01:10 AM
> I am using this on a laptop with some sensitive info. It goes in and out of secure areas and I just want something I can click on quickly depending on the environment I am in.

From a security standpoint, that makes no sense to me.
Just leave it set so it always logs out on idle.

Inside the secured area, no harm is caused by having it always log out when left idle. It may be inconvenient, but security is all about inconvenient tradeoffs. There may even be a policy that computers in the secured area must log out when idle.

Outside the secured area, that is definitely what should happen, policy or not. I doubt there's a policy that allows idle machines containing sensitive info being left open for anyone outside the secured area to use. I'm not sure why a machine containing sensitive info is allowed to leave a secured area, but with no details it's impossible to guess.

I see no reason why you'd ever want to turn this setting off when sensitive info is present.

erikg
Oct 6, 2010, 05:35 AM
Thank you for your insight, I appreciate your feedback on this topic and certainly understand the points you are raising.

Going from there, my original question is not based on the appropriate ways of handling security, I am really hoping someone would be able to point out a working method for the script I am trying to create, or if it's even possible.

Not trying to come off as an arse or anything, :)
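
An added example, not part of any post in this thread: a variant of the script from the first post that sets the single `log out when inactive` property and then reads it back, so a change that silently fails is reported instead of assumed. The handler and variable names are hypothetical, and it assumes, as chown33 says above, that System Events may refuse the change or require administrator authentication; the script only reports the outcome and does not work around that.

```applescript
-- Added example, not code from the thread. Names below are hypothetical.
-- Sets one property of System Events' security preferences, then reads it
-- back to confirm whether the change actually took effect.
on setLogoutWhenInactive(wanted)
    set failure to missing value
    tell application "System Events"
        tell security preferences
            set oldValue to (get log out when inactive)
            try
                set log out when inactive to wanted
            on error errMsg number errNum
                -- For example: authentication refused or change not permitted
                set failure to "Set failed (" & errNum & "): " & errMsg
            end try
            set newValue to (get log out when inactive)
        end tell
    end tell
    if failure is not missing value then return failure
    if newValue is wanted then
        return "log out when inactive: " & oldValue & " -> " & newValue
    else
        return "No error was reported, but the value is still " & newValue
    end if
end setLogoutWhenInactive

try
    set choice to button returned of (display dialog "Log out automatically when idle?" buttons {"Cancel", "Off", "On"} default button "On" cancel button "Cancel")
on error number -128
    -- A button named "Cancel" raises error -128 (user canceled) instead of
    -- returning its name, so it has to be caught here, not in an else branch.
    return
end try

display dialog setLogoutWhenInactive(choice is "On") buttons {"OK"} default button "OK"
```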