jamf / cis-for-macos-catalina-cp
CIS Benchmarks for macOS Catalina
License: MIT License
Not really an issue with this version, which is working fine on Catalina, but it does have big fails on Big Sur.
I'm getting run times of over 12 hours, most about 18.
Any plans to update this for Big Sur?
I have some confusion regarding this CIS script.
Question #1: can I use one rather than the other, i.e. either REMEDIATED USING CONFIGURATION PROFILES or script remediation with a policy? Or do I have to use both?
Question #2: Getting a "Python command not found" syntax error for the following command:
currentUser="$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')"
Question #3: Confused about the 2_Security_Audit_Compliance.sh script and how that will impact the others as well. So please let me know how I can perform that. Another thing: for those remediations which I will remediate via a profile, do I need to set those organizational values to true or false? Like
OrgScore2_1_1="false".
Question #4: When I deployed the Custom Settings profile, the .plist is not updating, but it shows as applied.
Example: 2.10 Enable Secure Keyboard Entry in terminal.app and iTerm 2
I used the configuration profile and it shows Secure Keyboard Entry checked when I look from the Apple menu, but that did not change the SecureKeyboardEntry key value to True in /Users/pcmwksadm/Library/Preferences/com.apple.Terminal.plist.
I have noticed that the Jamf scripts have the wrong benchmarks in some cases.
EXAMPLE:
Within the 1_Set_Organization_Priorities.sh script, the following is stated:
## 2.5.6 Enable Location Services (Not Scored)
## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
## It is considered user opt in.
## 2.5.7 Monitor Location Services Access (Not Scored)
## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
## It is considered user opt in.
This does not align with the CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf from CIS Workbench.
According to the CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document, Location services are 2.5.3 and 2.5.4
The 1_Set_Organization_Priorities.sh script shows 2.5.3 and 2.5.4 as follows:
# 2.5.3 Enable Firewall
# Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked)
OrgScore2_5_3="true"
# OrgScore2_5_3="false"
# 2.5.4 Enable Firewall Stealth Mode
# Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked)
OrgScore2_5_4="true"
# OrgScore2_5_4="false"
The CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document shows firewall as follows:
To date, these are the only discrepancies I have found. There may be others.
As of the current CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document, the Jamf Scripts for CIS do not align.
When will Jamf come out with the CIS for macOS Big Sur?
In the remediation script, if 2.4.1 (Remote Apple Events) is enabled, the remediation fails since the absolute path is not used.
Script result: setremoteappleevents: Turning Remote AppleEvents on or off requires Full Disk Access privileges.
Updating the script to use /usr/sbin/systemsetup -setremoteappleevents off resolves that issue.
Jamf PPPC profile is installed.
For 2.6.4 in the audit script - the audit for 2.6.4 is incorrect when calling out the audit and plistlocation - it's a typo - 2_7_4:
Audit2_7_4="$(defaults read "$plistlocation" OrgScore2_7_4)"
For 2.5.1.2 in the audit script - the audit for 2.5.1.2 is incorrect when calling out the plistlocation - it's a typo - 2_6_1_2:
Audit2_5_1_2="$(defaults read "$plistlocation" OrgScore2_6_1_2)"
The guest home folder is detected with:
ls /Users/ 2>&1 | grep -c Guest
This can result in misdetection if a local user account contains "Guest", for example if you create user accounts with the name "Kiosk Guest Account" or "Guest Campus".
These are not Guest accounts in a strict sense. Therefore they should not be counted as a detection. To fix this, replace the line with
ls /Users/ 2>&1 | grep -cx Guest
This will ensure a whole line matching and solve the issue.
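The miscount described in this report, reproduced as an added example that is not part of the repository's audit script. It runs the original substring match and the proposed whole-line match over a constructed stand-in for the output of `ls /Users/` (the folder names are made up for the example), so the difference can be checked without touching a real /Users directory. The `guest_home_check` verdict function is an added convenience, not the script's own logic.

```shell
# Added example (not from the jamf/cis-for-macos-catalina-cp scripts): shows why
# `grep -c Guest` over-counts and `grep -cx Guest` does not.

# Constructed stand-in for the output of `ls /Users/`; only "Guest" is a true
# guest home folder, the other two merely contain the word.
sample_user_listing() {
  printf '%s\n' 'Shared' 'Guest' 'Kiosk Guest Account' 'Guest Campus' 'alice'
}

# Original audit logic: substring match, so every line containing "Guest" counts.
# Takes the listing as its first argument.
count_guest_substring() {
  printf '%s\n' "$1" | grep -c Guest
}

# Corrected logic: -x requires the entire line to equal "Guest".
count_guest_exact() {
  printf '%s\n' "$1" | grep -cx Guest
}

# Audit-style verdict (added here, not the script's own): a real guest home
# folder present means the check fails, otherwise it passes.
guest_home_check() {
  if [ "$(count_guest_exact "$1")" -gt 0 ]; then
    echo "fail"
  else
    echo "pass"
  fi
}

listing=$(sample_user_listing)
echo "substring count: $(count_guest_substring "$listing")"   # 3
echo "exact count:     $(count_guest_exact "$listing")"       # 1
echo "verdict:         $(guest_home_check "$listing")"        # fail
```

Because `grep -c` exits non-zero when it finds no match, the count functions are only ever called inside a command substitution; a listing with no guest folder yields "0" and a "pass" verdict rather than aborting a `set -e` script.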
I ran 1_Set_Organization_Priorities.sh and when I run the 2nd and 3rd files I get the following message:
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore6_1_5) does not exist
The .plist file is there; what do I need to do differently?
In 2_Security_Audit_Compliance.sh:
When the script runs on our systems (which have encrypted APFS volumes) this check was failing even though the volumes were encrypted. I tracked the issue to line 528:
ENCRYPTION=$(echo "$APVOLINFO" | awk '/FileVault/ {print $3;exit}')
This is returning the value "(Unlocked)"
I changed the script to the following:
ENCRYPTION=$(echo "$APVOLINFO" | awk '/FileVault/ {print $2;exit}')
It now returns "Yes" and the check passes properly.
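The field-numbering problem from this report, reproduced as an added example that is not code from the repository's audit script. It runs both awk variants over constructed text shaped like the volume section of `diskutil apfs list`; the excerpt is written without the leading `|` characters so that, as the reporter observed, `$3` yields "(Unlocked)" and `$2` yields "Yes". The `filevault_check` function is an added, slightly more defensive variant: it anchors on the `FileVault:` label rather than the bare word, so a volume name that happens to contain "FileVault" cannot be the first match, and it treats a missing line as a failure.

```shell
# Added example (not from the jamf/cis-for-macos-catalina-cp scripts): compares the
# awk field choices for the FileVault check on constructed diskutil-style text.

# Constructed excerpt shaped like one volume entry of `diskutil apfs list`
# on an encrypted, mounted volume ("Yes (Unlocked)", as the report describes).
sample_apfs_encrypted() {
  cat <<'EOF'
APFS Volume Disk (Role):   disk1s1 (System)
Name:                      Macintosh HD (Case-insensitive)
Mount Point:               /
FileVault:                 Yes (Unlocked)
EOF
}

# Same constructed shape for a volume that is not encrypted.
sample_apfs_unencrypted() {
  cat <<'EOF'
APFS Volume Disk (Role):   disk2s1 (Data)
Name:                      Scratch (Case-insensitive)
Mount Point:               /Volumes/Scratch
FileVault:                 No
EOF
}

# Original script logic: third whitespace-separated field, "(Unlocked)" here.
encryption_field3() {
  printf '%s\n' "$1" | awk '/FileVault/ {print $3; exit}'
}

# Reporter's fix: second field, which is "Yes" or "No".
encryption_field2() {
  printf '%s\n' "$1" | awk '/FileVault/ {print $2; exit}'
}

# Added defensive variant: match the label itself and require the literal "Yes".
# Prints "pass" when encrypted, "fail" otherwise (including when no line is found).
filevault_check() {
  result=$(printf '%s\n' "$1" | awk '$1 == "FileVault:" { if ($2 == "Yes") print "pass"; else print "fail"; exit }')
  echo "${result:-fail}"
}

enc=$(sample_apfs_encrypted)
echo "field 3: $(encryption_field3 "$enc")"   # (Unlocked)
echo "field 2: $(encryption_field2 "$enc")"   # Yes
echo "check:   $(filevault_check "$enc")"     # pass
```

On a live system the function argument would be the captured `diskutil` output rather than the constructed sample; the comparison against the literal "Yes" is what makes the verdict independent of whether a trailing "(Unlocked)" or "(Locked)" is present.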