GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → jamf → CIS-for-macOS-Sierra-CP

jamf / CIS-for-macOS-Sierra-CP

Licence: MIT license
CIS for macOS 10.12 remediated with script and configuration profiles

Programming Languages

shell
77523 projects

Labels

cisconfiguration-profilejamf

Projects that are alternatives of or similar to CIS-for-macOS-Sierra-CP

CIS-for-macOS-High-Sierra-CP
No description or website provided.
Stars: ✭ 36 (+56.52%)
Mutual labels:  cis, configuration-profile, jamf
CIS-for-macOS-High-Sierra
No description or website provided.
Stars: ✭ 15 (-34.78%)
Mutual labels:  cis, jamf
UBUNTU18-CIS
CIS Baseline Ansible Role for Ubuntu 18
Stars: ✭ 20 (-13.04%)
Mutual labels:  cis
kinobi
An external patch definition server for Jamf Pro
Stars: ✭ 76 (+230.43%)
Mutual labels:  jamf
scl jamf tools
This repository contains a collection of tools written to perform as enhancements to the Jamf Pro management software.
Stars: ✭ 39 (+69.57%)
Mutual labels:  jamf
Prowler
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 200 controls covering CIS, ISO27001, GDPR, HIPAA, SOC2, ENS and other security frameworks.
Stars: ✭ 4,561 (+19730.43%)
Mutual labels:  cis
jamfpro-extension-attributes
🔍 A repository for EAs to use for reporting in the Jamf Pro Server
Stars: ✭ 30 (+30.43%)
Mutual labels:  jamf
c3
𝗖𝟯 provides compliant AWS CDK components to various security standards.
Stars: ✭ 24 (+4.35%)
Mutual labels:  cis
blade runner
Blade Runner is a Jamf Pro based Python application that automates and implements a framework to offboard, secure erase and document deprecated Mac systems.
Stars: ✭ 24 (+4.35%)
Mutual labels:  jamf
kubernetes-security-benchmark
A simple way to evaluate the security of your Kubernetes deployment against sets of best practices defined by various community sources
Stars: ✭ 27 (+17.39%)
Mutual labels:  cis
cis benchmarks audit
Simple command line tool to check for compliance against CIS Benchmarks
Stars: ✭ 182 (+691.3%)
Mutual labels:  cis
The Practical Linux Hardening Guide
This guide details creating a secure Linux production system. OpenSCAP (C2S/CIS, STIG).
Stars: ✭ 8,790 (+38117.39%)
Mutual labels:  cis
k8s-security-policies
This repository provides a security policies library that is used for securing Kubernetes clusters configurations. The security policies are created based on CIS Kubernetes benchmark and rules defined in Kubesec.io.
Stars: ✭ 160 (+595.65%)
Mutual labels:  cis
Jamf-Nation-Roadshow-London-2018
No description or website provided.
Stars: ✭ 16 (-30.43%)
Mutual labels:  jamf
UBUNTU20-CIS
Ansible role for Ubuntu 2004 CIS Baseline
Stars: ✭ 136 (+491.3%)
Mutual labels:  cis
Audit-Test-Automation
The Audit Test Automation Package gives you the ability to get an overview about the compliance status of several systems. You can easily create HTML-reports and have a transparent overview over compliance and non-compliance of explicit setttings and configurations in comparison to industry standards and hardening guides.
Stars: ✭ 37 (+60.87%)
Mutual labels:  cis
JSS-Resource-Tools
A CLI utility that utilises the Jamf Pro (previously Casper Suite) API in order to import, export and update JSS resources en-masse.
Stars: ✭ 24 (+4.35%)
Mutual labels:  jamf
python-jamf
`python-jamf` is a library for connecting to a Jamf Server that maps directly to the Jamf Pro Classic API. It is the basis for the `jctl` tool to automate patch management & packages and many other items.
Stars: ✭ 37 (+60.87%)
Mutual labels:  jamf
scout-public
A tool to aggregate devices across multiple MDM servers
Stars: ✭ 22 (-4.35%)
Mutual labels:  jamf
cli
The universal GraphQL API and CSPM tool for AWS, Azure, GCP, K8s, and tencent.
Stars: ✭ 811 (+3426.09%)
Mutual labels:  cis
View All Similar Projects ➔

CIS for macOS Sierra - Script and Configuration Profile Remediation

INFO:

Refers to document CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf, available at https://benchmarks.cisecurity.org

USAGE:

  • Create Extension Attributes using the following scripts:

2.5_Audit_List Extension Attribute

Set as Data Type "String." Reads contents of /Library/Application Support/SecurityScoring/org_audit file and records to Jamf Pro inventory record.

2.6_Audit_Count Extension Attribute

Set as Data Type "Integer." Reads contents of /Library/Application Support/SecurityScoring/org_audit file and records count of items to Jamf Pro inventory record. Usable with smart group logic (2.6_Audit_Count greater than 0) to immediately determine computers not in compliance.

  1. After creation, make note of the ID number of these Extension Attributes. To find the ID, select the Extension Attribute then click into your browser's address bar. The ID number is after the "id=" in the URL.

  2. Add the following scripts to your Jamf Pro

  • 1_Set_Organization_Priorities
  • 2_Security_Audit_Compliance_ORG or 2_Security_Audit_Compliance_API
  • 3_Security_Remediation

Scripts 1_Set_Organization_Priorities and 2_Security_Audit_Compliance_API will need additional configuration prior to deployment.

1_Set_Organization_Priorities

Admins set organizational compliance for each listed item, which gets written to plist. The values default to "true," meaning if an organization wishes to disregard a given item they must set the value to false by changing the associated comment:

OrgScore1_1="true" or OrgScore1_1="false"

The script writes to /Library/Application Support/SecurityScoring/org_security_score.plist by default.

2_Security_Audit_Compliance_API

Configure the following variables in the script:

  • Line 42: Enter your Jamf Pro URL.
  • Lines 52 and 53: The values for "ENTER_SALT_HERE" and "ENTER_PASSWORD_HERE" are generated by the Encrypted Strings repo created by Bryson Tyrrell. (https://github.com/brysontyrrell/EncryptedStrings) To generate the values, paste the following into Terminal:
 function GenerateEncryptedString() {
    # Usage ~$ GenerateEncryptedString "String"
    local STRING="${1}"
    local SALT=$(openssl rand -hex 8)
    local K=$(openssl rand -hex 12)
    local ENCRYPTED=$(echo "${STRING}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
    echo "Encrypted String: ${ENCRYPTED}"
    echo "Salt: ${SALT} | Passphrase: ${K}"
}

Press return then enter

GenerateEncryptedString "Username_String"

replacing Username_String with a Jamf Pro API username that has PUT permission for Computer Extension Attributes. Save the output for later use and repeat this step with the API user's password. Enter the respective Salt and Password in lines 52 and 53.

  • Line 55: Enter the ID for the Extension Attribute 2.6_Audit_Count

  • Line 56: Enter the ID for the Extension Attribute 2.5_Audit_List

  • Add the configured script to your Jamf Pro server and configure the parameter labels for parameter 4 (API Username Encrypted String) and parameter 5 (API Password Encrypted String).

  • Create a single Jamf Policy using all three scripts.
    1_Set_Organization_Priorities - Script Priority: Before
    2_Security_Audit_Compliance_ORG or 2_Security_Audit_Compliance_API - Script Priority: Before
    3_Security_Remediation - Script Priority: Before
    2_Security_Audit_Compliance_ORG or 2_Security_Audit_Compliance_API - Script Priority: After

For script 2_Security_Audit_Compliance enter the values generated when you configured lines 52 and 53 in parameters 4 and 5.

  • Policy: Some recurring trigger to track compliance over time. Do not add Update Inventory if using the API script as the API entries in script 2_Security_Audit_Compliance will populate the appropriate Extension Attributes. If using 2_Security_Audit_Compliance_ORG, add Update Inventory.

NOTES:

  • Item "1.1 Verify all Apple provided software is current" is disabled by default.
  • Item "2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices - not applicable to 10.9 and higher." Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open.
  • Item "2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Not Scored)" The rationale in the CIS Benchmark for this is incorrect. The computer will lock if the display sleeps before the Screen Saver activates
  • Item "2.6.6 Enable Location Services (Not Scored)" is disabled by default. As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. It is considered user opt in.
  • Item "2.6.7 Monitor Location Services Access (Not Scored)" is disabled by default. As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. It is considered user opt in.
  • Item "2.8.1 Time Machine Auto-Backup " is disabled by default. Time Machine is typically not used as an Enterprise backup solution
  • Item "2.8.2 Time Machine Volumes Are Encrypted (Not Scored)" is disabled by default. Time Machine is typically not used as an Enterprise backup solution
  • Item "2.12 Securely delete files as needed (Not Scored)" is disabled by default. With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives the requirements have changed and the "Secure Empty Trash" capability has been removed from the GUI.
  • Item "3.4 Enable remote logging for Desktops on trusted networks (Not Scored)" is disabled by default. The built-in syslog capability in OS X runs over UDP without encryption. Broadcasting log unencrypted over the internet is not a good idea. While syslog may be acceptable on some internal trusted networks it is not a solution for mobile devices that hop between networks.
  • Item "4.3 Create network specific locations (Not Scored)" is disabled by default.
  • Item "5.4 Automatically lock the login keychain for inactivity" is disabled by default.
  • Item "5.5 Ensure login keychain is locked when the computer sleeps" is disabled by default.
  • Item "5.6 Enable OCSP and CRL certificate checking" is disabled by default.
  • Item "5.14 Do not enter a password-related hint (Not Scored)" is disabled by default. Not needed if 6.1.2 Disable "Show password hints" is enforced.
  • Item "5.16 Secure individual keychains and items (Not Scored)" is disabled by default.
  • Item "5.17 Create specialized keychains for different purposes (Not Scored)" is disabled by default.
  • Item "5.19 Install an approved tokend for smartcard authentication" is disabled by default. This is superseded by the macos 10.12.x built in SmartCardServices and CryptoTokenKit.
  • Item "6.4 Safari disable Internet Plugins for global use (Not Scored)" is disabled by default.
  • Item "6.5 Use parental controls for systems that are not centrally managed (Not Scored)" is disabled by default.

2_Security_Audit_Compliance_ORG or 2_Security_Audit_Compliance_API can be used in the policy.

2_Security_Audit_Compliance_ORG

Run this before and after 3_Security_Remediation to audit the Remediation Reads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist. For items prioritized (listed as "true,") the script queries against the current computer/user environment to determine compliance against each item.

Non-compliant items are recorded at /Library/Application Support/SecurityScoring/org_audit

2_Security_Audit_Compliance_API

Run this before and after 3_Security_Remediation to audit the Remediation Reads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist. For items prioritized (listed as "true,") the script queries against the current computer/user environment to determine compliance against each item.

Non-compliant items are recorded at /Library/Application Support/SecurityScoring/org_audit. Using the REST API, the values for Extension Attributes 2_5 and 2_6 are updated

3_Security_Remediation

Run 2_Security_Audit_Compliance after to audit the Remediation Reads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist. For items prioritized (listed as "true,") the script applies recommended remediation actions for the client/user.

SCORED CIS EXCEPTIONS:

  • Does not implement pwpolicy commands (5.2.1 - 5.2.8)

  • Audits but does not actively remediate (due to alternate profile/policy functionality within Jamf Pro):

  • 2.4.4 Disable Printer Sharing
  • 2.6.1 Enable FileVault
  • 2.7.1 iCloud configuration (Check for iCloud accounts) (Not Scored)
  • 2.11 Java 6 is not the default Java runtime
  • 5.18 System Integrity Protection status

REMEDIATED USING CONFIGURATION PROFILES:

The following Configuration profiles are available in mobileconfig and plist form. If you wish to change a particular setting, edit the plist in question. Mobileconfigs can be uploaded to Jamf Pro Configuration Profiles as is and plists can be added to a new Configuration Profile as Custom Payloads.

CIS 10.12 Custom Settings mobileconfig

  • 1.2 Enable Auto Update
  • 1.4 Enable system data files and security update installed
  • 2.10 Enable Secure Keyboard Entry in terminal.app
  • 4.1 Disable Bonjour advertising service
  • 6.1.4 Disable "Allow guests to connect to shared folders"
  • 6.3 Disable the automatic run of safe files in Safari

CIS 10.12 LoginWindow Security_and_Privacy ScreenSaver mobileconfig

  • 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver
  • 2.3.2 Secure screen saver corners
  • 2.3.4 Set a screen corner to Start Screen Saver
  • 2.6.2 Enable Gatekeeper
  • 2.6.3 Enable Firewall
  • 2.6.4 Enable Firewall Stealth Mode
  • 2.6.5 Review Application Firewall Rules
  • 2.7.1.01 Disable Apple ID setup during login (Not Scored)
  • 5.8 Disable automatic login
  • 5.9 Require a password to wake the computer from sleep or screen saver
  • 5.12 Create a custom message for the Login Screen
  • 5.15 Disable Fast User Switching (Not Scored)
  • 6.1.1 Display login window as name and password
  • 6.1.2 Disable "Show password hints"
  • 6.1.3 Disable guest account

CIS 10.12 Restrictions mobileconfig

  • 2.7.1.02 Disable the iCloud system preference pane (Not Scored)
  • 2.7.1.03 Disable the use of iCloud password for local accounts (Not Scored)
  • 2.7.1.04 Disable iCloud Back to My Mac (Not Scored)
  • 2.7.1.05 Disable iCloud Find My Mac (Not Scored)
  • 2.7.1.06 Disable iCloud Bookmarks (Not Scored)
  • 2.7.1.07 Disable iCloud Mail (Not Scored)
  • 2.7.1.08 Disable iCloud Calendar (Not Scored)
  • 2.7.1.09 Disable iCloud Reminders (Not Scored)
  • 2.7.1.10 Disable iCloud Contacts (Not Scored)
  • 2.7.1.11 Disable iCloud Notes (Not Scored)
  • 2.7.1.12 Disable Content Caching (Not Scored)
  • 2.7.2 iCloud keychain (Not Scored)
  • 2.7.3 iCloud Drive (Not Scored)
  • 2.7.4 iCloud Drive Document sync
  • 2.7.5 iCloud Drive Desktop sync
  • 6.3 Disable the automatic run of safe files in Safari
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].