diff --git a/CIS Scripts/1_Set_Organization_Priorities.sh b/CIS Scripts/1_Set_Organization_Priorities.sh
old mode 100644
new mode 100755
index aea9c5e..3b0e63b
--- a/CIS Scripts/1_Set_Organization_Priorities.sh
+++ b/CIS Scripts/1_Set_Organization_Priorities.sh
@@ -89,13 +89,9 @@ OrgScore1_6="true"
OrgScore2_1_1="true"
# OrgScore2_1_1="false"
-## 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices - not applicable to 10.9 and higher.
-## Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected.
-## To ensure that the computer is not Discoverable do not leave that preference open.
-
-# 2.1.3 Show Bluetooth status in menu bar
-OrgScore2_1_3="true"
-# OrgScore2_1_3="false"
+# 2.1.2 Show Bluetooth status in menu bar
+OrgScore2_1_2="true"
+# OrgScore2_1_2="false"
# 2.2.1 Enable "Set time and date automatically"
OrgScore2_2_1="true"
@@ -154,8 +150,8 @@ OrgScore2_4_6="true"
# OrgScore2_4_6="false"
# 2.4.7 Disable Bluetooth Sharing
-OrgScore2_4_7="true"
-# OrgScore2_4_7="false"
+#OrgScore2_4_7="true"
+OrgScore2_4_7="false"
# 2.4.8 Disable File Sharing
OrgScore2_4_8="true"
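Review bot: The org default for 2.4.7 (Disable Bluetooth Sharing) flips from `true` to `false` with no comment saying why, so a scored check silently drops out of the baseline for every deployment that takes the defaults. If the audit for this item is broken on macOS 11 or the organization has accepted the risk, record that next to the assignment, e.g. `# 2.4.7 defaulted to false: <reason>; re-enable once the audit is verified on Big Sur`. Otherwise the previous `OrgScore2_4_7="true"` default should stay.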
@@ -188,41 +184,36 @@ OrgScore2_5_1_2="true"
OrgScore2_5_1_3="true"
# OrgScore2_5_1_3="false"
-# 2.5.2 Enable Gatekeeper
+# 2.5.2.1 Enable Gatekeeper
# Configuration Profile - Security and Privacy payload > General > Gatekeeper > Mac App Store and identified developers (selected)
-OrgScore2_5_2="true"
-# OrgScore2_5_2="false"
+OrgScore2_5_2_1="true"
+# OrgScore2_5_2_1="false"
-# 2.5.3 Enable Firewall
+# 2.5.2.2 Enable Firewall
# Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked)
-OrgScore2_5_3="true"
-# OrgScore2_5_3="false"
+OrgScore2_5_2_2="true"
+# OrgScore2_5_2_2="false"
-# 2.5.4 Enable Firewall Stealth Mode
+# 2.5.2.3 Enable Firewall Stealth Mode
# Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked)
-OrgScore2_5_4="true"
-# OrgScore2_5_4="false"
+OrgScore2_5_2_3="true"
+# OrgScore2_5_2_3="false"
-# 2.5.5 Review Application Firewall Rules
-# Configuration Profile - Security and Privacy payload > Firewall > Control incoming connections for specific apps (selected)
-OrgScore2_5_5="true"
-# OrgScore2_5_5="false"
-
-## 2.5.6 Enable Location Services (Not Scored)
-## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
-## It is considered user opt in.
+# 2.5.3 Enable Location Services
+OrgScore2_5_3="true"
+# OrgScore2_5_3="false"
## 2.5.7 Monitor Location Services Access (Not Scored)
## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
## It is considered user opt in.
-# 2.5.8 Disable sending diagnostic and usage data to Apple
-OrgScore2_5_8="true"
-# OrgScore2_5_8="false"
+# 2.5.5 Disable sending diagnostic and usage data to Apple
+OrgScore2_5_5="true"
+# OrgScore2_5_5="false"
-# 2.5.9 Review Advertising Settings (Not Scored)
-OrgScore2_5_9="true"
-# OrgScore2_5_9="false"
+# 2.5.6 Limit Ad tracking and personalized Ads
+OrgScore2_5_6="true"
+# OrgScore2_5_6="false"
# 2.6.1 iCloud configuration (Check for iCloud accounts) (Not Scored)
OrgScore2_6_1="true"
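Review bot: The `## 2.5.7 Monitor Location Services Access (Not Scored)` block keeps its old number and still says Location Services cannot be enabled or monitored programmatically, which contradicts the new scored `2.5.3 Enable Location Services` item directly above it, and the list now jumps from 2.5.3 to 2.5.5 with no 2.5.4. Presumably this block becomes 2.5.4 under the Big Sur numbering — confirm against the benchmark — and its note should be reworded so it no longer claims enabling is impossible, e.g. `## 2.5.4 Monitor Location Services Access (Not Scored) - audit only; per-app access is a user/MDM decision`. The removed 2.5.5 "Review Application Firewall Rules" item has no replacement; if the benchmark dropped it, a one-line comment saying so would keep the next maintainer from re-adding it.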
@@ -256,16 +247,19 @@ OrgScore2_7_1="false"
## 2.7.2 Time Machine Volumes Are Encrypted (Not Scored)
## Time Machine is typically not used as an Enterprise backup solution
-# 2.8 Pair the remote control infrared receiver if enabled
-# Since 2013 only the Mac Mini has an infrared receiver
+# 2.8 Disable "Wake for network access"
OrgScore2_8="true"
# OrgScore2_8="false"
-# 2.9 Enable Secure Keyboard Entry in terminal.app
-# Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true
+# 2.9 Disable Power Nap
OrgScore2_9="true"
# OrgScore2_9="false"
+# 2.10 Enable Secure Keyboard Entry in terminal.app
+# Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true
+OrgScore2_10="true"
+# OrgScore2_10="false"
+
## 2.10 Securely delete files as needed (Not Scored)
## With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives
## the requirements have changed and the "Secure Empty Trash" capability has been removed from the GUI.
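Review bot: Two items are now numbered 2.10: the new `# 2.10 Enable Secure Keyboard Entry in terminal.app` and the pre-existing `## 2.10 Securely delete files as needed (Not Scored)` note right below it. The scored item is the one the audit script keys on (`OrgScore2_10`), so it should keep 2.10 and the secure-delete note should be renumbered to whatever the Big Sur benchmark assigns it; if that pushes it onto 2.11, the following `OrgScore2_11` item needs checking at the same time rather than leaving two entries under one number.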
@@ -275,9 +269,6 @@ OrgScore2_9="true"
OrgScore2_11="true"
# OrgScore2_11="false"
-# 2.12 Disable "Wake for network access" and "Power Nap"
-OrgScore2_12="true"
-# OrgScore2_12="false"
# 3.1 Enable security Auditing
OrgScore3_1="true"
@@ -287,15 +278,15 @@ OrgScore3_1="true"
OrgScore3_2="true"
# OrgScore3_2="false"
-# 3.3 Ensure security auditing retention
+# 3.3 Retain install.log for 365 or more days
OrgScore3_3="true"
# OrgScore3_3="false"
-# 3.4 Control access to audit records
+# 3.4 Ensure security auditing retention
OrgScore3_4="true"
# OrgScore3_4="false"
-# 3.5 Retain install.log for 365 or more days
+# 3.5 Control access to audit records
OrgScore3_5="true"
# OrgScore3_5="false"
@@ -350,11 +341,11 @@ OrgScore5_1_4="true"
OrgScore5_3="true"
# OrgScore5_3="false"
-# 5.4 Use a separate timestamp for each user/tty combo
+# 5.4 Automatically lock the login keychain for inactivity
OrgScore5_4="true"
# OrgScore5_4="false"
-# 5.5 Automatically lock the login keychain for inactivity
+# 5.5 Use a separate timestamp for each user/tty combo
# This is a very bad idea. It will confuse users.
# OrgScore5_5="true"
OrgScore5_5="false"
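Review bot: Only the titles were swapped here, not the values and rationale beneath them, so "Automatically lock the login keychain for inactivity" (now 5.4) moves from an explicit `false` default to `true`, while `# This is a very bad idea. It will confuse users.` now sits under the tty-timestamp item it was never written about. Unless enabling keychain auto-lock by default is intended, keep the comment and the `false` default with the keychain item — `# 5.4 Automatically lock the login keychain for inactivity` / `# This is a very bad idea. It will confuse users.` / `OrgScore5_4="false"` — and give 5.5 the plain `OrgScore5_5="true"` default the tty item had as 5.4.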
@@ -410,12 +401,19 @@ OrgScore5_16="true"
## 5.17 Secure individual keychains and items (Not Scored)
-## 5.18 Create specialized keychains for different purposes (Not Scored)
-# 5.19 System Integrity Protection status
+# 5.18 System Integrity Protection status
+OrgScore5_18="true"
+# OrgScore5_18="false"
+
+# 5.19 Enable Sealed System Volume (SSV)
OrgScore5_19="true"
# OrgScore5_19="false"
+# 5.20 Enable Library Validation
+OrgScore5_20="true"
+# OrgScore5_20="false"
+
# 6.1.1 Display login window as name and password
# Configuration Profile - LoginWindow payload > Window > LOGIN PROMPT > Name and password text fields (selected)
OrgScore6_1_1="true"
@@ -477,8 +475,8 @@ cat << EOF > "$plistlocation"
<${OrgScore1_6}/>
OrgScore2_1_1
<${OrgScore2_1_1}/>
- OrgScore2_1_3
- <${OrgScore2_1_3}/>
+ OrgScore2_1_2
+ <${OrgScore2_1_2}/>
OrgScore2_2_1
<${OrgScore2_2_1}/>
OrgScore2_2_2
@@ -517,18 +515,18 @@ cat << EOF > "$plistlocation"
<${OrgScore2_5_1_2}/>
OrgScore2_5_1_3
<${OrgScore2_5_1_3}/>
- OrgScore2_5_2
- <${OrgScore2_5_2}/>
+ OrgScore2_5_2_1
+ <${OrgScore2_5_2_1}/>
+ OrgScore2_5_2_2
+ <${OrgScore2_5_2_2}/>
+ OrgScore2_5_2_3
+ <${OrgScore2_5_2_3}/>
OrgScore2_5_3
<${OrgScore2_5_3}/>
- OrgScore2_5_4
- <${OrgScore2_5_4}/>
OrgScore2_5_5
<${OrgScore2_5_5}/>
- OrgScore2_5_8
- <${OrgScore2_5_8}/>
- OrgScore2_5_9
- <${OrgScore2_5_9}/>
+ OrgScore2_5_6
+ <${OrgScore2_5_6}/>
OrgScore2_6_1
<${OrgScore2_6_1}/>
OrgScore2_6_2
@@ -547,8 +545,6 @@ cat << EOF > "$plistlocation"
<${OrgScore2_9}/>
OrgScore2_11
<${OrgScore2_11}/>
- OrgScore2_12
- <${OrgScore2_12}/>
OrgScore3_1
<${OrgScore3_1}/>
OrgScore3_2
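Review bot: `OrgScore2_10` is defined earlier in this file but is never written into the plist here — the heredoc goes straight from `<${OrgScore2_9}/>` to `OrgScore2_11`, so the audit script's `defaults read "$plistlocation" OrgScore2_10` finds no key and the Secure Keyboard Entry check never runs. Add `OrgScore2_10` / `<${OrgScore2_10}/>` between the 2_9 and 2_11 entries.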
@@ -603,8 +599,12 @@ cat << EOF > "$plistlocation"
<${OrgScore5_14}/>
OrgScore5_16
<${OrgScore5_16}/>
+ OrgScore5_18
+ <${OrgScore5_18}/>
OrgScore5_19
<${OrgScore5_19}/>
+ OrgScore5_20
+ <${OrgScore5_20}/>
OrgScore6_1_1
<${OrgScore6_1_1}/>
OrgScore6_1_2
diff --git a/CIS Scripts/2_Security_Audit_Compliance.sh b/CIS Scripts/2_Security_Audit_Compliance.sh
old mode 100644
new mode 100755
index 7cad895..5c9185e
--- a/CIS Scripts/2_Security_Audit_Compliance.sh
+++ b/CIS Scripts/2_Security_Audit_Compliance.sh
@@ -54,6 +54,12 @@ hardwareUUID="$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UU
logFile="/Library/Application Support/SecurityScoring/remediation.log"
+osVersion="$(sw_vers -productversion)"
+if [ "$osVersion" < 11 ]; then
+ echo "This script does not support Catalina. Please use https://github.com/jamf/CIS-for-macOS-Catalina-CP instead"
+ exit 0
+fi
+
if [[ $(tail -n 1 "$logFile") = *"Remediation complete" ]]; then
echo "Append to existing logFile"
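Review bot: `if [ "$osVersion" < 11 ]` is not a comparison: inside `[ ]` the `<` is an input redirection from a file named `11`, so bash prints "No such file or directory", the test fails, and a Catalina host falls straight through to the rest of the script; even as a string compare, `"10.15.7" < "11"` would be lexical rather than numeric. The guard also ends in `exit 0`, so an unsupported host presumably looks like a clean run to whatever invokes the script. Compare the major version numerically and exit non-zero:
```shell
osMajor="$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f1)"
if [ "${osMajor:-0}" -lt 11 ]; then
  echo "This script does not support Catalina or earlier. Please use https://github.com/jamf/CIS-for-macOS-Catalina-CP instead" >&2
  exit 1
fi
```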
@@ -200,7 +206,7 @@ if [ "$Audit2_1_1" = "1" ]; then
if [ "$btPowerState" = "0" ]; then
echo "$(date -u)" "2.1.1 passed" | tee -a "$logFile"
$Defaults write "$plistlocation" OrgScore2_1_1 -bool false; else
- connectable="$(system_profiler SPBluetoothDataType | grep Connectable | awk '{print $2}' | head -1)"
+ connectable="$(system_profiler SPBluetoothDataType 2>&1| grep Connectable | awk '{print $2}' | head -1)"
if [[ "$connectable" != "Yes" ]]; then
echo "$(date -u)" "2.1.1 passed" | tee -a "$logFile"
$Defaults write "$plistlocation" OrgScore2_1_1 -bool false; else
@@ -210,18 +216,18 @@ if [ "$Audit2_1_1" = "1" ]; then
fi
fi
-# 2.1.3 Show Bluetooth status in menu bar
+# 2.1.2 Show Bluetooth status in menu bar
# Verify organizational score
-Audit2_1_3="$($Defaults read "$plistlocation" OrgScore2_1_3)"
+Audit2_1_2="$($Defaults read "$plistlocation" OrgScore2_1_2)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit2_1_3" = "1" ]; then
+if [ "$Audit2_1_2" = "1" ]; then
btMenuBar="$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.systemuiserver menuExtras | grep -c Bluetooth.menu)"
# If client fails, then note category in audit file
if [ "$btMenuBar" = "0" ]; then
- echo "* 2.1.3 Show Bluetooth status in menu bar" >> "$auditfilelocation"
- echo "$(date -u)" "2.1.3 fix" | tee -a "$logFile"; else
- echo "$(date -u)" "2.1.3 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_1_3 -bool false
+ echo "* 2.1.2 Show Bluetooth status in menu bar" >> "$auditfilelocation"
+ echo "$(date -u)" "2.1.2 fix" | tee -a "$logFile"; else
+ echo "$(date -u)" "2.1.2 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_1_2 -bool false
fi
fi
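Review bot: The renamed 2.1.2 check still reads `com.apple.systemuiserver menuExtras`, the same source this commit abandons for the Wi-Fi item in 4.2 in favour of `com.apple.controlcenter.plist`; if the 4.2 change is right that these toggles moved to Control Center on macOS 11, this check will report a false failure on every Big Sur host. Mirror 4.2 here, e.g. `btMenuBar="$($Defaults -currentHost read com.apple.controlcenter.plist Bluetooth 2>/dev/null)"`, and compare against the value Control Center writes for "show in menu bar" — confirm that constant on a configured machine rather than assuming it equals 4.2's 18.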
@@ -469,7 +475,7 @@ fi
Audit2_4_10="$($Defaults read "$plistlocation" OrgScore2_4_10)"
# If organizational score is 1 or true, check status of client
if [ "$Audit2_4_10" = "1" ]; then
- contentCacheStatus="$(/usr/bin/AssetCacheManagerUtil status 2>&1 | grep -c "Activated = 0;")"
+ contentCacheStatus="$(/usr/bin/AssetCacheManagerUtil status 2>&1 | grep -c "Activated: false")"
# If client fails, then note category in audit file
if [ "$contentCacheStatus" == 1 ]; then
echo "$(date -u)" "2.4.10 passed" | tee -a "$logFile"
@@ -567,116 +573,116 @@ if [ "$Audit2_5_1_3" = "1" ]; then
fi
-# 2.5.2 Enable Gatekeeper
+# 2.5.2.1 Enable Gatekeeper
# Configuration Profile - Security and Privacy payload > General > Gatekeeper > Mac App Store and identified developers (selected)
# Verify organizational score
-Audit2_5_2="$($Defaults read "$plistlocation" OrgScore2_5_2)"
+Audit2_5_2.1="$($Defaults read "$plistlocation" OrgScore2_5_2_1)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit2_5_2" = "1" ]; then
+if [ "$Audit2_5_2_1" = "1" ]; then
CP_gatekeeperEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'EnableAssessment = 1')"
# If client fails, then note category in audit file
if [[ "$CP_gatekeeperEnabled" -gt "0" ]] ; then
- echo "$(date -u)" "2.5.2 passed cp" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_2 -bool false; else
+ echo "$(date -u)" "2.5.2.1 passed cp" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_2_1 -bool false; else
gatekeeperEnabled="$(spctl --status | grep -c "assessments enabled")"
if [ "$gatekeeperEnabled" = "1" ]; then
- echo "$(date -u)" "2.5.2 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_2 -bool false; else
- echo "* 2.5.2 Enable Gatekeeper" >> "$auditfilelocation"
- echo "$(date -u)" "2.5.2 fix" | tee -a "$logFile"
+ echo "$(date -u)" "2.5.2.1 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_2_1 -bool false; else
+ echo "* 2.5.2.1 Enable Gatekeeper" >> "$auditfilelocation"
+ echo "$(date -u)" "2.5.2.1 fix" | tee -a "$logFile"
fi
fi
fi
-# 2.5.3 Enable Firewall
+# 2.5.2.2 Enable Firewall
# Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked)
# Verify organizational score
-Audit2_5_3="$($Defaults read "$plistlocation" OrgScore2_5_3)"
+Audit2_5_2_2="$($Defaults read "$plistlocation" OrgScore2_5_2_2)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit2_5_3" = "1" ]; then
+if [ "$Audit2_5_2_2" = "1" ]; then
CP_firewallEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'EnableFirewall = 1')"
# If client fails, then note category in audit file
if [[ "$CP_firewallEnabled" -gt "0" ]] ; then
- echo "$(date -u)" "2.5.3 passed cp" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_3 -bool false; else
+ echo "$(date -u)" "2.5.2.2 passed cp" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_2_2 -bool false; else
firewallEnabled="$($Defaults read /Library/Preferences/com.apple.alf globalstate)"
if [ "$firewallEnabled" = "0" ]; then
- echo "* 2.5.3 Enable Firewall" >> "$auditfilelocation"
- echo "$(date -u)" "2.5.3 fix" | tee -a "$logFile"; else
- echo "$(date -u)" "2.5.3 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_3 -bool false
+ echo "* 2.5.2.2 Enable Firewall" >> "$auditfilelocation"
+ echo "$(date -u)" "2.5.2.2 fix" | tee -a "$logFile"; else
+ echo "$(date -u)" "2.5.2.2 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_2_2 -bool false
fi
fi
fi
-# 2.5.4 Enable Firewall Stealth Mode
+# 2.5.2.3 Enable Firewall Stealth Mode
# Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked)
# Verify organizational score
-Audit2_5_4="$($Defaults read "$plistlocation" OrgScore2_5_4)"
+Audit2_5_2_3="$($Defaults read "$plistlocation" OrgScore2_5_2_3)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit2_5_4" = "1" ]; then
+if [ "$Audit2_5_2_3" = "1" ]; then
CP_stealthEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'EnableStealthMode = 1')"
# If client fails, then note category in audit file
if [[ "$CP_stealthEnabled" -gt "0" ]] ; then
- echo "$(date -u)" "2.5.4 passed cp" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_4 -bool false; else
+ echo "$(date -u)" "2.5.2.3 passed cp" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_2_3 -bool false; else
stealthEnabled="$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{print $3}')"
if [ "$stealthEnabled" = "enabled" ]; then
- echo "$(date -u)" "2.5.4 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_4 -bool false; else
- echo "* 2.5.4 Enable Firewall Stealth Mode" >> "$auditfilelocation"
- echo "$(date -u)" "2.5.4 fix" | tee -a "$logFile"
+ echo "$(date -u)" "2.5.2.3 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_2_3 -bool false; else
+ echo "* 2.5.2.3 Enable Firewall Stealth Mode" >> "$auditfilelocation"
+ echo "$(date -u)" "2.5.2.3 fix" | tee -a "$logFile"
fi
fi
fi
-# 2.5.5 Review Application Firewall Rules
-# Configuration Profile - Security and Privacy payload > Firewall > Control incoming connections for specific apps (selected)
+# 2.5.3 Enable Location Services
# Verify organizational score
-Audit2_5_5="$($Defaults read "$plistlocation" OrgScore2_5_5)"
+Audit2_5_3="$($Defaults read "$plistlocation" OrgScore2_5_3)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit2_5_5" = "1" ]; then
- appsInbound="$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep ALF | awk '{print $7}')" # this shows the true state of the config profile too.
- # If client fails, then note category in audit file
- if [[ "$appsInbound" -le "10" ]] || [ -z "$appsInbound" ]; then
- echo "$(date -u)" "2.5.5 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_5 -bool false; else
- echo "* 2.5.5 Review Application Firewall Rules" >> "$auditfilelocation"
- echo "$(date -u)" "2.5.5 fix" | tee -a "$logFile"
- fi
+# If client fails, then remediate
+if [ "$Audit2_5_3" = "1" ]; then
+ auditdEnabled=$(launchctl print-disabled system | grep -c '"com.apple.locationd" => true')
+ if [ "$auditdEnabled" = "0" ]; then
+ echo "$(date -u)" "2.5.3 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_3 -bool false
+ else
+ echo "* 2.5.3 Enable Location Services" >> "$auditfilelocation"
+ echo "$(date -u)" "2.5.3 fix" | tee -a "$logFile"
+ fi
fi
-# 2.5.8 Disable sending diagnostic and usage data to Apple
+# 2.5.5 Disable sending diagnostic and usage data to Apple
# Verify organizational score
-Audit2_5_8="$($Defaults read "$plistlocation" OrgScore2_5_8)"
+Audit2_5_5="$($Defaults read "$plistlocation" OrgScore2_5_5)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit2_5_8" = "1" ]; then
+if [ "$Audit2_5_5" = "1" ]; then
CP_disableDiagnostic="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'allowDiagnosticSubmission = 0')"
# If client fails, then note category in audit file
if [[ "$CP_disableDiagnostic" -gt "0" ]] ; then
- echo "$(date -u)" "2.5.8 passed cp" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_8 -bool false; else
+ echo "$(date -u)" "2.5.5 passed cp" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_5 -bool false; else
AppleDiagn=$($Defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit)
if [ "$AppleDiagn" == 1 ]; then
- /bin/echo "* 2.5.8 Disable sending diagnostic and usage data to Apple" >> "$auditfilelocation"
- echo "$(date -u)" "2.5.8 fix Disable sending diagnostic and usage data to Apple" | tee -a "$logFile"; else
- echo "$(date -u)" "2.5.8 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_8 -bool false
+ /bin/echo "* 2.5.5 Disable sending diagnostic and usage data to Apple" >> "$auditfilelocation"
+ echo "$(date -u)" "2.5.5 fix Disable sending diagnostic and usage data to Apple" | tee -a "$logFile"; else
+ echo "$(date -u)" "2.5.5 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_5 -bool false
fi
fi
fi
-# 2.5.9 Force Limited Ad Tracking
+# 2.5.6 Limit Ad tracking and personalized Ads
# Verify organizational score
-Audit2_5_9="$($Defaults read "$plistlocation" OrgScore2_5_9)"
+Audit2_5_6="$($Defaults read "$plistlocation" OrgScore2_5_6)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit2_5_9" = "1" ]; then
- if [ "$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.AdLib.plist forceLimitAdTracking)" = "1" ]; then
- echo "$(date -u)" "2.5.9 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_5_9 -bool false
+if [ "$Audit2_5_6" = "1" ]; then
+ if [ "$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.AdLib.plist allowApplePersonalizedAdvertising)" = "0" ]; then
+ echo "$(date -u)" "2.5.6 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_5_6 -bool false
else
- echo "* 2.5.9 Review Force Limited Ad Tracking" >> "$auditfilelocation"
- echo "$(date -u)" "2.5.9 fix" | tee -a "$logFile"
+ echo "* 2.5.6 Review Limit Ad tracking and personalized Ads" >> "$auditfilelocation"
+ echo "$(date -u)" "2.5.6 fix" | tee -a "$logFile"
fi
fi
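Review bot: `Audit2_5_2.1="$($Defaults read "$plistlocation" OrgScore2_5_2_1)"` is not a valid assignment — a dot cannot appear in a shell variable name, so bash tries to run it as a command, `$Audit2_5_2_1` on the next line stays empty, and the Gatekeeper check is skipped on every host without logging anything. Change it to `Audit2_5_2_1="$($Defaults read "$plistlocation" OrgScore2_5_2_1)"`. Separately, the new 2.5.3 block stores its `launchctl print-disabled` count in `auditdEnabled`, which is a misleading name for a locationd check; `locationdDisabled` would read as what it is.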
@@ -778,38 +784,58 @@ if [ "$Audit2_7_1" = "1" ]; then
fi
fi
-# 2.8 Pair the remote control infrared receiver if enabled
+# 2.8 Disable "Wake for network access"
# Verify organizational score
Audit2_8="$($Defaults read "$plistlocation" OrgScore2_8)"
# If organizational score is 1 or true, check status of client
if [ "$Audit2_8" = "1" ]; then
- IRPortDetect="$(system_profiler SPUSBDataType | egrep "IR Receiver" -c)"
- # If client fails, then note category in audit file
- if [ "$IRPortDetect" = "0" ]; then
- echo "$(date -u)" "2.8 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_8 -bool false; else
- echo "* 2.8 Pair the remote control infrared receiver if enabled" >> "$auditfilelocation"
- echo "$(date -u)" "2.8 fix" | tee -a "$logFile"
+ CP_wompEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c '"Wake On LAN" = 0')"
+ # If client fails, then note category in audit file
+ if [[ "$CP_wompEnabled" = "3" ]] ; then
+ echo "$(date -u)" "2.8 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_8 -bool false; else
+ wompEnabled="$(pmset -g | grep womp | awk '{print $2}')"
+ if [ "$wompEnabled" = "0" ]; then
+ echo "$(date -u)" "2.8 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_8 -bool false; else
+ echo "* 2.8 Disable Wake for network access" >> "$auditfilelocation"
+ echo "$(date -u)" "2.8 fix" | tee -a "$logFile"
+ fi
+ fi
+fi
+
+# 2.9 Disable Power Nap
+# Verify organizational score
+Audit2_9="$($Defaults read "$plistlocation" OrgScore2_9)"
+# If organizational score is 1 or true, check status of client
+if [ "$Audit2_9" = "1" ]; then
+ napEnabled="$(pmset -g everything | grep -c 'powernap 1')"
+ if [ "$napEnabled" = 0 ]; then
+ echo "$(date -u)" "2.9 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_9 -bool false; else
+ echo "* 2.9 Disable Power Nap" >> "$auditfilelocation"
+ echo "$(date -u)" "2.9 fix" | tee -a "$logFile"
fi
fi
# 2.10 Enable Secure Keyboard Entry in terminal.app
# Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true
# Verify organizational score
-Audit2_9="$($Defaults read "$plistlocation" OrgScore2_9)"
+Audit2_9="$($Defaults read "$plistlocation" OrgScore2_10)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit2_9" = "1" ]; then
+if [ "$Audit2_10" = "1" ]; then
CP_secureKeyboard="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'SecureKeyboardEntry = 1')"
# If client fails, then note category in audit file
if [[ "$CP_secureKeyboard" -gt "0" ]] ; then
- echo "$(date -u)" "2.9 passed cp" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_9 -bool false; else
+ echo "$(date -u)" "2.10 passed cp" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_10 -bool false; else
secureKeyboard="$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry)"
- if [ "$secureKeyboard" = "1" ]; then
- echo "$(date -u)" "2.9 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_9 -bool false; else
- echo "* 2.9 Enable Secure Keyboard Entry in terminal.app" >> "$auditfilelocation"
- echo "$(date -u)" "2.9 fix" | tee -a "$logFile"
+ iTermSecure="$($Defaults read -app iTerm 'Secure Input')"
+ if [ "$secureKeyboard" = "1" ] && ["$iTermSecure" -ne "0" ]; then
+ echo "$(date -u)" "2.10 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore2_10 -bool false; else
+ echo "* 2.10 Enable Secure Keyboard Entry in terminal.app" >> "$auditfilelocation"
+ echo "$(date -u)" "2.10 fix" | tee -a "$logFile"
fi
fi
fi
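Review bot: The 2.10 Secure Keyboard Entry check can never run: the plist value is read into `Audit2_9` (overwriting the Power Nap result) while the condition tests `$Audit2_10`, which is never assigned. `["$iTermSecure" -ne "0" ]` is also missing the space after `[`, so bash looks for a command named `[<value>`, and on a host without iTerm `defaults read -app iTerm` prints nothing, so even a correctly spaced `-ne` would error out and flag Terminal-only hosts. Read into `Audit2_10="$($Defaults read "$plistlocation" OrgScore2_10)"`, silence the iTerm read with `2>/dev/null`, and treat an absent iTerm as compliant: `if [ "$secureKeyboard" = "1" ] && { [ -z "$iTermSecure" ] || [ "$iTermSecure" -ne 0 ]; }; then`.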
@@ -838,25 +864,6 @@ fi
fi
-# 2.12 Disable "Wake for network access" and "Power Nap"
-# Verify organizational score
-Audit2_12="$($Defaults read "$plistlocation" OrgScore2_12)"
-# If organizational score is 1 or true, check status of client
-if [ "$Audit2_12" = "1" ]; then
- CP_wompEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c '"Wake On LAN" = 0')"
- # If client fails, then note category in audit file
- if [[ "$CP_wompEnabled" = "3" ]] ; then
- echo "$(date -u)" "2.12 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_12 -bool false; else
- wompEnabled="$(pmset -g | grep womp | awk '{print $2}')"
- if [ "$wompEnabled" = "0" ]; then
- echo "$(date -u)" "2.12 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore2_12 -bool false; else
- echo "* 2.12 Disable Wake for network access" >> "$auditfilelocation"
- echo "$(date -u)" "2.12 fix" | tee -a "$logFile"
- fi
- fi
-fi
# 3.1 Enable security auditing
# Verify organizational score
@@ -889,52 +896,53 @@ if [ "$Audit3_2" = "1" ]; then
fi
fi
-# 3.3 Ensure security auditing retention
+# 3.3 Retain install.log for 365 or more days
# Verify organizational score
Audit3_3="$($Defaults read "$plistlocation" OrgScore3_3)"
# If organizational score is 1 or true, check status of client
if [ "$Audit3_3" = "1" ]; then
- auditRetention="$(cat /etc/security/audit_control | egrep expire-after)"
- if [ "$auditRetention" = "expire-after:60d OR 1G" ]; then
+ installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')"
+ # If client fails, then note category in audit file
+ if [[ "$installRetention" = "" ]] || [[ "$installRetention" -lt "365" ]]; then
+ echo "* 3.3 Retain install.log for 365 or more days" >> "$auditfilelocation"
+ echo "$(date -u)" "3.3 fix" | tee -a "$logFile"; else
echo "$(date -u)" "3.3 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore3_3 -bool false; else
- echo "* 3.3 Ensure security auditing retention" >> "$auditfilelocation"
- echo "$(date -u)" "3.3 fix" | tee -a "$logFile"
- fi
+ $Defaults write "$plistlocation" OrgScore3_3 -bool false
fi
-
+fi
-# 3.4 Control access to audit records
-# Audit only. Remediation requires system inspection.
+# 3.4 Ensure security auditing retention
# Verify organizational score
Audit3_4="$($Defaults read "$plistlocation" OrgScore3_4)"
# If organizational score is 1 or true, check status of client
if [ "$Audit3_4" = "1" ]; then
- etccheck=$(ls -le /etc/security/audit_control | grep -v '\-r-------- 1 root wheel')
- varcheck=$(ls -le /var/audit | grep -v '\-r--r----- 1 root wheel\|current\|total')
- if [[ "$etccheck" = "" ]] && [[ "$varcheck" = "" ]]; then
+ auditRetention="$(cat /etc/security/audit_control | egrep expire-after)"
+ if [ "$auditRetention" = "expire-after:60d OR 1G" ]; then
echo "$(date -u)" "3.4 passed" | tee -a "$logFile"
- $Defaults write "$plistlocation" OrgScore3_4 -bool false
- else
- echo "* 3.4 Control access to audit records" >> "$auditfilelocation"
+ $Defaults write "$plistlocation" OrgScore3_4 -bool false; else
+ echo "* 3.4 Ensure security auditing retention" >> "$auditfilelocation"
echo "$(date -u)" "3.4 fix" | tee -a "$logFile"
+ fi
fi
-fi
-
-# 3.5 Retain install.log for 365 or more days
+
+
+# 3.5 Control access to audit records
+# Audit only. Remediation requires system inspection.
# Verify organizational score
Audit3_5="$($Defaults read "$plistlocation" OrgScore3_5)"
# If organizational score is 1 or true, check status of client
if [ "$Audit3_5" = "1" ]; then
- installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')"
- # If client fails, then note category in audit file
- if [[ "$installRetention" = "" ]] || [[ "$installRetention" -lt "365" ]]; then
- echo "* 3.5 Retain install.log for 365 or more days" >> "$auditfilelocation"
- echo "$(date -u)" "3.5 fix" | tee -a "$logFile"; else
+ etccheck=$(ls -le /etc/security/audit_control | grep -v '\-r-------- 1 root wheel')
+ varcheck=$(ls -le /var/audit | grep -v '\-r--r----- 1 root wheel\|current\|total')
+ if [[ "$etccheck" = "" ]] && [[ "$varcheck" = "" ]]; then
echo "$(date -u)" "3.5 passed" | tee -a "$logFile"
$Defaults write "$plistlocation" OrgScore3_5 -bool false
+ else
+ echo "* 3.5 Control access to audit records" >> "$auditfilelocation"
+ echo "$(date -u)" "3.5 fix" | tee -a "$logFile"
fi
fi
+
# 3.6 Ensure Firewall is configured to log
# Verify organizational score
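Review bot: The retention check carried into 3.4 passes only when `/etc/security/audit_control` holds exactly `expire-after:60d OR 1G`, so a host retaining more (say `expire-after:90d OR 2G`) or with any extra whitespace is reported as a failure, and `cat … | egrep` is a needless pipe. This logic is pre-existing, but since the commit already rewrites the block, if the benchmark sets a minimum rather than an exact value — confirm — parse it instead: `auditRetention="$(grep -E '^expire-after:' /etc/security/audit_control)"` and test with `[[ "$auditRetention" =~ expire-after:([0-9]+)d ]] && [ "${BASH_REMATCH[1]}" -ge 60 ]`.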
@@ -978,9 +986,9 @@ fi
Audit4_2="$($Defaults read "$plistlocation" OrgScore4_2)"
# If organizational score is 1 or true, check status of client
if [ "$Audit4_2" = "1" ]; then
- wifiMenuBar="$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.systemuiserver menuExtras | grep -c AirPort.menu)"
+ wifiMenuBar="$($Defaults -currentHost read com.apple.controlcenter.plist WiFi)"
# If client fails, then note category in audit file
- if [ "$wifiMenuBar" = "0" ]; then
+ if [ "$wifiMenuBar" -ne 18 ]; then
echo "* 4.2 Enable Show Wi-Fi status in menu bar" >> "$auditfilelocation"
echo "$(date -u)" "4.2 fix" | tee -a "$logFile"; else
echo "$(date -u)" "4.2 passed" | tee -a "$logFile"
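Review bot: `[ "$wifiMenuBar" -ne 18 ]` reports "passed" when the key is absent: `defaults read` prints nothing on a host that has never touched the Wi-Fi menu-bar setting, `[ "" -ne 18 ]` then fails with "integer expression expected", and the `else` branch records 4.2 as compliant. Default the value and document the magic number: `wifiMenuBar="$($Defaults -currentHost read com.apple.controlcenter.plist WiFi 2>/dev/null)"` and `if [ "${wifiMenuBar:-0}" -ne 18 ]; then  # 18 = "show in menu bar" as written by Control Center - confirm on a configured host`.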
@@ -994,7 +1002,8 @@ Audit4_4="$($Defaults read "$plistlocation" OrgScore4_4)"
# If organizational score is 1 or true, check status of client
# Code fragment from https://github.com/krispayne/CIS-Settings/blob/master/ElCapitan_CIS.sh
if [ "$Audit4_4" = "1" ]; then
- if /bin/launchctl list | egrep httpd > /dev/null; then
+ httpdDisabled="$(launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true')"
+ if [ "$httpdDisabled" = 0 ]; then
echo "* 4.4 Ensure http server is not running" >> "$auditfilelocation"
echo "$(date -u)" "4.4 fix" | tee -a "$logFile"; else
echo "$(date -u)" "4.4 passed" | tee -a "$logFile"
@@ -1091,30 +1100,31 @@ if [ "$Audit5_3" = "1" ]; then
fi
fi
-# 5.4 Use a separate timestamp for each user/tty combo
+
+# 5.5 Automatically lock the login keychain for inactivity
# Verify organizational score
Audit5_4="$($Defaults read "$plistlocation" OrgScore5_4)"
# If organizational score is 1 or true, check status of client
if [ "$Audit5_4" = "1" ]; then
- ttyTimestamp="$(cat /etc/sudoers | egrep tty_tickets)"
+ keyTimeout="$(security show-keychain-info /Users/"$currentUser"/Library/Keychains/login.keychain 2>&1 | grep -c "no-timeout")"
# If client fails, then note category in audit file
- if [ "$ttyTimestamp" != "" ]; then
- echo "* 5.4 Use a separate timestamp for each user/tty combo" >> "$auditfilelocation"
+ if [ "$keyTimeout" -gt 0 ]; then
+ echo "* 5.4 Automatically lock the login keychain for inactivity" >> "$auditfilelocation"
echo "$(date -u)" "5.4 fix" | tee -a "$logFile"; else
echo "$(date -u)" "5.4 passed" | tee -a "$logFile"
$Defaults write "$plistlocation" OrgScore5_4 -bool false
fi
fi
-# 5.5 Automatically lock the login keychain for inactivity
+# 5.5 Use a separate timestamp for each user/tty combo
# Verify organizational score
Audit5_5="$($Defaults read "$plistlocation" OrgScore5_5)"
# If organizational score is 1 or true, check status of client
if [ "$Audit5_5" = "1" ]; then
- keyTimeout="$(security show-keychain-info /Users/"$currentUser"/Library/Keychains/login.keychain 2>&1 | grep -c "no-timeout")"
+ ttyTimestamp="$(cat /etc/sudoers | egrep tty_tickets)"
# If client fails, then note category in audit file
- if [ "$keyTimeout" -gt 0 ]; then
- echo "* 5.5 Automatically lock the login keychain for inactivity" >> "$auditfilelocation"
+ if [ "$ttyTimestamp" != "" ]; then
+ echo "* 5.5 Use a separate timestamp for each user/tty combo" >> "$auditfilelocation"
echo "$(date -u)" "5.5 fix" | tee -a "$logFile"; else
echo "$(date -u)" "5.5 passed" | tee -a "$logFile"
$Defaults write "$plistlocation" OrgScore5_5 -bool false
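Review bot: The header comment above the first block reads `# 5.5 Automatically lock the login keychain for inactivity` while the code beneath it reads `OrgScore5_4` and logs `5.4 …`, so the number in the comment is wrong — change it to `# 5.4 Automatically lock the login keychain for inactivity`. Because the priorities script only swapped titles, this keychain check now runs by default where it previously had an explicit `false`; worth confirming that is intended before the matching remediation goes live.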
@@ -1308,21 +1318,51 @@ if [ "$Audit5_16" = "1" ]; then
fi
fi
-# 5.19 System Integrity Protection status
+# 5.18 System Integrity Protection status
# Verify organizational score
-Audit5_19="$($Defaults read "$plistlocation" OrgScore5_19)"
+Audit5_18="$($Defaults read "$plistlocation" OrgScore5_18)"
# If organizational score is 1 or true, check status of client
-if [ "$Audit5_19" = "1" ]; then
+if [ "$Audit5_18" = "1" ]; then
sipEnabled="$(/usr/bin/csrutil status | awk '{print $5}')"
# If client fails, then note category in audit file
if [ "$sipEnabled" = "enabled." ]; then
+ echo "$(date -u)" "5.18 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore5_18 -bool false; else
+ echo "* 5.18 System Integrity Protection status - not enabled" >> "$auditfilelocation"
+ echo "$(date -u)" "5.18 fix" | tee -a "$logFile"
+ fi
+fi
+
+# 5.19 Enable Sealed System Volume (SSV)
+# Verify organizational score
+Audit5_19="$($Defaults read "$plistlocation" OrgScore5_19)"
+# If organizational score is 1 or true, check status of client
+if [ "$Audit5_19" = "1" ]; then
+ ssvEnabled="$(/usr/bin/csrutil authenticated-root status | awk '{print $4}')"
+ # If client fails, then note category in audit file
+ if [ "$ssvEnabled" = "enabled" ]; then
echo "$(date -u)" "5.19 passed" | tee -a "$logFile"
$Defaults write "$plistlocation" OrgScore5_19 -bool false; else
- echo "* 5.19 System Integrity Protection status - not enabled" >> "$auditfilelocation"
+ echo "* 5.19 Enable Sealed System Volume (SSV) - not enabled" >> "$auditfilelocation"
echo "$(date -u)" "5.19 fix" | tee -a "$logFile"
fi
fi
+# 5.20 Enable Library Validation
+# Verify organizational score
+Audit5_19="$($Defaults read "$plistlocation" OrgScore5_20)"
+# If organizational score is 1 or true, check status of client
+if [ "$Audit5_20" = "1" ]; then
+ libValidationDisabled="$($Defaults read /Library/Preferences/com.apple.security.librarayvalidation.plist DisableLibraryValidation)"
+ # If client fails, then note category in audit file
+ if [ "$libValidationDisabled" = 0 ]; then
+ echo "$(date -u)" "5.20 passed" | tee -a "$logFile"
+ $Defaults write "$plistlocation" OrgScore5_20 -bool false; else
+ echo "* 5.20 Library Validation - not enabled" >> "$auditfilelocation"
+ echo "$(date -u)" "5.20 fix" | tee -a "$logFile"
+ fi
+fi
+
# 6.1.1 Display login window as name and password
# Configuration Profile - LoginWindow payload > Window > LOGIN PROMPT > Name and password text fields (selected)
# Verify organizational score
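Review bot: The 5.20 Library Validation check never executes: the plist value is read into `Audit5_19` (copied from the block above) while the condition tests `$Audit5_20`, which is never set. The domain `com.apple.security.librarayvalidation.plist` also looks like a typo for `com.apple.security.libraryvalidation` — confirm against the remediation script — and if `DisableLibraryValidation` is absent on a default host (likely, since it is an opt-out key), `defaults read` prints nothing and `[ "" = 0 ]` flags a compliant machine. Use `Audit5_20="$($Defaults read "$plistlocation" OrgScore5_20)"`, read with `2>/dev/null`, and compare `[ "${libValidationDisabled:-0}" = 0 ]` so an unset key counts as enabled.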
diff --git a/CIS Scripts/3_Security_Remediation.sh b/CIS Scripts/3_Security_Remediation.sh
old mode 100644
new mode 100755
index a29d6cd..ba6d998
--- a/CIS Scripts/3_Security_Remediation.sh
+++ b/CIS Scripts/3_Security_Remediation.sh
@@ -135,14 +135,14 @@ if [ "$Audit2_1_1" = "1" ]; then
fi
fi
-# 2.1.3 Show Bluetooth status in menu bar
+# 2.1.2 Show Bluetooth status in menu bar
# Verify organizational score
-Audit2_1_3="$(defaults read "$plistlocation" OrgScore2_1_3)"
+Audit2_1_2="$(defaults read "$plistlocation" OrgScore2_1_2)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit2_1_3" = "1" ]; then
+if [ "$Audit2_1_2" = "1" ]; then
open "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"
- echo "$(date -u)" "2.1.3 remediated" | tee -a "$logFile"
+ echo "$(date -u)" "2.1.2 remediated" | tee -a "$logFile"
fi
## 2.2.1 Enable "Set time and date automatically" (Not Scored)
@@ -397,71 +397,69 @@ if [ "$Audit2_4_11" = "1" ]; then
echo "$(date -u)" "2.4.11 remediated - requires restart" | tee -a "$logFile"
fi
-# 2.5.2 Enable Gatekeeper
+# 2.5.2.1 Enable Gatekeeper
# Verify organizational score
-Audit2_5_2="$(defaults read "$plistlocation" OrgScore2_5_2)"
+Audit2_5_2_1="$(defaults read "$plistlocation" OrgScore2_5_2_1)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit2_5_2" = "1" ]; then
+if [ "$Audit2_5_2_1" = "1" ]; then
spctl --master-enable
- echo "$(date -u)" "2.5.2 remediated" | tee -a "$logFile"
+ echo "$(date -u)" "2.5.2.1 remediated" | tee -a "$logFile"
fi
-# 2.5.3 Enable Firewall
+# 2.5.2.2 Enable Firewall
# Remediation sets Firewall on for essential services
# Verify organizational score
-Audit2_5_3="$(defaults read "$plistlocation" OrgScore2_5_3)"
+Audit2_5_2_2="$(defaults read "$plistlocation" OrgScore2_5_2_2)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit2_5_3" = "1" ]; then
+if [ "$Audit2_5_2_2" = "1" ]; then
defaults write /Library/Preferences/com.apple.alf globalstate -int 2
- echo "$(date -u)" "2.5.3 remediated" | tee -a "$logFile"
+ echo "$(date -u)" "2.5.2.2 remediated" | tee -a "$logFile"
fi
-# 2.5.4 Enable Firewall Stealth Mode
+# 2.5.2.3 Enable Firewall Stealth Mode
# Verify organizational score
-Audit2_5_4="$(defaults read "$plistlocation" OrgScore2_5_4)"
+Audit2_5_2_3="$(defaults read "$plistlocation" OrgScore2_5_2_3)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit2_5_4" = "1" ]; then
+if [ "$Audit2_5_2_3" = "1" ]; then
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
- echo "$(date -u)" "2.5.4 remediated" | tee -a "$logFile"
+ echo "$(date -u)" "2.5.2.3 remediated" | tee -a "$logFile"
fi
-# 2.5.5 Review Application Firewall Rules
+# 2.5.3 Enable Location Services
# Verify organizational score
-Audit2_5_5="$(defaults read "$plistlocation" OrgScore2_5_5)"
+Audit2_5_3="$(defaults read "$plistlocation" OrgScore2_5_3)"
# If organizational score is 1 or true, check status of client
-# If client fails, then alert to need of remediation
-if [ "$Audit2_5_5" = "1" ]; then
- echo "$(date -u)" "2.5.5 not remediated" | tee -a "$logFile"
+if [ "$Audit2_5_3" = "1" ]; then
+ launchctl load -w /System/Library/LaunchDaemons/com.apple.locationd.plist
+ echo "$(date -u)" "2.5.3 remediated" | tee -a "$logFile"
fi
-# 2.5.6 Enable Location Services
-
-# 2.5.8 Disable sending diagnostic and usage data to Apple
+# 2.5.5 Disable sending diagnostic and usage data to Apple
# Verify Organizational score
-Audit2_5_8="$(defaults read "$plistlocation" OrgScore2_5_8)"
+Audit2_5_5="$(defaults read "$plistlocation" OrgScore2_5_5)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit2_5_8" = "1" ]; then
+if [ "$Audit2_5_5" = "1" ]; then
AppleDiagn=$(defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit)
if [ $AppleDiagn == 1 ]; then
defaults write /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -int 0
- echo "$(date -u)" "2.5.8 remediated" | tee -a "$logFile"
+ echo "$(date -u)" "2.5.5 remediated" | tee -a "$logFile"
fi
fi
-# 2.5.9 Force Limited Ad Tracking
+# 2.5.6 Limit Ad tracking and personalized Ads
# Verify Organizational score
-Audit2_5_9="$(defaults read "$plistlocation" OrgScore2_5_9)"
+Audit2_5_6="$(defaults read "$plistlocation" OrgScore2_5_6)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit2_5_9" = "1" ]; then
+if [ "$Audit2_5_6" = "1" ]; then
defaults write /Users/"${currentUser}"/Library/Preferences/com.apple.AdLib.plist forceLimitAdTracking -bool true
chown "${currentUser}":staff /Users/"${currentUser}"/Library/Preferences/com.apple.AdLib.plist
- echo "$(date -u)" "2.5.9 consider using a configuration profile" | tee -a "$logFile"
- echo "$(date -u)" "2.5.9 remediated" | tee -a "$logFile"
+ echo "$(date -u)" "2.5.6 consider using a configuration profile" | tee -a "$logFile"
+ echo "$(date -u)" "2.5.6 remediated" | tee -a "$logFile"
fi
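Review bot: The new 2.5.3 block logs "2.5.3 remediated" regardless of whether `launchctl load -w` succeeded, and loading locationd does not by itself show that the Location Services switch is on; the README NOTES removed further down in this same commit said this setting could not be enabled programmatically, so the claim deserves a check rather than an unconditional log line. At minimum gate the log on the exit status: `if launchctl load -w /System/Library/LaunchDaemons/com.apple.locationd.plist; then echo "$(date -u)" "2.5.3 remediated" | tee -a "$logFile"; else echo "$(date -u)" "2.5.3 remediation failed" | tee -a "$logFile"; fi`. The audit counterpart for 2.5.3 is not visible here, so it is worth confirming that what it reads matches what this block changes, otherwise the item can flip to "remediated" in the log while the audit keeps failing. The older `# If client fails, then remediate` comment line was dropped from this block while its siblings keep it; restoring it keeps the blocks uniform.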
# 2.7.1 Time Machine Auto-Backup
@@ -474,37 +472,42 @@ if [ "$Audit2_7_1" = "1" ]; then
echo "$(date -u)" "2.7.1 remediated" | tee -a "$logFile"
fi
-# 2.8 Pair the remote control infrared receiver if enabled
+# 2.8 Disable "Wake for network access"
# Verify organizational score
Audit2_8="$(defaults read "$plistlocation" OrgScore2_8)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit2_8" = "1" ]; then
- defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false
+ pmset -a womp 0
+ pmset -a powernap 0
echo "$(date -u)" "2.8 remediated" | tee -a "$logFile"
fi
-# 2.9 Enable Secure Keyboard Entry in terminal.app
+# 2.9 Disable Power Nap
# Verify organizational score
Audit2_9="$(defaults read "$plistlocation" OrgScore2_9)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit2_9" = "1" ]; then
- defaults write /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry -bool true
+ pmset -a powernap 0
echo "$(date -u)" "2.9 remediated" | tee -a "$logFile"
fi
-# 2.12 Disable "Wake for network access"
+# 2.10 Enable Secure Keyboard Entry in terminal.app
# Verify organizational score
-Audit2_12="$(defaults read "$plistlocation" OrgScore2_12)"
+Audit2_10="$(defaults read "$plistlocation" OrgScore2_10)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit2_12" = "1" ]; then
- pmset -a womp 0
- pmset -a powernap 0
- echo "$(date -u)" "2.12 remediated" | tee -a "$logFile"
+if [ "$Audit2_10" = "1" ]; then
+ defaults write /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry -bool true
+ iTerm="$(defaults read -app iTerm | /usr/bin/grep -c "Couldn't find an application")"
+ if [ "$iTerm" -gt "0" ]; then
+ defaults write -app iTerm "Secure Input" -bool true
+ fi
+ echo "$(date -u)" "2.10 remediated" | tee -a "$logFile"
fi
+
# 3.1 Enable security auditing
# Verify organizational score
Audit3_1="$(defaults read "$plistlocation" OrgScore3_1)"
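Review bot: The iTerm detection in the new 2.10 block is inverted and also reads the wrong stream: `defaults read -app iTerm` prints "Couldn't find an application" on stderr, so `grep -c` on stdout yields 0 whether or not iTerm is installed and the `-gt "0"` branch never runs; even if it did, a count above zero means iTerm is absent, which is when the write should be skipped. Replace the grep with the exit status, `if defaults read -app iTerm >/dev/null 2>&1; then defaults write -app iTerm "Secure Input" -bool true; fi`. Note also that `defaults -app` acts on the invoking user's preferences, so when this script runs under sudo the iTerm write presumably lands in root's domain rather than "$currentUser"'s, unlike the Terminal line above it which targets the user's plist explicitly — confirm against a Big Sur host. Separately, the new 2.8 block runs `pmset -a powernap 0` in addition to `womp 0`, which is exactly what 2.9 does, so enabling only OrgScore2_8 silently changes Power Nap; drop the second pmset line from 2.8 so each score controls one setting.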
@@ -528,26 +531,49 @@ if [ "$Audit3_2" = "1" ]; then
echo "$(date -u)" "3.2 remediated" | tee -a "$logFile"
fi
-# 3.3 Ensure security auditing retention
+# 3.3 Retain install.log for 365 or more days
# Verify organizational score
Audit3_3="$(defaults read "$plistlocation" OrgScore3_3)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit3_3" = "1" ]; then
+ installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')"
+ if [[ "$installRetention" = "" ]]; then
+ mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
+ sed '$s/$/ ttl=365/' /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
+ chmod 644 /etc/asl/com.apple.install
+ chown root:wheel /etc/asl/com.apple.install
+ echo "$(date -u)" "3.3 remediated" | tee -a "$logfile"
+ else
+ if [[ "$installRetention" -lt "365" ]]; then
+ mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
+ sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
+ chmod 644 /etc/asl/com.apple.install
+ chown root:wheel /etc/asl/com.apple.install
+ echo "$(date -u)" "3.3 remediated" | tee -a "$logfile"
+ fi
+ fi
+fi
+# 3.4 Ensure security auditing retention
+# Verify organizational score
+Audit3_4="$(defaults read "$plistlocation" OrgScore3_4)"
+# If organizational score is 1 or true, check status of client
+# If client fails, then remediate
+if [ "$Audit3_4" = "1" ]; then
cp /etc/security/audit_control /etc/security/audit_control_old
oldExpireAfter=$(cat /etc/security/audit_control | egrep expire-after)
sed "s/${oldExpireAfter}/expire-after:60d OR 1G/g" /etc/security/audit_control_old > /etc/security/audit_control
chmod 644 /etc/security/audit_control
chown root:wheel /etc/security/audit_control
- echo "$(date -u)" "3.3 remediated" | tee -a "$logfile"
+ echo "$(date -u)" "3.4 remediated" | tee -a "$logfile"
fi
-# 3.4 Control access to audit records
+# 3.5 Control access to audit records
# Verify organizational score
-Audit3_4="$(defaults read "$plistlocation" OrgScore3_4)"
+Audit3_5="$(defaults read "$plistlocation" OrgScore3_5)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit3_4" = "1" ]; then
+if [ "$Audit3_5" = "1" ]; then
chown -R root:wheel /var/audit
chmod -R 440 /var/audit
chown root:wheel /etc/security/audit_control
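Review bot: The relocated 3.3 block (both `echo ... "3.3 remediated"` lines) and the renumbered 3.4 log line write to `"$logfile"`, while every other block in this file uses `"$logFile"`; bash treats these as different variables, so unless `logfile` is set somewhere outside the visible hunks this expands to `tee -a ""` and the remediation is never recorded — change all three to `"$logFile"`. The same mismatch is carried into the 3.5 block's log line in the next hunk, which after this renumbering also still reads "3.3 remediated" and is missing its leading `echo`. In the 3.3 block, `[[ "$installRetention" -lt "365" ]]` is an arithmetic comparison, so any non-numeric remainder captured after `ttl=` by the awk split would make the test error out rather than remediate; consider trimming to digits first, `installRetention="${installRetention%%[^0-9]*}"`, and treating an empty result like the missing-ttl case. Both mv/sed sequences also leave `/etc/asl/com.apple.install.old` behind on every run, which is harmless but worth a comment so the file is not mistaken for a live config.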
@@ -555,29 +581,6 @@ if [ "$Audit3_4" = "1" ]; then
"$(date -u)" "3.3 remediated" | tee -a "$logfile"
fi
-# 3.5 Retain install.log for 365 or more days
-# Verify organizational score
-Audit3_5="$(defaults read "$plistlocation" OrgScore3_5)"
-# If organizational score is 1 or true, check status of client
-# If client fails, then remediate
-if [ "$Audit3_5" = "1" ]; then
- installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')"
- if [[ "$installRetention" = "" ]]; then
- mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
- sed '$s/$/ ttl=365/' /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
- chmod 644 /etc/asl/com.apple.install
- chown root:wheel /etc/asl/com.apple.install
- echo "$(date -u)" "3.5 remediated" | tee -a "$logfile"
- else
- if [[ "$installRetention" -lt "365" ]]; then
- mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
- sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
- chmod 644 /etc/asl/com.apple.install
- chown root:wheel /etc/asl/com.apple.install
- echo "$(date -u)" "3.5 remediated" | tee -a "$logfile"
- fi
- fi
-fi
# 3.6 Ensure firewall is configured to log
# Verify organizational score
@@ -699,35 +702,35 @@ if [ "$Audit5_3" = "1" ]; then
echo "$(date -u)" "5.3 remediated" | tee -a "$logFile"
fi
-# 5.4 Use a separate timestamp for each user/tty combo
+# 5.5 Use a separate timestamp for each user/tty combo
# Verify organizational score
-Audit5_4="$(defaults read "$plistlocation" OrgScore5_4)"
+Audit5_5="$(defaults read "$plistlocation" OrgScore5_5)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit5_4" = "1" ]; then
+if [ "$Audit5_5" = "1" ]; then
sed -i ".old" '/Default !tty_tickets/d' /etc/sudoers
chmod 644 /etc/sudoers
chown root:wheel /etc/sudoers
- echo "$(date -u)" "5.4 remediated" | tee -a "$logFile"
+ echo "$(date -u)" "5.5 remediated" | tee -a "$logFile"
fi
-# 5.5 Automatically lock the login keychain for inactivity
+# 5.4 Automatically lock the login keychain for inactivity
# 5.6 Ensure login keychain is locked when the computer sleeps
-# If both 5.5 and 5.6 need to be set, both commands must be run at the same time
+# If both 5.4 and 5.6 need to be set, both commands must be run at the same time
# Verify organizational score
-Audit5_5="$(defaults read "$plistlocation" OrgScore5_5)"
+Audit5_4="$(defaults read "$plistlocation" OrgScore5_4)"
Audit5_6="$(defaults read "$plistlocation" OrgScore5_6)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
-if [ "$Audit5_5" = "1" ] && [ "$Audit5_6" = 1 ]; then
-echo "$(date -u)" "Checking 5.5 and 5.6" | tee -a "$logFile"
+if [ "$Audit5_4" = "1" ] && [ "$Audit5_6" = 1 ]; then
+echo "$(date -u)" "Checking 5.4 and 5.6" | tee -a "$logFile"
security set-keychain-settings -l -u -t 21600s /Users/"$currentUser"/Library/Keychains/login.keychain
- echo "$(date -u)" "5.5 and 5.6 remediated" | tee -a "$logFile"
- elif [ "$Audit5_5" = "1" ] && [ "$Audit5_6" = 0 ]; then
- echo "$(date -u)" "Checking 5.5" | tee -a "$logFile"
+ echo "$(date -u)" "5.4 and 5.6 remediated" | tee -a "$logFile"
+ elif [ "$Audit5_4" = "1" ] && [ "$Audit5_6" = 0 ]; then
+ echo "$(date -u)" "Checking 5.4" | tee -a "$logFile"
security set-keychain-settings -u -t 21600s /Users/"$currentUser"/Library/Keychains/login.keychain
- echo "$(date -u)" "5.5 remediated" | tee -a "$logFile"
- elif [ "$Audit5_5" = "0" ] && [ "$Audit5_6" = 1 ]; then
+ echo "$(date -u)" "5.4 remediated" | tee -a "$logFile"
+ elif [ "$Audit5_4" = "0" ] && [ "$Audit5_6" = 1 ]; then
echo "$(date -u)" "Checking 5.6" | tee -a "$logFile"
security set-keychain-settings -l /Users/"$currentUser"/Library/Keychains/login.keychain
echo "$(date -u)" "5.6 remediated" | tee -a "$logFile"
@@ -831,17 +834,37 @@ if [ "$Audit5_16" = "1" ]; then
echo "$(date -u)" "5.16 remediated" | tee -a "$logFile"
fi
-# 5.19 System Integrity Protection status
+# 5.18 System Integrity Protection status
+# Verify organizational score
+Audit5_18="$(defaults read "$plistlocation" OrgScore5_18)"
+# If organizational score is 1 or true, check status of client
+# If client fails, then remediate
+if [ "$Audit5_18" = "1" ]; then
+ echo "This tool needs to be executed from the Recovery OS."
+ #/usr/bin/csrutil enable
+ #echo "$(date -u)" "5.18 remediated" | tee -a "$logFile"
+fi
+
+# 5.19 Enable Sealed System Volume (SSV)
# Verify organizational score
Audit5_19="$(defaults read "$plistlocation" OrgScore5_19)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_19" = "1" ]; then
echo "This tool needs to be executed from the Recovery OS."
- #/usr/bin/csrutil enable
+ #/usr/bin/csrutil authenticated-root enable
#echo "$(date -u)" "5.19 remediated" | tee -a "$logFile"
fi
+# 5.20 Enable Library Validation
+# Verify organizational score
+Audit5_20="$(defaults read "$plistlocation" OrgScore5_20)"
+# If organizational score is 1 or true, check status of client
+if [ "$Audit5_20" = "1" ]; then
+ defaults write /Library/Preferences/com.apple.security.librarayvalidation.plist DisableLibraryValidation -bool false
+ echo "$(date -u)" "5.20 remediated" | tee -a "$logFile"
+fi
+
# 6.1.1 Display login window as name and password
# Verify organizational score
Audit6_1_1="$(defaults read "$plistlocation" OrgScore6_1_1)"
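Review bot: The 5.20 remediation writes to `/Library/Preferences/com.apple.security.librarayvalidation.plist`, where "librarayvalidation" is a misspelling of the libraryvalidation preference domain; the write therefore creates a plist nothing reads and Library Validation is left unchanged. The audit script's 5.20 check added in this same commit reads the identical misspelled path, so audit and remediation agree with each other while the OS setting is never enforced, and 5.20 will report as passing. Correct the path in both scripts, `defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool false`, and confirm on a Big Sur host that the key takes effect without a configuration profile. While in the audit counterpart, note that its 5.20 block stores the org score into `Audit5_19` but tests `Audit5_20`, so that check never runs and the 5.19 result is overwritten. The new 5.18 block's "This tool needs to be executed from the Recovery OS." message is not timestamped or appended to "$logFile" like every other status line; routing it through the same `echo "$(date -u)" ... | tee -a "$logFile"` form keeps the log complete.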
diff --git a/Extension Attributes/2.5_Audit_List.sh b/Extension Attributes/2.5_Audit_List.sh
old mode 100644
new mode 100755
diff --git a/README.md b/README.md
index 5e6ff4a..1e6d983 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,19 @@
-# CIS for macOS Catalina - Script and Configuration Profile Remediation
+# CIS for macOS Big Sur - Script and Configuration Profile Remediation
## INFO:
-Refers to document CIS_Apple_OSX_10.15_Benchmark_v1.0.0.pdf, available at https://benchmarks.cisecurity.org
+Refers to document CIS_Apple_macOS_11.0_Benchmark_v1.1.0.pdf, available at https://benchmarks.cisecurity.org
## USAGE:
+### Manual Usage
+
+These scripts are intended to be used by jamf. However, if you want to manually benchmark your own **Big Sur** laptop, you can do so via the following steps:
+
+* Ensure that `/Library/Application Support/` exists. Note that sudo is required for its creation
+* Update `CIS Scripts/1_Set_Organization_Priorities.sh` if necessary. Checks can be enabled and disabled by changing their corresponding boolean values.
+* Run `CIS Scripts/1_Set_Organization_Priorities.sh` with sudo to populate the file `/Library/Application Support/SecurityScoring/org_security_score.plist` with the values defined beginning on line 460 of this script. This `.plist` file drives the following scripts. ***The next two steps will not work if this is not performed first.***
+* Run `CIS Scripts/2_Security_Audit_Compliance.sh` with sudo to run the benchmark
+* You can now get a list of all fails by using `Extension Attributes/2.5_Audit_List.sh` or remediate the fails using `CIS Scripts/3_Security_Remediation.sh` (sudo required as some checks cannot be run by standard users)
+
* Create Extension Attributes using the following scripts:
### 2.5_Audit_List Extension Attribute
@@ -44,35 +54,6 @@ Maintenance Payload - Update Inventory
* Policy: Some recurring trigger to track compliance over time.
-NOTES:
-
-* Item "1.1 Verify all Apple provided software is current" is disabled by default.
-* Item "2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices - not applicable to 10.9 and higher."
- Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected.
- To ensure that the computer is not Discoverable do not leave that preference open.
-* Item "2.6.6 Enable Location Services (Not Scored)" is disabled by default.
- As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
- It is considered user opt in.
-* Item "2.6.7 Monitor Location Services Access (Not Scored)" is disabled by default.
- As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
- It is considered user opt in.
-* Item "2.7.1 Time Machine Auto-Backup " is disabled by default.
- Time Machine is typically not used as an Enterprise backup solution
-* Item "2.7.2 Time Machine Volumes Are Encrypted (Not Scored)" is disabled by default.
- Time Machine is typically not used as an Enterprise backup solution
-* Item "2.10 Securely delete files as needed (Not Scored)" is disabled by default.
- With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives
- the requirements have changed and the "Secure Empty Trash" capability has been removed from the GUI.
-* Item "4.3 Create network specific locations (Not Scored)" is disabled by default.
-* Item "5.5 Automatically lock the login keychain for inactivity" is disabled by default.
-* Item "5.6 Ensure login keychain is locked when the computer sleeps" is disabled by default.
-* Item "5.15 Do not enter a password-related hint (Not Scored)" is disabled by default.
- Not needed if 6.1.2 Disable "Show password hints" is enforced.
-* Item "5.17 Secure individual keychains and items (Not Scored)" is disabled by default.
-* Item "5.8 Create specialized keychains for different purposes (Not Scored)" is disabled by default.
-* Item "6.3 Safari disable Internet Plugins for global use (Not Scored)" is disabled by default.
-
-
### 2_Security_Audit_Compliance
Run this before and after 3_Security_Remediation to audit the Remediation
@@ -86,61 +67,3 @@ Non-compliant items are recorded at /Library/Application Support/SecurityScoring
Run 2_Security_Audit_Compliance after to audit the Remediation
Reads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist. For items prioritized (listed as "true,") the script applies recommended remediation actions for the client/user.
-SCORED CIS EXCEPTIONS:
-
-- Does not implement `pwpolicy` commands (5.2.1 - 5.2.8)
-
-- Audits but does not actively remediate (due to alternate profile/policy functionality within Jamf Pro):
-* 2.4.4 Disable Printer Sharing
-* 2.5.1.1 Enable FileVault
-* 5.19 System Integrity Protection status
-
-- Audits but does not remediate (due to requirement to review the device)
-* 3.4 Control access to audit records
-
-## REMEDIATED USING CONFIGURATION PROFILES:
-The following Configuration profiles are available in mobileconfig and plist form. If you wish to change a particular setting, edit the plist in question. Mobileconfigs can be uploaded to Jamf Pro Configuration Profiles as is and plists can be added to a new Configuration Profile as Custom Payloads.
-
-### CIS 10.15 Custom Settings mobileconfig
-* 1.2 Enable Auto Update
-* 1.5 Enable system data files and security update installed
-* 2.9 Enable Secure Keyboard Entry in terminal.app
-* 4.1 Disable Bonjour advertising service
-* 6.1.4 Disable "Allow guests to connect to shared folders"
-* 6.3 Disable the automatic run of safe files in Safari
-
-### CIS 10.15 LoginWindow Security_and_Privacy ScreenSaver mobileconfig
-* 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver
-* 2.3.2 Secure screen saver corners
-* 2.3.3 Set a screen corner to Start Screen Saver
-* 2.5.2 Enable Gatekeeper
-* 2.5.3 Enable Firewall
-* 2.5.4 Enable Firewall Stealth Mode
-* 2.5.5 Review Application Firewall Rules
-* 5.8 Disable automatic login
-* 5.9 Require a password to wake the computer from sleep or screen saver
-* 5.13 Create a custom message for the Login Screen
-* 5.16 Disable Fast User Switching (Not Scored)
-* 6.1.1 Display login window as name and password
-* 6.1.2 Disable "Show password hints"
-* 6.1.3 Disable guest account
-
-### CIS 10.15 Restrictions mobileconfig
-* 2.4.10 Disable Content Caching (Not Scored) - Restrictions payload > Functionality > Allow Content Caching (unchecked)
-* 2.5.8 Disable sending diagnostic and usage data to Apple - Restrictions payload > Allow Diagnostic Submission (unchecked)
-* 2.6.1 iCloud system configuration
-* Includes:
-* Disable preference pane (Not Scored) - Restrictions payload > Preferences > disable selected items > iCloud
-* Disable the use of iCloud password for local accounts (Not Scored) - Restrictions payload > Functionality > Allow use of iCloud password for local accounts (unchecked)
-* Disable iCloud Back to My Mac (Not Scored) - Restrictions payload > Functionality > Allow iCloud Back to My Mac (unchecked)
-* Disable iCloud Find My Mac (Not Scored) - Restrictions payload > Functionality > Allow iCloud Find My Mac (unchecked)
-* Disable iCloud Bookmarks (Not Scored) - Restrictions payload > Functionality > Allow iCloud Bookmarks (unchecked)
-* Disable iCloud Mail (Not Scored) - Restrictions payload > Functionality > Allow iCloud Mail (unchecked)
-* Disable iCloud Calendar (Not Scored) - Restrictions payload > Functionality > Allow iCloud Calendar (unchecked)
-* Disable iCloud Reminders (Not Scored) - Restrictions payload > Functionality > Allow iCloud Reminders (unchecked)
-* Disable iCloud Contacts (Not Scored) - Restrictions payload > Functionality > Allow iCloud Contacts (unchecked)
-* Disable iCloud Notes (Not Scored) - Restrictions payload > Functionality > Allow iCloud Notes (unchecked)
-* 2.6.2 Disable iCloud keychain (Not Scored) - Restrictions payload > Functionality > Allow iCloud Keychain (unchecked)
-* 2.6.3 Disable iCloud Drive (Not Scored) - Restrictions payload > Functionality > Allow iCloud Drive (unchecked)
-* 2.6.4 Disable iCloud Drive Document sync - Restrictions payload > Functionality > Allow iCloud Desktop & Documents (unchecked)
-* 2.6.5 Disable iCloud Drive Desktop sync - Restrictions payload > Functionality > Allow iCloud Desktop & Documents (unchecked)2.6.8 Disable sending diagnostic and usage data to Apple