From e08d21ac46636aa95f69c33514833a6fffff7514 Mon Sep 17 00:00:00 2001 
From: nnikolovGC <80894962+nnikolovGC@users.noreply.github.com> Date: Tue, 11 May 2021 11:19:13 +0100 Subject: [PATCH 1/5] Update script to work for Big Sur (#1) * Update Show Bluetooth status in menu bar's number * Add missing bracket * Disable Disable Bluetooth Sharing The check is no longer possible programmatically * Update Disable Content Caching check This is only a minor wording change in the output * Update Enable Gatekeepr's number * Update Enable Firewall's number * Update Enable Firewall Stealth Mode's number * Remove Review Application Firewall Rule Check is no longer a part of the benchmark * Update Disable sending diagnostic and usage data to Apple's number * Remove Pair the remote control infrared receiver if enabled * Swap 3.3, 3.4 and 3.5 around * Swap 5.4 and 5.5 * Change System Integrity Protection status to 5.18 * Redirect stderr to devnull for 2.1.1 * Update Limit Ad tracking and personalized Ads * Update Show Wi-Fi status in menu bar * Update Ensure http server is not running * Update SecureKeyboardEntry's number * Update Wake fo network access's number * Finish updating Secure Keyboard entry's number * Add check for Disable Power Nap * Add Enable Sealed System Volume (SSV) * Add Enable Library Validation * Add Enable Location Services * Add iTerm to SecureKeyboardEntry check * Fix typos * Improve usability and update README * Chmod +x scripts * Improve README readability * Remove CIS exception list The exceptions will depend on our org --- CIS Scripts/1_Set_Organization_Priorities.sh | 116 +++---- CIS Scripts/2_Security_Audit_Compliance.sh | 320 +++++++++++-------- CIS Scripts/3_Security_Remediation.sh | 195 ++++++----- Extension Attributes/2.5_Audit_List.sh | 0 README.md | 71 +--- 5 files changed, 358 insertions(+), 344 deletions(-) mode change 100644 => 100755 CIS Scripts/1_Set_Organization_Priorities.sh mode change 100644 => 100755 CIS Scripts/2_Security_Audit_Compliance.sh mode change 100644 => 100755 CIS Scripts/3_Security_Remediation.sh 
mode change 100644 => 100755 Extension Attributes/2.5_Audit_List.sh diff --git a/CIS Scripts/1_Set_Organization_Priorities.sh b/CIS Scripts/1_Set_Organization_Priorities.sh old mode 100644 new mode 100755 index aea9c5e..3b0e63b --- a/CIS Scripts/1_Set_Organization_Priorities.sh +++ b/CIS Scripts/1_Set_Organization_Priorities.sh @@ -89,13 +89,9 @@ OrgScore1_6="true" OrgScore2_1_1="true" # OrgScore2_1_1="false" -## 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices - not applicable to 10.9 and higher. -## Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. -## To ensure that the computer is not Discoverable do not leave that preference open. - -# 2.1.3 Show Bluetooth status in menu bar -OrgScore2_1_3="true" -# OrgScore2_1_3="false" +# 2.1.2 Show Bluetooth status in menu bar +OrgScore2_1_2="true" +# OrgScore2_1_2="false" # 2.2.1 Enable "Set time and date automatically" OrgScore2_2_1="true" @@ -154,8 +150,8 @@ OrgScore2_4_6="true" # OrgScore2_4_6="false" # 2.4.7 Disable Bluetooth Sharing -OrgScore2_4_7="true" -# OrgScore2_4_7="false" +#OrgScore2_4_7="true" +OrgScore2_4_7="false" # 2.4.8 Disable File Sharing OrgScore2_4_8="true" 
@@ -188,41 +184,36 @@ OrgScore2_5_1_2="true" OrgScore2_5_1_3="true" # OrgScore2_5_1_3="false" -# 2.5.2 Enable Gatekeeper +# 2.5.2.1 Enable Gatekeeper # Configuration Profile - Security and Privacy payload > General > Gatekeeper > Mac App Store and identified developers (selected) -OrgScore2_5_2="true" -# OrgScore2_5_2="false" +OrgScore2_5_2_1="true" +# OrgScore2_5_2_1="false" -# 2.5.3 Enable Firewall +# 2.5.2.2 Enable Firewall # Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked) -OrgScore2_5_3="true" -# OrgScore2_5_3="false" +OrgScore2_5_2_2="true" +# OrgScore2_5_2_2="false" -# 2.5.4 Enable Firewall Stealth Mode +# 2.5.2.3 Enable Firewall Stealth Mode # Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked) -OrgScore2_5_4="true" -# OrgScore2_5_4="false" +OrgScore2_5_2_3="true" +# OrgScore2_5_2_3="false" -# 2.5.5 Review Application Firewall Rules -# Configuration Profile - Security and Privacy payload > Firewall > Control incoming connections for specific apps (selected) -OrgScore2_5_5="true" -# OrgScore2_5_5="false" - -## 2.5.6 Enable Location Services (Not Scored) -## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. -## It is considered user opt in. +# 2.5.3 Enable Location Services +OrgScore2_5_3="true" +# OrgScore2_5_3="false" ## 2.5.7 Monitor Location Services Access (Not Scored) ## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. ## It is considered user opt in. 
-# 2.5.8 Disable sending diagnostic and usage data to Apple -OrgScore2_5_8="true" -# OrgScore2_5_8="false" +# 2.5.5 Disable sending diagnostic and usage data to Apple +OrgScore2_5_5="true" +# OrgScore2_5_5="false" -# 2.5.9 Review Advertising Settings (Not Scored) -OrgScore2_5_9="true" -# OrgScore2_5_9="false" +# 2.5.6 Limit Ad tracking and personalized Ads +OrgScore2_5_6="true" +# OrgScore2_5_6="false" # 2.6.1 iCloud configuration (Check for iCloud accounts) (Not Scored) OrgScore2_6_1="true" @@ -256,16 +247,19 @@ OrgScore2_7_1="false" ## 2.7.2 Time Machine Volumes Are Encrypted (Not Scored) ## Time Machine is typically not used as an Enterprise backup solution -# 2.8 Pair the remote control infrared receiver if enabled -# Since 2013 only the Mac Mini has an infrared receiver +# 2.8 Disable "Wake for network access" OrgScore2_8="true" # OrgScore2_8="false" -# 2.9 Enable Secure Keyboard Entry in terminal.app -# Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true +# 2.9 Disable Power Nap OrgScore2_9="true" # OrgScore2_9="false" +# 2.10 Enable Secure Keyboard Entry in terminal.app +# Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true +OrgScore2_10="true" +# OrgScore2_10="false" + ## 2.10 Securely delete files as needed (Not Scored) ## With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives ## the requirements have changed and the "Secure Empty Trash" capability has been removed from the GUI. @@ -275,9 +269,6 @@ OrgScore2_9="true" OrgScore2_11="true" # OrgScore2_11="false" -# 2.12 Disable "Wake for network access" and "Power Nap" -OrgScore2_12="true" -# OrgScore2_12="false" # 3.1 Enable security Auditing OrgScore3_1="true" 
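Review bot: The new `# 2.10 Enable Secure Keyboard Entry in terminal.app` entry is placed directly above the pre-existing `## 2.10 Securely delete files as needed (Not Scored)` comment, so two different items now carry the number 2.10 in this file and a reader cannot tell which one `OrgScore2_10` refers to; the older comment should be renumbered to its Big Sur benchmark number or marked as a legacy note. Separately, `OrgScore2_8` and `OrgScore2_9` keep their old `"true"` values but now mean "Wake for network access" and "Power Nap" instead of the IR receiver and Secure Keyboard Entry, so a priorities plist generated by an earlier version of this script would carry old answers under new meanings until the script is re-run on each client. A comment above the 2.8 entry such as `# NOTE: items 2.8-2.10 were renumbered for Big Sur - regenerate the priorities plist on every client before auditing` would make that visible.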
@@ -287,15 +278,15 @@ OrgScore3_1="true" OrgScore3_2="true" # OrgScore3_2="false" -# 3.3 Ensure security auditing retention +# 3.3 Retain install.log for 365 or more days OrgScore3_3="true" # OrgScore3_3="false" -# 3.4 Control access to audit records +# 3.4 Ensure security auditing retention OrgScore3_4="true" # OrgScore3_4="false" -# 3.5 Retain install.log for 365 or more days +# 3.5 Control access to audit records OrgScore3_5="true" # OrgScore3_5="false" @@ -350,11 +341,11 @@ OrgScore5_1_4="true" OrgScore5_3="true" # OrgScore5_3="false" -# 5.4 Use a separate timestamp for each user/tty combo +# 5.4 Automatically lock the login keychain for inactivity OrgScore5_4="true" # OrgScore5_4="false" -# 5.5 Automatically lock the login keychain for inactivity +# 5.5 Use a separate timestamp for each user/tty combo # This is a very bad idea. It will confuse users. # OrgScore5_5="true" OrgScore5_5="false" @@ -410,12 +401,19 @@ OrgScore5_16="true" ## 5.17 Secure individual keychains and items (Not Scored) -## 5.18 Create specialized keychains for different purposes (Not Scored) -# 5.19 System Integrity Protection status +# 5.18 System Integrity Protection status +OrgScore5_18="true" +# OrgScore5_18="false" + +# 5.19 Enable Sealed System Volume (SSV) OrgScore5_19="true" # OrgScore5_19="false" +# 5.20 Enable Library Validation +OrgScore5_20="true" +# OrgScore5_20="false" + # 6.1.1 Display login window as name and password # Configuration Profile - LoginWindow payload > Window > LOGIN PROMPT > Name and password text fields (selected) OrgScore6_1_1="true" @@ -477,8 +475,8 @@ cat << EOF > "$plistlocation" <${OrgScore1_6}/> OrgScore2_1_1 <${OrgScore2_1_1}/> - OrgScore2_1_3 - <${OrgScore2_1_3}/> + OrgScore2_1_2 + <${OrgScore2_1_2}/> OrgScore2_2_1 <${OrgScore2_2_1}/> OrgScore2_2_2 
@@ -517,18 +515,18 @@ cat << EOF > "$plistlocation" <${OrgScore2_5_1_2}/> OrgScore2_5_1_3 <${OrgScore2_5_1_3}/> - OrgScore2_5_2 - <${OrgScore2_5_2}/> + OrgScore2_5_2_1 + <${OrgScore2_5_2_1}/> + OrgScore2_5_2_2 + <${OrgScore2_5_2_2}/> + OrgScore2_5_2_3 + <${OrgScore2_5_2_3}/> OrgScore2_5_3 <${OrgScore2_5_3}/> - OrgScore2_5_4 - <${OrgScore2_5_4}/> OrgScore2_5_5 <${OrgScore2_5_5}/> - OrgScore2_5_8 - <${OrgScore2_5_8}/> - OrgScore2_5_9 - <${OrgScore2_5_9}/> + OrgScore2_5_6 + <${OrgScore2_5_6}/> OrgScore2_6_1 <${OrgScore2_6_1}/> OrgScore2_6_2 @@ -547,8 +545,6 @@ cat << EOF > "$plistlocation" <${OrgScore2_9}/> OrgScore2_11 <${OrgScore2_11}/> - OrgScore2_12 - <${OrgScore2_12}/> OrgScore3_1 <${OrgScore3_1}/> OrgScore3_2 @@ -603,8 +599,12 @@ cat << EOF > "$plistlocation" <${OrgScore5_14}/> OrgScore5_16 <${OrgScore5_16}/> + OrgScore5_18 + <${OrgScore5_18}/> OrgScore5_19 <${OrgScore5_19}/> + OrgScore5_20 + <${OrgScore5_20}/> OrgScore6_1_1 <${OrgScore6_1_1}/> OrgScore6_1_2 diff --git a/CIS Scripts/2_Security_Audit_Compliance.sh b/CIS Scripts/2_Security_Audit_Compliance.sh old mode 100644 new mode 100755 index 7cad895..5c9185e --- a/CIS Scripts/2_Security_Audit_Compliance.sh +++ b/CIS Scripts/2_Security_Audit_Compliance.sh @@ -54,6 +54,12 @@ hardwareUUID="$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UU logFile="/Library/Application Support/SecurityScoring/remediation.log" +osVersion="$(sw_vers -productversion)" +if [ "$osVersion" < 11 ]; then + echo "This script does not support Catalina. Please use https://github.com/jamf/CIS-for-macOS-Catalina-CP instead" + exit 0 +fi + if [[ $(tail -n 1 "$logFile") = *"Remediation complete" ]]; then echo "Append to existing logFile" 
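Review bot: The heredoc still goes straight from `<${OrgScore2_9}/>` to `OrgScore2_11`, so the new `OrgScore2_10` setting defined earlier in this file is never written into the priorities plist; the audit script's `$Defaults read "$plistlocation" OrgScore2_10` will then return nothing and the Secure Keyboard Entry check is silently skipped on every client. Add an entry between those two, mirroring the neighbouring ones: a key element naming `OrgScore2_10` followed by `<${OrgScore2_10}/>`. The `cat << EOF` heredoc starts and ends outside this hunk.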
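Review bot: `if [ "$osVersion" < 11 ]; then` does not compare versions: inside single brackets `<` is a stdin redirection from a file named `11`, so the test fails with "No such file or directory", the `if` evaluates false, and the Catalina guard never fires. Compare the major version numerically instead, e.g. `osMajor="$(sw_vers -productVersion | cut -d. -f1)"` and `if [ "$osMajor" -lt 11 ]; then`. Also consider whether `exit 0` is the right status: exiting with success lets a Jamf policy report the audit as complete when nothing was checked, whereas `exit 1` would surface the unsupported OS. The lowercase `-productversion` flag is worth a quick check against `sw_vers` on the target builds, since the documented spelling is `-productVersion`.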
@@ -200,7 +206,7 @@ if [ "$Audit2_1_1" = "1" ]; then if [ "$btPowerState" = "0" ]; then echo "$(date -u)" "2.1.1 passed" | tee -a "$logFile" $Defaults write "$plistlocation" OrgScore2_1_1 -bool false; else - connectable="$(system_profiler SPBluetoothDataType | grep Connectable | awk '{print $2}' | head -1)" + connectable="$(system_profiler SPBluetoothDataType 2>&1| grep Connectable | awk '{print $2}' | head -1)" if [[ "$connectable" != "Yes" ]]; then echo "$(date -u)" "2.1.1 passed" | tee -a "$logFile" $Defaults write "$plistlocation" OrgScore2_1_1 -bool false; else @@ -210,18 +216,18 @@ if [ "$Audit2_1_1" = "1" ]; then fi fi -# 2.1.3 Show Bluetooth status in menu bar +# 2.1.2 Show Bluetooth status in menu bar # Verify organizational score -Audit2_1_3="$($Defaults read "$plistlocation" OrgScore2_1_3)" +Audit2_1_2="$($Defaults read "$plistlocation" OrgScore2_1_2)" # If organizational score is 1 or true, check status of client -if [ "$Audit2_1_3" = "1" ]; then +if [ "$Audit2_1_2" = "1" ]; then btMenuBar="$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.systemuiserver menuExtras | grep -c Bluetooth.menu)" # If client fails, then note category in audit file if [ "$btMenuBar" = "0" ]; then - echo "* 2.1.3 Show Bluetooth status in menu bar" >> "$auditfilelocation" - echo "$(date -u)" "2.1.3 fix" | tee -a "$logFile"; else - echo "$(date -u)" "2.1.3 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_1_3 -bool false + echo "* 2.1.2 Show Bluetooth status in menu bar" >> "$auditfilelocation" + echo "$(date -u)" "2.1.2 fix" | tee -a "$logFile"; else + echo "$(date -u)" "2.1.2 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_1_2 -bool false fi fi 
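Review bot: The commit message says stderr is redirected to /dev/null for 2.1.1, but the change is `2>&1|`, which merges stderr into grep's input rather than discarding it; any warning text from `system_profiler` now flows into the `grep Connectable` pipeline instead of the log. If the intent is to silence the warning, the line should read `connectable="$(system_profiler SPBluetoothDataType 2>/dev/null | grep Connectable | awk '{print $2}' | head -1)"`. It is also worth confirming on Big Sur that `SPBluetoothDataType` still emits a `Connectable` field, because an empty `$connectable` makes `!= "Yes"` true and the check passes silently; the surrounding `if` block starts outside the hunk.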
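Review bot: The renumbered 2.1.2 check still reads `com.apple.systemuiserver menuExtras` for `Bluetooth.menu`, while this same commit moves the Wi-Fi menu-bar check (4.2) to `com.apple.controlcenter`; if that move is correct for Big Sur, the Bluetooth item is presumably also governed by Control Center now and `btMenuBar` will read 0 on every client, flagging compliant machines for remediation. Please verify where Big Sur stores the Bluetooth menu-bar state (likely a `Bluetooth` key in the same `com.apple.controlcenter` domain) and align this check with 4.2, or at least add `# TODO(Big Sur): Bluetooth menu extra moved to Control Center - verify this domain` above the `btMenuBar=` line so the gap is visible.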
@@ -469,7 +475,7 @@ fi Audit2_4_10="$($Defaults read "$plistlocation" OrgScore2_4_10)" # If organizational score is 1 or true, check status of client if [ "$Audit2_4_10" = "1" ]; then - contentCacheStatus="$(/usr/bin/AssetCacheManagerUtil status 2>&1 | grep -c "Activated = 0;")" + contentCacheStatus="$(/usr/bin/AssetCacheManagerUtil status 2>&1 | grep -c "Activated: false")" # If client fails, then note category in audit file if [ "$contentCacheStatus" == 1 ]; then echo "$(date -u)" "2.4.10 passed" | tee -a "$logFile" 
@@ -567,116 +573,116 @@ if [ "$Audit2_5_1_3" = "1" ]; then fi -# 2.5.2 Enable Gatekeeper +# 2.5.2.1 Enable Gatekeeper # Configuration Profile - Security and Privacy payload > General > Gatekeeper > Mac App Store and identified developers (selected) # Verify organizational score -Audit2_5_2="$($Defaults read "$plistlocation" OrgScore2_5_2)" +Audit2_5_2.1="$($Defaults read "$plistlocation" OrgScore2_5_2_1)" # If organizational score is 1 or true, check status of client -if [ "$Audit2_5_2" = "1" ]; then +if [ "$Audit2_5_2_1" = "1" ]; then CP_gatekeeperEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'EnableAssessment = 1')" # If client fails, then note category in audit file if [[ "$CP_gatekeeperEnabled" -gt "0" ]] ; then - echo "$(date -u)" "2.5.2 passed cp" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_2 -bool false; else + echo "$(date -u)" "2.5.2.1 passed cp" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_2_1 -bool false; else gatekeeperEnabled="$(spctl --status | grep -c "assessments enabled")" if [ "$gatekeeperEnabled" = "1" ]; then - echo "$(date -u)" "2.5.2 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_2 -bool false; else - echo "* 2.5.2 Enable Gatekeeper" >> "$auditfilelocation" - echo "$(date -u)" "2.5.2 fix" | tee -a "$logFile" + echo "$(date -u)" "2.5.2.1 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_2_1 -bool false; else + echo "* 2.5.2.1 Enable Gatekeeper" >> "$auditfilelocation" + echo "$(date -u)" "2.5.2.1 fix" | tee -a "$logFile" fi fi fi -# 2.5.3 Enable Firewall +# 2.5.2.2 Enable Firewall # Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked) # Verify organizational score -Audit2_5_3="$($Defaults read "$plistlocation" OrgScore2_5_3)" +Audit2_5_2_2="$($Defaults read "$plistlocation" OrgScore2_5_2_2)" # If organizational score is 1 or true, check status of client -if [ 
"$Audit2_5_3" = "1" ]; then +if [ "$Audit2_5_2_2" = "1" ]; then CP_firewallEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'EnableFirewall = 1')" # If client fails, then note category in audit file if [[ "$CP_firewallEnabled" -gt "0" ]] ; then - echo "$(date -u)" "2.5.3 passed cp" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_3 -bool false; else + echo "$(date -u)" "2.5.2.2 passed cp" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_2_2 -bool false; else firewallEnabled="$($Defaults read /Library/Preferences/com.apple.alf globalstate)" if [ "$firewallEnabled" = "0" ]; then - echo "* 2.5.3 Enable Firewall" >> "$auditfilelocation" - echo "$(date -u)" "2.5.3 fix" | tee -a "$logFile"; else - echo "$(date -u)" "2.5.3 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_3 -bool false + echo "* 2.5.2.2 Enable Firewall" >> "$auditfilelocation" + echo "$(date -u)" "2.5.2.2 fix" | tee -a "$logFile"; else + echo "$(date -u)" "2.5.2.2 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_2_2 -bool false fi fi fi -# 2.5.4 Enable Firewall Stealth Mode +# 2.5.2.3 Enable Firewall Stealth Mode # Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked) # Verify organizational score -Audit2_5_4="$($Defaults read "$plistlocation" OrgScore2_5_4)" +Audit2_5_2_3="$($Defaults read "$plistlocation" OrgScore2_5_2_3)" # If organizational score is 1 or true, check status of client -if [ "$Audit2_5_4" = "1" ]; then +if [ "$Audit2_5_2_3" = "1" ]; then CP_stealthEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'EnableStealthMode = 1')" # If client fails, then note category in audit file if [[ "$CP_stealthEnabled" -gt "0" ]] ; then - echo "$(date -u)" "2.5.4 passed cp" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_4 -bool false; else + echo "$(date -u)" "2.5.2.3 passed cp" | tee -a 
"$logFile" + $Defaults write "$plistlocation" OrgScore2_5_2_3 -bool false; else stealthEnabled="$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{print $3}')" if [ "$stealthEnabled" = "enabled" ]; then - echo "$(date -u)" "2.5.4 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_4 -bool false; else - echo "* 2.5.4 Enable Firewall Stealth Mode" >> "$auditfilelocation" - echo "$(date -u)" "2.5.4 fix" | tee -a "$logFile" + echo "$(date -u)" "2.5.2.3 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_2_3 -bool false; else + echo "* 2.5.2.3 Enable Firewall Stealth Mode" >> "$auditfilelocation" + echo "$(date -u)" "2.5.2.3 fix" | tee -a "$logFile" fi fi fi -# 2.5.5 Review Application Firewall Rules -# Configuration Profile - Security and Privacy payload > Firewall > Control incoming connections for specific apps (selected) +# 2.5.3 Enable Location Services # Verify organizational score -Audit2_5_5="$($Defaults read "$plistlocation" OrgScore2_5_5)" +Audit2_5_3="$($Defaults read "$plistlocation" OrgScore2_5_3)" # If organizational score is 1 or true, check status of client -if [ "$Audit2_5_5" = "1" ]; then - appsInbound="$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep ALF | awk '{print $7}')" # this shows the true state of the config profile too. 
- # If client fails, then note category in audit file - if [[ "$appsInbound" -le "10" ]] || [ -z "$appsInbound" ]; then - echo "$(date -u)" "2.5.5 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_5 -bool false; else - echo "* 2.5.5 Review Application Firewall Rules" >> "$auditfilelocation" - echo "$(date -u)" "2.5.5 fix" | tee -a "$logFile" - fi +# If client fails, then remediate +if [ "$Audit2_5_3" = "1" ]; then + auditdEnabled=$(launchctl print-disabled system | grep -c '"com.apple.locationd" => true') + if [ "$auditdEnabled" = "0" ]; then + echo "$(date -u)" "2.5.3 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_3 -bool false + else + echo "* 2.5.3 Enable Location Services" >> "$auditfilelocation" + echo "$(date -u)" "2.5.3 fix" | tee -a "$logFile" + fi fi -# 2.5.8 Disable sending diagnostic and usage data to Apple +# 2.5.5 Disable sending diagnostic and usage data to Apple # Verify organizational score -Audit2_5_8="$($Defaults read "$plistlocation" OrgScore2_5_8)" +Audit2_5_5="$($Defaults read "$plistlocation" OrgScore2_5_5)" # If organizational score is 1 or true, check status of client -if [ "$Audit2_5_8" = "1" ]; then +if [ "$Audit2_5_5" = "1" ]; then CP_disableDiagnostic="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'allowDiagnosticSubmission = 0')" # If client fails, then note category in audit file if [[ "$CP_disableDiagnostic" -gt "0" ]] ; then - echo "$(date -u)" "2.5.8 passed cp" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_8 -bool false; else + echo "$(date -u)" "2.5.5 passed cp" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_5 -bool false; else AppleDiagn=$($Defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit) if [ "$AppleDiagn" == 1 ]; then - /bin/echo "* 2.5.8 Disable sending diagnostic and usage data to Apple" >> "$auditfilelocation" - echo "$(date -u)" "2.5.8 fix Disable 
sending diagnostic and usage data to Apple" | tee -a "$logFile"; else - echo "$(date -u)" "2.5.8 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_8 -bool false + /bin/echo "* 2.5.5 Disable sending diagnostic and usage data to Apple" >> "$auditfilelocation" + echo "$(date -u)" "2.5.5 fix Disable sending diagnostic and usage data to Apple" | tee -a "$logFile"; else + echo "$(date -u)" "2.5.5 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_5 -bool false fi fi fi -# 2.5.9 Force Limited Ad Tracking +# 2.5.6 Limit Ad tracking and personalized Ads # Verify organizational score -Audit2_5_9="$($Defaults read "$plistlocation" OrgScore2_5_9)" +Audit2_5_6="$($Defaults read "$plistlocation" OrgScore2_5_6)" # If organizational score is 1 or true, check status of client -if [ "$Audit2_5_9" = "1" ]; then - if [ "$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.AdLib.plist forceLimitAdTracking)" = "1" ]; then - echo "$(date -u)" "2.5.9 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_5_9 -bool false +if [ "$Audit2_5_6" = "1" ]; then + if [ "$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.AdLib.plist allowApplePersonalizedAdvertising)" = "0" ]; then + echo "$(date -u)" "2.5.6 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_5_6 -bool false else - echo "* 2.5.9 Review Force Limited Ad Tracking" >> "$auditfilelocation" - echo "$(date -u)" "2.5.9 fix" | tee -a "$logFile" + echo "* 2.5.6 Review Limit Ad tracking and personalized Ads" >> "$auditfilelocation" + echo "$(date -u)" "2.5.6 fix" | tee -a "$logFile" fi fi 
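Review bot: `Audit2_5_2.1="$($Defaults read "$plistlocation" OrgScore2_5_2_1)"` is not a valid bash assignment (a dot cannot appear in a variable name), so the shell tries to execute it as a command, `$Audit2_5_2_1` stays empty, and the Gatekeeper check is never executed — every client passes 2.5.2.1 silently. It should read `Audit2_5_2_1="$($Defaults read "$plistlocation" OrgScore2_5_2_1)"`. In the new 2.5.3 block the count from `launchctl print-disabled system` is stored in `auditdEnabled`, which is misleading for a locationd check; `locationdDisabled` would name what the grep actually counts. The 2.5.6 read of `allowApplePersonalizedAdvertising` prints an error to stderr when the key has never been written; adding `2>/dev/null` to that `$Defaults read` keeps the log clean without changing the outcome (an empty value still lands on the "fix" branch).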
@@ -778,38 +784,58 @@ if [ "$Audit2_7_1" = "1" ]; then fi fi -# 2.8 Pair the remote control infrared receiver if enabled +# 2.8 Disable "Wake for network access" # Verify organizational score Audit2_8="$($Defaults read "$plistlocation" OrgScore2_8)" # If organizational score is 1 or true, check status of client if [ "$Audit2_8" = "1" ]; then - IRPortDetect="$(system_profiler SPUSBDataType | egrep "IR Receiver" -c)" - # If client fails, then note category in audit file - if [ "$IRPortDetect" = "0" ]; then - echo "$(date -u)" "2.8 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_8 -bool false; else - echo "* 2.8 Pair the remote control infrared receiver if enabled" >> "$auditfilelocation" - echo "$(date -u)" "2.8 fix" | tee -a "$logFile" + CP_wompEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c '"Wake On LAN" = 0')" + # If client fails, then note category in audit file + if [[ "$CP_wompEnabled" = "3" ]] ; then + echo "$(date -u)" "2.8 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_8 -bool false; else + wompEnabled="$(pmset -g | grep womp | awk '{print $2}')" + if [ "$wompEnabled" = "0" ]; then + echo "$(date -u)" "2.8 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_8 -bool false; else + echo "* 2.8 Disable Wake for network access" >> "$auditfilelocation" + echo "$(date -u)" "2.8 fix" | tee -a "$logFile" + fi + fi +fi + +# 2.9 Disable Power Nap +# Verify organizational score +Audit2_9="$($Defaults read "$plistlocation" OrgScore2_9)" +# If organizational score is 1 or true, check status of client +if [ "$Audit2_9" = "1" ]; then + napEnabled="$(pmset -g everything | grep -c 'powernap 1')" + if [ "$napEnabled" = 0 ]; then + echo "$(date -u)" "2.9 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_9 -bool false; else + echo "* 2.9 Disable Power Nap" >> "$auditfilelocation" + echo "$(date -u)" "2.9 fix" | tee -a "$logFile" fi fi # 2.10 
Enable Secure Keyboard Entry in terminal.app # Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true # Verify organizational score -Audit2_9="$($Defaults read "$plistlocation" OrgScore2_9)" +Audit2_9="$($Defaults read "$plistlocation" OrgScore2_10)" # If organizational score is 1 or true, check status of client -if [ "$Audit2_9" = "1" ]; then +if [ "$Audit2_10" = "1" ]; then CP_secureKeyboard="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c 'SecureKeyboardEntry = 1')" # If client fails, then note category in audit file if [[ "$CP_secureKeyboard" -gt "0" ]] ; then - echo "$(date -u)" "2.9 passed cp" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_9 -bool false; else + echo "$(date -u)" "2.10 passed cp" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_10 -bool false; else secureKeyboard="$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry)" - if [ "$secureKeyboard" = "1" ]; then - echo "$(date -u)" "2.9 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_9 -bool false; else - echo "* 2.9 Enable Secure Keyboard Entry in terminal.app" >> "$auditfilelocation" - echo "$(date -u)" "2.9 fix" | tee -a "$logFile" + iTermSecure="$($Defaults read -app iTerm 'Secure Input')" + if [ "$secureKeyboard" = "1" ] && ["$iTermSecure" -ne "0" ]; then + echo "$(date -u)" "2.10 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore2_10 -bool false; else + echo "* 2.10 Enable Secure Keyboard Entry in terminal.app" >> "$auditfilelocation" + echo "$(date -u)" "2.10 fix" | tee -a "$logFile" fi fi fi 
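Review bot: The renumbered Secure Keyboard Entry block assigns the organisational score to `Audit2_9` but then tests `"$Audit2_10"`, which is never set, so the whole 2.10 check is skipped on every run. The nested condition also has `["$iTermSecure" -ne "0" ]` with no space after `[`, which bash parses as a command named `["…"` and fails, and `-ne` raises "integer expression expected" on the empty value that `defaults read -app iTerm` returns when iTerm is not installed; `-app` also reads the preferences of the user running the script (root under Jamf) rather than `$currentUser`, unlike the Terminal read on the line above. The rewrite below fixes the variable name, restores the bracket, reads iTerm's preference file from the console user's home (iTerm2's domain is `com.googlecode.iterm2` — confirm the key name against the installed version), and treats a missing iTerm preference as not failing the check, which is presumably the intent since iTerm is optional. The configuration-profile branch of the block is unchanged.

```shell
Audit2_10="$($Defaults read "$plistlocation" OrgScore2_10)"
# If organizational score is 1 or true, check status of client
if [ "$Audit2_10" = "1" ]; then
    # … unchanged: configuration-profile (CP_secureKeyboard) branch …
    secureKeyboard="$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry 2>/dev/null)"
    # iTerm is optional: an absent preference (iTerm not installed or never configured) must not fail the check
    iTermSecure="$($Defaults read /Users/"$currentUser"/Library/Preferences/com.googlecode.iterm2 'Secure Input' 2>/dev/null)"
    if [ "$secureKeyboard" = "1" ] && [ "${iTermSecure:-1}" != "0" ]; then
    # … unchanged: pass / fix logging …
```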
@@ -838,25 +864,6 @@ fi fi -# 2.12 Disable "Wake for network access" and "Power Nap" -# Verify organizational score -Audit2_12="$($Defaults read "$plistlocation" OrgScore2_12)" -# If organizational score is 1 or true, check status of client -if [ "$Audit2_12" = "1" ]; then - CP_wompEnabled="$(/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -c '"Wake On LAN" = 0')" - # If client fails, then note category in audit file - if [[ "$CP_wompEnabled" = "3" ]] ; then - echo "$(date -u)" "2.12 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_12 -bool false; else - wompEnabled="$(pmset -g | grep womp | awk '{print $2}')" - if [ "$wompEnabled" = "0" ]; then - echo "$(date -u)" "2.12 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore2_12 -bool false; else - echo "* 2.12 Disable Wake for network access" >> "$auditfilelocation" - echo "$(date -u)" "2.12 fix" | tee -a "$logFile" - fi - fi -fi # 3.1 Enable security auditing # Verify organizational score 
@@ -889,52 +896,53 @@ if [ "$Audit3_2" = "1" ]; then fi fi -# 3.3 Ensure security auditing retention +# 3.3 Retain install.log for 365 or more days # Verify organizational score Audit3_3="$($Defaults read "$plistlocation" OrgScore3_3)" # If organizational score is 1 or true, check status of client if [ "$Audit3_3" = "1" ]; then - auditRetention="$(cat /etc/security/audit_control | egrep expire-after)" - if [ "$auditRetention" = "expire-after:60d OR 1G" ]; then + installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')" + # If client fails, then note category in audit file + if [[ "$installRetention" = "" ]] || [[ "$installRetention" -lt "365" ]]; then + echo "* 3.3 Retain install.log for 365 or more days" >> "$auditfilelocation" + echo "$(date -u)" "3.3 fix" | tee -a "$logFile"; else echo "$(date -u)" "3.3 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore3_3 -bool false; else - echo "* 3.3 Ensure security auditing retention" >> "$auditfilelocation" - echo "$(date -u)" "3.3 fix" | tee -a "$logFile" - fi + $Defaults write "$plistlocation" OrgScore3_3 -bool false fi - +fi -# 3.4 Control access to audit records -# Audit only. Remediation requires system inspection. 
+# 3.4 Ensure security auditing retention # Verify organizational score Audit3_4="$($Defaults read "$plistlocation" OrgScore3_4)" # If organizational score is 1 or true, check status of client if [ "$Audit3_4" = "1" ]; then - etccheck=$(ls -le /etc/security/audit_control | grep -v '\-r-------- 1 root wheel') - varcheck=$(ls -le /var/audit | grep -v '\-r--r----- 1 root wheel\|current\|total') - if [[ "$etccheck" = "" ]] && [[ "$varcheck" = "" ]]; then + auditRetention="$(cat /etc/security/audit_control | egrep expire-after)" + if [ "$auditRetention" = "expire-after:60d OR 1G" ]; then echo "$(date -u)" "3.4 passed" | tee -a "$logFile" - $Defaults write "$plistlocation" OrgScore3_4 -bool false - else - echo "* 3.4 Control access to audit records" >> "$auditfilelocation" + $Defaults write "$plistlocation" OrgScore3_4 -bool false; else + echo "* 3.4 Ensure security auditing retention" >> "$auditfilelocation" echo "$(date -u)" "3.4 fix" | tee -a "$logFile" + fi fi -fi - -# 3.5 Retain install.log for 365 or more days + + +# 3.5 Control access to audit records +# Audit only. Remediation requires system inspection. 
# Verify organizational score Audit3_5="$($Defaults read "$plistlocation" OrgScore3_5)" # If organizational score is 1 or true, check status of client if [ "$Audit3_5" = "1" ]; then - installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')" - # If client fails, then note category in audit file - if [[ "$installRetention" = "" ]] || [[ "$installRetention" -lt "365" ]]; then - echo "* 3.5 Retain install.log for 365 or more days" >> "$auditfilelocation" - echo "$(date -u)" "3.5 fix" | tee -a "$logFile"; else + etccheck=$(ls -le /etc/security/audit_control | grep -v '\-r-------- 1 root wheel') + varcheck=$(ls -le /var/audit | grep -v '\-r--r----- 1 root wheel\|current\|total') + if [[ "$etccheck" = "" ]] && [[ "$varcheck" = "" ]]; then echo "$(date -u)" "3.5 passed" | tee -a "$logFile" $Defaults write "$plistlocation" OrgScore3_5 -bool false + else + echo "* 3.5 Control access to audit records" >> "$auditfilelocation" + echo "$(date -u)" "3.5 fix" | tee -a "$logFile" fi fi + # 3.6 Ensure Firewall is configured to log # Verify organizational score @@ -978,9 +986,9 @@ fi Audit4_2="$($Defaults read "$plistlocation" OrgScore4_2)" # If organizational score is 1 or true, check status of client if [ "$Audit4_2" = "1" ]; then - wifiMenuBar="$($Defaults read /Users/"$currentUser"/Library/Preferences/com.apple.systemuiserver menuExtras | grep -c AirPort.menu)" + wifiMenuBar="$($Defaults -currentHost read com.apple.controlcenter.plist WiFi)" # If client fails, then note category in audit file - if [ "$wifiMenuBar" = "0" ]; then + if [ "$wifiMenuBar" -ne 18 ]; then echo "* 4.2 Enable Show Wi-Fi status in menu bar" >> "$auditfilelocation" echo "$(date -u)" "4.2 fix" | tee -a "$logFile"; else echo "$(date -u)" "4.2 passed" | tee -a "$logFile" 
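Review bot: `if [ "$wifiMenuBar" -ne 18 ]` silently passes a machine where the `WiFi` key has never been written: `$Defaults -currentHost read com.apple.controlcenter.plist WiFi` then returns nothing, `-ne` raises "integer expression expected", the test fails, and the else branch logs "4.2 passed" for an unconfigured client. The read also runs `defaults -currentHost` as the script's own user (root, when run from Jamf) rather than `$currentUser`, so it inspects the wrong ByHost preferences, and 18 is an undocumented magic number. Suggest reading as the console user, `wifiMenuBar="$(sudo -u "$currentUser" $Defaults -currentHost read com.apple.controlcenter WiFi 2>/dev/null)"`, guarding the comparison with `[ -z "$wifiMenuBar" ] || [ "$wifiMenuBar" -ne 18 ]`, and adding `# 18 = "Show in Menu Bar" for the Control Center WiFi item (observed on Big Sur - not documented by Apple)` so the constant is explained and hedged.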
@@ -994,7 +1002,8 @@ Audit4_4="$($Defaults read "$plistlocation" OrgScore4_4)" # If organizational score is 1 or true, check status of client # Code fragment from https://github.com/krispayne/CIS-Settings/blob/master/ElCapitan_CIS.sh if [ "$Audit4_4" = "1" ]; then - if /bin/launchctl list | egrep httpd > /dev/null; then + httpdDisabled="$(launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true')" + if [ "$httpdDisabled" = 0 ]; then echo "* 4.4 Ensure http server is not running" >> "$auditfilelocation" echo "$(date -u)" "4.4 fix" | tee -a "$logFile"; else echo "$(date -u)" "4.4 passed" | tee -a "$logFile" 
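Review bot: The new 4.4 test no longer checks whether an HTTP server is running, only whether launchd has a disabled override for `org.apache.httpd`: if that label has no entry in `launchctl print-disabled system`, `grep -c` returns 0 and the client is reported as "fix" even with nothing listening, while an httpd started any other way (Homebrew, a manual launch) is not seen at all. Keeping a process-level test alongside the override check matches the check's title: `httpdRunning="$(pgrep -x httpd | wc -l)"` and flag when `[ "$httpdDisabled" = 0 ] || [ "$httpdRunning" -gt 0 ]`. Whether a clean Big Sur install already lists the Apache label as disabled is worth confirming before relying on the override check alone; the `if "$Audit4_4"` block closes outside this hunk.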
@@ -1091,30 +1100,31 @@ if [ "$Audit5_3" = "1" ]; then fi fi -# 5.4 Use a separate timestamp for each user/tty combo + +# 5.5 Automatically lock the login keychain for inactivity # Verify organizational score Audit5_4="$($Defaults read "$plistlocation" OrgScore5_4)" # If organizational score is 1 or true, check status of client if [ "$Audit5_4" = "1" ]; then - ttyTimestamp="$(cat /etc/sudoers | egrep tty_tickets)" + keyTimeout="$(security show-keychain-info /Users/"$currentUser"/Library/Keychains/login.keychain 2>&1 | grep -c "no-timeout")" # If client fails, then note category in audit file - if [ "$ttyTimestamp" != "" ]; then - echo "* 5.4 Use a separate timestamp for each user/tty combo" >> "$auditfilelocation" + if [ "$keyTimeout" -gt 0 ]; then + echo "* 5.4 Automatically lock the login keychain for inactivity" >> "$auditfilelocation" echo "$(date -u)" "5.4 fix" | tee -a "$logFile"; else echo "$(date -u)" "5.4 passed" | tee -a "$logFile" $Defaults write "$plistlocation" OrgScore5_4 -bool false fi fi -# 5.5 Automatically lock the login keychain for inactivity +# 5.5 Use a separate timestamp for each user/tty combo # Verify organizational score Audit5_5="$($Defaults read "$plistlocation" OrgScore5_5)" # If organizational score is 1 or true, check status of client if [ "$Audit5_5" = "1" ]; then - keyTimeout="$(security show-keychain-info /Users/"$currentUser"/Library/Keychains/login.keychain 2>&1 | grep -c "no-timeout")" + ttyTimestamp="$(cat /etc/sudoers | egrep tty_tickets)" # If client fails, then note category in audit file - if [ "$keyTimeout" -gt 0 ]; then - echo "* 5.5 Automatically lock the login keychain for inactivity" >> "$auditfilelocation" + if [ "$ttyTimestamp" != "" ]; then + echo "* 5.5 Use a separate timestamp for each user/tty combo" >> "$auditfilelocation" echo "$(date -u)" "5.5 fix" | tee -a "$logFile"; else echo "$(date -u)" "5.5 passed" | tee -a "$logFile" $Defaults write "$plistlocation" OrgScore5_5 -bool false 
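Review bot: The heading added above the keychain-lock block reads `# 5.5 Automatically lock the login keychain for inactivity`, but the code beneath it reads `OrgScore5_4`, writes the audit line `* 5.4 Automatically lock the login keychain for inactivity` and logs `5.4 fix`/`5.4 passed`, so the comment contradicts the block (the renumbering in 1_Set_Organization_Priorities.sh also makes this item 5.4). Change it to `# 5.4 Automatically lock the login keychain for inactivity`. The closing `fi` lines of the 5.5 block are outside this hunk.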
@@ -1308,21 +1318,51 @@ if [ "$Audit5_16" = "1" ]; then fi fi -# 5.19 System Integrity Protection status +# 5.18 System Integrity Protection status # Verify organizational score -Audit5_19="$($Defaults read "$plistlocation" OrgScore5_19)" +Audit5_18="$($Defaults read "$plistlocation" OrgScore5_18)" # If organizational score is 1 or true, check status of client -if [ "$Audit5_19" = "1" ]; then +if [ "$Audit5_18" = "1" ]; then sipEnabled="$(/usr/bin/csrutil status | awk '{print $5}')" # If client fails, then note category in audit file if [ "$sipEnabled" = "enabled." ]; then + echo "$(date -u)" "5.18 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore5_18 -bool false; else + echo "* 5.18 System Integrity Protection status - not enabled" >> "$auditfilelocation" + echo "$(date -u)" "5.18 fix" | tee -a "$logFile" + fi +fi + +# 5.19 Enable Sealed System Volume (SSV) +# Verify organizational score +Audit5_19="$($Defaults read "$plistlocation" OrgScore5_19)" +# If organizational score is 1 or true, check status of client +if [ "$Audit5_19" = "1" ]; then + ssvEnabled="$(/usr/bin/csrutil authenticated-root status | awk '{print $4}')" + # If client fails, then note category in audit file + if [ "$ssvEnabled" = "enabled" ]; then echo "$(date -u)" "5.19 passed" | tee -a "$logFile" $Defaults write "$plistlocation" OrgScore5_19 -bool false; else - echo "* 5.19 System Integrity Protection status - not enabled" >> "$auditfilelocation" + echo "* 5.19 Enable Sealed System Volume (SSV) - not enabled" >> "$auditfilelocation" echo "$(date -u)" "5.19 fix" | tee -a "$logFile" fi fi +# 5.20 Enable Library Validation +# Verify organizational score +Audit5_19="$($Defaults read "$plistlocation" OrgScore5_20)" +# If organizational score is 1 or true, check status of client +if [ "$Audit5_20" = "1" ]; then + libValidationDisabled="$($Defaults read /Library/Preferences/com.apple.security.librarayvalidation.plist DisableLibraryValidation)" + # If client fails, then note 
category in audit file + if [ "$libValidationDisabled" = 0 ]; then + echo "$(date -u)" "5.20 passed" | tee -a "$logFile" + $Defaults write "$plistlocation" OrgScore5_20 -bool false; else + echo "* 5.20 Library Validation - not enabled" >> "$auditfilelocation" + echo "$(date -u)" "5.20 fix" | tee -a "$logFile" + fi +fi + # 6.1.1 Display login window as name and password # Configuration Profile - LoginWindow payload > Window > LOGIN PROMPT > Name and password text fields (selected) # Verify organizational score diff --git a/CIS Scripts/3_Security_Remediation.sh b/CIS Scripts/3_Security_Remediation.sh old mode 100644 new mode 100755 index a29d6cd..ba6d998 --- a/CIS Scripts/3_Security_Remediation.sh +++ b/CIS Scripts/3_Security_Remediation.sh @@ -135,14 +135,14 @@ if [ "$Audit2_1_1" = "1" ]; then fi fi -# 2.1.3 Show Bluetooth status in menu bar +# 2.1.2 Show Bluetooth status in menu bar # Verify organizational score -Audit2_1_3="$(defaults read "$plistlocation" OrgScore2_1_3)" +Audit2_1_2="$(defaults read "$plistlocation" OrgScore2_1_2)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit2_1_3" = "1" ]; then +if [ "$Audit2_1_2" = "1" ]; then open "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" - echo "$(date -u)" "2.1.3 remediated" | tee -a "$logFile" + echo "$(date -u)" "2.1.2 remediated" | tee -a "$logFile" fi ## 2.2.1 Enable "Set time and date automatically" (Not Scored) 
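Review bot: The new 5.20 block never runs: the organizational score is read into `Audit5_19` (`Audit5_19="$($Defaults read "$plistlocation" OrgScore5_20)"`) while the condition tests `$Audit5_20`, which is unset, and the assignment also clobbers the 5.19 value after its check; the line should be `Audit5_20="$($Defaults read "$plistlocation" OrgScore5_20)"`. The preference domain `com.apple.security.librarayvalidation.plist` looks misspelled — the Apple domain is `com.apple.security.libraryvalidation`, without the extra `a` — and the same spelling is written by the remediation in `3_Security_Remediation.sh` (hunk `@@ -831,17 +834,37 @@`), so audit and fix would agree with each other but not with the OS; confirm against the benchmark text. Note also that when the key is absent `defaults read` prints nothing, `"" = 0` is false, and the item is flagged although an absent key means library validation is not disabled.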
@@ -397,71 +397,69 @@ if [ "$Audit2_4_11" = "1" ]; then echo "$(date -u)" "2.4.11 remediated - requires restart" | tee -a "$logFile" fi -# 2.5.2 Enable Gatekeeper +# 2.5.2.1 Enable Gatekeeper # Verify organizational score -Audit2_5_2="$(defaults read "$plistlocation" OrgScore2_5_2)" +Audit2_5_2_1="$(defaults read "$plistlocation" OrgScore2_5_2_1)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit2_5_2" = "1" ]; then +if [ "$Audit2_5_2_1" = "1" ]; then spctl --master-enable - echo "$(date -u)" "2.5.2 remediated" | tee -a "$logFile" + echo "$(date -u)" "2.5.2.1 remediated" | tee -a "$logFile" fi -# 2.5.3 Enable Firewall +# 2.5.2.2 Enable Firewall # Remediation sets Firewall on for essential services # Verify organizational score -Audit2_5_3="$(defaults read "$plistlocation" OrgScore2_5_3)" +Audit2_5_2_2="$(defaults read "$plistlocation" OrgScore2_5_2_2)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit2_5_3" = "1" ]; then +if [ "$Audit2_5_2_2" = "1" ]; then defaults write /Library/Preferences/com.apple.alf globalstate -int 2 - echo "$(date -u)" "2.5.3 remediated" | tee -a "$logFile" + echo "$(date -u)" "2.5.2.2 remediated" | tee -a "$logFile" fi -# 2.5.4 Enable Firewall Stealth Mode +# 2.5.2.3 Enable Firewall Stealth Mode # Verify organizational score -Audit2_5_4="$(defaults read "$plistlocation" OrgScore2_5_4)" +Audit2_5_2_3="$(defaults read "$plistlocation" OrgScore2_5_2_3)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit2_5_4" = "1" ]; then +if [ "$Audit2_5_2_3" = "1" ]; then /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on - echo "$(date -u)" "2.5.4 remediated" | tee -a "$logFile" + echo "$(date -u)" "2.5.2.3 remediated" | tee -a "$logFile" fi -# 2.5.5 Review Application Firewall Rules +# 2.5.3 Enable Location Services # Verify organizational score 
-Audit2_5_5="$(defaults read "$plistlocation" OrgScore2_5_5)" +Audit2_5_3="$(defaults read "$plistlocation" OrgScore2_5_3)" # If organizational score is 1 or true, check status of client -# If client fails, then alert to need of remediation -if [ "$Audit2_5_5" = "1" ]; then - echo "$(date -u)" "2.5.5 not remediated" | tee -a "$logFile" +if [ "$Audit2_5_3" = "1" ]; then + launchctl load -w /System/Library/LaunchDaemons/com.apple.locationd.plist + echo "$(date -u)" "2.5.3 remediated" | tee -a "$logFile" fi -# 2.5.6 Enable Location Services - -# 2.5.8 Disable sending diagnostic and usage data to Apple +# 2.5.5 Disable sending diagnostic and usage data to Apple # Verify Organizational score -Audit2_5_8="$(defaults read "$plistlocation" OrgScore2_5_8)" +Audit2_5_5="$(defaults read "$plistlocation" OrgScore2_5_5)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit2_5_8" = "1" ]; then +if [ "$Audit2_5_5" = "1" ]; then AppleDiagn=$(defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit) if [ $AppleDiagn == 1 ]; then defaults write /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -int 0 - echo "$(date -u)" "2.5.8 remediated" | tee -a "$logFile" + echo "$(date -u)" "2.5.5 remediated" | tee -a "$logFile" fi fi -# 2.5.9 Force Limited Ad Tracking +# 2.5.6 Limit Ad tracking and personalized Ads # Verify Organizational score -Audit2_5_9="$(defaults read "$plistlocation" OrgScore2_5_9)" +Audit2_5_6="$(defaults read "$plistlocation" OrgScore2_5_6)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit2_5_9" = "1" ]; then +if [ "$Audit2_5_6" = "1" ]; then defaults write /Users/"${currentUser}"/Library/Preferences/com.apple.AdLib.plist forceLimitAdTracking -bool true chown "${currentUser}":staff /Users/"${currentUser}"/Library/Preferences/com.apple.AdLib.plist - echo "$(date -u)" "2.5.9 
consider using a configuration profile" | tee -a "$logFile" - echo "$(date -u)" "2.5.9 remediated" | tee -a "$logFile" + echo "$(date -u)" "2.5.6 consider using a configuration profile" | tee -a "$logFile" + echo "$(date -u)" "2.5.6 remediated" | tee -a "$logFile" fi # 2.7.1 Time Machine Auto-Backup 
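Review bot: In the renumbered 2.5.5 block the test `if [ $AppleDiagn == 1 ]; then` leaves `$AppleDiagn` unquoted, so when `defaults read` finds no `AutoSubmit` key the expansion is empty and `[` reports a syntax error instead of remediating; `if [ "$AppleDiagn" = 1 ]; then` is safe and POSIX. The line is context here, but it is the code the new side keeps. The new 2.5.3 block also omits the `# If client fails, then remediate` comment that every sibling block carries.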
@@ -474,37 +472,42 @@ if [ "$Audit2_7_1" = "1" ]; then echo "$(date -u)" "2.7.1 remediated" | tee -a "$logFile" fi -# 2.8 Pair the remote control infrared receiver if enabled +# 2.8 Disable "Wake for network access" # Verify organizational score Audit2_8="$(defaults read "$plistlocation" OrgScore2_8)" # If organizational score is 1 or true, check status of client # If client fails, then remediate if [ "$Audit2_8" = "1" ]; then - defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false + pmset -a womp 0 + pmset -a powernap 0 echo "$(date -u)" "2.8 remediated" | tee -a "$logFile" fi -# 2.9 Enable Secure Keyboard Entry in terminal.app +# 2.9 Disable Power Nap # Verify organizational score Audit2_9="$(defaults read "$plistlocation" OrgScore2_9)" # If organizational score is 1 or true, check status of client # If client fails, then remediate if [ "$Audit2_9" = "1" ]; then - defaults write /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry -bool true + pmset -a powernap 0 echo "$(date -u)" "2.9 remediated" | tee -a "$logFile" fi -# 2.12 Disable "Wake for network access" +# 2.10 Enable Secure Keyboard Entry in terminal.app # Verify organizational score -Audit2_12="$(defaults read "$plistlocation" OrgScore2_12)" +Audit2_10="$(defaults read "$plistlocation" OrgScore2_10)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit2_12" = "1" ]; then - pmset -a womp 0 - pmset -a powernap 0 - echo "$(date -u)" "2.12 remediated" | tee -a "$logFile" +if [ "$Audit2_10" = "1" ]; then + defaults write /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry -bool true + iTerm="$(defaults read -app iTerm | /usr/bin/grep -c "Couldn't find an application")" + if [ "$iTerm" -gt "0" ]; then + defaults write -app iTerm "Secure Input" -bool true + fi + echo "$(date -u)" "2.10 remediated" | tee -a "$logFile" fi + # 3.1 Enable security auditing # 
Verify organizational score Audit3_1="$(defaults read "$plistlocation" OrgScore3_1)" 
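Review bot: The 2.8 block now runs `pmset -a powernap 0` in addition to `pmset -a womp 0`, which duplicates the new 2.9 block and disables Power Nap even for an org that prioritises 2.8 only; drop the powernap line from 2.8. In 2.10 the iTerm branch is inverted and never fires: `defaults read -app iTerm` prints `Couldn't find an application` on stderr, which the pipe does not see, so the count is always 0, and if it were captured a count greater than 0 would mean iTerm is absent. Use `iTerm="$(defaults read -app iTerm 2>&1 | /usr/bin/grep -c "Couldn't find an application")"` with `if [ "$iTerm" -eq 0 ]; then`. Also, `defaults write -app iTerm …` run under sudo presumably writes root's preferences rather than `$currentUser`'s, unlike the Terminal line above it which targets the user's plist by path — verify on a test machine.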
@@ -528,26 +531,49 @@ if [ "$Audit3_2" = "1" ]; then echo "$(date -u)" "3.2 remediated" | tee -a "$logFile" fi -# 3.3 Ensure security auditing retention +# 3.3 Retain install.log for 365 or more days # Verify organizational score Audit3_3="$(defaults read "$plistlocation" OrgScore3_3)" # If organizational score is 1 or true, check status of client # If client fails, then remediate if [ "$Audit3_3" = "1" ]; then + installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')" + if [[ "$installRetention" = "" ]]; then + mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old + sed '$s/$/ ttl=365/' /etc/asl/com.apple.install.old > /etc/asl/com.apple.install + chmod 644 /etc/asl/com.apple.install + chown root:wheel /etc/asl/com.apple.install + echo "$(date -u)" "3.3 remediated" | tee -a "$logfile" + else + if [[ "$installRetention" -lt "365" ]]; then + mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old + sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install + chmod 644 /etc/asl/com.apple.install + chown root:wheel /etc/asl/com.apple.install + echo "$(date -u)" "3.3 remediated" | tee -a "$logfile" + fi + fi +fi +# 3.4 Ensure security auditing retention +# Verify organizational score +Audit3_4="$(defaults read "$plistlocation" OrgScore3_4)" +# If organizational score is 1 or true, check status of client +# If client fails, then remediate +if [ "$Audit3_4" = "1" ]; then cp /etc/security/audit_control /etc/security/audit_control_old oldExpireAfter=$(cat /etc/security/audit_control | egrep expire-after) sed "s/${oldExpireAfter}/expire-after:60d OR 1G/g" /etc/security/audit_control_old > /etc/security/audit_control chmod 644 /etc/security/audit_control chown root:wheel /etc/security/audit_control - echo "$(date -u)" "3.3 remediated" | tee -a "$logfile" + echo "$(date -u)" "3.4 remediated" | tee -a "$logfile" fi -# 3.4 Control access to audit records +# 3.5 Control access to audit 
records # Verify organizational score -Audit3_4="$(defaults read "$plistlocation" OrgScore3_4)" +Audit3_5="$(defaults read "$plistlocation" OrgScore3_5)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit3_4" = "1" ]; then +if [ "$Audit3_5" = "1" ]; then chown -R root:wheel /var/audit chmod -R 440 /var/audit chown root:wheel /etc/security/audit_control @@ -555,29 +581,6 @@ if [ "$Audit3_4" = "1" ]; then "$(date -u)" "3.3 remediated" | tee -a "$logfile" fi -# 3.5 Retain install.log for 365 or more days -# Verify organizational score -Audit3_5="$(defaults read "$plistlocation" OrgScore3_5)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit3_5" = "1" ]; then - installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')" - if [[ "$installRetention" = "" ]]; then - mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old - sed '$s/$/ ttl=365/' /etc/asl/com.apple.install.old > /etc/asl/com.apple.install - chmod 644 /etc/asl/com.apple.install - chown root:wheel /etc/asl/com.apple.install - echo "$(date -u)" "3.5 remediated" | tee -a "$logfile" - else - if [[ "$installRetention" -lt "365" ]]; then - mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old - sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install - chmod 644 /etc/asl/com.apple.install - chown root:wheel /etc/asl/com.apple.install - echo "$(date -u)" "3.5 remediated" | tee -a "$logfile" - fi - fi -fi # 3.6 Ensure firewall is configured to log # Verify organizational score 
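Review bot: The moved 3.3 block and the renumbered 3.4 block log via `tee -a "$logfile"` while the rest of the script uses `"$logFile"`; with the lowercase name unset, `tee -a ""` fails and those remediations leave no log trace, so the five occurrences should read `| tee -a "$logFile"`. The 3.5 block (its body continues in the next hunk, `@@ -555,29 +581,6 @@`) still logs `"3.3 remediated"` after its `chown root:wheel /etc/security/audit_control`, so the renumbering leaves a misleading entry; it should be `echo "$(date -u)" "3.5 remediated" | tee -a "$logFile"`. In 3.3, `[[ "$installRetention" -lt "365" ]]` errors if the value parsed after `ttl=` is not a plain integer, so a numeric guard before the comparison would be safer.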
@@ -699,35 +702,35 @@ if [ "$Audit5_3" = "1" ]; then echo "$(date -u)" "5.3 remediated" | tee -a "$logFile" fi -# 5.4 Use a separate timestamp for each user/tty combo +# 5.5 Use a separate timestamp for each user/tty combo # Verify organizational score -Audit5_4="$(defaults read "$plistlocation" OrgScore5_4)" +Audit5_5="$(defaults read "$plistlocation" OrgScore5_5)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit5_4" = "1" ]; then +if [ "$Audit5_5" = "1" ]; then sed -i ".old" '/Default !tty_tickets/d' /etc/sudoers chmod 644 /etc/sudoers chown root:wheel /etc/sudoers - echo "$(date -u)" "5.4 remediated" | tee -a "$logFile" + echo "$(date -u)" "5.5 remediated" | tee -a "$logFile" fi -# 5.5 Automatically lock the login keychain for inactivity +# 5.4 Automatically lock the login keychain for inactivity # 5.6 Ensure login keychain is locked when the computer sleeps -# If both 5.5 and 5.6 need to be set, both commands must be run at the same time +# If both 5.4 and 5.6 need to be set, both commands must be run at the same time # Verify organizational score -Audit5_5="$(defaults read "$plistlocation" OrgScore5_5)" +Audit5_4="$(defaults read "$plistlocation" OrgScore5_4)" Audit5_6="$(defaults read "$plistlocation" OrgScore5_6)" # If organizational score is 1 or true, check status of client # If client fails, then remediate -if [ "$Audit5_5" = "1" ] && [ "$Audit5_6" = 1 ]; then -echo "$(date -u)" "Checking 5.5 and 5.6" | tee -a "$logFile" +if [ "$Audit5_4" = "1" ] && [ "$Audit5_6" = 1 ]; then +echo "$(date -u)" "Checking 5.4 and 5.6" | tee -a "$logFile" security set-keychain-settings -l -u -t 21600s /Users/"$currentUser"/Library/Keychains/login.keychain - echo "$(date -u)" "5.5 and 5.6 remediated" | tee -a "$logFile" - elif [ "$Audit5_5" = "1" ] && [ "$Audit5_6" = 0 ]; then - echo "$(date -u)" "Checking 5.5" | tee -a "$logFile" + echo "$(date -u)" "5.4 and 5.6 remediated" | tee -a "$logFile" + elif [ "$Audit5_4" 
= "1" ] && [ "$Audit5_6" = 0 ]; then + echo "$(date -u)" "Checking 5.4" | tee -a "$logFile" security set-keychain-settings -u -t 21600s /Users/"$currentUser"/Library/Keychains/login.keychain - echo "$(date -u)" "5.5 remediated" | tee -a "$logFile" - elif [ "$Audit5_5" = "0" ] && [ "$Audit5_6" = 1 ]; then + echo "$(date -u)" "5.4 remediated" | tee -a "$logFile" + elif [ "$Audit5_4" = "0" ] && [ "$Audit5_6" = 1 ]; then echo "$(date -u)" "Checking 5.6" | tee -a "$logFile" security set-keychain-settings -l /Users/"$currentUser"/Library/Keychains/login.keychain echo "$(date -u)" "5.6 remediated" | tee -a "$logFile" 
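Review bot: The moved 5.5 block edits `/etc/sudoers` in place with `sed -i ".old"` and then runs `chmod 644 /etc/sudoers`; sudo expects sudoers at mode 0440 and refuses to load a file it finds at 0644 (`sudoers is mode 0644, should be 0440`), so this remediation can lock administrators out of sudo on the client. Use `chmod 440 /etc/sudoers`, and validate the edited file with `visudo -c -f /etc/sudoers` before keeping it, restoring the `.old` copy on failure. The `.old` backup is also left beside the live file with whatever mode the sed created; remove it or restrict it once the edit is confirmed.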
@@ -831,17 +834,37 @@ if [ "$Audit5_16" = "1" ]; then echo "$(date -u)" "5.16 remediated" | tee -a "$logFile" fi -# 5.19 System Integrity Protection status +# 5.18 System Integrity Protection status +# Verify organizational score +Audit5_18="$(defaults read "$plistlocation" OrgScore5_18)" +# If organizational score is 1 or true, check status of client +# If client fails, then remediate +if [ "$Audit5_18" = "1" ]; then + echo "This tool needs to be executed from the Recovery OS." + #/usr/bin/csrutil enable + #echo "$(date -u)" "5.18 remediated" | tee -a "$logFile" +fi + +# 5.19 Enable Sealed System Volume (SSV) # Verify organizational score Audit5_19="$(defaults read "$plistlocation" OrgScore5_19)" # If organizational score is 1 or true, check status of client # If client fails, then remediate if [ "$Audit5_19" = "1" ]; then echo "This tool needs to be executed from the Recovery OS." - #/usr/bin/csrutil enable + #/usr/bin/csrutil authenticated-root enable #echo "$(date -u)" "5.19 remediated" | tee -a "$logFile" fi +# 5.20 Enable Library Validation +# Verify organizational score +Audit5_20="$(defaults read "$plistlocation" OrgScore5_20)" +# If organizational score is 1 or true, check status of client +if [ "$Audit5_20" = "1" ]; then + defaults write /Library/Preferences/com.apple.security.librarayvalidation.plist DisableLibraryValidation -bool false + echo "$(date -u)" "5.20 remediated" | tee -a "$logFile" +fi + # 6.1.1 Display login window as name and password # Verify organizational score Audit6_1_1="$(defaults read "$plistlocation" OrgScore6_1_1)" diff --git a/Extension Attributes/2.5_Audit_List.sh b/Extension Attributes/2.5_Audit_List.sh old mode 100644 new mode 100755 diff --git a/README.md b/README.md index 5e6ff4a..5dee3d2 100644 --- a/README.md +++ b/README.md 
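Review bot: The new 5.18 and 5.19 blocks only `echo "This tool needs to be executed from the Recovery OS."` to stdout, so when the script runs under jamf nothing reaches `$logFile` and the un-remediated state is never recorded alongside the other items; log it in the common format, e.g. `echo "$(date -u)" "5.18 not remediated - requires Recovery OS" | tee -a "$logFile"` (and the 5.19 equivalent). The new 5.20 block lacks the `# If client fails, then remediate` comment every sibling block carries, and its `defaults write` has no guard or verification that the key was written.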
@@ -1,9 +1,18 @@ -# CIS for macOS Catalina - Script and Configuration Profile Remediation +# CIS for macOS Big Sur - Script and Configuration Profile Remediation ## INFO: -Refers to document CIS_Apple_OSX_10.15_Benchmark_v1.0.0.pdf, available at https://benchmarks.cisecurity.org +Refers to document CIS_Apple_macOS_11.0_Benchmark_v1.1.0.pdf, available at https://benchmarks.cisecurity.org ## USAGE: +### Manual Usage + +These scripts are intended to be used by jamf. However, if you want to manually benchmark your own **Big Sur** laptop, you can do so via the following steps: + +* Ensure that `/Library/Application Support/` exists. Note that sudo is required for its creation +* Update `CIS Scripts/1_Set_Organization_Priorities.sh` if necessary. Checks can be enabled and disabled by changing their corresponding boolean values +* Run `CIS Scripts/2_Security_Audit_Compliance.sh` with sudo to run the benchmark +* You can now get a list of all fails by using `Extension Attributes/2.5_Audit_List.sh` or remediate the fails using `CIS Scripts/3_Security_Remediation.sh` (sudo required as some checks cannot be run by standard users) + * Create Extension Attributes using the following scripts: ### 2.5_Audit_List Extension Attribute 
@@ -86,61 +95,3 @@ Non-compliant items are recorded at /Library/Application Support/SecurityScoring Run 2_Security_Audit_Compliance after to audit the Remediation Reads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist. For items prioritized (listed as "true,") the script applies recommended remediation actions for the client/user. -SCORED CIS EXCEPTIONS: - -- Does not implement `pwpolicy` commands (5.2.1 - 5.2.8) - -- Audits but does not actively remediate (due to alternate profile/policy functionality within Jamf Pro): -* 2.4.4 Disable Printer Sharing -* 2.5.1.1 Enable FileVault -* 5.19 System Integrity Protection status - -- Audits but does not remediate (due to requirement to review the device) -* 3.4 Control access to audit records - -## REMEDIATED USING CONFIGURATION PROFILES: -The following Configuration profiles are available in mobileconfig and plist form. If you wish to change a particular setting, edit the plist in question. Mobileconfigs can be uploaded to Jamf Pro Configuration Profiles as is and plists can be added to a new Configuration Profile as Custom Payloads. 
- -### CIS 10.15 Custom Settings mobileconfig -* 1.2 Enable Auto Update -* 1.5 Enable system data files and security update installed -* 2.9 Enable Secure Keyboard Entry in terminal.app -* 4.1 Disable Bonjour advertising service -* 6.1.4 Disable "Allow guests to connect to shared folders" -* 6.3 Disable the automatic run of safe files in Safari - -### CIS 10.15 LoginWindow Security_and_Privacy ScreenSaver mobileconfig -* 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver -* 2.3.2 Secure screen saver corners -* 2.3.3 Set a screen corner to Start Screen Saver -* 2.5.2 Enable Gatekeeper -* 2.5.3 Enable Firewall -* 2.5.4 Enable Firewall Stealth Mode -* 2.5.5 Review Application Firewall Rules -* 5.8 Disable automatic login -* 5.9 Require a password to wake the computer from sleep or screen saver -* 5.13 Create a custom message for the Login Screen -* 5.16 Disable Fast User Switching (Not Scored) -* 6.1.1 Display login window as name and password -* 6.1.2 Disable "Show password hints" -* 6.1.3 Disable guest account - -### CIS 10.15 Restrictions mobileconfig -* 2.4.10 Disable Content Caching (Not Scored) - Restrictions payload > Functionality > Allow Content Caching (unchecked) -* 2.5.8 Disable sending diagnostic and usage data to Apple - Restrictions payload > Allow Diagnostic Submission (unchecked) -* 2.6.1 iCloud system configuration -* Includes: -* Disable preference pane (Not Scored) - Restrictions payload > Preferences > disable selected items > iCloud -* Disable the use of iCloud password for local accounts (Not Scored) - Restrictions payload > Functionality > Allow use of iCloud password for local accounts (unchecked) -* Disable iCloud Back to My Mac (Not Scored) - Restrictions payload > Functionality > Allow iCloud Back to My Mac (unchecked) -* Disable iCloud Find My Mac (Not Scored) - Restrictions payload > Functionality > Allow iCloud Find My Mac (unchecked) -* Disable iCloud Bookmarks (Not Scored) - Restrictions payload > Functionality 
> Allow iCloud Bookmarks (unchecked) -* Disable iCloud Mail (Not Scored) - Restrictions payload > Functionality > Allow iCloud Mail (unchecked) -* Disable iCloud Calendar (Not Scored) - Restrictions payload > Functionality > Allow iCloud Calendar (unchecked) -* Disable iCloud Reminders (Not Scored) - Restrictions payload > Functionality > Allow iCloud Reminders (unchecked) -* Disable iCloud Contacts (Not Scored) - Restrictions payload > Functionality > Allow iCloud Contacts (unchecked) -* Disable iCloud Notes (Not Scored) - Restrictions payload > Functionality > Allow iCloud Notes (unchecked) -* 2.6.2 Disable iCloud keychain (Not Scored) - Restrictions payload > Functionality > Allow iCloud Keychain (unchecked) -* 2.6.3 Disable iCloud Drive (Not Scored) - Restrictions payload > Functionality > Allow iCloud Drive (unchecked) -* 2.6.4 Disable iCloud Drive Document sync - Restrictions payload > Functionality > Allow iCloud Desktop & Documents (unchecked) -* 2.6.5 Disable iCloud Drive Desktop sync - Restrictions payload > Functionality > Allow iCloud Desktop & Documents (unchecked)2.6.8 Disable sending diagnostic and usage data to Apple From cee9527beb02a00575cac4fbf0e31a31a5bfb33a Mon Sep 17 00:00:00 2001 From: Niko Nikolov Date: Tue, 11 May 2021 11:21:41 +0100 Subject: [PATCH 2/5] Remove disabled check notes These are to be changed per org --- README.md | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/README.md b/README.md index 5dee3d2..693e8a0 100644 --- a/README.md +++ b/README.md 
@@ -53,35 +53,6 @@ Maintenance Payload - Update Inventory * Policy: Some recurring trigger to track compliance over time. -NOTES: - -* Item "1.1 Verify all Apple provided software is current" is disabled by default. -* Item "2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices - not applicable to 10.9 and higher." - Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. - To ensure that the computer is not Discoverable do not leave that preference open. -* Item "2.6.6 Enable Location Services (Not Scored)" is disabled by default. - As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. - It is considered user opt in. -* Item "2.6.7 Monitor Location Services Access (Not Scored)" is disabled by default. - As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. - It is considered user opt in. -* Item "2.7.1 Time Machine Auto-Backup " is disabled by default. - Time Machine is typically not used as an Enterprise backup solution -* Item "2.7.2 Time Machine Volumes Are Encrypted (Not Scored)" is disabled by default. - Time Machine is typically not used as an Enterprise backup solution -* Item "2.10 Securely delete files as needed (Not Scored)" is disabled by default. - With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives - the requirements have changed and the "Secure Empty Trash" capability has been removed from the GUI. -* Item "4.3 Create network specific locations (Not Scored)" is disabled by default. -* Item "5.5 Automatically lock the login keychain for inactivity" is disabled by default. -* Item "5.6 Ensure login keychain is locked when the computer sleeps" is disabled by default. -* Item "5.15 Do not enter a password-related hint (Not Scored)" is disabled by default. - Not needed if 6.1.2 Disable "Show password hints" is enforced. 
-* Item "5.17 Secure individual keychains and items (Not Scored)" is disabled by default. -* Item "5.8 Create specialized keychains for different purposes (Not Scored)" is disabled by default. -* Item "6.3 Safari disable Internet Plugins for global use (Not Scored)" is disabled by default. - - ### 2_Security_Audit_Compliance Run this before and after 3_Security_Remediation to audit the Remediation From 7896f4ab230bfb7b19e7822077a2499fa477199f Mon Sep 17 00:00:00 2001 From: David Cantrell Date: Fri, 18 Jun 2021 03:28:06 -0500 Subject: [PATCH 3/5] Update docs to require `1_Set_Organization_Priorities.sh` be run first (#2) Current version of the docs does not explicitly state this must be run first. Failing to run this script first results in a failure of the following two manual usage steps. This update corrects that. --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 693e8a0..1e6d983 100644 --- a/README.md +++ b/README.md 
@@ -9,7 +9,8 @@ Refers to document CIS_Apple_macOS_11.0_Benchmark_v1.1.0.pdf, available at https These scripts are intended to be used by jamf. However, if you want to manually benchmark your own **Big Sur** laptop, you can do so via the following steps: * Ensure that `/Library/Application Support/` exists. Note that sudo is required for its creation -* Update `CIS Scripts/1_Set_Organization_Priorities.sh` if necessary. Checks can be enabled and disabled by changing their corresponding boolean values +* Update `CIS Scripts/1_Set_Organization_Priorities.sh` if necessary. Checks can be enabled and disabled by changing their corresponding boolean values. +* Run `CIS Scripts/1_Set_Organization_Priorities.sh` with sudo to populate the file `/Library/Application Support/SecurityScoring/org_security_score.plist` with the values defined beginning on line 460 of this script. This `.plist` file drives the following scripts. ***The next two steps will not work if this is not performed first.*** * Run `CIS Scripts/2_Security_Audit_Compliance.sh` with sudo to run the benchmark * You can now get a list of all fails by using `Extension Attributes/2.5_Audit_List.sh` or remediate the fails using `CIS Scripts/3_Security_Remediation.sh` (sudo required as some checks cannot be run by standard users) From e25b095111a8c0d5905c6be84f4ae661ef32ee42 Mon Sep 17 00:00:00 2001 From: nnikolovGC <80894962+nnikolovGC@users.noreply.github.com> Date: Mon, 21 Jun 2021 09:28:49 +0100 Subject: [PATCH 4/5] Update priorities to match GC's use case (#3) * Update priorities to match our use case * Remove commented out lines Thanks, Greg --- CIS Scripts/1_Set_Organization_Priorities.sh | 177 +++++++++---------- 1 file changed, 83 insertions(+), 94 deletions(-) diff --git a/CIS Scripts/1_Set_Organization_Priorities.sh b/CIS Scripts/1_Set_Organization_Priorities.sh index 3b0e63b..6b6656d 100755 --- a/CIS Scripts/1_Set_Organization_Priorities.sh +++ b/CIS Scripts/1_Set_Organization_Priorities.sh 
@@ -58,150 +58,139 @@ plistlocation="$dir/org_security_score.plist" # 1.1 Verify all Apple provided software is current # Best managed via Jamf OrgScore1_1="true" -# OrgScore1_1="false" # 1.2 Enable Auto Update # Configuration Profile - Custom payload > com.apple.SoftwareUpdate.plist > AutomaticCheckEnabled=true, AutomaticDownload=true -OrgScore1_2="true" -# OrgScore1_2="false" +OrgScore1_2="false" # 1.3 Enable Download new updates when available # Configuration Profile - Custom payload > com.apple.SoftwareUpdate.plist > com.apple.SoftwareUpdate AutomaticDownload=true OrgScore1_3="true" -# OrgScore1_3="false" # 1.4 Enable app update installs # Does not work as a Configuration Profile - Custom payload > com.apple.commerce -OrgScore1_4="true" -# OrgScore1_4="false" +OrgScore1_4="false" # 1.5 Enable system data files and security update installs # Configuration Profile - Custom payload > com.apple.SoftwareUpdate.plist > ConfigDataInstall=true, CriticalUpdateInstall=true OrgScore1_5="true" -# OrgScore1_5="false" # 1.6 Enable macOS update installs # Enter profile descrip here -OrgScore1_6="true" -# OrgScore1_6="false" +OrgScore1_6="false" # 2.1.1 Turn off Bluetooth, if no paired devices exist OrgScore2_1_1="true" -# OrgScore2_1_1="false" # 2.1.2 Show Bluetooth status in menu bar OrgScore2_1_2="true" -# OrgScore2_1_2="false" # 2.2.1 Enable "Set time and date automatically" OrgScore2_2_1="true" -# OrgScore2_2_1="false" # 2.2.2 Ensure time set is within appropriate limits # Not audited - only enforced if identified as priority -OrgScore2_2_2="true" -# OrgScore2_2_2="false" +OrgScore2_2_2="false" # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver # Configuration Profile - LoginWindow payload > Options > Start screen saver after: 20 Minutes of Inactivity OrgScore2_3_1="true" -# OrgScore2_3_1="false" # 2.3.2 Secure screen saver corners # Configuration Profile - Custom payload > com.apple.dock > wvous-tl-corner=0, wvous-br-corner=5, 
wvous-bl-corner=0, wvous-tr-corner=0 -OrgScore2_3_2="true" -# OrgScore2_3_2="false" + +OrgScore2_3_2="false" # 2.3.3 Set a screen corner to Start Screen Saver # Configuration Profile - Custom payload > com.apple.dock > wvous-tl-corner=0, wvous-br-corner=5, wvous-bl-corner=0, wvous-tr-corner=0 -OrgScore2_3_3="true" -# OrgScore2_3_3="false" + +OrgScore2_3_3="false" ## 2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (not scored) ## The rationale in the CIS Benchmark for this is incorrect. The computer will lock if the ## display sleeps before the Screen Saver activates # Configuration Profile - Custom payload > com.apple.dock > wvous-tl-corner=0, wvous-br-corner=5, wvous-bl-corner=0, wvous-tr-corner=0 -OrgScore2_3_3="true" -# OrgScore2_3_3="false" + +OrgScore2_3_3="false" # 2.4.1 Disable Remote Apple Events OrgScore2_4_1="true" -# OrgScore2_4_1="false" + # 2.4.2 Disable Internet Sharing OrgScore2_4_2="true" -# OrgScore2_4_2="false" + # 2.4.3 Disable Screen Sharing OrgScore2_4_3="true" -# OrgScore2_4_3="false" + # 2.4.4 Disable Printer Sharing OrgScore2_4_4="true" -# OrgScore2_4_4="false" + # 2.4.5 Disable Remote Login # SSH OrgScore2_4_5="true" -# OrgScore2_4_5="false" + # 2.4.6 Disable DVD or CD Sharing OrgScore2_4_6="true" -# OrgScore2_4_6="false" + # 2.4.7 Disable Bluetooth Sharing -#OrgScore2_4_7="true" + OrgScore2_4_7="false" # 2.4.8 Disable File Sharing OrgScore2_4_8="true" -# OrgScore2_4_8="false" + # 2.4.9 Disable Remote Management # Screen Sharing and Apple Remote Desktop OrgScore2_4_9="true" -# OrgScore2_4_9="false" + # 2.4.10 Disable Content Caching # P2P Software updates OrgScore2_4_10="true" -# OrgScore2_4_10="false" + # 2.4.11 Disable Media Sharing # P2P Media Sharing OrgScore2_4_11="true" -# OrgScore2_4_11="false" + # 2.5.1.1 Enable FileVault OrgScore2_5_1_1="true" -# OrgScore2_5_1_1="false" + # 2.5.1.2 Ensure all user storage APFS volumes are encrypted (Not Scored) OrgScore2_5_1_2="true" -# OrgScore2_5_1_2="false" + # 
2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted (Not Scored) OrgScore2_5_1_3="true" -# OrgScore2_5_1_3="false" + # 2.5.2.1 Enable Gatekeeper # Configuration Profile - Security and Privacy payload > General > Gatekeeper > Mac App Store and identified developers (selected) OrgScore2_5_2_1="true" -# OrgScore2_5_2_1="false" + # 2.5.2.2 Enable Firewall # Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked) OrgScore2_5_2_2="true" -# OrgScore2_5_2_2="false" + # 2.5.2.3 Enable Firewall Stealth Mode # Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked) -OrgScore2_5_2_3="true" -# OrgScore2_5_2_3="false" + +OrgScore2_5_2_3="false" # 2.5.3 Enable Location Services OrgScore2_5_3="true" -# OrgScore2_5_3="false" + ## 2.5.7 Monitor Location Services Access (Not Scored) ## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. 
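Review bot: `OrgScore2_3_3` is assigned twice in this hunk — once under `# 2.3.3 Set a screen corner to Start Screen Saver` and again under the `## 2.3.3 Familiarize users…` note — so the first assignment is dead and the last value wins; the duplicate block should be removed or given its own variable. Both are context lines, but the commit reshuffles exactly these lines. Switching 2.5.2.3, 3.3 and 3.4 to `"false"` silently drops stealth mode and the log-retention checks from the audit; a one-line comment per item stating the organisational reason (as `# Best managed via Jamf` does for 1.1) would help the next reader.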
@@ -209,39 +198,39 @@ OrgScore2_5_3="true" # 2.5.5 Disable sending diagnostic and usage data to Apple OrgScore2_5_5="true" -# OrgScore2_5_5="false" + # 2.5.6 Limit Ad tracking and personalized Ads OrgScore2_5_6="true" -# OrgScore2_5_6="false" + # 2.6.1 iCloud configuration (Check for iCloud accounts) (Not Scored) OrgScore2_6_1="true" -# OrgScore2_6_1="false" + # 2.6.2 iCloud keychain (Not Scored) # Configuration Profile - Restrictions payload > Functionality > Allow iCloud Keychain (unchecked) OrgScore2_6_2="true" -# OrgScore2_6_2="false" + # 2.6.3 iCloud Drive (Not Scored) # Configuration Profile - Restrictions payload > Functionality > Allow iCloud Drive (unchecked) OrgScore2_6_3="true" -# OrgScore2_6_3="false" + # 2.6.4 iCloud Drive Document sync # Configuration Profile - Restrictions payload - > Functionality > Allow iCloud Desktop & Documents (unchecked) OrgScore2_6_4="true" -# OrgScore2_6_4="false" + # 2.6.5 iCloud Drive Desktop sync # Configuration Profile - Restrictions payload - > Functionality > Allow iCloud Desktop & Documents (unchecked) OrgScore2_6_5="true" -# OrgScore2_6_5="false" + # 2.7.1 Time Machine Auto-Backup # Time Machine is typically not used as an Enterprise backup solution -# OrgScore2_7_1="true" + OrgScore2_7_1="false" ## 2.7.2 Time Machine Volumes Are Encrypted (Not Scored) @@ -249,16 +238,16 @@ OrgScore2_7_1="false" # 2.8 Disable "Wake for network access" OrgScore2_8="true" -# OrgScore2_8="false" + # 2.9 Disable Power Nap OrgScore2_9="true" -# OrgScore2_9="false" -# 2.10 Enable Secure Keyboard Entry in terminal.app + +# 2.10 Enable Secure Keyboard Entry in terminal.app and iTerm 2 # Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true OrgScore2_10="true" -# OrgScore2_10="false" + ## 2.10 Securely delete files as needed (Not Scored) ## With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives 
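Review bot: Every removed `# OrgScore2_5_5="false"` … `# OrgScore2_6_5="false"` alternative is replaced by an empty added line, so the file gains a stray blank line under each score while losing the only hint that the value is a true/false toggle; the same replacement pattern runs through the -249, -267, -339 and -397 hunks of this patch. Either drop the line entirely or keep the alternative commented as the original did. If the intent is to trim the file, a single header comment such as `# Each OrgScoreX_Y is "true" (audit/remediate) or "false" (skip)` near the top would replace the per-item comments; the top of the file is outside this chunk.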
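Review bot: The 2.10 heading now reads `# 2.10 Enable Secure Keyboard Entry in terminal.app and iTerm 2`, but the configuration hint on the next line still names only `com.apple.Terminal > SecureKeyboardEntry=true`, so a reader has no pointer for how iTerm 2 is configured or audited. Either extend that comment with the iTerm 2 preference the audit script checks, or add `# iTerm 2 is covered by the audit script only, not by the profile`. The patch message says iTerm was added to the SecureKeyboardEntry check, but that script is not in this chunk, so whether the two stay in step cannot be confirmed here.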
@@ -267,65 +256,65 @@ OrgScore2_10="true" # 2.11 Ensure EFI version is valid and being regularly checked # see this https://github.com/0xmachos/mOSL/issues/4 OrgScore2_11="true" -# OrgScore2_11="false" + # 3.1 Enable security Auditing OrgScore3_1="true" -# OrgScore3_1="false" + # 3.2 Configure Security Auditing Flags per local organizational requirements (Not Scored) OrgScore3_2="true" -# OrgScore3_2="false" + # 3.3 Retain install.log for 365 or more days -OrgScore3_3="true" -# OrgScore3_3="false" + +OrgScore3_3="false" # 3.4 Ensure security auditing retention -OrgScore3_4="true" -# OrgScore3_4="false" + +OrgScore3_4="false" # 3.5 Control access to audit records OrgScore3_5="true" -# OrgScore3_5="false" + # 3.6 Ensure Firewall is configured to log OrgScore3_6="true" -# OrgScore3_6="false" + # 4.1 Disable Bonjour advertising service # Configuration Profile - Custom payload > com.apple.mDNSResponder > NoMulticastAdvertisements=true OrgScore4_1="true" -# OrgScore4_1="false" + # 4.2 Enable "Show Wi-Fi status in menu bar" OrgScore4_2="true" -# OrgScore4_2="false" + # 4.4 Ensure http server is not running OrgScore4_4="true" -# OrgScore4_4="false" + # 4.5 Ensure nfs server is not running OrgScore4_5="true" -# OrgScore4_5="false" + # 5.1.1 Secure Home Folders OrgScore5_1_1="true" -# OrgScore5_1_1="false" + # 5.1.2 Check System Wide Applications for appropriate permissions OrgScore5_1_2="true" -# OrgScore5_1_2="false" + # 5.1.3 Check System folder for world writable files OrgScore5_1_3="true" -# OrgScore5_1_3="false" + # 5.1.4 Check Library folder for world writable files OrgScore5_1_4="true" -# OrgScore5_1_4="false" + ## Managed by Active Directory, Enterprise Connect, or a configuration profile. ## 5.2.1 Configure account lockout threshold 
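Review bot: `OrgScore3_3="false"` and `OrgScore3_4="false"` opt this organization out of install.log retention and audit-record retention with no recorded reason, and the same silent opt-outs appear for 5.14 in the -339 hunk and 6.1.1 in the -397 hunk (2.5.2.3 stealth mode is flipped the same way earlier in this patch). Retention settings are what an incident responder depends on, so an opt-out should carry a one-line rationale the way 5.5 and 5.6 already do (`# This is a very bad idea. It will confuse users.`), for example `# Not scored here: <reason or ticket>`. The commit message says the exceptions depend on the organization, and the later revert in this series bears that out, which is exactly what such a comment would have made explicit to the next reader.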
@@ -339,57 +328,57 @@ OrgScore5_1_4="true" # 5.3 Reduce the sudo timeout period OrgScore5_3="true" -# OrgScore5_3="false" + # 5.4 Automatically lock the login keychain for inactivity OrgScore5_4="true" -# OrgScore5_4="false" + # 5.5 Use a separate timestamp for each user/tty combo # This is a very bad idea. It will confuse users. -# OrgScore5_5="true" + OrgScore5_5="false" # 5.6 Ensure login keychain is locked when the computer sleeps # This is a very bad idea. It will confuse users. -# OrgScore5_6="true" + OrgScore5_6="false" # 5.7 Do not enable the "root" account OrgScore5_7="true" -# OrgScore5_7="false" + # 5.8 Disable automatic login # Configuration Profile - LoginWindow payload > Options > Disable automatic login (checked) OrgScore5_8="true" -# OrgScore5_8="false" + # 5.9 Require a password to wake the computer from sleep or screen saver # Configuration Profile - Security and Privacy payload > General > Require password * after sleep or screen saver begins (checked) OrgScore5_9="true" -# OrgScore5_9="false" + # 5.10 Ensure system is set to hibernate and destroy FileVault key OrgScore5_10="true" -# OrgScore5_10="false" + # 5.11 Require an administrator password to access system-wide preferences OrgScore5_11="true" -# OrgScore5_11="false" + # 5.12 Disable ability to login to another user's active and locked session OrgScore5_12="true" -# OrgScore5_12="false" + # 5.13 Create a custom message for the Login Screen # Configuration Profile - LoginWindow payload > Window > Banner (message) OrgScore5_13="true" -# OrgScore5_13="false" + # 5.14 Create a Login window banner # Policy Banner https://support.apple.com/en-us/HT202277 -OrgScore5_14="true" -# OrgScore5_14="false" + +OrgScore5_14="false" ## 5.15 Do not enter a password-related hint (Not Scored) ## Not needed if 6.1.2 Disable "Show password hints" is enforced. 
@@ -397,56 +386,56 @@ OrgScore5_14="true" # 5.16 Disable Fast User Switching (Not Scored) # Configuration Profile - LoginWindow payload > Options > Enable Fast User Switching (unchecked) OrgScore5_16="true" -# OrgScore5_16="false" + ## 5.17 Secure individual keychains and items (Not Scored) # 5.18 System Integrity Protection status OrgScore5_18="true" -# OrgScore5_18="false" + # 5.19 Enable Sealed System Volume (SSV) OrgScore5_19="true" -# OrgScore5_19="false" + # 5.20 Enable Library Validation OrgScore5_20="true" -# OrgScore5_20="false" + # 6.1.1 Display login window as name and password # Configuration Profile - LoginWindow payload > Window > LOGIN PROMPT > Name and password text fields (selected) -OrgScore6_1_1="true" -# OrgScore6_1_1="false" + +OrgScore6_1_1="false" # 6.1.2 Disable "Show password hints" # Configuration Profile - LoginWindow payload > Options > Show password hint when needed and available (unchecked - Yes this is backwards) OrgScore6_1_2="true" -# OrgScore6_1_2="false" + # 6.1.3 Disable guest account # Configuration Profile - LoginWindow payload > Options > Allow Guest User (unchecked) OrgScore6_1_3="true" -# OrgScore6_1_3="false" + # 6.1.4 Disable "Allow guests to connect to shared folders" # Configuration Profile - 6.1.4 Disable Allow guests to connect to shared folders - Custom payload > com.apple.AppleFileServer guestAccess=false, com.apple.smb.server AllowGuestAccess=false OrgScore6_1_4="true" -# OrgScore6_1_4="false" + # 6.1.5 Remove Guest home folder OrgScore6_1_5="true" -# OrgScore6_1_5="false" + # 6.2 Turn on filename extensions # Does not work as a Configuration Profile - .GlobalPreferences.plist OrgScore6_2="true" -# OrgScore6_2="false" + # 6.3 Disable the automatic run of safe files in Safari # Configuration Profile - Custom payload > com.apple.Safari > AutoOpenSafeDownloads=false OrgScore6_3="true" -# OrgScore6_3="false" + ## 6.4 Use parental controls for systems that are not centrally managed (Not Scored) 
From 0606c0d019dd17a3b5895b43106064dda195d4b5 Mon Sep 17 00:00:00 2001 From: Niko Nikolov Date: Wed, 30 Jun 2021 16:58:20 +0100 Subject: [PATCH 5/5] Revert GoCardless-specific commit This reverts commit e25b095111a8c0d5905c6be84f4ae661ef32ee42. --- CIS Scripts/1_Set_Organization_Priorities.sh | 177 ++++++++++--------- 1 file changed, 94 insertions(+), 83 deletions(-) diff --git a/CIS Scripts/1_Set_Organization_Priorities.sh b/CIS Scripts/1_Set_Organization_Priorities.sh index 6b6656d..3b0e63b 100755 --- a/CIS Scripts/1_Set_Organization_Priorities.sh +++ b/CIS Scripts/1_Set_Organization_Priorities.sh 
@@ -58,139 +58,150 @@ plistlocation="$dir/org_security_score.plist" # 1.1 Verify all Apple provided software is current # Best managed via Jamf OrgScore1_1="true" +# OrgScore1_1="false" # 1.2 Enable Auto Update # Configuration Profile - Custom payload > com.apple.SoftwareUpdate.plist > AutomaticCheckEnabled=true, AutomaticDownload=true -OrgScore1_2="false" +OrgScore1_2="true" +# OrgScore1_2="false" # 1.3 Enable Download new updates when available # Configuration Profile - Custom payload > com.apple.SoftwareUpdate.plist > com.apple.SoftwareUpdate AutomaticDownload=true OrgScore1_3="true" +# OrgScore1_3="false" # 1.4 Enable app update installs # Does not work as a Configuration Profile - Custom payload > com.apple.commerce -OrgScore1_4="false" +OrgScore1_4="true" +# OrgScore1_4="false" # 1.5 Enable system data files and security update installs # Configuration Profile - Custom payload > com.apple.SoftwareUpdate.plist > ConfigDataInstall=true, CriticalUpdateInstall=true OrgScore1_5="true" +# OrgScore1_5="false" # 1.6 Enable macOS update installs # Enter profile descrip here -OrgScore1_6="false" +OrgScore1_6="true" +# OrgScore1_6="false" # 2.1.1 Turn off Bluetooth, if no paired devices exist OrgScore2_1_1="true" +# OrgScore2_1_1="false" # 2.1.2 Show Bluetooth status in menu bar OrgScore2_1_2="true" +# OrgScore2_1_2="false" # 2.2.1 Enable "Set time and date automatically" OrgScore2_2_1="true" +# OrgScore2_2_1="false" # 2.2.2 Ensure time set is within appropriate limits # Not audited - only enforced if identified as priority -OrgScore2_2_2="false" +OrgScore2_2_2="true" +# OrgScore2_2_2="false" # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver # Configuration Profile - LoginWindow payload > Options > Start screen saver after: 20 Minutes of Inactivity OrgScore2_3_1="true" +# OrgScore2_3_1="false" # 2.3.2 Secure screen saver corners # Configuration Profile - Custom payload > com.apple.dock > wvous-tl-corner=0, wvous-br-corner=5, 
wvous-bl-corner=0, wvous-tr-corner=0 - -OrgScore2_3_2="false" +OrgScore2_3_2="true" +# OrgScore2_3_2="false" # 2.3.3 Set a screen corner to Start Screen Saver # Configuration Profile - Custom payload > com.apple.dock > wvous-tl-corner=0, wvous-br-corner=5, wvous-bl-corner=0, wvous-tr-corner=0 - -OrgScore2_3_3="false" +OrgScore2_3_3="true" +# OrgScore2_3_3="false" ## 2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (not scored) ## The rationale in the CIS Benchmark for this is incorrect. The computer will lock if the ## display sleeps before the Screen Saver activates # Configuration Profile - Custom payload > com.apple.dock > wvous-tl-corner=0, wvous-br-corner=5, wvous-bl-corner=0, wvous-tr-corner=0 - -OrgScore2_3_3="false" +OrgScore2_3_3="true" +# OrgScore2_3_3="false" # 2.4.1 Disable Remote Apple Events OrgScore2_4_1="true" - +# OrgScore2_4_1="false" # 2.4.2 Disable Internet Sharing OrgScore2_4_2="true" - +# OrgScore2_4_2="false" # 2.4.3 Disable Screen Sharing OrgScore2_4_3="true" - +# OrgScore2_4_3="false" # 2.4.4 Disable Printer Sharing OrgScore2_4_4="true" - +# OrgScore2_4_4="false" # 2.4.5 Disable Remote Login # SSH OrgScore2_4_5="true" - +# OrgScore2_4_5="false" # 2.4.6 Disable DVD or CD Sharing OrgScore2_4_6="true" - +# OrgScore2_4_6="false" # 2.4.7 Disable Bluetooth Sharing - +#OrgScore2_4_7="true" OrgScore2_4_7="false" # 2.4.8 Disable File Sharing OrgScore2_4_8="true" - +# OrgScore2_4_8="false" # 2.4.9 Disable Remote Management # Screen Sharing and Apple Remote Desktop OrgScore2_4_9="true" - +# OrgScore2_4_9="false" # 2.4.10 Disable Content Caching # P2P Software updates OrgScore2_4_10="true" - +# OrgScore2_4_10="false" # 2.4.11 Disable Media Sharing # P2P Media Sharing OrgScore2_4_11="true" - +# OrgScore2_4_11="false" # 2.5.1.1 Enable FileVault OrgScore2_5_1_1="true" - +# OrgScore2_5_1_1="false" # 2.5.1.2 Ensure all user storage APFS volumes are encrypted (Not Scored) OrgScore2_5_1_2="true" - +# OrgScore2_5_1_2="false" # 
2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted (Not Scored) OrgScore2_5_1_3="true" - +# OrgScore2_5_1_3="false" # 2.5.2.1 Enable Gatekeeper # Configuration Profile - Security and Privacy payload > General > Gatekeeper > Mac App Store and identified developers (selected) OrgScore2_5_2_1="true" - +# OrgScore2_5_2_1="false" # 2.5.2.2 Enable Firewall # Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked) OrgScore2_5_2_2="true" - +# OrgScore2_5_2_2="false" # 2.5.2.3 Enable Firewall Stealth Mode # Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked) - -OrgScore2_5_2_3="false" +OrgScore2_5_2_3="true" +# OrgScore2_5_2_3="false" # 2.5.3 Enable Location Services OrgScore2_5_3="true" - +# OrgScore2_5_3="false" ## 2.5.7 Monitor Location Services Access (Not Scored) ## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. 
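Review bot: The restored `OrgScore2_3_3="true"` is assigned twice in this hunk, once under `# 2.3.3 Set a screen corner to Start Screen Saver` and again under `## 2.3.3 Familiarize users with screen lock tools ...`, so the first assignment is dead and whichever block is edited later wins silently; keep one block, or give the second its own variable if it is meant as a separate item. Less urgent: `# Enter profile descrip here` under 1.6 is a placeholder that has now survived a revert, and `# Not audited - only enforced if identified as priority` under 2.2.2 sits next to `OrgScore2_2_2="true"`, which reads as contradictory unless the audit script treats "true" as enforce-only for that item; that script is not in this chunk.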
@@ -198,39 +209,39 @@ OrgScore2_5_3="true" # 2.5.5 Disable sending diagnostic and usage data to Apple OrgScore2_5_5="true" - +# OrgScore2_5_5="false" # 2.5.6 Limit Ad tracking and personalized Ads OrgScore2_5_6="true" - +# OrgScore2_5_6="false" # 2.6.1 iCloud configuration (Check for iCloud accounts) (Not Scored) OrgScore2_6_1="true" - +# OrgScore2_6_1="false" # 2.6.2 iCloud keychain (Not Scored) # Configuration Profile - Restrictions payload > Functionality > Allow iCloud Keychain (unchecked) OrgScore2_6_2="true" - +# OrgScore2_6_2="false" # 2.6.3 iCloud Drive (Not Scored) # Configuration Profile - Restrictions payload > Functionality > Allow iCloud Drive (unchecked) OrgScore2_6_3="true" - +# OrgScore2_6_3="false" # 2.6.4 iCloud Drive Document sync # Configuration Profile - Restrictions payload - > Functionality > Allow iCloud Desktop & Documents (unchecked) OrgScore2_6_4="true" - +# OrgScore2_6_4="false" # 2.6.5 iCloud Drive Desktop sync # Configuration Profile - Restrictions payload - > Functionality > Allow iCloud Desktop & Documents (unchecked) OrgScore2_6_5="true" - +# OrgScore2_6_5="false" # 2.7.1 Time Machine Auto-Backup # Time Machine is typically not used as an Enterprise backup solution - +# OrgScore2_7_1="true" OrgScore2_7_1="false" ## 2.7.2 Time Machine Volumes Are Encrypted (Not Scored) @@ -238,16 +249,16 @@ OrgScore2_7_1="false" # 2.8 Disable "Wake for network access" OrgScore2_8="true" - +# OrgScore2_8="false" # 2.9 Disable Power Nap OrgScore2_9="true" +# OrgScore2_9="false" - -# 2.10 Enable Secure Keyboard Entry in terminal.app and iTerm 2 +# 2.10 Enable Secure Keyboard Entry in terminal.app # Configuration Profile - Custom payload > com.apple.Terminal > SecureKeyboardEntry=true OrgScore2_10="true" - +# OrgScore2_10="false" ## 2.10 Securely delete files as needed (Not Scored) ## With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives 
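Review bot: Reverting the 2.10 heading to `# 2.10 Enable Secure Keyboard Entry in terminal.app` drops the mention of iTerm 2, while the first patch in this series states the iTerm check was added to the audit script; if that check still exists, the heading here under-describes what `OrgScore2_10="true"` turns on. Keep the heading as `# 2.10 Enable Secure Keyboard Entry in terminal.app and iTerm 2`, or confirm that the audit script was reverted as well. The audit script is not in this chunk, so this is inferred from the commit messages only.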
@@ -256,65 +267,65 @@ OrgScore2_10="true" # 2.11 Ensure EFI version is valid and being regularly checked # see this https://github.com/0xmachos/mOSL/issues/4 OrgScore2_11="true" - +# OrgScore2_11="false" # 3.1 Enable security Auditing OrgScore3_1="true" - +# OrgScore3_1="false" # 3.2 Configure Security Auditing Flags per local organizational requirements (Not Scored) OrgScore3_2="true" - +# OrgScore3_2="false" # 3.3 Retain install.log for 365 or more days - -OrgScore3_3="false" +OrgScore3_3="true" +# OrgScore3_3="false" # 3.4 Ensure security auditing retention - -OrgScore3_4="false" +OrgScore3_4="true" +# OrgScore3_4="false" # 3.5 Control access to audit records OrgScore3_5="true" - +# OrgScore3_5="false" # 3.6 Ensure Firewall is configured to log OrgScore3_6="true" - +# OrgScore3_6="false" # 4.1 Disable Bonjour advertising service # Configuration Profile - Custom payload > com.apple.mDNSResponder > NoMulticastAdvertisements=true OrgScore4_1="true" - +# OrgScore4_1="false" # 4.2 Enable "Show Wi-Fi status in menu bar" OrgScore4_2="true" - +# OrgScore4_2="false" # 4.4 Ensure http server is not running OrgScore4_4="true" - +# OrgScore4_4="false" # 4.5 Ensure nfs server is not running OrgScore4_5="true" - +# OrgScore4_5="false" # 5.1.1 Secure Home Folders OrgScore5_1_1="true" - +# OrgScore5_1_1="false" # 5.1.2 Check System Wide Applications for appropriate permissions OrgScore5_1_2="true" - +# OrgScore5_1_2="false" # 5.1.3 Check System folder for world writable files OrgScore5_1_3="true" - +# OrgScore5_1_3="false" # 5.1.4 Check Library folder for world writable files OrgScore5_1_4="true" - +# OrgScore5_1_4="false" ## Managed by Active Directory, Enterprise Connect, or a configuration profile. ## 5.2.1 Configure account lockout threshold 
@@ -328,57 +339,57 @@ OrgScore5_1_4="true" # 5.3 Reduce the sudo timeout period OrgScore5_3="true" - +# OrgScore5_3="false" # 5.4 Automatically lock the login keychain for inactivity OrgScore5_4="true" - +# OrgScore5_4="false" # 5.5 Use a separate timestamp for each user/tty combo # This is a very bad idea. It will confuse users. - +# OrgScore5_5="true" OrgScore5_5="false" # 5.6 Ensure login keychain is locked when the computer sleeps # This is a very bad idea. It will confuse users. - +# OrgScore5_6="true" OrgScore5_6="false" # 5.7 Do not enable the "root" account OrgScore5_7="true" - +# OrgScore5_7="false" # 5.8 Disable automatic login # Configuration Profile - LoginWindow payload > Options > Disable automatic login (checked) OrgScore5_8="true" - +# OrgScore5_8="false" # 5.9 Require a password to wake the computer from sleep or screen saver # Configuration Profile - Security and Privacy payload > General > Require password * after sleep or screen saver begins (checked) OrgScore5_9="true" - +# OrgScore5_9="false" # 5.10 Ensure system is set to hibernate and destroy FileVault key OrgScore5_10="true" - +# OrgScore5_10="false" # 5.11 Require an administrator password to access system-wide preferences OrgScore5_11="true" - +# OrgScore5_11="false" # 5.12 Disable ability to login to another user's active and locked session OrgScore5_12="true" - +# OrgScore5_12="false" # 5.13 Create a custom message for the Login Screen # Configuration Profile - LoginWindow payload > Window > Banner (message) OrgScore5_13="true" - +# OrgScore5_13="false" # 5.14 Create a Login window banner # Policy Banner https://support.apple.com/en-us/HT202277 - -OrgScore5_14="false" +OrgScore5_14="true" +# OrgScore5_14="false" ## 5.15 Do not enter a password-related hint (Not Scored) ## Not needed if 6.1.2 Disable "Show password hints" is enforced. 
@@ -386,56 +397,56 @@ OrgScore5_14="false" # 5.16 Disable Fast User Switching (Not Scored) # Configuration Profile - LoginWindow payload > Options > Enable Fast User Switching (unchecked) OrgScore5_16="true" - +# OrgScore5_16="false" ## 5.17 Secure individual keychains and items (Not Scored) # 5.18 System Integrity Protection status OrgScore5_18="true" - +# OrgScore5_18="false" # 5.19 Enable Sealed System Volume (SSV) OrgScore5_19="true" - +# OrgScore5_19="false" # 5.20 Enable Library Validation OrgScore5_20="true" - +# OrgScore5_20="false" # 6.1.1 Display login window as name and password # Configuration Profile - LoginWindow payload > Window > LOGIN PROMPT > Name and password text fields (selected) - -OrgScore6_1_1="false" +OrgScore6_1_1="true" +# OrgScore6_1_1="false" # 6.1.2 Disable "Show password hints" # Configuration Profile - LoginWindow payload > Options > Show password hint when needed and available (unchecked - Yes this is backwards) OrgScore6_1_2="true" - +# OrgScore6_1_2="false" # 6.1.3 Disable guest account # Configuration Profile - LoginWindow payload > Options > Allow Guest User (unchecked) OrgScore6_1_3="true" - +# OrgScore6_1_3="false" # 6.1.4 Disable "Allow guests to connect to shared folders" # Configuration Profile - 6.1.4 Disable Allow guests to connect to shared folders - Custom payload > com.apple.AppleFileServer guestAccess=false, com.apple.smb.server AllowGuestAccess=false OrgScore6_1_4="true" - +# OrgScore6_1_4="false" # 6.1.5 Remove Guest home folder OrgScore6_1_5="true" - +# OrgScore6_1_5="false" # 6.2 Turn on filename extensions # Does not work as a Configuration Profile - .GlobalPreferences.plist OrgScore6_2="true" - +# OrgScore6_2="false" # 6.3 Disable the automatic run of safe files in Safari # Configuration Profile - Custom payload > com.apple.Safari > AutoOpenSafeDownloads=false OrgScore6_3="true" - +# OrgScore6_3="false" ## 6.4 Use parental controls for systems that are not centrally managed (Not Scored)