CIS Benchmark: Monterey

  • January 12, 2022
  • 4 replies
  • 20 views


Hello All,

 

I have been attempting to implement a level one CIS Benchmark and I haven't figured it out just yet. Any advice would be great. Also, I have stumbled across a script that was made for Big Sur. Has anyone adjusted this script to work for Monterey?

https://github.com/gocardless/CIS-for-macOS-BigSur-CP 

 

Thank you in advance !!

4 replies

jmahlman
  • Valued Contributor
  • 307 replies
  • January 12, 2022

Hey there! First, I would look at the macOS Security Compliance project. It's updated regularly, open source, and suggested by Apple (and Jamf). There is even a CIS variant available from Mischa van der Bent. I have not used this one but it's a great starting point.

However, if you're looking for a "simpler" approach, check out this CIS Script that Mischa also wrote. It's inspired by the Jamf professional services script and it provides nice reports.


  • Contributor
  • 44 replies
  • June 7, 2022

Looks like the macOS Security Compliance Project finally added CIS although I haven't tried implementing it yet.


  • Valued Contributor
  • 90 replies
  • October 5, 2022

@jmahlman did you apply the CIS Benchmark Mischa one? I am trying to test that one. Can you or anyone please share the workflow with me? I already followed the steps from his GitHub but I think I need help.


jmahlman
  • Valued Contributor
  • 307 replies
  • October 6, 2022


I applied using the MSCP CIS guidance. I'm not using Mischa's approach right now. 

I made some EAs to collect data from the audit files to know when to remediate.

This one will give a number:

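    #!/bin/zsh
    # cis v2 - Audit List
    # Print the audit plist and keep the name of every rule whose dict contains "finding = true".
    auditList=$(/usr/libexec/PlistBuddy -c "Print" "/Library/Preferences/org.cislvl2.plist" | sed -nE '{N; s/[[:space:]]*(.*) = Dict.*finding = true.*/\1/p ; D;}')
    # Jamf reads the extension attribute value from the <result> tags.
    echo "<result>${auditList}</result>"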

This will give a list of findings:

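    #!/bin/zsh
    # cis v2 - Audit Count
    # Count the "finding = true" lines in the printed audit plist.
    auditCount=$(/usr/libexec/PlistBuddy -c "Print" "/Library/Preferences/org.cis_leidos.audit.plist" | grep -c "finding = true")
    # Jamf reads the extension attribute value from the <result> tags.
    echo "<result>${auditCount}</result>"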
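
A variant of the two extension attributes above that returns the count and the rule names in one value and reports a missing audit file instead of 0, as an added example that is not jmahlman's or the MSCP project's code. The plist path is a placeholder, and the function names, the "Audit not run" string and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The path is a placeholder: set it to your baseline's audit plist.
AUDIT_PLIST="${AUDIT_PLIST:-/Library/Preferences/org.EXAMPLE.audit.plist}"

# Read PlistBuddy "Print" text on stdin and print the name of each rule with finding = true.
failed_rules() {
    awk '/ = Dict [{]/     { rule = $1; next }
         /finding = true/  { if (rule != "") print rule; rule = "" }'
}

# Turn PlistBuddy text into the EA value: the count on line 1, then one rule name per line.
summarize() {
    rules=$(failed_rules)
    if [ -z "$rules" ]; then
        echo "0"
    else
        printf '%s\n%s\n' "$(printf '%s\n' "$rules" | wc -l | tr -d ' ')" "$rules"
    fi
}

# Constructed sample of PlistBuddy "Print" output (rule names are made up).
sample_print_output() {
    cat <<'EOF'
Dict {
    example_rule_a = Dict {
        finding = false
    }
    example_rule_b = Dict {
        finding = true
    }
    example_rule_c = Dict {
        finding = true
    }
}
EOF
}

# A missing or unreadable audit file is reported as such, not as 0 findings.
ea_result() {
    if [ ! -r "$1" ]; then
        echo "<result>Audit not run</result>"
        return 0
    fi
    echo "<result>$(/usr/libexec/PlistBuddy -c "Print" "$1" | summarize)</result>"
}

ea_result "$AUDIT_PLIST"
```

Without the readability check, `grep -c` on the output for a machine where the audit never ran returns 0, which a smart group cannot tell apart from a compliant machine.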