So, to test the CIS Compliance scripts linked to in the presentation, I built a clean Mac with 10.11.6 and ran the scripts unaltered. However, I received several errors, and when re-running the CIS tool, while some settings were changed, many still fail the test.

Looking at the Terminal output and the logs, it looks like the defaults commands are failing (and yes, I did run the scripts with sudo). Also a suggestion... Since the scripts seem to be applying the settings only to the currently logged-in user, I would suggest adding a loop that runs the commands on all users as well as all of the Template files.

Just wondering if anyone has had any success with these scripts? It is a huge step forward for me, but until I can get all of the settings to configure correctly, there will still be some work to do.

Same here, Jason. I haven't had a chance this week to dig in too deeply (middle of audits this week!) but I'm seeing the same thing you are.


@jason.bracy Definitely interested in improving the workflows - can you give some examples of the errors you're seeing?

Thanks!
katie


Here is the Terminal output from the remediation script, if that helps:

bash-3.2# /Users/Shared/2016_JNUC_Security_Reporting_Compliance-master/3_Security_Remediation.sh 
2016-10-27 15:52:06.638 defaults[2114:49386] 
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, AutomaticCheckEnabled) does not exist
2016-10-27 15:52:06.671 defaults[2117:49403] 
The domain/default pair of (/Library/Preferences/com.apple.commerce, AutoUpdate) does not exist
2016-10-27 15:52:06.713 defaults[2120:49415] 
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, ConfigDataInstall) does not exist
2.1.1 passed
2016-10-27 15:52:53.785 defaults[2203:50144] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.systemuiserver, menuExtras) does not exist
Error : nodename nor servname provided, or not known
2016-10-27 15:52:54.010 defaults[2213:50224] 
The domain/default pair of (com.apple.screensaver, idleTime) does not exist
2016-10-27 15:52:54.040 defaults[2215:50232] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2016-10-27 15:52:54.053 defaults[2216:50236] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2016-10-27 15:52:54.068 defaults[2217:50240] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tr-corner) does not exist
2016-10-27 15:52:54.082 defaults[2218:50245] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-br-corner) does not exist
2016-10-27 15:52:54.114 defaults[2220:50253] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2016-10-27 15:52:54.128 defaults[2221:50257] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2016-10-27 15:52:54.140 defaults[2222:50261] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tr-corner) does not exist
2016-10-27 15:52:54.153 defaults[2223:50266] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-br-corner) does not exist
2.4.1 passed
Print: Entry, ":NAT:AirPort:Enabled", Does Not Exist
Print: Entry, ":NAT:Enabled", Does Not Exist
Print: Entry, ":NAT:PrimaryInterface:Enabled", Does Not Exist
File Doesn't Exist, Will Create: /Library/Preferences/SystemConfiguration/com.apple.nat.plist
Delete: Entry, ":NAT:AirPort:Enabled", Does Not Exist
Delete: Entry, ":NAT:Enabled", Does Not Exist
Delete: Entry, ":NAT:PrimaryInterface:Enabled", Does Not Exist
2.4.3 passed
2.4.5 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist
Delete: Entry, ":PrefKeyServicesEnabled", Does Not Exist
2.4.8 passed
2.4.9 passed
Warning: Idle sleep timings for "AC Power" may not behave as expected.
- Disk sleep should be non-zero whenever system sleep is non-zero.
2.6.4 passed
/Users/Shared/2016_JNUC_Security_Reporting_Compliance-master/3_Security_Remediation.sh: line 379: [: : integer expression expected
2.8 passed
2.10 passed
4.1 passed
2016-10-27 15:52:55.303 defaults[2333:50534] 
The domain/default pair of (com.apple.systemuiserver, menuExtras) does not exist
4.4 passed
4.5 passed
4.6 passed
5.7 passed
5.8 passed
5.9 passed
5.18 passed
2016-10-27 15:53:21.135 defaults[2392:50830] 
The domain/default pair of (/Library/Preferences/com.apple.AppleFileServer, guestAccess) does not exist
2016-10-27 15:53:21.146 defaults[2393:50836] 
The domain/default pair of (/Library/Preferences/SystemConfiguration/com.apple.smb.server, AllowGuestAccess) does not exist
2016-10-27 15:53:21.179 defaults[2395:50844] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.finder, AppleShowAllExtensions) does not exist
2016-10-27 15:53:21.222 defaults[2398:50856] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.Safari, AutoOpenSafeDownloads) does not exist
6.3 passed

@jason.bracy That is helpful. Looks like I need to add in some additional error checking logic. Are you running the policies while a user is logged in (and does the output look similar if you do)?

Thanks,
katie


I was logged in. I decided to see what the scripts would do on a clean install, so it wasn't even enrolled in Casper yet.

Thanks,

Jason


Try mine: https://github.com/franton/CIS-Apple-Security-Casper


Thanks @franton I'll give those a try.


Also found this set of scripts for 10.10: https://github.com/usnistgov/applesec Don't know why I was never able to find that before. Seems to be the official NIST configuration, so we may be reinventing the wheel here...


FWIW, got a little more time to dig into the JAMF scripts. With the updates (a huge thank you to @kenglish ) they appear to be working for the most part, but a few issues I'm seeing:

1) The following errors appear every time, and never go away despite "remediation", even though they DO appear to be set when I check the actual machine:

2.4.2 Disable Internet Sharing
2.6.5 Review Application Firewall Rules
2.8 Pair the remote control infrared receiver if enabled
4.2 Enable Show Wi-Fi status in menu bar
* 5.1.4 Check Library folder for world writable files

(eg - Wi-Fi status IS in the menu bar, if I remove it and re-run the scripts, it IS corrected, but continues to be listed as a failure).

2) I'm a bit concerned about log sizes - 5.1.4 is creating HUGE logs on the systems I'm testing this on - the JSS truncates it with the message "[Log data was truncated to a max size of 1000000 bytes]". I already noticed a tiny increase in my backup size last night. It appears to be parsing directories incorrectly, as I have tons of entries such as the following:

chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/fr_FR.lproj: No such file or directory
chmod: 2487491: No such file or directory
chmod: 0: No such file or directory
chmod: drwxrwxrwx: No such file or directory
chmod: 3: No such file or directory
chmod: root: No such file or directory
chmod: wheel: No such file or directory
chmod: 102: No such file or directory
chmod: Dec: No such file or directory
chmod: 23: No such file or directory
chmod: 2015: No such file or directory
chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/fr_XM.lproj: No such file or directory
chmod: 2487493: No such file or directory
chmod: 0: No such file or directory
chmod: drwxrwxrwx: No such file or directory
chmod: 3: No such file or directory
chmod: root: No such file or directory
chmod: wheel: No such file or directory
chmod: 102: No such file or directory
chmod: Dec: No such file or directory
chmod: 23: No such file or directory
chmod: 2015: No such file or directory
chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/French.lproj: No such file or directory
chmod: 24874

(Naturally... it HAD to be Adobe! ;) )

I'm not sure what the best compromise is, but I know that with logs hitting 1 MB each time it runs, this would more than double the size of my database within a few hours if I applied it to all systems, and continue to cause my logs to grow much faster than I'm really comfortable with.


@Taylor.Armstrong

Re: 5.1.4, I actually built in an exception for Adobe that's commented out by default in Step 3:

# for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do
#     chmod -R o-w $libPermissions
# done

The additional awesome thing about Adobe items in /Library is that even if you remediate, the next time the products update, they'll just break the permissions over again.

My inclination is to build in a permanent exception for that particular issue.

That would make Step 2 look like this:

# 5.1.4 Check Library folder for world writable files
# Verify organizational score
Audit5_1_4="$(defaults read "$plistlocation" OrgScore5_1_4)"
# If organizational score is 1 or true, check status of client
if [ "$Audit5_1_4" = "1" ]; then
    # Count world-writable directories under /Library, ignoring Caches and Adobe
    libPermissions="$(find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe | wc -l | xargs)"
    # If client fails, then note category in audit file
    if [ "$libPermissions" = "0" ]; then
        echo "5.1.4 passed"
    else
        echo "* 5.1.4 Check Library folder for world writable files" >> "$auditfilelocation"
    fi
fi

And Step 3:

# 5.1.4 Check Library folder for world writable files
# Verify organizational score
Audit5_1_4="$(defaults read "$plistlocation" OrgScore5_1_4)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_1_4" = "1" ]; then
    # Let find hand each path to chmod itself (-exec ... {} +). Looping over the
    # word-split output of "find -ls" fed every column of the listing (inode,
    # mode, owner, date...) to chmod as a separate argument and broke any path
    # containing a space. The Caches and Adobe exclusions are applied to the
    # path rather than to the listing line.
    find /Library -type d -perm -2 ! -path '*Caches*' ! -path '*Adobe*' \
        -exec chmod -R o-w {} +
fi

Will check into 2.4.2, 2.8, and 4.2 as well.


Well, that might teach me to re-read the script before complaining! :)
(seriously - thank you for this - HUGE step for us)

Can confirm that making the change and using the "Adobe" line resolved the massive log issue. Still having what looks like a few parsing issues, e.g.:

chmod: Support/VMware/VMware: No such file or directory
chmod: Fusion/Shared: No such file or directory

It appears that it is breaking with a space in the directory path, but I'm down from 100 MB of results to something "normal". (FWIW, 22,231 lines in the log down to 92. I'd say that's better :)

If you don't mind my asking, which version of the CIS baseline is this based on? I'm testing against a 10.11 laptop, but will try to spin up a couple of VMs for additional testing as well. We generally use a slightly modified CIS for our setup, and we have a couple of people working on the 10.12 CIS effort now. I'm trying to go through and identify what settings from our "normal" baseline are missing from this and see what I can do to add them in, but you've given us a HUGE platform to start from.
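As an added example (not code from the JNUC scripts, the CIS benchmark, or any poster in this thread), here is the 5.1.4 audit and remediation rebuilt around find's own argument passing, which removes both failure modes reported above: the columns of `find -ls` being handed to chmod one word at a time, and a path with a space ("VMware Fusion") being split in two. The Caches/Adobe exclusion is the same policy as the scripts. The function names are my own, and make_sample_tree and the directory names inside it are constructed for the demonstration so the functions can be exercised on a scratch tree instead of /Library.

```shell
#!/bin/sh
# Added example, not part of the JNUC scripts: CIS 5.1.4 audit/remediation
# that never word-splits find output. Exclusions match the thread's policy
# (Caches and Adobe paths are skipped).

# List world-writable directories under $1, skipping Caches and Adobe paths.
find_world_writable_dirs() {
    find "$1" -type d -perm -2 ! -path '*Caches*' ! -path '*Adobe*'
}

# Audit: print the number of offending directories (0 means 5.1.4 passes).
audit_5_1_4() {
    find_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Remediate: strip other-write from each offender and everything below it.
# find passes the paths straight to chmod (-exec ... {} +), so spaces in a
# path and the extra columns of "find -ls" can no longer become bogus
# chmod arguments.
remediate_5_1_4() {
    find "$1" -type d -perm -2 ! -path '*Caches*' ! -path '*Adobe*' \
        -exec chmod -R o-w {} +
}

# Constructed scratch tree reproducing the two failure modes from the thread:
# a world-writable dir with a space in its path, plus Adobe and Caches dirs
# that must be left alone. Directory names are invented for the demo.
make_sample_tree() {
    root="$1"
    ( umask 022
      mkdir -p "$root/Application Support/VMware Fusion/Shared" \
               "$root/Application Support/Adobe/Uninstall/x.app" \
               "$root/Caches/junk"
      chmod 777 "$root/Application Support/VMware Fusion/Shared" \
                "$root/Application Support/Adobe/Uninstall/x.app" \
                "$root/Caches/junk" )
}

# Stand-alone run against a temporary tree rather than the real /Library.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "before: $(audit_5_1_4 "$tmp") world-writable dir(s)"
    remediate_5_1_4 "$tmp"
    echo "after:  $(audit_5_1_4 "$tmp") world-writable dir(s)"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the scratch tree go from one offender to zero while the Adobe directory stays untouched; on a real machine, call `audit_5_1_4 /Library` in the Step 2 script and `remediate_5_1_4 /Library` (as root) in Step 3. Note that `chmod -R` also strips other-write from files beneath each offending directory, which is what the original loop intended.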


I'll start looking at the new scripts as soon as I can. Is there any thought on how to meet the Local Account password requirements from CIS without messing with AD accounts? The official CIS script has a section to create the plist file for pwpolicy, but I am not sure how to limit the enforcement to only local accounts over UID 500. Any chance that you could add that part of their script into the JAMF scripts?

Thanks,

Jason


Afraid we just use AD here, so no help there.

We do still use pwpolicy for the local account, mostly just to keep the auditors happy, since we can legitimately say we're doing it across the board including local admin accounts.


(also, just to clarify - the NIST scripts != CIS. Looks like they're based on an internal NIST guide? But definitely a different baseline than CIS.)


@Taylor.Armstrong The benchmark I worked against was CIS 10.11 v1.0.0. I'd definitely like to keep it updated when the 10.12 iteration is released.

@jason.bracy I have an outstanding "feature request" to myself to work on password compliance reporting, but I'm not sure what combination works best just yet. I do want to point out that NIST and CIS are not the same entity, and your organizational mileage may vary between the two sets of recommendations.


Thanks @kenglish. Just wanted to verify since I know I'll be asked when I bring this up at our weekly change control meeting :)

FWIW, the CIS group bumped up their schedule - I believe initial release of the 10.12 baseline is scheduled for later this month; they're really picking up the pace compared to previous OSes.


Wow! Can't believe that I overlooked that. TOO MANY ACRONYMS! CIS, NIST, DFARS, STIG. However since NIST is the one that is producing the requirements that we need to comply with by 12/2017, then maybe it's not a bad thing.


FWIW, it would be great if the level 2 controls from CIS could be added in, but after reviewing today, once I separated out our deviations, there's only about a dozen or so left. This week's project will be attempting to incorporate those into your framework.


@Taylor.Armstrong Looks like they have released the 10.12 benchmark - or at least it has been accepted for publication.


@jason.bracy No sign of the 10.12 benchmark on the CIS site yet. As soon as it is, I'll be updating my own repo.


Not quite yet, but I'll definitely update this discussion once we submit it for release :) Give it about 2 more weeks if the current schedule holds...


OK, I figured out part of the problem. I was testing the scripts with my local admin account. The home folder for this account is in /private/var/. Apparently part of the script writes user preferences to /Users/$LOGGEDINUSER/Library/Preferences. So I will look at testing with a standard user later today.


@jason.bracy That's very helpful, thanks. I can add logic to figure out the user path if it's in some non-standard location.


Nice catch Jason. Our "normal" accounts don't follow that rule, but our Casper service account does, so it potentially might arise at some point in time.


@kenglish The other item that seems to be an issue is:

# 5.10 Require an administrator password to access system-wide preferences
# Verify organizational score
Audit5_10="$(defaults read "$plistlocation" OrgScore5_10)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_10" = "1" ]; then
    adminSysPrefs="$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep -c "true")"
    if [ "$adminSysPrefs" = "1" ]; then
        defaults write /tmp/system.preferences.plist shared -bool true
    else
        echo "5.10 passed"
    fi
fi

There doesn't seem to be a step that writes to the "security authorizationdb". This command seems to just write it to the tmp location, but never merges it to the actual authorizationdb. I think that the remediation command should actually be:

defaults write system.preferences.plist shared -bool false
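As an added example, not part of the JNUC scripts and not Jason's suggested one-liner, here is a 5.10 check and remediation that closes the loop the snippet above leaves open: the rule is read out of the authorization database, the `shared` flag is flipped, and the edited plist is piped back into `security authorizationdb write`, which takes the rule plist on stdin. SAMPLE_RIGHT is a constructed, abbreviated copy of what `security authorizationdb read system.preferences` prints on a default install (shared = true); the function names are my own, and the write step needs root on a real Mac.

```shell
#!/bin/sh
# Added example, not from the JNUC scripts: CIS 5.10 end to end. The thread's
# snippet writes a plist to /tmp and never merges it back; the fix is to
# read the rule, edit it, and feed it to `security authorizationdb write`.
# Assumes the macOS `security` CLI; SAMPLE_RIGHT is a constructed sample.

RIGHT="system.preferences"

# Constructed, abbreviated copy of the default system.preferences rule.
SAMPLE_RIGHT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <true/>
    <key>timeout</key>
    <integer>2147483647</integer>
</dict>
</plist>'

# Audit: exit 0 when the right is NOT shared, i.e. an admin password is
# required every time a system-wide preference pane is unlocked.
audit_5_10() {
    shared=$(printf '%s\n' "$1" | grep -A1 '<key>shared</key>' | grep -c '<true/>' || true)
    [ "$shared" = "0" ]
}

# Edit: flip only the boolean that follows <key>shared</key> to <false/>,
# leaving every other key of the rule (timeout, group, class...) untouched.
set_shared_false() {
    printf '%s\n' "$1" | sed '/<key>shared<\/key>/{n;s#<true/>#<false/>#;}'
}

# Remediate on a live system (run as root): read, edit, write back.
remediate_5_10() {
    current=$(security authorizationdb read "$RIGHT" 2>/dev/null) || return 1
    if audit_5_10 "$current"; then
        echo "5.10 passed"
        return 0
    fi
    set_shared_false "$current" | security authorizationdb write "$RIGHT"
}

# Stand-alone run against the constructed sample (no `security` needed).
if audit_5_10 "$SAMPLE_RIGHT"; then
    echo "sample: 5.10 passed"
else
    echo "sample: shared=true, rule would be rewritten with:"
    set_shared_false "$SAMPLE_RIGHT" | grep -A1 '<key>shared</key>'
fi
```

The audit deliberately keys on the `<key>shared</key>` line rather than a bare `shared`, so it cannot be fooled by the word appearing in the rule's comment string; after `remediate_5_10` runs, re-running the audit against a fresh `security authorizationdb read` is the check that the change actually landed.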