
So, to test the CIS Compliance scripts linked to in the presentation, I built a clean Mac with 10.11.6 and ran the scripts unaltered. However, I received several errors, and when re-running the CIS tool, while some settings were changed, many still fail the test.

Looking at the Terminal output and the logs, it looks like the defaults commands are failing (and yes, I did run the scripts with sudo). Also a suggestion... Since the scripts seem to be performing the settings only on the currently logged-in user, I would suggest adding a loop that runs the commands on all users as well as all of the Template files.

Just wondering if anyone has had any success with these scripts? It is a huge step forward for me, but until I can get all of the settings to configure correctly, there will still be some work to do.

@kenglish

I think I've figured out a couple of the issues with the remediation script:

For the 5.10 remediation you need the following (thanks @rtrouton https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/):

security authorizationdb read system.preferences > /tmp/system.preferences.plist
defaults write /tmp/system.preferences.plist shared -bool false
security authorizationdb write system.preferences < /tmp/system.preferences.plist

Then for any of the user level preferences to actually take effect you need to add

killall cfprefsd

If you don't kill cfprefsd, then the changes are overwritten by the current settings. Haven't tested it, so you might also need to do a

killall -u $LOGGEDINUSER cfprefsd
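As an added example (not code from the post above or from anyone's CIS repo), here is the same 5.10 change done as a script: the right definition from `security authorizationdb read` is edited in memory with Python's plistlib rather than through a world-readable file in /tmp and `defaults write`, written back with `security authorizationdb write`, and then read again to confirm the change took. The sample right definition is constructed for the demo; the `security` calls only run on macOS and the write needs root. Nothing here touches cfprefsd.

```python
#!/usr/bin/env python3
"""Lock the system.preferences authorization right ('shared' -> false).

Edits the right definition in memory, writes it back through the
security tool, and reads it back to verify. macOS only; run with sudo.
"""
import plistlib
import subprocess
import sys

RIGHT = "system.preferences"

# Constructed sample of what `security authorizationdb read system.preferences`
# prints on a stock system; only the keys needed for the demo are included.
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key><string>user</string>
    <key>group</key><string>admin</string>
    <key>shared</key><true/>
    <key>timeout</key><integer>2147483647</integer>
</dict>
</plist>
"""


def load_right(plist_bytes: bytes) -> dict:
    """Parse the XML plist that `security authorizationdb read` emits."""
    return plistlib.loads(plist_bytes)


def shared_is_unlocked(plist_bytes: bytes) -> bool:
    """True when system-wide preference panes unlock without an admin password.

    A missing 'shared' key is treated as unlocked (fail closed), so that
    remediation always writes an explicit false rather than assuming a default.
    """
    return bool(load_right(plist_bytes).get("shared", True))


def set_shared_false(plist_bytes: bytes) -> bytes:
    """Return the same right definition with only 'shared' changed."""
    right = load_right(plist_bytes)
    right["shared"] = False
    return plistlib.dumps(right)


def read_right(name: str = RIGHT) -> bytes:
    # Reading the database works unprivileged; writing it needs root.
    return subprocess.run(["security", "authorizationdb", "read", name],
                          capture_output=True, check=True).stdout


def write_right(plist_bytes: bytes, name: str = RIGHT) -> None:
    # `security authorizationdb write <right>` takes the new definition on stdin.
    subprocess.run(["security", "authorizationdb", "write", name],
                   input=plist_bytes, capture_output=True, check=True)


def remediate(name: str = RIGHT) -> bool:
    """Fix the right if needed; report whether the read-back shows it locked."""
    before = read_right(name)
    if shared_is_unlocked(before):
        write_right(set_shared_false(before), name)
    return not shared_is_unlocked(read_right(name))


if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("authorizationdb only exists on macOS; run this with sudo on the Mac")
    print(f"{RIGHT}: {'locked' if remediate() else 'STILL UNLOCKED'}")
```

The read-back at the end is the part worth keeping whatever tooling you use: a remediation that does not re-read the right it just wrote has no evidence the write succeeded.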

@jason.bracy

Sorry, I have to post this here. Please do not kill the cfprefsd process.

This was a dirty hack to refresh the preferences memory cache from 10.9, and doing so causes more potential harm than good. But don't just take my word on it: it was covered in the JNUC 2016 talk by @bentoms and @james_ridsdale.


@franton

I appreciate the comment and the link, however using "killall cfprefsd" is the only way that I have been able to retain changes made to certain preferences when changing them with defaults. If you have a better way to make the changes stick, then please share.


Ok. Authorisation database changes do not need cfprefsd restarted to take effect. Everything else can be done with configuration profiles, which is Apple's preferred method of applying preferences. I only include the defaults commands in my CIS repo for the sake of clarity.

When I get to implement this on the system I'm working on, it'll be via profiles ... at least the stuff that can be done via profiles. The rest will be scripts to run command line tools.


CIS Benchmark for macOS 10.12 is out.


Thanks franton - wasn't scheduled to be released until tomorrow, but looks like it is up early...


@Taylor.Armstrong I logged in and there it was!


@franton Appreciate the reply (Sorry for the delay in answering, I was traveling all last week)

I would also like to use profiles for configuring CIS requirements; however, unfortunately our Cyber Sec team want the CIS tool to show the results of the test, and the current implementation of the tools does not read profiles - it doesn't even read the authorizationdb settings correctly.

I also have to deal with Macs in Secure areas and off network that do not have access to the JSS, so need to have a manual script that can run on those machines.

Obviously profiles are the best way to go, but as we are all learning in regards to compliance: Security ≠ Compliance. If the compliance audit tool can't read the settings, then we aren't compliant.


@jason.bracy That's why I suggested having a look at my own CIS repo. I've EAs that do work with profiles. I currently work in Finance, where that is a requirement also.


BTW, others in this thread may already have seen, but since I just got back from vacation and hadn't seen a notice, video of Katie's presentation is up.

https://www.jamf.com/resources/digging-into-security-compliance-and-reporting/

@kenglish : I'm going to try to go through and flag the deltas between the 10.11 and 10.12 CIS benchmarks in the next couple of days, if you haven't had a chance to do so yet I'm happy to share if you'd like. My task for the next couple of weeks is to tweak the scripts for 10.12 as needed, along with pushing through review and approval of the 10.12 benchmark on our campus here for adoption.


@kenglish I'm getting the same errors:

2019-10-29 15:57:28.637 defaults[1636:24616]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2019-10-29 15:57:28.718 defaults[1640:24628]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2019-10-29 15:57:28.741 defaults[1641:24631]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2.4.6 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist

Lots like this.

Running this version of the script:

written by Katie English, Jamf October 2016
updated for 10.12 CIS benchmarks by Katie English, Jamf February 2017
updated by Laurent Pertois, Jamf September 2018
github.com/jamfprofessionalservices

User is on Catalina.

Is there an updated script anywhere that fixes these errors?


Hi, any updates to fixing Executing Policy CIS Baseline Scripts - Self Service

Script result:

2022-05-02 09:09:11.378 defaults[7261:67192]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_1) does not exist
2022-05-02 09:09:11.392 defaults[7262:67203]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_2) does not exist
2022-05-02 09:09:11.404 defaults[7264:67208]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_3) does not exist
2022-05-02 09:09:11.416 defaults[7265:67213]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_4) does not exist
2022-05-02 09:09:11.429 defaults[7266:67216]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_5) does not exist
2022-05-02 09:09:11.442 defaults[7267:67220]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_6) does not exist
2022-05-02 09:09:11.454 defaults[7268:67223]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore2_1_1) does not exist


We have validated that this path does exist, yet the GitHub CIS scripts seem not to see it. Every control is showing the "does not exist" error.

/Library/Application Support/SecurityScoring/org_security_score.plist
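For triaging output like the Catalina run earlier in the thread and the 2022 run just above, here is an added example (not part of the thread or of the Jamf scripts) that pulls the `defaults` "does not exist" pairs, the PlistBuddy "Does Not Exist" entries and the "<item> passed" lines out of the log and groups the missing keys by domain. `defaults read <domain> <key>` prints that message whenever the pair is not found, so the file being present at the path is not by itself evidence that the key is in it; `plutil -p <file>` lists what it actually holds. The sample text is copied from the two posts; the "failed"/"fails" verdict wording is a guess, since only "passed" appears on the page, and the OrgScore rule assumes the scoring plist is expected to contain one OrgScore key per benchmark item.

```python
#!/usr/bin/env python3
"""Summarise a run of the CIS audit script from its log text.

`defaults read <domain> <key>` prints
  "The domain/default pair of (<domain>, <key>) does not exist"
when the pair is not found; PlistBuddy prints
  'Print: Entry, ":<key>", Does Not Exist'
for the same situation.
"""
import re
from collections import defaultdict

DEFAULTS_MISSING = re.compile(
    r"The domain/default pair of \((?P<domain>.+?), (?P<key>[^,)]+)\) does not exist")
PLISTBUDDY_MISSING = re.compile(r'Print: Entry, ":(?P<key>[^"]+)", Does Not Exist')
# Verdict wording is assumed: the thread only shows "2.4.6 passed".
ITEM_VERDICT = re.compile(r"(?m)^(?P<item>\d+(?:\.\d+)+) (?P<verdict>passed|failed|fails)\s*$")

SCORING_PLIST = "org_security_score.plist"  # file named in the 2022 post

# Sample input copied from the two posts in the thread (2022 run truncated).
SAMPLE_2019 = """\
2019-10-29 15:57:28.637 defaults[1636:24616]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2019-10-29 15:57:28.718 defaults[1640:24628]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2019-10-29 15:57:28.741 defaults[1641:24631]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2.4.6 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist
"""
SAMPLE_2022 = """\
2022-05-02 09:09:11.378 defaults[7261:67192]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_1) does not exist
2022-05-02 09:09:11.392 defaults[7262:67203]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_2) does not exist
2022-05-02 09:09:11.454 defaults[7268:67223]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore2_1_1) does not exist
"""


def parse_audit_output(text: str) -> dict:
    """Group missing defaults keys by domain; collect PlistBuddy misses and verdicts."""
    missing = defaultdict(list)
    for m in DEFAULTS_MISSING.finditer(text):
        missing[m["domain"]].append(m["key"])
    return {
        "missing": dict(missing),
        "plistbuddy_missing": [m["key"] for m in PLISTBUDDY_MISSING.finditer(text)],
        "verdicts": {m["item"]: m["verdict"] for m in ITEM_VERDICT.finditer(text)},
    }


def diagnose(summary: dict) -> list:
    """One (domain, finding) pair per domain that had missing keys."""
    findings = []
    for domain, keys in summary["missing"].items():
        if domain.endswith(SCORING_PLIST) and all(k.startswith("OrgScore") for k in keys):
            # Assumption: the scoring plist is meant to hold one OrgScore key per
            # item. Every lookup failing means the file holds none of them, whether
            # or not the file itself exists; check with `plutil -p <file>`.
            findings.append((domain, "scoring_keys_absent"))
        else:
            # The key was simply never written in that domain (e.g. a hot corner
            # that was never configured for that user).
            findings.append((domain, "keys_never_set"))
    return findings


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_2019 + SAMPLE_2022
    summary = parse_audit_output(text)
    for domain, keys in summary["missing"].items():
        print(f"{domain}: missing {sorted(set(keys))}")
    print("PlistBuddy missing:", summary["plistbuddy_missing"])
    print("verdicts:", summary["verdicts"])
    for domain, finding in diagnose(summary):
        print(f"{finding}: {domain}")
```

Feed it a saved policy log on stdin (`python3 triage.py < policy.log`); with no stdin it runs over the two samples from the thread.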