CIS 10.12.x (Sierra) Benchmarks - Locking up...

cainehorr
Contributor III

Anyone else using CIS Benchmark scripts for Jamf written by @kenglish?

We're running the CIS scripts found here: https://github.com/jamfprofessionalservices/CIS-for-macOS-Sierra

After the scripts are run and the machine is rebooted, it hangs after FileVault login and won't log in.

After we reinstall Sierra (or High Sierra) on top of itself, it seems to resolve the issue.

At first I thought it was related to 10.12.6 but when we tried on 10.12.5, the same issues occurred.

We're also finding that it takes several passes to get from 0% compliance down to 30+ failures and then down to 7-8 failures that never quite resolve.

Would love some discussion and insight here.

Thanks!

PS - Here are the failures...

CIS Audit Count: 7
CIS Audit List:
2.3.4 Set a screen corner to Start Screen Saver
2.5.1 Disable Wake for network access
2.5.2 Disable sleeping the computer when connected to power
5.4 Automatically lock the login keychain for inactivity
5.12 Create a custom message for the Login Screen
5.13 Create a Login window banner
6.2 Turn on filename extensions

According to https://github.com/jamfprofessionalservices/CIS-for-macOS-Sierra/blob/master/README.md, the following is expected...

5.13 Create a Login window banner

Everything else... Hmmm...

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!
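Since several of the listed items keep failing across passes, it helps to look at what the audit actually tests. The following is an added example (not code from the CIS-for-macOS-Sierra repository) that audits 2.5.1, 2.5.2, 5.12 and 5.13 from captured command output, so the pass/fail logic can be read and exercised without running `pmset` or `defaults` on the host; the expected values (womp=0, sleep=0, a non-empty LoginwindowText, a PolicyBanner file in /Library/Security) are assumptions matching the item wording, and the sample `pmset -g` output is constructed.

```shell
#!/bin/sh
# Added example, not code from the CIS-for-macOS-Sierra repository.
# On a Mac the inputs would come from:
#   pmset -g
#   defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>&1
#   /Library/Security   (directory that should hold PolicyBanner.txt/.rtf/.rtfd)

# 2.5.1 / 2.5.2: from `pmset -g` output, require womp=0 (no wake for network
# access) and sleep=0 (never sleep on AC power). Prints each failing item,
# returns 0 only when both pass.
audit_pmset() {
    womp=$(printf '%s\n' "$1" | awk '$1 == "womp"  { print $2 }')
    slp=$(printf '%s\n' "$1" | awk '$1 == "sleep" { print $2 }')
    rc=0
    [ "$womp" = "0" ] || { echo "FAIL 2.5.1 womp=${womp:-missing}"; rc=1; }
    [ "$slp" = "0" ]  || { echo "FAIL 2.5.2 sleep=${slp:-missing}"; rc=1; }
    return $rc
}

# 5.12: the LoginwindowText value must be a non-empty string. A missing key
# makes `defaults read` print "does not exist" (on stderr, hence the 2>&1).
audit_login_text() {
    case "$1" in
        ""|*"does not exist"*) echo "FAIL 5.12 no login window text"; return 1 ;;
    esac
    return 0
}

# 5.13: a PolicyBanner file must exist in the given security directory.
audit_policy_banner() {
    for f in "$1/PolicyBanner.txt" "$1/PolicyBanner.rtf" "$1/PolicyBanner.rtfd"; do
        [ -e "$f" ] && return 0
    done
    echo "FAIL 5.13 no PolicyBanner in $1"
    return 1
}

# Constructed sample of `pmset -g` output (not captured from a real machine):
# wake-on-LAN is still on, so 2.5.1 fails while 2.5.2 passes.
SAMPLE_PMSET='Currently in use:
 womp                 1
 sleep                0 (sleep prevented by sharingd)
 displaysleep         10'

# Demo run when executed directly.
audit_pmset "$SAMPLE_PMSET" || true
```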


Taylor_Armstron
Valued Contributor

Similar experience here, although without the lock-up, but consistently several issues that never get resolved.

We do have a fair number of exceptions to the policy though, so one of those may be what is causing the issue on your end.

walts_9
New Contributor III

@cainehorr I have the same problem with the FileVault login hanging. I've tried running verbose mode on the computers I'm testing with, but I'm not seeing any errors there. Did you notice that this happens after running the 3_Security_Remediation.sh or earlier in the process? I'm trying to narrow it down to the remediation script (which would make the most sense) and then go back through each remediation to see if one of those is causing the hanging issue.

Edit: I'm pretty sure it is something in the remediation script. I just remembered that in my testing after reinstalling Sierra I was able to log in with no issue, but then following the application of the 3_Security_Remediation.sh the FileVault login hangs again after restarting.

mrben
New Contributor III

Yeah, I wouldn't rely entirely on this for CIS. Many of the controls should be handled with configuration profiles instead of shell execs.

cainehorr
Contributor III

@mrben Unfortunately, config profiles are too inclusive as they bundle more than what's needed and they don't necessarily address the various CIS benchmarks in question. Great idea in theory, but not necessarily in practice.

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

rastogisagar123
Contributor II

What are the best practices to implement CIS benchmarks? Do we need to implement via scripts or configuration profiles?

Please suggest.

Sagar Rastogi