CIS 2.3.2 Ensure Screen Saver Corners Are Secure (Automated)

donmontalvo
Esteemed Contributor III

Both CIS and Tenable provide a configuration profile method to undo any hot corner set to disable screen saver.

CIS uses <≠6>

[screenshot: DonM 2022-09-02 at 14.15.54.png]

Tenable uses <!=6>

[screenshot: DonM 2022-09-02 at 14.21.49.png]

Neither seems to work. Anyone have any luck with this?

--
https://donmontalvo.com
1 ACCEPTED SOLUTION

Just took a look at both.

I think what you’re seeing are examples of how not to write documentation. They’re trying to tell you “something other than 6” or “not 6”. I don’t think they intend you to use those as actual values.

Integers ≠ strings.


13 REPLIES

talkingmoose
Moderator

I’m not familiar with either of those management systems, but those values are not integers. They may be doing some proprietary magic on their end to make this work.

In my testing, setting the corner to the “ - “ in the dropdown list changes the plist value to “1”. I know of no way to disable a single property in a list of properties — just how to enforce a single property.

And I haven’t tested whether a profile enforces these properties.

1 = -
2 = Mission Control
3 = Application Windows
4 = Desktop
5 = Start Screen Saver
6 = Disable Screen Saver
10 = Put Display to Sleep
11 = Launchpad
12 = Notification Center
13 = Lock Screen
14 = Quick Note

donmontalvo
Esteemed Contributor III

Yep, someone told me it's possible to undo a corner if it is set to 6 using a configuration profile and sent me the info, so I thought I'd give it a shot.
CIS
Tenable

The way we've always done it is to monitor for corners that are set to 6, and set to 0.
It would be fantastic if this could be automated using a Configuration Profile some day.

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

I agree.

”I’m gonna write a stupid article.” - CIS

“Hold my beer.” - Tenable

 

--
https://donmontalvo.com

mm2270
Legendary Contributor III

I use this and it works perfectly for me.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>wvous-bl-corner</key>
    <integer>1</integer>
    <key>wvous-bl-modifier</key>
    <integer>0</integer>
    <key>wvous-br-corner</key>
    <integer>1</integer>
    <key>wvous-br-modifier</key>
    <integer>0</integer>
    <key>wvous-tl-corner</key>
    <integer>1</integer>
    <key>wvous-tl-modifier</key>
    <integer>0</integer>
    <key>wvous-tr-corner</key>
    <integer>1</integer>
    <key>wvous-tr-modifier</key>
    <integer>0</integer>
  </dict>
</plist>

By "perfectly" I should note that the GUI for the screen corners is never grayed out, but any changes to the screen corners do not stick, so it has the same effect: no screen corners can be set.

donmontalvo
Esteemed Contributor III

@mm2270 nice, but see my last post. Unfortunately Apple hasn't provided a way to unset any corner set to 6, using a configuration profile. #sigh

You coming to JNUC 2022?

--
https://donmontalvo.com

SCCM
Contributor III
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>wvous-bl-corner</key>
	<integer>0</integer>
	<key>wvous-br-corner</key>
	<integer>0</integer>
	<key>wvous-tl-corner</key>
	<integer>0</integer>
	<key>wvous-tr-corner</key>
	<integer>0</integer>
</dict>
</plist>

The above should work (custom payload). They can set a hot corner, but when they exit the screen it will have cleared it.

donmontalvo
Esteemed Contributor III

@SCCM thanks, but we aren't looking to "lock down" all of the hot corners. Using a Custom Payload won't work; it'll just be converted to a Dock payload, not that it matters in this case.

We are going to stick to the current method of using an EA to determine if a user has any of the hot corners set to 6, and if so use a script to set it to 0.

We want users to have a choice, we just can't allow 6 for security reasons.

For our use case, configuration profiles aren't an option.

--
https://donmontalvo.com

mm2270
Legendary Contributor III

I see what you're after now @donmontalvo. Yeah, unfortunately given the on/off permanent nature of most Configuration Profile settings, using a profile for this won't work if you want to allow users to choose options other than "Start screen saver". So a script will be your best option in this case.

In our case we just made the decision that no-one can use any hot corners and disabled them all for security reasons (bank environment).

I don't suppose you would be willing or able to share the EA, policies, and scripts for doing this?

Nate1
New Contributor III

Hey @davidi4 

Here's our extension attribute that runs a script:

#!/bin/bash
# Jamf extension attribute: "yes" if any of the console user's four hot
# corners is set to 6 (Disable Screen Saver), otherwise "no".
user=$(stat -f %Su /dev/console)
plist="/Users/$user/Library/Preferences/com.apple.dock.plist"
result="no"
for corner in tl tr bl br; do
    value=$(defaults read "$plist" "wvous-${corner}-corner" 2>/dev/null)
    if [[ "$value" == "6" ]]; then
        result="yes"
        break
    fi
done
echo "<result>$result</result>"

 

From there, just create a smart group that checks for the extension attribute you named (have it look for "yes").

Then run your script to remove or reset the dock for those machines.



SCCM
Contributor III

@donmontalvo fair enough, but with the way you're setting it, does it even pass a CIS audit? How frequently have you got your inventory set, i.e. daily / weekly? The user will have the setting available to them up until it checks in and reports the change. You'd probably be better off creating a launch daemon running locally which just changes the setting if found on a defaults read of com.apple.dock.

Like @mm2270 we just disabled it, as the auditors said allowing it to be set for the day wasn't good enough, and we wanted to limit the number of daemons running.

donmontalvo
Esteemed Contributor III

Having an active EA to identify when someone's hot corner is set to disable screen lock, with a script to remove the setting has been enough to pass audit in most companies. I submitted through Feedback Assistant (FB11558798) a request to give us a way to unset if someone sets it, so it's manageable using a Configuration Profile.

--
https://donmontalvo.com