Posted on 01-31-2018 04:04 PM
Hey everyone, there is a recommendation in the CIS benchmark about securing home folders. The command they want you to use in order to achieve this is sudo chmod -R og-rwx /Users/$Username. I have an issue with changing home folder perms as it can cause unexpected behaviors, but this specific command they prescribe concerns me, as if run by the JSS as root it will actually lock out the other users, making them unable to access their files, desktop, etc. Anyone else having to comply with CIS that is having issues with the recommendation?
Posted on 01-31-2018 07:51 PM
The command should be fine as it is only modifying permissions on the directories and not changing ownership. POSIX permissions usually take the form of ugo, where u is the user or owner of the file/directory, g is the group and o is other. The command is removing read, write and execute permissions from the group and other on the home directory recursively, leaving the user permissions intact. As with anything, you should try this on a test user before applying it to all user home directories.
Posted on 01-31-2018 08:54 PM
Correct, but as I have pointed out, changing permissions on the home folder can cause unexpected outcomes. Currently I have tested this on multiple machines, all of which are AD-bound Macs with a mobile profile created. After changing the permissions, all applications become unusable, and after logging out or rebooting you are taken to a screen where only your wallpaper exists and nothing else. My thoughts are that it has something to do with the mobile profile created.
Posted on 01-31-2018 09:16 PM
For 5.1.1 Secure Home Folders (Scored), we usually run two commands using a loop.
The first command is supported by Apple (Resolve issues caused by changing the permissions of items in your home folder), although you'd think they could mention this in man diskutil. Yes, opened a ticket with them.
The second command locks the top level of each user's home directory. Not sure it's necessary to go beyond the top level of any user's home directory. If you can get past that level you've got the keys to the farm.
#!/bin/bash
# Local accounts with a UID above 500 (skips system and service accounts)
over500=$( dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }' )
# Loop through existing users' home directories
for u in $over500;
do
    if [[ -d /Users/"${u}" ]];
    then
        echo "Repairing permissions for $u..."
        # Apple-supported reset of ownership and ACLs inside the home folder
        /usr/sbin/diskutil resetUserPermissions / "${u}"
        # Lock down the top level of the home directory only (not recursive)
        /bin/chmod 700 /Users/"${u}"
        echo "Completed repair of permissions for $u."
        echo "++++++++++++++++++++++++++++++++++++"
    fi
done
exit 0
Sample result on a LAB Mac bound to AD...
This is how the permissions look by default:
# ls -l /Users | grep -v Shared
total 32
drwxr-xr-x+ 16 user2 DOMAIN\Domain Users 512 Jan 31 21:38 user2/
drwxr-xr-x 24 admin admin 768 Jan 31 21:42 admin/
drwxr-xr-x+ 48 user1 staff 1536 Jan 31 20:23 user1/
#
Script runs...
# /tmp/test.sh
Repairing permissions for user2...
Ready to reset user permissions on disk1s1 Macintosh HD
Started verify/repair permissions on disk1s1 Macintosh HD
User permissions have been reset
Finished verify/repair permissions on disk1s1 Macintosh HD
Completed repair of permissions for user2.
++++++++++++++++++++++++++++++++++++
Repairing permissions for admin...
Ready to reset user permissions on disk1s1 Macintosh HD
Started verify/repair permissions on disk1s1 Macintosh HD
User permissions have been reset
Finished verify/repair permissions on disk1s1 Macintosh HD
Completed repair of permissions for admin.
++++++++++++++++++++++++++++++++++++
Repairing permissions for user1...
Ready to reset user permissions on disk1s1 Macintosh HD
Started verify/repair permissions on disk1s1 Macintosh HD
User permissions have been reset
Finished verify/repair permissions on disk1s1 Macintosh HD
Completed repair of permissions for user1.
++++++++++++++++++++++++++++++++++++
This is how permissions now look:
# ls -l /Users | grep -v Shared
total 32
drwx------+ 16 user2 DOMAIN\Domain Users 512 Jan 31 21:38 user2/
drwx------ 24 admin admin 768 Jan 31 21:42 admin/
drwx------+ 48 user1 staff 1536 Jan 31 20:23 user1/
#
If a user has admin rights, getting into users' data is trivial, so all bets are off, assuming you've got physical access and are either a FileVault 2 enabled user on the computer or have access to Jamf Pro. Which is why it's safer to use another service controlled by your Security team (cauliflowervest, McAfee, etc.) to escrow FileVault 2 and BitLocker keys.
Rest assured, if and when there is a breach, no amount of "But <redacted> told us at JNUC that we should give everyone admin rights" pleading can keep you from losing your job.
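To turn the two commands above into something that can be run and then checked, here is an added example (my own, not the script from the post above and not anything from CIS or Apple). It audits the top level of each home directory for any group/other bits, runs diskutil resetUserPermissions followed by chmod 700 on the top level only for the homes that are still open, and re-audits. The recursive chmod -R from the benchmark text is deliberately absent. Assumptions not in the thread: each home path is read from the account's NFSHomeDirectory attribute instead of being assumed to be /Users/<name>, and DRY_RUN=1 is a made-up switch that only prints what would be done. The needs_fix and audit_home checks use nothing but ls and cut, so they can be exercised on any Unix; the enumeration and remediation need macOS.

```shell
#!/bin/sh
# Added example, not the poster's script: audit, remediate (top level only),
# re-audit home directories for CIS 5.1.1. DRY_RUN=1 (hypothetical knob)
# prints instead of changing anything.

# needs_fix MODE: true (0) when any group or other rwx bit is set.
# MODE is the first field of `ls -ld`, e.g. "drwxr-xr-x+"; characters 5-10
# are group rwx + other rwx; a trailing '+' or '@' (ACL, xattr) is ignored.
needs_fix() {
    go=$(printf '%s' "$1" | cut -c5-10)
    [ "$go" != "------" ]
}

# audit_home DIR: print OK/FIX with the mode; return 0 if closed, 1 if open.
audit_home() {
    dir=$1
    mode=$(ls -ld -- "$dir" | awk '{ print $1 }')
    if needs_fix "$mode"; then
        printf 'FIX %s %s\n' "$mode" "$dir"
        return 1
    fi
    printf 'OK  %s %s\n' "$mode" "$dir"
    return 0
}

# remediate_home DIR USER: Apple's reset of ownership/ACLs inside the home,
# then close only the top level (same order as the post, never chmod -R).
remediate_home() {
    dir=$1
    user=$2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: diskutil resetUserPermissions / %s; chmod 700 %s\n' "$user" "$dir"
        return 0
    fi
    /usr/sbin/diskutil resetUserPermissions / "$user" || return 1
    /bin/chmod 700 -- "$dir"
}

# home_of USER: the account's NFSHomeDirectory (macOS only; assumes no spaces).
home_of() {
    dscl . -read "/Users/$1" NFSHomeDirectory 2>/dev/null | awk '{ print $2 }'
}

# run_all: for every local account with UID > 500 that has a home directory,
# audit, remediate if open, re-audit. Non-zero if any home is still open.
run_all() {
    rc=0
    for u in $(dscl . -list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
        home=$(home_of "$u")
        [ -d "$home" ] || continue
        if ! audit_home "$home"; then
            remediate_home "$home" "$u" || { rc=1; continue; }
            audit_home "$home" || rc=1
        fi
    done
    return $rc
}

# Enumeration needs dscl, so the full run only happens on macOS.
if [ "$(uname)" = Darwin ]; then
    run_all
fi
```

Run it as root on a test Mac first (diskutil resetUserPermissions and chmod on other users' homes need it), ideally with DRY_RUN=1 to see which accounts it would touch; a mobile AD account will show up with its DOMAIN\Domain Users group just like in the ls output above, and only the top-level mode changes.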
Posted on 01-31-2018 11:02 PM
Thanks, I'll take a look at your method for this. I've noticed that some stuff like this isn't included in the man pages. And on the note of CIS, I have to extend the logging on the machines, but SIP is already enabled and that is blocking me from changing the log prefs. Is there any loophole in SIP I can use to extend logging from the default to 90 days?
Posted on 02-01-2018 07:55 AM
So just to clarify, I can run the below then and that's it?
echo "Setting user home permissions"
sudo chmod og-rwx /Users/$Username
over500=$( dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }' )
# Loop through existing users' home directories
for u in $over500;
do
if [[ -d /Users/"${u}" ]];
then
echo "Repairing permissions for $u..."
/usr/sbin/diskutil resetUserPermissions / "${u}"
/bin/chmod 700 /Users/"${u}"
echo "Completed repair of permissions for $u."
echo "++++++++++++++++++++++++++++++++++++"
fi
done
exit 0
Posted on 10-10-2018 03:10 AM
What are the best practices to implement CIS benchmarks? Do we need to implement them via scripts or configuration profiles? Please suggest.
Posted on 06-16-2022 12:25 PM
I would say a configuration profile is the best and easiest way, but there are still some settings for which you cannot use a profile; in that case you have to apply the command via a Jamf policy.