Question

CIS Benchmarks implementation via script vs configuration profiles


rastogisagar123

What might be our direction if we need to implement different benchmarks based on different employees in organisation? If we need to restrict sudo/admin rights for the majority of our users but we have a small percentage of our users that require admin rights would we then just have multiple profiles for different users or would we just remove that profile/benchmark from that small workforce that requires admin rights? We may have a requirement where not every endpoint is the same and will need to allow for “uniqueness” in the environment.

If we deploy a configuration profile vs. a script how do we enforce those profiles so if a user has sudo/admin rights they won’t be able to uninstall our Tanium/Jamf/SEP clients?

2 replies

donmontalvo
  • Legendary Contributor
  • 4293 replies
  • March 11, 2019

Stumbled onto this question during a search for Tanium uninstall.

Have you looked at putting users who have approval for admin rights into an LDAP group, and excluding them from a policy (script) or Configuration Profile?

Don


dolfhoegaerts

You got a few things in here:

For the admin rights settings I would go for Jamf Connect in combination with the Privileges app, and scope this application to the people that may use admin rights, with an approval flow behind it. You can log the reasons why they need the admin rights to syslog as well.

Then you have the prevention of the removal. I would make a smart group/search that mails the support team when that happens. I don't think you can completely prevent this removal, but you can create a procedure for following up on those issues.

