CIS Script implementation for macOS 11 Big Sur

lilwo0ky
New Contributor

Hi all,

I have been tasked with bringing our Mac clients to 75% compliance with the CIS Level 1 benchmark for macOS 11. I am currently using the Jamf-provided scripts (https://github.com/gocardless/CIS-for-macOS-BigSur-CP) to automate rollout to our machines. When I run these scripts manually, the scripts more or less run as they should. However, when trying to roll these out via policy in Jamf, I am only getting around 53% compliance. This is set up in Jamf as a single policy containing the 3 scripts, which runs once per user per computer. For those who have used this script, did you run into a similar issue? I am using our in-house vulnerability scanning tool to check compliance.

 

Just a disclaimer, I am not the Mac admin for our organization, just a guy from security tasked with secure configuration. Hopefully someone here has encountered a similar issue and can help me out

 

Any help is appreciated. 

8 REPLIES 8

Hugonaut
Valued Contributor II

Did you create extension attributes/smart groups (proper scoping)/policies /configuration profiles to compliment the scripts you're running?

For example, In order to maintain compliance you need to pipe the script results (CIS Benchmark compliance results) into extension attributes, then create smart groups predicated upon a computers extension attribute results, then scope policies/configuration profiles to the smart groups in order to remediate the machines.

 

Thats just one way to skin this cat.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

Are those required to do the actual remediation component of the scripts? From what I understood 2.5_Audit_List_Extension and 2.6_Audit_Count were only used for if you wanted to use smart groups to track non-compliant systems (I skipped this because we are using our vulnerability management tool for this task). 

boberito
Valued Contributor

I'm not saying it's perfectly ready for prime time. But the macOS Security Compliance Project is working on CIS compliance. You can check it out under the CIS branch.

https://github.com/usnistgov/macos_security

I'll have to take a look at this. Thanks for the info.

ttyler
New Contributor II

Just in case anyone is looking for this, go to this link to avoid the 404

https://github.com/usnistgov/macos_security/

is there some documentation on how to implement these benchmarks? I'm not a programmer by any stretch of the imagination and new to GH and managing Jamf Pro. I need to understand how I get what these GH repos are sharing into Jamf as a policy. I'm only used to the method of turning on the various config profiles, nothing with the scripting I see in GH. Any directional help would be greatly appreciated!

corydee
New Contributor

^^^ I'm in the same boat as you ReplicantJK - can anyone point to documentation/instructions?

boberito
Valued Contributor

@ReplicantJK @corydee There's a Getting Started on the Wiki https://github.com/usnistgov/macos_security/wiki

Also these two sessions will help some though a bit older

http://docs.macsysadmin.se/2020/video/Day2Session3.mp4

https://www.youtube.com/watch?v=mpEBEelSWlI

They're virtually the same presentation from 2020. 

On top of that if you are a member or can join the Mac Admins slack (https://www.macadmins.org) you can find help in #macos_security_compliance on the project.

This is a platform agnostic project (meant to be used with any MDM) so it will take a little tweaking to work within Jamf itself.