Posted on 08-26-2021 12:05 PM
I have been tasked with bringing our Mac clients to 75% compliance with the CIS Level 1 benchmark for macOS 11. I am currently using the Jamf-provided scripts (https://github.com/gocardless/CIS-for-macOS-BigSur-CP) to automate rollout to our machines. When I run these scripts manually, the scripts more or less run as they should. However, when trying to roll these out via policy in Jamf, I am only getting around 53% compliance. This is set up in Jamf as a single policy containing the 3 scripts, which runs once per user per computer. For those who have used this script, did you run into a similar issue? I am using our in-house vulnerability scanning tool to check compliance.
Just a disclaimer, I am not the Mac admin for our organization, just a guy from security tasked with secure configuration. Hopefully someone here has encountered a similar issue and can help me out
Any help is appreciated.
08-26-2021 01:32 PM - edited 08-26-2021 01:33 PM
Did you create extension attributes/smart groups (proper scoping)/policies /configuration profiles to compliment the scripts you're running?
For example, In order to maintain compliance you need to pipe the script results (CIS Benchmark compliance results) into extension attributes, then create smart groups predicated upon a computers extension attribute results, then scope policies/configuration profiles to the smart groups in order to remediate the machines.
Thats just one way to skin this cat.
Posted on 08-26-2021 02:18 PM
Are those required to do the actual remediation component of the scripts? From what I understood 2.5_Audit_List_Extension and 2.6_Audit_Count were only used for if you wanted to use smart groups to track non-compliant systems (I skipped this because we are using our vulnerability management tool for this task).
Posted on 08-26-2021 02:00 PM
I'm not saying it's perfectly ready for prime time. But the macOS Security Compliance Project is working on CIS compliance. You can check it out under the CIS branch.
Posted on 08-26-2021 02:21 PM
I'll have to take a look at this. Thanks for the info.
Posted on 01-26-2022 11:16 PM
Just in case anyone is looking for this, go to this link to avoid the 404
Posted on 05-10-2022 07:41 AM
is there some documentation on how to implement these benchmarks? I'm not a programmer by any stretch of the imagination and new to GH and managing Jamf Pro. I need to understand how I get what these GH repos are sharing into Jamf as a policy. I'm only used to the method of turning on the various config profiles, nothing with the scripting I see in GH. Any directional help would be greatly appreciated!
Posted on 05-19-2022 08:00 AM
^^^ I'm in the same boat as you ReplicantJK - can anyone point to documentation/instructions?
Posted on 05-19-2022 08:51 AM
@ReplicantJK @corydee There's a Getting Started on the Wiki https://github.com/usnistgov/macos_security/wiki
Also these two sessions will help some though a bit older
They're virtually the same presentation from 2020.
On top of that if you are a member or can join the Mac Admins slack (https://www.macadmins.org) you can find help in #macos_security_compliance on the project.
This is a platform agnostic project (meant to be used with any MDM) so it will take a little tweaking to work within Jamf itself.