CIS Security Benchmark using Casper?

Taylor_Armstron
Valued Contributor

Mostly just hoping to get lucky and find someone who has done this, but before I re-invent the wheel...

Has anyone applied the CIS security baseline on Macs using Casper? I'm looking at implementing it for our 10.11 systems, moving from a previous setup on 10.9 in Centrify. Ideally I'd like to do this via profiles, but expect it will take a mix of approaches.

I saw that DISA has recently released a set of profiles that can simply be dropped into place in Casper, so again, just hoping someone else may have already tackled this before me.

jgodfrey
New Contributor

I am interested in this as well. Please advise if there are any updates.

mwoodruff
New Contributor III

I am aware of a company that helps organizations set up the CIS benchmark on the JSS: https://cmdsec.com/ You might want to reach out to them. They do it for STIG and CIS.

franton
Valued Contributor II

I've been working on most of that, monitored through extension attributes. It's not comprehensive but it's enough to get you going. https://github.com/franton/Extension-Attributes

mwoodruff
New Contributor III

Thanks @franton

ndeal
New Contributor III

I've been working on this on and off over the last couple of months, as time allows. Also did a couple of remote sessions with JAMF on some of these. A lot of my extension attribute logic is pretty simplistic. None of this should be considered fully tested.

Extension Attributes:

CIS - Admin to Access System Wide Preferences

#!/bin/bash
# Capture the command's output with $( ); echoing the bare string reports the command text, not the setting
echo "<result>$(security authorizationdb read system.preferences | grep -A1 shared)</result>"

CIS - AFP Guest Access

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess)</result>"

CIS - Auto Install Software Updates

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled)</result>"

CIS - AutoLoginUser

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser)</result>"

CIS - AutoOpenSafeDownloads

#!/bin/bash
# Read the console user's preference, since Jamf runs extension attributes as root
user=$( ls -la /dev/console | cut -d " " -f 4 )
RESULT=$(sudo -u "$user" defaults read com.apple.Safari AutoOpenSafeDownloads)
echo "<result>$RESULT</result>"

CIS - Bluetooth Sharing

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
echo "<result>$(sudo -u "$user" system_profiler SPBluetoothDataType | grep State)</result>"

CIS - Bonjour Advertising Service (want a value of 1 or 2)

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.alf globalstate)</result>"

CIS - CD/DVD Sharing

#!/bin/bash
echo "<result>$(launchctl list | egrep ODSAgent)</result>"

CIS - Firewall Allowed Apps

#!/bin/bash
echo "<result>$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps)</result>"

CIS - Firewall Status

#!/bin/bash
# 0 = off, 1 = on for specific services, 2 = block all incoming
echo "<result>$(defaults read /Library/Preferences/com.apple.alf globalstate)</result>"

CIS - Gatekeeper Status

#!/bin/bash
echo "<result>$(spctl --status)</result>"

CIS - Guest Account Login Disabled

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled)</result>"

CIS - Hot Corner Values

#!/bin/bash
# Read the console user's Dock prefs; ~ would be /var/root when Jamf runs this as root
user=$( ls -la /dev/console | cut -d " " -f 4 )
echo "<result>$(sudo -u "$user" defaults read com.apple.dock | grep -i corner)</result>"

CIS - Infrared Receiver Present

#!/bin/bash
# Count of matching USB entries; the nested double quotes in the original broke the echo
echo "<result>$(system_profiler SPUSBDataType | egrep -c "IR Receiver")</result>"

CIS - Infrared Receiver Status

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled)</result>"

CIS - Infrared Receiver UIDFilter

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.driver.AppleIRController UIDFilter)</result>"

CIS - Internet Sharing

#!/bin/sh
# Command substitution is required here; without it the variable holds the literal path
InternetSharingOn=$(/usr/libexec/PlistBuddy -c "Print :NAT:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist)
echo "<result>$InternetSharingOn</result>"

CIS - Login Screen Text

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText)</result>"

CIS - NFS Server

#!/bin/bash
# The bracket trick stops grep from matching its own process line
echo "<result>$(ps -ef | grep -i "[n]fsd")</result>"

CIS - Password on Sleep or Screensaver

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
RESULT=$(sudo -u "$user" defaults read com.apple.screensaver askForPassword)
echo "<result>$RESULT</result>"

CIS - Root Account Disabled

#!/bin/bash
# A disabled root account carries ";DisabledUser;" in its AuthenticationAuthority
RESULT=$(dscl . -read /Users/root AuthenticationAuthority)
echo "<result>$RESULT</result>"

CIS - ScreenSaver Inactivity Timeout

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
# idleTime is stored per host, hence -currentHost
RESULT=$(sudo -u "$user" defaults -currentHost read com.apple.screensaver idleTime)
echo "<result>$RESULT</result>"

CIS - Secure Keyboard Entry

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
echo "<result>$(sudo -u "$user" defaults read com.apple.Terminal SecureKeyboardEntry)</result>"

CIS - Show Password Hints

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint)</result>"

CIS - ShowAllFileExtensions

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
RESULT=$(sudo -u "$user" defaults read NSGlobalDomain AppleShowAllExtensions)
echo "<result>$RESULT</result>"

CIS - SMB Guest Access

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess)</result>"

CIS - System Integrity Protection Status

#!/bin/bash
echo "<result>$(csrutil status)</result>"

CIS - Time Server

#!/bin/bash
# Fourth field of "Network Time Server: time.apple.com"
echo "<result>$(systemsetup -getnetworktimeserver | awk '{print $4}')</result>"

Scripts:

CIS Benchmark 1.2,3,4 - Enable Auto Updates

#!/bin/bash
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1
sudo defaults write /Library/Preferences/com.apple.storeagent AutoUpdate -int 1
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
# Path fixed: the original had "Preferecnes", which would create a stray plist
defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool true

CIS Benchmark 2.1.1 - Disable Bluetooth

#!/bin/bash
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
# Tell the Bluetooth daemon to re-read its preferences
sudo killall -HUP blued

CIS Benchmark 2.1.1 - Disable Bluetooth If Not Paired

#!/bin/bash
btOn=$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState)
if [ "$btOn" = 1 ]; then
    # "Connectable: Yes" appears only when at least one device is paired
    connectable=$(system_profiler | grep "Bluetooth:" -A 20 | grep Connectable | awk '{print $2}')
    echo "$connectable"
    if [ "$connectable" = "Yes" ]; then
        echo "Devices are paired. No action required."
    else
        defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
        killall -HUP blued
        echo "No devices paired. Bluetooth disabled."
    fi
else
    echo "Bluetooth not enabled."
fi

CIS Benchmark 2.1.3 - Open Bluetooth Menu Item (Adds to the Menu Bar)

#!/bin/bash
# The path contains a space, so it must be quoted
open "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"

CIS Benchmark 2.2.2 - Set NTP to time.apple.com

#!/bin/bash
ntpdate -sv time.apple.com

CIS Benchmark 2.3.2,4 - Screensaver Hot Corners
I use an adapted version of MacMule's script from MacMule's Screensaver Hot Corner Script

CIS Benchmark 2.3.3 - Sleep on Battery Power

#!/bin/bash
pmset -b displaysleep 30

CIS Benchmark 2.3.3,2.5.1,2 - Sleep, Wake for Network Settings

#!/bin/bash
sudo pmset -a womp 0
pmset -c sleep 0
pmset -b displaysleep 30

CIS Benchmark 2.4.1 - Disable Remote Apple Events

#!/bin/bash
systemsetup -setremoteappleevents off

CIS Benchmark 2.4.2 - Disable Internet Sharing

#!/bin/bash
# Remove the key, then recreate it as integer 0 so the plist is left in a known state
/usr/libexec/PlistBuddy -c "Delete :NAT:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist
/usr/libexec/PlistBuddy -c "Add :NAT:Enabled integer 0" /Library/Preferences/SystemConfiguration/com.apple.nat.plist

CIS Benchmark 2.4.3 - Disable Screen Sharing

#!/bin/bash
launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

CIS Benchmark 2.4.4 - Disable Printer Sharing

#!/bin/bash
# lpstat -v prints "device for <queue>: <uri>", so the queue name is the third field (the original read the first word, "device")
while read -r _ _ printer _; do
    [ -n "$printer" ] || continue
    /usr/sbin/lpadmin -p "${printer/:}" -o printer-is-shared=false
done < <(/usr/bin/lpstat -v)

CIS Benchmark 2.4.8 -Disable/Kill File Sharing

#!/bin/bash
launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist

CIS Benchmark 2.5.1 - Disable Wake for Network Access

#!/bin/bash
pmset -a womp 0

CIS Benchmark 2.6.3 - Enable Firewall

#!/bin/bash
defaults write /Library/Preferences/com.apple.alf globalstate -int 1

CIS Benchmark 2.8 - Disable IR Controller

#!/bin/bash
defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled 0

CIS Benchmark 2.9 - Enable Secure Keyboard Entry

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
sudo -u "$user" defaults write com.apple.Terminal SecureKeyboardEntry 1

CIS Benchmark 3.2 - Enable Security Log Auditing

#!/bin/bash
launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

CIS Benchmark 5.1.1 - Secure Home Folders

#!/bin/sh
# $userNames already holds the full /Users/<name> path, so it must not be prefixed with /Users/ again
for userNames in /Users/*
do
    chmod -R og-rw "$userNames"
done

CIS Benchmark 5.12 - Custom Login Screen Message

#!/bin/bash
defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Desired Text Goes Here."

CIS Benchmark 5.7 - Disable Automatic Login

#!/bin/bash
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

CIS Benchmark 5.8 - Require Password On Lock

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
sudo -u "$user" defaults write com.apple.screensaver askForPassword -int 1
sudo -u "$user" defaults write com.apple.screensaver askForPasswordDelay -int 0

CIS Benchmark 5.9 - Require Admin Password for System Wide Preferences

#!/bin/bash
# Export the right, flip "shared" to false, then write it back
security authorizationdb read system.preferences > /tmp/system.preferences.plist
/usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist
security authorizationdb write system.preferences < /tmp/system.preferences.plist

CIS Benchmark 6.1.2 - Disable Show Password Hints

#!/bin/bash
defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0

CIS Benchmark 6.1.3,6.1.4 - Disable Guest Account Login

#!/bin/bash
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no

CIS Benchmark 6.2 - Show File Extensions

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
sudo -u "$user" defaults write NSGlobalDomain AppleShowAllExtensions -bool true; killall Finder

References:

OSX Security Checklist
Apple Security Checklist Companion
KrisPayne's Github
JAMF - Consultant via Encompass program helped me wade through a lot of these

franton
Valued Contributor II

@ndeal The issue you'll have with these is anything set by a profile will not be accurately reported by a defaults read command. It's why in some of the EA's I wrote, they're using Python Objective-C to read out via an OS API instead. This method reads what's currently being enforced vs the file/memory cache content.
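The API-based approach franton describes, as an added example that is not franton's or Jamf's code: a Jamf extension attribute that asks CFPreferences (through PyObjC's Foundation bridge, assumed present on the Mac) for the value macOS is actually enforcing, and flags it when a configuration profile forces it. The domain and key are the thread's firewall check (com.apple.alf globalstate); both are assumptions to adjust per EA.

```python
#!/usr/bin/python
# Added example, not code from this thread. CFPreferencesCopyAppValue walks the
# preference search list with managed (profile) values first, so it reports the
# enforced value where `defaults read` on the plist would not.
import sys

try:
    from Foundation import CFPreferencesCopyAppValue, CFPreferencesAppValueIsForced
except ImportError:  # not macOS / no PyObjC: effective_value() will raise
    CFPreferencesCopyAppValue = None
    CFPreferencesAppValueIsForced = None

DOMAIN = "com.apple.alf"   # assumed: the firewall domain used in this thread
KEY = "globalstate"        # assumed: 0 = off, 1 = on, 2 = block all incoming


def normalize(value):
    """Turn a CF value (None, bool, number, string) into EA report text."""
    if value is None:
        return "Not Set"
    if isinstance(value, bool):
        return "1" if value else "0"
    return str(value)


def format_result(value, forced=False):
    """Wrap the value in Jamf's <result> tags, noting profile enforcement."""
    text = normalize(value)
    if forced:
        text += " (managed by profile)"
    return "<result>%s</result>" % text


def effective_value(domain, key):
    """Return (value, forced) as macOS resolves them right now for domain/key.

    Runs under the calling user; system-level domains such as com.apple.alf
    resolve fine as root. For per-user keys run this as the console user.
    """
    if CFPreferencesCopyAppValue is None:
        raise RuntimeError("CFPreferences unavailable: run on macOS with PyObjC")
    value = CFPreferencesCopyAppValue(key, domain)
    forced = bool(CFPreferencesAppValueIsForced(key, domain))
    return value, forced


if __name__ == "__main__":
    try:
        val, forced = effective_value(DOMAIN, KEY)
    except RuntimeError as err:
        print("<result>Error: %s</result>" % err)
        sys.exit(0)
    print(format_result(val, forced))
```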

ndeal
New Contributor III

Got it. Yeah, my methodology does not utilize profiles for the enforcement (just scripts/policies).

hunter990
New Contributor III

Franton,

That is great info and really helps out a lot. Thanks for doing all of that work.

I voted up a feature request for this but it really would be awesome if the CIS whitepaper was updated and maybe has these integrated directly into Casper. That would be a huge selling point to present to upper management.

franton
Valued Contributor II

You're welcome. I believe that may already be in progress.

gachowski
Valued Contributor II

I think that Jamf legitimizing any benchmarks, checklist or "standard" is not a very good idea.

franton
Valued Contributor II

Ok. Why?

gachowski
Valued Contributor II

Not all benchmarks, checklists or "standards" are correct for all environments. I know that many managers and security "experts" will just force Apple admins to apply all settings.

This will create a de facto industry standard.

C

rastogisagar123
Contributor

What are the best practices to implement CIS benchmarks? Do we need to implement via scripts or configuration profiles?

Please suggest.

mwoodruff
New Contributor III

@rastogisagar In reviewing with Apple, we @ Jamf suggest you start reviewing configuration profiles from this point forward. Scripts can still be used to enforce/remediate your security posture, but the abilities that scripts will have as macOS gets updated will continue to be in question. It's unfortunate for you can have one script to rule them all, but it will turn into multiple configuration profiles.

rastogisagar123
Contributor

@mwoodruff thanks a lot for your response, what I understand from this. Configuration profiles are far better than scripts, please correct me if I misunderstood

mwoodruff
New Contributor III

@rastogisagar not better, just the future of applying settings in macOS. Scripts have their value, and in some ways better.

TAPerkins
New Contributor

This is what I found:

https://github.com/jamfprofessionalservices/CIS-for-macOS-Sierra

Hope it helps.

mwoodruff
New Contributor III

And here is the Configuration Profile version of that same link: https://github.com/jamfprofessionalservices/CIS-for-macOS-Sierra-CP

We are actively working on updating for High Sierra CIS, and while we are at it we hope to see CIS for Mojave drop soon allowing us to update it shortly thereafter.