CIS Security Benchmark using Casper?

Mostly just hoping to get lucky and find someone who has done this, but before I re-invent the wheel...

Has anyone applied the CIS security baseline on Macs using Casper? I'm looking at implementing it for our 10.11 systems, moving from a previous setup on 10.9 in Centrify. Ideally I'd like to do this via profiles, but expect it will take a mix of approaches.

I saw that DISA has recently released a set of profiles that can simply be dropped into place in Casper, so again, just hoping someone else may have already tackled this before me.


I am interested in this as well. Please advise if there are any updates.

I am aware of a company that helps organizations set up the CIS benchmark on the JSS: You might want to reach out to them. They do it for STIG and CIS.

I've been working on most of that, monitored through extension attributes. It's not comprehensive but it's enough to get you going.

Thanks @franton

I've been working on this on and off over the last couple of months, as time allows. Also did a couple of remote sessions with JAMF on some of these. A lot of my extension attribute logic is pretty simplistic. None of this should be considered fully tested.

Extension Attributes:

CIS - Admin to Access System Wide Preferences

#!/bin/bash
echo "<result>$(security authorizationdb read system.preferences | grep -A1 shared)</result>"

CIS - AFP Guest Access

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ guestAccess)</result>"

CIS - Auto Install Software Updates

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ AutomaticCheckEnabled)</result>"

CIS - AutoLoginUser

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ | grep autoLoginUser)</result>"

CIS - AutoOpenSafeDownloads

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
RESULT=$(sudo -u "$user" defaults read AutoOpenSafeDownloads)
echo "<result>$RESULT</result>"

CIS - Bluetooth Sharing

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
echo "<result>$(sudo -u "$user" system_profiler SPBluetoothDataType | grep State)</result>"

CIS - Bonjour Advertising Service (want a value of 1 or 2)

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ globalstate)</result>"

CIS - CD/DVD Sharing

#!/bin/bash
echo "<result>$(launchctl list | egrep ODSAgent)</result>"

CIS - Firewall Allowed Apps

#!/bin/bash
echo "<result>$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps)</result>"

CIS - Firewall Status

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ globalstate)</result>"

CIS - Gatekeeper Status

#!/bin/bash
echo "<result>$(spctl --status)</result>"

CIS - Guest Account Login Disabled

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ GuestEnabled)</result>"

CIS - Hot Corner Values

#!/bin/bash
echo "<result>$(defaults read ~/Library/Preferences/ | grep -i corner)</result>"

CIS - Infrared Receiver Present

#!/bin/bash
echo "<result>$(system_profiler SPUSBDataType | grep -c "IR Receiver")</result>"

CIS - Infrared Receiver Status

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ DeviceEnabled)</result>"

CIS - Infrared Receiver UIDFilter

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ UIDFilter)</result>"

CIS - Internet Sharing

#!/bin/sh
InternetSharingOn=$(/usr/libexec/PlistBuddy -c "Print :NAT:Enabled" /Library/Preferences/SystemConfiguration/)
echo "<result>$InternetSharingOn</result>"

CIS - Login Screen Text

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ LoginwindowText)</result>"

CIS - NFS Server

#!/bin/bash
# Exclude the grep process itself so an idle machine reports an empty result
echo "<result>$(ps -ef | grep -i nfsd | grep -v grep)</result>"

CIS - Password on Sleep or Screensaver

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
RESULT=$(sudo -u "$user" defaults read askForPassword)
echo "<result>$RESULT</result>"

CIS - Root Account Disabled

#!/bin/bash
RESULT=$(dscl . -read /Users/root AuthenticationAuthority)
echo "<result>$RESULT</result>"

CIS - ScreenSaver Inactivity Timeout

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
RESULT=$(sudo -u "$user" defaults -currentHost read idleTime)
echo "<result>$RESULT</result>"

CIS - Secure Keyboard Entry

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
echo "<result>$(sudo -u "$user" defaults read SecureKeyboardEntry)</result>"

CIS - Show Password Hints

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/ RetriesUntilHint)</result>"

CIS - ShowAllFileExtensions

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
RESULT=$(sudo -u "$user" defaults read NSGlobalDomain AppleShowAllExtensions)
echo "<result>$RESULT</result>"

CIS - SMB Guest Access

#!/bin/bash
echo "<result>$(defaults read /Library/Preferences/SystemConfiguration/ AllowGuestAccess)</result>"

CIS - System Integrity Protection Status

#!/bin/bash
echo "<result>$(csrutil status)</result>"

CIS - Time Server

#!/bin/bash
echo "<result>$(systemsetup -getnetworktimeserver | awk '{print $4}')</result>"


CIS Benchmark 1.2,3,4 - Enable Auto Updates

#!/bin/bash
sudo defaults write /Library/Preferences/ AutomaticCheckEnabled -int 1
sudo defaults write /Library/Preferences/ AutoUpdate -int 1
sudo defaults write /Library/Preferences/ ConfigDataInstall -bool true
sudo defaults write /Library/Preferences/ CriticalUpdateInstall -bool true
sudo defaults write /Library/Preferences/ AutoUpdateRestartRequired -bool true

CIS Benchmark 2.1.1 - Disable Bluetooth

#!/bin/bash
sudo defaults write /Library/Preferences/ ControllerPowerState -int 0
sudo killall -HUP blued

CIS Benchmark 2.1.1 - Disable Bluetooth If Not Paired

#!/bin/bash
btOn=$(defaults read /Library/Preferences/ ControllerPowerState)
if [ "$btOn" = 1 ]; then
    # A paired device shows up in the profiler report as "Connectable: Yes"
    connectable=$(system_profiler | grep "Bluetooth:" -A 20 | grep Connectable | awk '{print $2}')
    echo "$connectable"
    if [ "$connectable" = "Yes" ]; then
        echo "Devices are paired. No action required."
    else
        defaults write /Library/Preferences/ ControllerPowerState -int 0
        killall -HUP blued
        echo "No devices paired. Bluetooth disabled."
    fi
else
    echo "Bluetooth not enabled."
fi

CIS Benchmark 2.1.3 - Open Bluetooth Menu Item (Adds to the Menu Bar)

#!/bin/bash
open "/system/library/coreservices/menu extras/"

CIS Benchmark 2.2.2 - Set NTP to

#!/bin/bash
ntpdate -sv

CIS Benchmark 2.3.2,4 - Screensaver Hot Corners
I use an adapted version of MacMule's script from MacMule's Screensaver Hot Corner Script

CIS Benchmark 2.3.3 - Sleep on Battery Power

#!/bin/bash
pmset -b displaysleep 30

CIS Benchmark 2.3.3,2.5.1,2 - Sleep, Wake for Network Settings

#!/bin/bash
sudo pmset -a womp 0
pmset -c sleep 0
pmset -b displaysleep 30

CIS Benchmark 2.4.1 - Disable Remote Apple Events

#!/bin/bash
systemsetup -setremoteappleevents off

CIS Benchmark 2.4.2 - Disable Internet Sharing

#!/bin/bash
/usr/libexec/PlistBuddy -c "Delete NAT:Enabled" /Library/Preferences/SystemConfiguration/
/usr/libexec/PlistBuddy -c "add NAT:Enabled integer 0" /Library/Preferences/SystemConfiguration/

CIS Benchmark 2.4.3 - Disable Screen Sharing

#!/bin/bash
launchctl unload -w /System/Library/LaunchDaemons/

CIS Benchmark 2.4.4 - Disable Printer Sharing

#!/bin/bash
# lpstat -v prints "device for <name>: <uri>", so the queue name is the third field
while read -r _ _ printer _; do
    /usr/sbin/lpadmin -p "${printer/:}" -o printer-is-shared=false
done < <(/usr/bin/lpstat -v)

CIS Benchmark 2.4.8 - Disable/Kill File Sharing

#!/bin/bash
launchctl unload -w /System/Library/LaunchDaemons/

CIS Benchmark 2.5.1 - Disable Wake for Network Access

#!/bin/bash
pmset -a womp 0

CIS Benchmark 2.6.3 - Enable Firewall

#!/bin/bash
defaults write /Library/Preferences/ globalstate -int 1

CIS Benchmark 2.8 - Disable IR Controller

#!/bin/bash
defaults write /Library/Preferences/ DeviceEnabled 0

CIS Benchmark 2.9 - Enable Secure Keyboard Entry

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
sudo -u "$user" defaults write SecureKeyboardEntry 1

CIS Benchmark 3.2 - Enable Security Log Auditing

#!/bin/bash
launchctl load -w /System/Library/LaunchDaemons/

CIS Benchmark 5.1.1 - Secure Home Folders

#!/bin/sh
# The glob already yields full paths (/Users/name), so do not prefix /Users/ again
for userNames in /Users/*
do
    chmod -R og-rw "$userNames"
done

CIS Benchmark 5.12 - Custom Login Screen Message

#!/bin/bash
defaults write /Library/Preferences/ LoginwindowText "Desired Text Goes Here."

CIS Benchmark 5.7 - Disable Automatic Login

#!/bin/bash
defaults delete /Library/Preferences/ autoLoginUser

CIS Benchmark 5.8 - Require Password On Lock

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
sudo -u "$user" defaults write askForPassword -int 1
sudo -u "$user" defaults write askForPasswordDelay -int 0

CIS Benchmark 5.9 - Require Admin Password for System Wide Preferences

#!/bin/bash
security authorizationdb read system.preferences > /tmp/system.preferences.plist
/usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist
security authorizationdb write system.preferences < /tmp/system.preferences.plist

CIS Benchmark 6.1.2 - Disable Show Password Hints

#!/bin/bash
defaults write /Library/Preferences/ RetriesUntilHint -int 0

CIS Benchmark 6.1.3,6.1.4 - Disable Guest Account Login

#!/bin/bash
defaults write /Library/Preferences/ GuestEnabled -bool NO
defaults write /Library/Preferences/ guestAccess -bool no
defaults write /Library/Preferences/SystemConfiguration/ AllowGuestAccess -bool no

CIS Benchmark 6.2 - Show File Extensions

#!/bin/bash
user=$( ls -la /dev/console | cut -d " " -f 4 )
sudo -u "$user" defaults write NSGlobalDomain AppleShowAllExtensions -bool true
killall Finder


OSX Security Checklist
Apple Security Checklist Companion
KrisPayne's Github
JAMF - Consultant via Encompass program helped me wade through a lot of these

@ndeal The issue you'll have with these is anything set by a profile will not be accurately reported by a defaults read command. It's why in some of the EAs I wrote, they're using Python Objective-C to read out via an OS API instead. This method reads what's currently being enforced vs the file/memory cache content.
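The approach @franton describes, reading the value actually in effect through the preferences API instead of the plist file, as an added example that is not code from this thread or from Jamf. It assumes a Mac whose system Python has the PyObjC Foundation bridge, and the domain com.apple.screensaver with key askForPassword is an assumed illustration (the thread shows the key without its domain).

```python
#!/usr/bin/python
# Added example: a Jamf extension attribute that reports the value a preference
# key currently has in effect, including a value forced by a configuration
# profile, which `defaults read` against the plist file does not see.
# Assumes macOS with the PyObjC Foundation bridge available to the system
# Python. The domain and key in main() are illustrative assumptions.
import sys


def read_effective_pref(domain, key, reader=None):
    """Return the resolved preference value, or None when the key is unset.

    CFPreferencesCopyAppValue walks every preference layer (managed/profile,
    by-host, user, /Library) and returns the one that wins, so a profile-
    enforced value is reported rather than the cached plist content.
    `reader` lets a caller substitute another lookup with the same
    (key, domain) signature, e.g. a dictionary lookup when testing off-Mac.
    """
    if reader is None:
        from Foundation import CFPreferencesCopyAppValue  # PyObjC, macOS only
        reader = CFPreferencesCopyAppValue
    return reader(key, domain)


def format_result(value, unset="Not Set"):
    """Wrap a value in the <result> tags Jamf parses from EA output.

    An unset key is reported explicitly so a smart group can match on it.
    A CFBoolean bridged as a Python bool is normalised to 0/1 so that a
    profile-set boolean and a `defaults write -int 1` report identically.
    """
    if value is None:
        return "<result>%s</result>" % unset
    if isinstance(value, bool):
        value = int(value)
    return "<result>%s</result>" % value


def main():
    # Assumed domain/key: the screensaver password requirement (CIS 5.8 above).
    domain, key = "com.apple.screensaver", "askForPassword"
    print(format_result(read_effective_pref(domain, key)))


if __name__ == "__main__":
    main()
```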

Got it. Yeah, my methodology does not utilize profiles for the enforcement (just scripts/policies).

That is great info and really helps out a lot. Thanks for doing all of that work.

I voted up a feature request for this but it really would be awesome if the CIS whitepaper was updated and maybe has these integrated directly into Casper. That would be a huge selling point to present to upper management.

You're welcome. I believe that may already be in progress.

I think that Jamf legitimizing any benchmarks, checklist or "standard" is not a very good idea.

Ok. Why?

Not all benchmarks, checklists or "standards" are correct for all environments. I know that many managers and security "experts" will just force Apple admins to apply all settings.

This will create a de facto industry standard.


What are the best practices to implement CIS benchmarks? Do we need to implement via scripts or configuration profiles?

Please suggest.

@rastogisagar In reviewing with Apple, we @ Jamf suggest you start reviewing configuration profiles from this point forward. Scripts can still be used to enforce/remediate your security posture, but the abilities that scripts will have as macOS gets updated will continue to be in question. It's unfortunate, for you can have one script to rule them all, but it will turn into multiple configuration profiles.


@mwoodruff thanks a lot for your response. What I understand from this is that configuration profiles are far better than scripts; please correct me if I misunderstood.

@rastogisagar not better, just the future of applying settings in macOS. Scripts have their value, and in some ways are better.


This is what I found:

Hope it helps.

And here is the Configuration Profile version of that same link:

We are actively working on updating for High Sierra CIS, and while we are at it we hope to see CIS for Mojave drop soon allowing us to update it shortly thereafter.