Configuration profiles matching CIS Benchmarks?

ManuCa
New Contributor

Hi everyone!

I was wondering if someone knows of a tool or repository where we can find configuration profiles that match the CIS Benchmarks for macOS. At my organization we have JAMF protect and we can see compliant/non compliant devices in regards to the CIS benchmark (But no "remediate" option! So I would like to correct those non compliant devices via config. profiles).

2 ACCEPTED SOLUTIONS

ljcacioppo
Contributor III

You may want to look into the macOS Security Compliance Project: https://github.com/usnistgov/macos_security/tree/dev_cis_monterey

I think the CIS benchmarks are still in development there

And then there's also this GitHub from jamf from Catalina that might be of some help for some settings:
https://github.com/jamf/CIS-for-macOS-Catalina-CP

View solution in original post

nickvanjaarsvel
New Contributor II
5 REPLIES 5

ljcacioppo
Contributor III

You may want to look into the macOS Security Compliance Project: https://github.com/usnistgov/macos_security/tree/dev_cis_monterey

I think the CIS benchmarks are still in development there

And then there's also this GitHub from jamf from Catalina that might be of some help for some settings:
https://github.com/jamf/CIS-for-macOS-Catalina-CP

Matt_Roy93
Contributor

Follow the Readme on the links @ljcacioppo shared , run the scripts in correct order with customization made tailored to your org requirements, the config profiles and extension attributes are used to ensure ongoing compliance. 

Just to let you know guys: Some of the tests ran on the script that's created when you use the "-s" flag in the generate_guidelines.sh script fail when supposedly they should pass. See for example the "disable password sharing" test. Even though you disable that option via the "Restrictions" in a configuration profile it will keep on failing until you manually set a custom payload  in the config. profile with the keys provided by the guidance PDF.

nickvanjaarsvel
New Contributor II

This one is also very good: https://github.com/mvdbent/CIS-macOS-Security

efil4xiN
Contributor II

+1 mvdbent