- Jamf Nation Community
- Products
- Jamf Pro
- Re: Ensure home folders are secure
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Ensure home folders are secure
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-20-2024 10:42 PM
Looking for a script to achieve this from JAMF Pro for all the managed devices
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-21-2024 04:52 AM
Secure ≠ Archive.
- Secure - If FileVault is enabled, the home directories along with everything else are encrypted and secured.
- Archive - Beyond Time Machine Apple really does not have any solutions for archiving files which includes no options in the MDM framework for something like Jamf to hook in to.
- It is usually a very bad practice to backup workstation data. Why are you trying to archive workstations?
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-21-2024 06:04 AM
It sounds like you are going through a CIS benchmark review.
5.1.1 Ensure Home Folders Are Secure (Automated)
Profile Applicability:
• Level 1
Description:
By default, macOS allows all valid users into the top level of every other user's home
folder and restricts access to the Apple default folders within. Another user on the same
system can see you have a "Documents" folder but cannot see inside it. This
configuration does work for personal file sharing but can expose user files to standard
accounts on the system.
The best parallel for Enterprise environments is that everyone who has a Dropbox
account can see everything that is at the top level but can't see your pictures. Similarly
with macOS, users can see into every new Directory that is created because of the
default permissions.
Home folders should be restricted to access only by the user. Sharing should be used
on dedicated servers or cloud instances that are managing access controls. Some
environments may encounter problems if execute rights are removed as well as read
and write. Either no access or execute only for group or others is acceptable.
Rationale:
Allowing all users to view the top level of all networked users' home folder may not be
desirable since it may lead to the revelation of sensitive information.
Impact:
If implemented, users will not be able to use the "Public" folders in other users' home
folders. "Public" folders with appropriate permissions would need to be set up in the
/Shared folder.
Page 299
Audit:
Terminal Method:
Run the following command to ensure that all home folders are secure:
$ /usr/bin/sudo /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -
maxdepth 1 -type d -not -perm 700 | /usr/bin/grep -v "Shared" | /usr/bin/grep
-v "Guest"
The output will show what user folders are not secure.
example:
$ /usr/bin/sudo /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -
maxdepth 1 -type d -not -perm 700 | /usr/bin/grep -v "Shared" | /usr/bin/grep
-v "Guest"
/System/Volumes/Data/Users/firstuser
/System/Volumes/Data/Users/thirduser
Remediation:
Terminal Method:
For each user, run the following command to secure all home folders:
$ /usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>
Alternately, run the following command if there needs to be executable access for a
home folder:
$ /usr/bin/sudo /bin/chmod -R og-rw /Users/<username>/usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-26-2024 06:16 AM
I disagree with this CIS recommendation, which is also listed as Microsoft SecureScore, but I have bad experiences trying to recursively force chmod to entire user folders.
Running that command will also yield tons of errors because of how apple manages secure folders.
On any benchmark it's good to remember that you can't get 100%.
Reply
