Jamf Nation Community

@jason.bracy Definitely interested in improving the workflows - can you give some examples of the errors you're seeing?

Thanks!
katie

Here is the Terminal Output from the remediation script if that helps:

bash-3.2# /Users/Shared/2016_JNUC_Security_Reporting_Compliance-master/3_Security_Remediation.sh 
2016-10-27 15:52:06.638 defaults[2114:49386] 
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, AutomaticCheckEnabled) does not exist
2016-10-27 15:52:06.671 defaults[2117:49403] 
The domain/default pair of (/Library/Preferences/com.apple.commerce, AutoUpdate) does not exist
2016-10-27 15:52:06.713 defaults[2120:49415] 
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, ConfigDataInstall) does not exist
2.1.1 passed
2016-10-27 15:52:53.785 defaults[2203:50144] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.systemuiserver, menuExtras) does not exist
Error : nodename nor servname provided, or not known
2016-10-27 15:52:54.010 defaults[2213:50224] 
The domain/default pair of (com.apple.screensaver, idleTime) does not exist
2016-10-27 15:52:54.040 defaults[2215:50232] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2016-10-27 15:52:54.053 defaults[2216:50236] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2016-10-27 15:52:54.068 defaults[2217:50240] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tr-corner) does not exist
2016-10-27 15:52:54.082 defaults[2218:50245] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-br-corner) does not exist
2016-10-27 15:52:54.114 defaults[2220:50253] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2016-10-27 15:52:54.128 defaults[2221:50257] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2016-10-27 15:52:54.140 defaults[2222:50261] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tr-corner) does not exist
2016-10-27 15:52:54.153 defaults[2223:50266] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-br-corner) does not exist
2.4.1 passed
Print: Entry, ":NAT:AirPort:Enabled", Does Not Exist
Print: Entry, ":NAT:Enabled", Does Not Exist
Print: Entry, ":NAT:PrimaryInterface:Enabled", Does Not Exist
File Doesn't Exist, Will Create: /Library/Preferences/SystemConfiguration/com.apple.nat.plist
Delete: Entry, ":NAT:AirPort:Enabled", Does Not Exist
Delete: Entry, ":NAT:Enabled", Does Not Exist
Delete: Entry, ":NAT:PrimaryInterface:Enabled", Does Not Exist
2.4.3 passed
2.4.5 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist
Delete: Entry, ":PrefKeyServicesEnabled", Does Not Exist
2.4.8 passed
2.4.9 passed
Warning: Idle sleep timings for "AC Power" may not behave as expected.
- Disk sleep should be non-zero whenever system sleep is non-zero.
2.6.4 passed
/Users/Shared/2016_JNUC_Security_Reporting_Compliance-master/3_Security_Remediation.sh: line 379: [: : integer expression expected
2.8 passed
2.10 passed
4.1 passed
2016-10-27 15:52:55.303 defaults[2333:50534] 
The domain/default pair of (com.apple.systemuiserver, menuExtras) does not exist
4.4 passed
4.5 passed
4.6 passed
5.7 passed
5.8 passed
5.9 passed
5.18 passed
2016-10-27 15:53:21.135 defaults[2392:50830] 
The domain/default pair of (/Library/Preferences/com.apple.AppleFileServer, guestAccess) does not exist
2016-10-27 15:53:21.146 defaults[2393:50836] 
The domain/default pair of (/Library/Preferences/SystemConfiguration/com.apple.smb.server, AllowGuestAccess) does not exist
2016-10-27 15:53:21.179 defaults[2395:50844] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.finder, AppleShowAllExtensions) does not exist
2016-10-27 15:53:21.222 defaults[2398:50856] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.Safari, AutoOpenSafeDownloads) does not exist
6.3 passed

@jason.bracy That is helpful. Looks like I need to add in some additional error checking logic. Are you running the policies while a user is logged in (and does the output look similar if you do)?

Thanks,
katie

I was logged in. I decided to see what the scripts would do on a clean install, so it wasn't even enrolled in Casper yet.

Thanks,

Jason

Try mine: https://github.com/franton/CIS-Apple-Security-Casper

Thanks @franton I'll give those a try.

Also found this set of scripts for 10.10: https://github.com/usnistgov/applesec Don't know why I was never able to find that before. Seems to be the official NIST configuration, so we may be reinventing the wheel here...

FWIW, got a little more time to dig into the JAMF scripts. With the updates (a huge thank you to @kenglish ) they appear to be working for the most part, but a few issues I'm seeing:

1) The following errors appear every time, and never go away despite "remediation". This despite the fact that they DO appear to be set when I check the actual machine:

2.4.2 Disable Internet Sharing 2.6.5 Review Application Firewall Rules 2.8 Pair the remote control infrared receiver if enabled 4.2 Enable Show Wi-Fi status in menu bar * 5.1.4 Check Library folder for world writable files

(eg - Wi-Fi status IS in the menu bar, if I remove it and re-run the scripts, it IS corrected, but continues to be listed as a failure).

2) I'm a bit concerned about log sizes - 5.1.4 is creating HUGE logs on the systems I'm testing this on - the JSS truncates it with the message "[Log data was truncated to a max size of 1000000 bytes]". I already noticed a tiny increase in my backup size last night, it appears to be parsing directories incorrectly, as I have tons of entries such as the following:

chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/fr_FR.lproj: No such file or directory chmod: 2487491: No such file or directory chmod: 0: No such file or directory chmod: drwxrwxrwx: No such file or directory chmod: 3: No such file or directory chmod: root: No such file or directory chmod: wheel: No such file or directory chmod: 102: No such file or directory chmod: Dec: No such file or directory chmod: 23: No such file or directory chmod: 2015: No such file or directory chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/fr_XM.lproj: No such file or directory chmod: 2487493: No such file or directory chmod: 0: No such file or directory chmod: drwxrwxrwx: No such file or directory chmod: 3: No such file or directory chmod: root: No such file or directory chmod: wheel: No such file or directory chmod: 102: No such file or directory chmod: Dec: No such file or directory chmod: 23: No such file or directory chmod: 2015: No such file or directory chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/French.lproj: No such file or directory chmod: 24874

(Naturally... it HAD to be Adobe! ;) )

I'm not sure what the best compromise is, but I know that with logs hitting 1mb each time it runs, this would more than double the size of my database within a few hours if I applied it to all systems, and continue to cause my logs to grow much faster than I'm really comfortable with.

@Taylor.Armstrong

Re: 5.1.4, I actually built in an exception for Adobe that's commented out by default in Step 3:

# for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do
chmod -R o-w $libPermissions
done

The additional awesome thing about Adobe items in /Library is that even if you remediate, the next time the products update, they'll just break the permissions over again.

My inclination is to build in a permanent exception for that particular issue.

That would make Step 2 look like this:

# 5.1.4 Check Library folder for world writable files
# Verify organizational score
Audit5_1_4="`defaults read "$plistlocation" OrgScore5_1_4`"
# If organizational score is 1 or true, check status of client
if [ "$Audit5_1_4" = "1" ]; then
    libPermissions=`find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe | wc -l | xargs`
    # If client fails, then note category in audit file
    if [ "$libPermissions" = "0" ]; then
        echo "5.1.4 passed"; else
        echo "* 5.1.4 Check Library folder for world writable files" >> "$auditfilelocation"
    fi
fi

And Step 3:

# 5.1.4 Check Library folder for world writable files
# Verify organizational score
Audit5_1_4="`defaults read "$plistlocation" OrgScore5_1_4`"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_1_4" = "1" ]; then
for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do
            chmod -R o-w $libPermissions
        done
fi

Will check into 2.4.2, 2.8, and 4.2 as well.

Well, that might teach me to re-read the script before complaining! :)
(seriously - thank you for this - HUGE step for us)

Can confirm that making the change and using the "Adobe" line resolved the massive log issue. Still having what looks like a few parsing issues (e.g.: "chmod: Support/VMware/VMware: No such file or directory
chmod: Fusion/Shared: No such file or directory" - appears that it is breaking with a space in the directory path), but I'm down from 100mb of results to something "normal". (FWIW, 22,231 lines in the log down to 92. I'd say that's better :)

If you don't mind my asking, which version of the CIS baseline is this based on? I'm testing against a 10.11 laptop, but will try to spin up a couple of VM's for additional testing as well. We generally use a slightly modified CIS for our setup, and we have a couple of people working on the 10.12 CIS effort now. I'm trying to go through and identify what settings from our "normal" baseline are missing from this and see what I can do to add them in, but you've given us a HUGE platform to start from.

I'll start looking at the new scripts as soon as I can. Is there any thought on how to meet the Local Account password requirements from CIS without messing with AD accounts? The official CIS script has a section to create the plist file for pwpolicy, but I am not sure how to limit the enforcement to only local accounts over UID 500. Any chance that you could add that part of their script into the JAMF scripts?

Thanks,

Jason

Afraid we just use AD here, so no help there.

We do still use pwpolicy for the local account, mostly just to keep the auditors happy, since we can legitimately say we're doing it across the board including local admin accounts.

(also, just to clarify - the NIST scripts !=CIS. Looks like they're based on an internal NIST guide? But definitely a different baseline than CIS.)

@Taylor.Armstrong The benchmark I worked against was CIS 10.11 v1.0.0. I'd definitely like to keep it updated with the 10.12 iteration is released.

@jason.bracy I have an outstanding "feature request" to myself to work on password compliance reporting, but I'm not sure what combination works best just yet. I do want to point out that NIST and CIS are not the same entity, and your organizational mileage may vary between the two sets of recommendations.

Thanks @kenglish. Just wanted to verify since I know I'll be asked when I bring this up at our weekly change control meeting :)

FWIW, the CIS group bumped up their schedule - I believe initial release of the 10.12 baseline is scheduled for later this month, they're really picking up the pace compared to previous OS's.

Wow! Can't believe that I overlooked that. TOO MANY ACRONYMS! CIS, NIST, DFARS, STIG. However since NIST is the one that is producing the requirements that we need to comply with by 12/2017, then maybe it's not a bad thing.

FWIW, it would be great if the level 2 controls from CIS could be added in, but after reviewing today, once I separated out our deviations, there's only about a dozen or so left. This week's project will be attempting to incorporate those into your framework.

@Taylor.Armstrong Looks like they have released the 10.12 benchmark - or at least it has been accepted for publication.

@jason.bracy No sign of 10.12 benchmark on the CIS site yet. As soon as it is, i'll be updating my own repo.

Not quite yet, but I'll definitely update this discussion once we submit it for release :) Give it about 2 more weeks if the current schedule holds...

OK, I figured out part of the problem. I was testing the scripts with my local admin account. The home folder for this account is in /private/var/. Apparently part of the script writes user preferences to /Users/$LOGGEDINUSER/Library/Preferences. So I will look at testing with a standard user later today.

@jason.bracy That's very helpful, thanks. I can add logic to figure out the user path if it's in some non-standard location.

Nice catch Jason. Our "normal" accounts don't follow that rule, but our Casper service account does, so it potentially might arise at some point in time.

@kenglish The other item that seems to be an issue is:

# 5.10 Require an administrator password to access system-wide preferences
# Verify organizational score
Audit5_10="`defaults read "$plistlocation" OrgScore5_10`"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_10" = "1" ]; then
adminSysPrefs=`security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep -c "true"`
if [ "$adminSysPrefs" = "1" ]; then
    defaults write /tmp/system.preferences.plist shared -bool true; else
    echo "5.10 passed"
fi

There doesn't seem to be a step that writes to the "security authorizationdb". This command seems to just write it to the tmp location, but never merges it to the actual authorizationdb. I think that the remediation command should actually be:

defaults write system.preferences.plist shared -bool false

@kenglish

I think I've figured out a couple of the issues with the remediation script:

For the 5.10 remediation you need the following (thanks @rtrouton https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/):

security authorizationdb read system.preferences > /tmp/system.preferences.plist
defaults write /tmp/system.preferences.plist shared -bool false
security authorizationdb write system.preferences < /tmp/system.preferences.plist

Then for any of the user level preferences to actually take effect you need to add

killall cfprefsd

If you don't kill cfprefsd, then the changes are overwritten by the current settings. Haven't tested it, so you might also need to do a

killall -u $LOGGEDINUSER cfprefsd

@jason.bracy

Sorry, I have to post this here. Please do not kill the cfprefsd process.

This was a dirty hack to refresh the preferences memory cache from 10.9 and doing so causes more potential harm that good. But don't just take my word on it: it was covered in the JNUC 2016 talk by @bentoms and @james_ridsdale .

@franton

I appreciate the comment and the link, however using "killall cfprefsd" is the only way that I have been able to retain changes made to certain preferences when changing them with defaults. If you have a better way to make the changes stick, then please share.

Ok. Authorisation database changes do not need cfprefsd restarted to take effect. Everything else can be done with configuration profiles, which is Apple's preferred method of applying preferences. I only include the defaults commands in my CIS repo for the sake of clarity.

When I get to implement this on the system i'm working on, it'll be via profiles ... at least the stuff that can be done via profiles. The rest will be scripts to run command line tools.

CIS Benchmark for macOS 10.12 is out.

Thanks franton - wasn't scheduled to be released until tomorrow, but lots like it is up early...

@Taylor.Armstrong I logged in and there it was!

@franton Appreciate the reply (Sorry for the delay in answering, I was traveling all last week)

I would also like to use profiles for configuring CIS requirements, however unfortunately our Cyber Sec team want the CIS tool to show the results of the test and the current implementation of the tools does not read profiles - it doesn't even read the authorizationsdb settings correctly.

I also have to deal with Macs in Secure areas and off network that do not have access to the JSS, so need to have a manual script that can run on those machines.

Obviously Profiles are the best way to go, but as we are all learning in regards to Compliance: Security ≠ Compliance if the compliance audit tool can't read the settings, then we aren't compliant.

@jason.bracy That's why I suggested having a look at my own CIS repo. I've EA's that do work with profiles. I currently work in Finance where that is a requirement also.

BTW, others in this thread may already have seen, but since I just got back from vacation and hadn't seen a notice, video of Katie's presentation is up.

https://www.jamf.com/resources/digging-into-security-compliance-and-reporting/

@kenglish : I'm going to try to go through and flag the deltas between the 10.11 and 10.12 CIS benchmarks in the next couple of days, if you haven't had a chance to do so yet I'm happy to share if you'd like. My task for the next couple of weeks is to tweak the scripts for 10.12 as needed, along with pushing through review and approval of the 10.12 benchmark on our campus here for adoption.

@kenglish I'm getting the same errors: 2019-10-29 15:57:28.637 defaults[1636:24616]

The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2019-10-29 15:57:28.718 defaults[1640:24628] 
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2019-10-29 15:57:28.741 defaults[1641:24631] 
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist

2.4.6 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist

Lots like this.

Running this version of the script:

written by Katie English, Jamf October 2016
updated for 10.12 CIS benchmarks by Katie English, Jamf February 2017
updated by Laurent Pertois, Jamf September 2018
github.com/jamfprofessionalservices

User is on Catalina.

Is there an updated script anywhere that fixes these errors?

We have validated that this path does exist, yet the GITHUB CIS scripts seem not to see it. Every control is showing the "does not exist"

/Library/Application Support/SecurityScoring/org_security_score.plist