Posted on 10-27-2016 01:30 PM
So, to test the CIS Compliance scripts linked to in the presentation, I built a clean Mac with 10.11.6 and ran the scripts unaltered. However, I received several errors, and when re-running the CIS tool, while some settings were changed, many still fail the test.
Looking at the Terminal output and the logs it looks like the defaults commands are failing (and yes I did run the scripts with sudo). Also a suggestion... Since the scripts seem to be performing the settings only on the Currently logged in user, I would suggest adding a loop that runs the commands on all users as well as all of the Template files.
Just wondering if anyone has had any success with these scripts? It is a huge step forward for me, but until I can get all of the settings to configure correctly, there will still be some work to do.
Posted on 10-27-2016 01:50 PM
Same here Jason. I haven't had a chance this week to dig in too deeply (middle of audits this week!) but I'm seeing the same thing you are.
Posted on 10-28-2016 08:26 AM
@jason.bracy Definitely interested in improving the workflows - can you give some examples of the errors you're seeing?
Thanks!
katie
Posted on 10-28-2016 08:38 AM
Here is the Terminal Output from the remediation script if that helps:
bash-3.2# /Users/Shared/2016_JNUC_Security_Reporting_Compliance-master/3_Security_Remediation.sh
2016-10-27 15:52:06.638 defaults[2114:49386]
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, AutomaticCheckEnabled) does not exist
2016-10-27 15:52:06.671 defaults[2117:49403]
The domain/default pair of (/Library/Preferences/com.apple.commerce, AutoUpdate) does not exist
2016-10-27 15:52:06.713 defaults[2120:49415]
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, ConfigDataInstall) does not exist
2.1.1 passed
2016-10-27 15:52:53.785 defaults[2203:50144]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.systemuiserver, menuExtras) does not exist
Error : nodename nor servname provided, or not known
2016-10-27 15:52:54.010 defaults[2213:50224]
The domain/default pair of (com.apple.screensaver, idleTime) does not exist
2016-10-27 15:52:54.040 defaults[2215:50232]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2016-10-27 15:52:54.053 defaults[2216:50236]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2016-10-27 15:52:54.068 defaults[2217:50240]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tr-corner) does not exist
2016-10-27 15:52:54.082 defaults[2218:50245]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-br-corner) does not exist
2016-10-27 15:52:54.114 defaults[2220:50253]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2016-10-27 15:52:54.128 defaults[2221:50257]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2016-10-27 15:52:54.140 defaults[2222:50261]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tr-corner) does not exist
2016-10-27 15:52:54.153 defaults[2223:50266]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-br-corner) does not exist
2.4.1 passed
Print: Entry, ":NAT:AirPort:Enabled", Does Not Exist
Print: Entry, ":NAT:Enabled", Does Not Exist
Print: Entry, ":NAT:PrimaryInterface:Enabled", Does Not Exist
File Doesn't Exist, Will Create: /Library/Preferences/SystemConfiguration/com.apple.nat.plist
Delete: Entry, ":NAT:AirPort:Enabled", Does Not Exist
Delete: Entry, ":NAT:Enabled", Does Not Exist
Delete: Entry, ":NAT:PrimaryInterface:Enabled", Does Not Exist
2.4.3 passed
2.4.5 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist
Delete: Entry, ":PrefKeyServicesEnabled", Does Not Exist
2.4.8 passed
2.4.9 passed
Warning: Idle sleep timings for "AC Power" may not behave as expected.
- Disk sleep should be non-zero whenever system sleep is non-zero.
2.6.4 passed
/Users/Shared/2016_JNUC_Security_Reporting_Compliance-master/3_Security_Remediation.sh: line 379: [: : integer expression expected
2.8 passed
2.10 passed
4.1 passed
2016-10-27 15:52:55.303 defaults[2333:50534]
The domain/default pair of (com.apple.systemuiserver, menuExtras) does not exist
4.4 passed
4.5 passed
4.6 passed
5.7 passed
5.8 passed
5.9 passed
5.18 passed
2016-10-27 15:53:21.135 defaults[2392:50830]
The domain/default pair of (/Library/Preferences/com.apple.AppleFileServer, guestAccess) does not exist
2016-10-27 15:53:21.146 defaults[2393:50836]
The domain/default pair of (/Library/Preferences/SystemConfiguration/com.apple.smb.server, AllowGuestAccess) does not exist
2016-10-27 15:53:21.179 defaults[2395:50844]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.finder, AppleShowAllExtensions) does not exist
2016-10-27 15:53:21.222 defaults[2398:50856]
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.Safari, AutoOpenSafeDownloads) does not exist
6.3 passed
Posted on 10-28-2016 11:57 AM
@jason.bracy That is helpful. Looks like I need to add in some additional error checking logic. Are you running the policies while a user is logged in (and does the output look similar if you do)?
Thanks,
katie
Posted on 10-28-2016 12:33 PM
I was logged in. I decided to see what the scripts would do on a clean install, so it wasn't even enrolled in Casper yet.
Thanks,
Jason
Posted on 10-30-2016 12:14 AM
Posted on 10-31-2016 08:52 AM
Thanks @franton I'll give those a try.
Posted on 10-31-2016 10:23 AM
Also found this set of scripts for 10.10: https://github.com/usnistgov/applesec Don't know why I was never able to find that before. Seems to be the official NIST configuration, so we may be reinventing the wheel here...
Posted on 11-01-2016 10:23 AM
FWIW, got a little more time to dig into the JAMF scripts. With the updates (a huge thank you to @kenglish ) they appear to be working for the most part, but a few issues I'm seeing:
1) The following errors appear every time, and never go away despite "remediation". This despite the fact that they DO appear to be set when I check the actual machine:
2.4.2 Disable Internet Sharing
2.6.5 Review Application Firewall Rules
2.8 Pair the remote control infrared receiver if enabled
4.2 Enable Show Wi-Fi status in menu bar
* 5.1.4 Check Library folder for world writable files
(eg - Wi-Fi status IS in the menu bar, if I remove it and re-run the scripts, it IS corrected, but continues to be listed as a failure).
2) I'm a bit concerned about log sizes - 5.1.4 is creating HUGE logs on the systems I'm testing this on - the JSS truncates it with the message "[Log data was truncated to a max size of 1000000 bytes]". I already noticed a tiny increase in my backup size last night. It appears to be parsing directories incorrectly, as I have tons of entries such as the following:
chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/fr_FR.lproj: No such file or directory chmod: 2487491: No such file or directory chmod: 0: No such file or directory chmod: drwxrwxrwx: No such file or directory chmod: 3: No such file or directory chmod: root: No such file or directory chmod: wheel: No such file or directory chmod: 102: No such file or directory chmod: Dec: No such file or directory chmod: 23: No such file or directory chmod: 2015: No such file or directory chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/fr_XM.lproj: No such file or directory chmod: 2487493: No such file or directory chmod: 0: No such file or directory chmod: drwxrwxrwx: No such file or directory chmod: 3: No such file or directory chmod: root: No such file or directory chmod: wheel: No such file or directory chmod: 102: No such file or directory chmod: Dec: No such file or directory chmod: 23: No such file or directory chmod: 2015: No such file or directory chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/French.lproj: No such file or directory chmod: 24874
(Naturally... it HAD to be Adobe! ;) )
I'm not sure what the best compromise is, but I know that with logs hitting 1mb each time it runs, this would more than double the size of my database within a few hours if I applied it to all systems, and continue to cause my logs to grow much faster than I'm really comfortable with.
Posted on 11-01-2016 10:32 AM
Re: 5.1.4, I actually built in an exception for Adobe that's commented out by default in Step 3:
# for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do
#     chmod -R o-w $libPermissions
# done
The additional awesome thing about Adobe items in /Library is that even if you remediate, the next time the products update, they'll just break the permissions over again.
My inclination is to build in a permanent exception for that particular issue.
That would make Step 2 look like this:
# 5.1.4 Check Library folder for world writable files
# Verify organizational score
Audit5_1_4="`defaults read "$plistlocation" OrgScore5_1_4`"
# If organizational score is 1 or true, check status of client
if [ "$Audit5_1_4" = "1" ]; then
    libPermissions=`find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe | wc -l | xargs`
    # If client fails, then note category in audit file
    if [ "$libPermissions" = "0" ]; then
        echo "5.1.4 passed"
    else
        echo "* 5.1.4 Check Library folder for world writable files" >> "$auditfilelocation"
    fi
fi
And Step 3:
# 5.1.4 Check Library folder for world writable files
# Verify organizational score
Audit5_1_4="`defaults read "$plistlocation" OrgScore5_1_4`"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_1_4" = "1" ]; then
    for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do
        chmod -R o-w $libPermissions
    done
fi
Will check into 2.4.2, 2.8, and 4.2 as well.
Posted on 11-01-2016 11:20 AM
Well, that might teach me to re-read the script before complaining! :)
(seriously - thank you for this - HUGE step for us)
Can confirm that making the change and using the "Adobe" line resolved the massive log issue. Still having what looks like a few parsing issues (e.g.: "chmod: Support/VMware/VMware: No such file or directory
chmod: Fusion/Shared: No such file or directory" - appears that it is breaking with a space in the directory path), but I'm down from 100mb of results to something "normal". (FWIW, 22,231 lines in the log down to 92. I'd say that's better :)
If you don't mind my asking, which version of the CIS baseline is this based on? I'm testing against a 10.11 laptop, but will try to spin up a couple of VM's for additional testing as well. We generally use a slightly modified CIS for our setup, and we have a couple of people working on the 10.12 CIS effort now. I'm trying to go through and identify what settings from our "normal" baseline are missing from this and see what I can do to add them in, but you've given us a HUGE platform to start from.
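The Step 2/Step 3 code above and the "space in the directory path" breakage are two sides of the same defect: the output of `find -ls` is word-split by the `for` loop, so every token of each listing line (inode, link count, owner, date, and each word of a path containing a space) is handed to `chmod` as a separate argument, which is exactly what the `chmod: 2487491: No such file or directory` lines show. The following is an added example, not code from the Jamf scripts or from anyone in this thread; the function names, the constructed sample tree, and the choice to exclude directories *named* `Caches` or `Adobe` (narrower than the posted `grep -v Adobe`, which drops any path containing the word) are mine. It lets `find` apply `chmod` itself so paths stay intact, and builds a throwaway tree so it can be run offline:

```sh
#!/bin/sh
# Added example (not from the Jamf scripts): CIS 5.1.4 world-writable
# directories under a library root, with the Caches/Adobe exclusions the
# thread discusses and with paths that contain spaces handled correctly.

# Count world-writable directories below $1, skipping Caches and Adobe trees.
# find's own -prune/-print never word-splits a path.
count_world_writable() {
    find "$1" -type d \( -name Caches -o -name Adobe \) -prune -o \
        -type d -perm -0002 -print | wc -l | tr -d ' '
}

# Remove the "other" write bit from every such directory in one pass;
# -exec ... {} + passes each path as one argument, spaces included.
remediate_world_writable() {
    find "$1" -type d \( -name Caches -o -name Adobe \) -prune -o \
        -type d -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree (not a real /Library) under a temp directory so the
# functions can be exercised offline; prints the root path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Application Support/VMware/VMware Fusion/Shared" \
             "$root/Application Support/Adobe/Uninstall/Resources" \
             "$root/Caches/com.example.cache" \
             "$root/Frameworks/Example.framework"
    # Four world-writable leaves: two should be flagged (VMware, Frameworks),
    # two are excluded (Adobe, Caches).
    chmod 777 "$root/Application Support/VMware/VMware Fusion/Shared" \
              "$root/Application Support/Adobe/Uninstall/Resources" \
              "$root/Caches/com.example.cache" \
              "$root/Frameworks/Example.framework"
    printf '%s\n' "$root"
}

# Stand-alone run: audit, remediate, audit again, clean up.
run_demo() {
    tree=$(make_sample_tree) || return 1
    echo "before: $(count_world_writable "$tree") world-writable director(ies)"
    remediate_world_writable "$tree"
    echo "after:  $(count_world_writable "$tree") world-writable director(ies)"
    rm -rf "$tree"
}
```

To use the functions against a real machine, call them with `/Library` as the argument (as root, like the posted script); the audit step can feed the count into the same `OrgScore`/`auditfilelocation` logic the Step 2 code uses, and the remediation step replaces the `for` loop in Step 3.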
Posted on 11-01-2016 11:54 AM
I'll start looking at the new scripts as soon as I can. Is there any thought on how to meet the Local Account password requirements from CIS without messing with AD accounts? The official CIS script has a section to create the plist file for pwpolicy, but I am not sure how to limit the enforcement to only local accounts over UID 500. Any chance that you could add that part of their script into the JAMF scripts?
Thanks,
Jason
Posted on 11-01-2016 12:08 PM
Afraid we just use AD here, so no help there.
We do still use pwpolicy for the local account, mostly just to keep the auditors happy, since we can legitimately say we're doing it across the board including local admin accounts.
Posted on 11-01-2016 12:11 PM
(also, just to clarify - the NIST scripts !=CIS. Looks like they're based on an internal NIST guide? But definitely a different baseline than CIS.)
Posted on 11-01-2016 12:24 PM
@Taylor.Armstrong The benchmark I worked against was CIS 10.11 v1.0.0. I'd definitely like to keep it updated once the 10.12 iteration is released.
@jason.bracy I have an outstanding "feature request" to myself to work on password compliance reporting, but I'm not sure what combination works best just yet. I do want to point out that NIST and CIS are not the same entity, and your organizational mileage may vary between the two sets of recommendations.
Posted on 11-01-2016 12:39 PM
Thanks @kenglish. Just wanted to verify since I know I'll be asked when I bring this up at our weekly change control meeting :)
FWIW, the CIS group bumped up their schedule - I believe initial release of the 10.12 baseline is scheduled for later this month, they're really picking up the pace compared to previous OS's.
Posted on 11-01-2016 12:44 PM
Wow! Can't believe that I overlooked that. TOO MANY ACRONYMS! CIS, NIST, DFARS, STIG. However since NIST is the one that is producing the requirements that we need to comply with by 12/2017, then maybe it's not a bad thing.
Posted on 11-01-2016 01:53 PM
FWIW, it would be great if the level 2 controls from CIS could be added in, but after reviewing today, once I separated out our deviations, there's only about a dozen or so left. This week's project will be attempting to incorporate those into your framework.
Posted on 11-01-2016 02:05 PM
@Taylor.Armstrong Looks like they have released the 10.12 benchmark - or at least it has been accepted for publication.
Posted on 11-01-2016 02:07 PM
@jason.bracy No sign of the 10.12 benchmark on the CIS site yet. As soon as it is, I'll be updating my own repo.
Posted on 11-01-2016 07:47 PM
Not quite yet, but I'll definitely update this discussion once we submit it for release :) Give it about 2 more weeks if the current schedule holds...
Posted on 11-09-2016 11:41 AM
OK, I figured out part of the problem. I was testing the scripts with my local admin account. The home folder for this account is in /private/var/. Apparently part of the script writes user preferences to /Users/$LOGGEDINUSER/Library/Preferences. So I will look at testing with a standard user later today.
Posted on 11-09-2016 11:52 AM
@jason.bracy That's very helpful, thanks. I can add logic to figure out the user path if it's in some non-standard location.
Posted on 11-09-2016 12:35 PM
Nice catch Jason. Our "normal" accounts don't follow that rule, but our Casper service account does, so it potentially might arise at some point in time.
Posted on 11-09-2016 01:12 PM
@kenglish The other item that seems to be an issue is:
# 5.10 Require an administrator password to access system-wide preferences
# Verify organizational score
Audit5_10="`defaults read "$plistlocation" OrgScore5_10`"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_10" = "1" ]; then
    adminSysPrefs=`security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep -c "true"`
    if [ "$adminSysPrefs" = "1" ]; then
        defaults write /tmp/system.preferences.plist shared -bool true
    else
        echo "5.10 passed"
    fi
fi
There doesn't seem to be a step that writes to the "security authorizationdb". This command seems to just write it to the tmp location, but never merges it to the actual authorizationdb. I think that the remediation command should actually be:
defaults write system.preferences.plist shared -bool false
Posted on 11-11-2016 01:13 PM
I think I've figured out a couple of the issues with the remediation script:
For the 5.10 remediation you need the following (thanks @rtrouton https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/):
security authorizationdb read system.preferences > /tmp/system.preferences.plist
defaults write /tmp/system.preferences.plist shared -bool false
security authorizationdb write system.preferences < /tmp/system.preferences.plist
Then for any of the user level preferences to actually take effect you need to add
killall cfprefsd
If you don't kill cfprefsd, then the changes are overwritten by the current settings. Haven't tested it, so you might also need to do a
killall -u $LOGGEDINUSER cfprefsd
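The three-line 5.10 sequence above (read the right to a file, edit the copy, write it back) is the whole fix; the original script stopped after the edit, so the authorization database never changed. Here is an added example of that read / check / modify / write cycle, not code from the Jamf scripts or from anyone in the thread. The function names are mine; `shared_is_true` is the audit check from the posted script lifted into a function; the plist edit uses awk so the check and edit can run anywhere, where on a Mac `defaults write <file> shared -bool false` on the temp copy, as in the post above, does the same job; and `SAMPLE_RIGHT` is a constructed plist shaped like what `security authorizationdb read system.preferences` prints, not captured from a real machine. The `security` calls themselves only run on macOS, as root:

```sh
#!/bin/sh
# Added example (not the Jamf script's own code): CIS 5.10 remediation as a
# read / check / modify / write cycle against the authorization database.
# Editing a copy of the right in /tmp changes nothing by itself; the edited
# plist has to be written back with `security authorizationdb write`.

# Audit check from the thread: prints 1 if the "shared" key of the right is
# true (anyone may unlock system-wide preferences), 0 otherwise. Reads the
# plist from stdin so a saved copy can be checked offline.
shared_is_true() {
    grep -A1 shared | grep -E '(true|false)' | grep -c true
}

# Flip the boolean that follows <key>shared</key> to <false/>; plist on stdin,
# result on stdout. Stand-in for `defaults write <file> shared -bool false`.
set_shared_false() {
    awk '
        prev_was_shared && /<true\/>/ { sub(/<true\/>/, "<false/>") }
        { prev_was_shared = ($0 ~ /<key>shared<\/key>/); print }
    '
}

# Full remediation of the system.preferences right. Only runs where the
# macOS `security` tool exists; returns 0 on success, 2 when skipped.
remediate_system_preferences() {
    command -v security >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    security authorizationdb read system.preferences > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(shared_is_true < "$tmp")" = "0" ]; then
        rm -f "$tmp"; echo "5.10 passed"; return 0
    fi
    set_shared_false < "$tmp" > "$tmp.new" || { rm -f "$tmp" "$tmp.new"; return 1; }
    # This is the step the original script was missing.
    security authorizationdb write system.preferences < "$tmp.new"
    rc=$?
    rm -f "$tmp" "$tmp.new"
    return $rc
}

# Constructed sample of the right (assumed shape, not a capture): shared is
# true, i.e. the failing state.
SAMPLE_RIGHT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>user</string>
	<key>group</key>
	<string>admin</string>
	<key>shared</key>
	<true/>
	<key>timeout</key>
	<integer>2147483647</integer>
</dict>
</plist>'

# Stand-alone run on the sample: before/after audit result.
run_demo() {
    echo "sample shared_is_true before: $(printf '%s\n' "$SAMPLE_RIGHT" | shared_is_true)"
    echo "sample shared_is_true after:  $(printf '%s\n' "$SAMPLE_RIGHT" | set_shared_false | shared_is_true)"
}
```

Because the right lives in the authorization database and not in a user preference domain, no preference-cache refresh is involved in making it stick; re-running `shared_is_true` on a fresh `security authorizationdb read` is the check that the write landed.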
Posted on 11-11-2016 02:54 PM
Sorry, I have to post this here. Please do not kill the cfprefsd process.
This was a dirty hack to refresh the preferences memory cache from 10.9 and doing so causes more potential harm than good. But don't just take my word on it: it was covered in the JNUC 2016 talk by @bentoms and @james_ridsdale .
Posted on 11-11-2016 09:05 PM
I appreciate the comment and the link, however using "killall cfprefsd" is the only way that I have been able to retain changes made to certain preferences when changing them with defaults. If you have a better way to make the changes stick, then please share.
Posted on 11-12-2016 12:07 AM
Ok. Authorisation database changes do not need cfprefsd restarted to take effect. Everything else can be done with configuration profiles, which is Apple's preferred method of applying preferences. I only include the defaults commands in my CIS repo for the sake of clarity.
When I get to implement this on the system i'm working on, it'll be via profiles ... at least the stuff that can be done via profiles. The rest will be scripts to run command line tools.
Posted on 11-12-2016 06:11 AM
CIS Benchmark for macOS 10.12 is out.
Posted on 11-13-2016 01:08 PM
Thanks franton - wasn't scheduled to be released until tomorrow, but looks like it is up early...
Posted on 11-13-2016 02:05 PM
@Taylor.Armstrong I logged in and there it was!
Posted on 11-21-2016 09:09 AM
@franton Appreciate the reply (Sorry for the delay in answering, I was traveling all last week)
I would also like to use profiles for configuring CIS requirements, however unfortunately our Cyber Sec team want the CIS tool to show the results of the test and the current implementation of the tools does not read profiles - it doesn't even read the authorizationsdb settings correctly.
I also have to deal with Macs in Secure areas and off network that do not have access to the JSS, so need to have a manual script that can run on those machines.
Obviously Profiles are the best way to go, but as we are all learning in regards to Compliance: Security ≠ Compliance. If the compliance audit tool can't read the settings, then we aren't compliant.
Posted on 11-21-2016 09:11 AM
@jason.bracy That's why I suggested having a look at my own CIS repo. I've EA's that do work with profiles. I currently work in Finance where that is a requirement also.
Posted on 11-28-2016 01:49 PM
BTW, others in this thread may already have seen, but since I just got back from vacation and hadn't seen a notice, video of Katie's presentation is up.
https://www.jamf.com/resources/digging-into-security-compliance-and-reporting/
@kenglish : I'm going to try to go through and flag the deltas between the 10.11 and 10.12 CIS benchmarks in the next couple of days, if you haven't had a chance to do so yet I'm happy to share if you'd like. My task for the next couple of weeks is to tweak the scripts for 10.12 as needed, along with pushing through review and approval of the 10.12 benchmark on our campus here for adoption.
Posted on 10-28-2019 10:37 PM
@kenglish I'm getting the same errors:
2019-10-29 15:57:28.637 defaults[1636:24616]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2019-10-29 15:57:28.718 defaults[1640:24628]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2019-10-29 15:57:28.741 defaults[1641:24631]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2.4.6 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist
Lots like this.
Running this version of the script:
written by Katie English, Jamf October 2016
updated for 10.12 CIS benchmarks by Katie English, Jamf February 2017
updated by Laurent Pertois, Jamf September 2018
github.com/jamfprofessionalservices
User is on Catalina.
Is there an updated script anywhere that fixes these errors?
Posted on 05-02-2022 06:14 AM
Hi, any updates to fixing Executing Policy CIS Baseline Scripts - Self Service
Script result:
2022-05-02 09:09:11.378 defaults[7261:67192] The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_1) does not exist
2022-05-02 09:09:11.392 defaults[7262:67203] The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_2) does not exist
2022-05-02 09:09:11.404 defaults[7264:67208] The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_3) does not exist
2022-05-02 09:09:11.416 defaults[7265:67213] The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_4) does not exist
2022-05-02 09:09:11.429 defaults[7266:67216] The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_5) does not exist
2022-05-02 09:09:11.442 defaults[7267:67220] The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_6) does not exist
2022-05-02 09:09:11.454 defaults[7268:67223] The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore2_1_1) does not exist
Posted on 05-02-2022 06:19 AM
We have validated that this path does exist, yet the GitHub CIS scripts seem not to see it. Every control is showing the "does not exist" error:
/Library/Application Support/SecurityScoring/org_security_score.plist