Errors running scripts for CIS Compliance from "Digging into Security, Compliance, and Reporting" session

jason_bracy
Contributor III

So, to test the CIS Compliance scripts linked to in the presentation, I built a clean Mac with 10.11.6 and ran the scripts unaltered. However, I received several errors, and when re-running the CIS tool, while some settings were changed, many still fail the test.

Looking at the Terminal output and the logs, it looks like the defaults commands are failing (and yes, I did run the scripts with sudo). Also a suggestion... Since the scripts seem to be performing the settings only on the currently logged-in user, I would suggest adding a loop that runs the commands on all users as well as all of the Template files.

Just wondering if anyone has had any success with these scripts? It is a huge step forward for me, but until I can get all of the settings to configure correctly, there will still be some work to do.

38 REPLIES

Taylor_Armstron
Valued Contributor

Same here Jason. I haven't had a chance this week to dig in too deeply (middle of audits this week!) but I'm seeing the same thing you are.

KatieE
Contributor

@jason.bracy Definitely interested in improving the workflows - can you give some examples of the errors you're seeing?

Thanks!
katie

jason_bracy
Contributor III

Here is the Terminal Output from the remediation script if that helps:

bash-3.2# /Users/Shared/2016_JNUC_Security_Reporting_Compliance-master/3_Security_Remediation.sh 
2016-10-27 15:52:06.638 defaults[2114:49386] 
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, AutomaticCheckEnabled) does not exist
2016-10-27 15:52:06.671 defaults[2117:49403] 
The domain/default pair of (/Library/Preferences/com.apple.commerce, AutoUpdate) does not exist
2016-10-27 15:52:06.713 defaults[2120:49415] 
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, ConfigDataInstall) does not exist
2.1.1 passed
2016-10-27 15:52:53.785 defaults[2203:50144] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.systemuiserver, menuExtras) does not exist
Error : nodename nor servname provided, or not known
2016-10-27 15:52:54.010 defaults[2213:50224] 
The domain/default pair of (com.apple.screensaver, idleTime) does not exist
2016-10-27 15:52:54.040 defaults[2215:50232] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2016-10-27 15:52:54.053 defaults[2216:50236] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2016-10-27 15:52:54.068 defaults[2217:50240] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tr-corner) does not exist
2016-10-27 15:52:54.082 defaults[2218:50245] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-br-corner) does not exist
2016-10-27 15:52:54.114 defaults[2220:50253] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2016-10-27 15:52:54.128 defaults[2221:50257] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2016-10-27 15:52:54.140 defaults[2222:50261] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-tr-corner) does not exist
2016-10-27 15:52:54.153 defaults[2223:50266] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.dock, wvous-br-corner) does not exist
2.4.1 passed
Print: Entry, ":NAT:AirPort:Enabled", Does Not Exist
Print: Entry, ":NAT:Enabled", Does Not Exist
Print: Entry, ":NAT:PrimaryInterface:Enabled", Does Not Exist
File Doesn't Exist, Will Create: /Library/Preferences/SystemConfiguration/com.apple.nat.plist
Delete: Entry, ":NAT:AirPort:Enabled", Does Not Exist
Delete: Entry, ":NAT:Enabled", Does Not Exist
Delete: Entry, ":NAT:PrimaryInterface:Enabled", Does Not Exist
2.4.3 passed
2.4.5 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist
Delete: Entry, ":PrefKeyServicesEnabled", Does Not Exist
2.4.8 passed
2.4.9 passed
Warning: Idle sleep timings for "AC Power" may not behave as expected.
- Disk sleep should be non-zero whenever system sleep is non-zero.
2.6.4 passed
/Users/Shared/2016_JNUC_Security_Reporting_Compliance-master/3_Security_Remediation.sh: line 379: [: : integer expression expected
2.8 passed
2.10 passed
4.1 passed
2016-10-27 15:52:55.303 defaults[2333:50534] 
The domain/default pair of (com.apple.systemuiserver, menuExtras) does not exist
4.4 passed
4.5 passed
4.6 passed
5.7 passed
5.8 passed
5.9 passed
5.18 passed
2016-10-27 15:53:21.135 defaults[2392:50830] 
The domain/default pair of (/Library/Preferences/com.apple.AppleFileServer, guestAccess) does not exist
2016-10-27 15:53:21.146 defaults[2393:50836] 
The domain/default pair of (/Library/Preferences/SystemConfiguration/com.apple.smb.server, AllowGuestAccess) does not exist
2016-10-27 15:53:21.179 defaults[2395:50844] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.finder, AppleShowAllExtensions) does not exist
2016-10-27 15:53:21.222 defaults[2398:50856] 
The domain/default pair of (/Users/caspertemp/Library/Preferences/com.apple.Safari, AutoOpenSafeDownloads) does not exist
6.3 passed

KatieE
Contributor

@jason.bracy That is helpful. Looks like I need to add in some additional error checking logic. Are you running the policies while a user is logged in (and does the output look similar if you do)?

Thanks,
katie

jason_bracy
Contributor III

I was logged in. I decided to see what the scripts would do on a clean install, so it wasn't even enrolled in Casper yet.

Thanks,

Jason

franton
Valued Contributor III

jason_bracy
Contributor III

Thanks @franton I'll give those a try.

jason_bracy
Contributor III

Also found this set of scripts for 10.10: https://github.com/usnistgov/applesec Don't know why I was never able to find that before. Seems to be the official NIST configuration, so we may be reinventing the wheel here...

Taylor_Armstron
Valued Contributor

FWIW, got a little more time to dig into the JAMF scripts. With the updates (a huge thank you to @kenglish) they appear to be working for the most part, but a few issues I'm seeing:

1) The following errors appear every time, and never go away despite "remediation". This despite the fact that they DO appear to be set when I check the actual machine:

2.4.2 Disable Internet Sharing
2.6.5 Review Application Firewall Rules
2.8 Pair the remote control infrared receiver if enabled
4.2 Enable Show Wi-Fi status in menu bar
* 5.1.4 Check Library folder for world writable files

(eg - Wi-Fi status IS in the menu bar, if I remove it and re-run the scripts, it IS corrected, but continues to be listed as a failure).

2) I'm a bit concerned about log sizes - 5.1.4 is creating HUGE logs on the systems I'm testing this on - the JSS truncates it with the message "[Log data was truncated to a max size of 1000000 bytes]". I already noticed a tiny increase in my backup size last night. It appears to be parsing directories incorrectly, as I have tons of entries such as the following:

chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/fr_FR.lproj: No such file or directory
chmod: 2487491: No such file or directory
chmod: 0: No such file or directory
chmod: drwxrwxrwx: No such file or directory
chmod: 3: No such file or directory
chmod: root: No such file or directory
chmod: wheel: No such file or directory
chmod: 102: No such file or directory
chmod: Dec: No such file or directory
chmod: 23: No such file or directory
chmod: 2015: No such file or directory
chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/fr_XM.lproj: No such file or directory
chmod: 2487493: No such file or directory
chmod: 0: No such file or directory
chmod: drwxrwxrwx: No such file or directory
chmod: 3: No such file or directory
chmod: root: No such file or directory
chmod: wheel: No such file or directory
chmod: 102: No such file or directory
chmod: Dec: No such file or directory
chmod: 23: No such file or directory
chmod: 2015: No such file or directory
chmod: Support/Adobe/Uninstall/{39C9FB9C-7A84-11E1-B574-D095DF20721F}/{39C9FB9C-7A84-11E1-B574-D095DF20721F}.app/Contents/Resources/French.lproj: No such file or directory
chmod: 24874

(Naturally... it HAD to be Adobe! ;) )

I'm not sure what the best compromise is, but I know that with logs hitting 1 MB each time it runs, this would more than double the size of my database within a few hours if I applied it to all systems, and continue to cause my logs to grow much faster than I'm really comfortable with.

KatieE
Contributor

@Taylor.Armstrong

Re: 5.1.4, I actually built in an exception for Adobe that's commented out by default in Step 3:

# for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do
#     chmod -R o-w $libPermissions
# done

The additional awesome thing about Adobe items in /Library is that even if you remediate, the next time the products update, they'll just break the permissions over again.

My inclination is to build in a permanent exception for that particular issue.

That would make Step 2 look like this:

# 5.1.4 Check Library folder for world writable files
# Verify organizational score
Audit5_1_4="`defaults read "$plistlocation" OrgScore5_1_4`"
# If organizational score is 1 or true, check status of client
if [ "$Audit5_1_4" = "1" ]; then
    libPermissions=`find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe | wc -l | xargs`
    # If client fails, then note category in audit file
    if [ "$libPermissions" = "0" ]; then
        echo "5.1.4 passed"; else
        echo "* 5.1.4 Check Library folder for world writable files" >> "$auditfilelocation"
    fi
fi

And Step 3:

# 5.1.4 Check Library folder for world writable files
# Verify organizational score
Audit5_1_4="`defaults read "$plistlocation" OrgScore5_1_4`"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_1_4" = "1" ]; then
    for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do
        chmod -R o-w $libPermissions
    done
fi

Will check into 2.4.2, 2.8, and 4.2 as well.

Taylor_Armstron
Valued Contributor

Well, that might teach me to re-read the script before complaining! :)
(seriously - thank you for this - HUGE step for us)

Can confirm that making the change and using the "Adobe" line resolved the massive log issue. Still having what looks like a few parsing issues (e.g. "chmod: Support/VMware/VMware: No such file or directory" and "chmod: Fusion/Shared: No such file or directory" - it appears to be breaking on a space in the directory path), but I'm down from 100 MB of results to something "normal". (FWIW, 22,231 lines in the log down to 92. I'd say that's better :)

If you don't mind my asking, which version of the CIS baseline is this based on? I'm testing against a 10.11 laptop, but will try to spin up a couple of VM's for additional testing as well. We generally use a slightly modified CIS for our setup, and we have a couple of people working on the 10.12 CIS effort now. I'm trying to go through and identify what settings from our "normal" baseline are missing from this and see what I can do to add them in, but you've given us a HUGE platform to start from.
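The chmod noise in the two posts above has one cause: `for libPermissions in $( find ... -ls ... )` word-splits the whole `-ls` listing, so the inode number, link count, `drwxrwxrwx`, `root`, `wheel` and the date columns each become a separate chmod operand (the `chmod: 2487491:`, `chmod: drwxrwxrwx:` and `chmod: Dec:` lines), and a path containing a space splits in two (`Support/VMware/VMware` and `Fusion/Shared`). The following is an added example, not code from the Jamf scripts or from anyone in this thread. It keeps the 5.1.4 test as posted (world-writable directories, `-type d -perm -2`) and the Caches/Adobe exception, but hands paths straight from `find` to `chmod` so nothing is ever split. The `-path` exclusions are my approximation of `grep -v Caches | grep -v Adobe`, and the directory tree in the demo is constructed for illustration, not a real /Library.

```bash
#!/bin/sh
# Added example, not code from the Jamf scripts or from this thread: CIS 5.1.4
# audit and remediation of world-writable directories without word splitting.
# Paths travel from find to chmod as arguments, so spaces and the columns of
# an -ls listing can never become separate chmod operands.

# Shared predicates for both functions; extra find actions are appended.
# The -path exclusions approximate the thread's "grep -v Caches | grep -v Adobe".
find_world_writable_dirs() {
    ww_root="$1"
    shift
    find "$ww_root" -type d -perm -2 \
        ! -path '*/Caches' ! -path '*/Caches/*' \
        ! -path '*/Adobe'  ! -path '*/Adobe/*' \
        "$@"
}

# Audit (Step 2 equivalent): print the number of offending directories.
audit_world_writable() {
    find_world_writable_dirs "$1" -print | wc -l | tr -d ' '
}

# Remediate (Step 3 equivalent): strip the "other" write bit from each hit.
# find already visits every subdirectory, so no chmod -R is needed.
remediate_world_writable() {
    find_world_writable_dirs "$1" -exec chmod o-w '{}' +
}

# Pass/fail line in the thread's audit format, for a library root given as $1.
report_5_1_4() {
    if [ "$(audit_world_writable "$1")" = "0" ]; then
        echo "5.1.4 passed"
    else
        echo "* 5.1.4 Check Library folder for world writable files"
    fi
}

# Demonstration on a constructed tree (not a real /Library): one directory
# with a space in its name that must be fixed, and two that the exception
# must leave alone.
demo_5_1_4() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Application Support/VMware Fusion" \
             "$tmp/Caches/Adobe Cache" "$tmp/Adobe/Uninstall"
    chmod 755 "$tmp/Application Support" "$tmp/Caches" "$tmp/Adobe"
    chmod 777 "$tmp/Application Support/VMware Fusion" \
              "$tmp/Caches/Adobe Cache" "$tmp/Adobe/Uninstall"
    echo "before: $(audit_world_writable "$tmp") to fix"; report_5_1_4 "$tmp"
    remediate_world_writable "$tmp"
    echo "after:  $(audit_world_writable "$tmp") to fix"; report_5_1_4 "$tmp"
    rm -rf "$tmp"
}

demo_5_1_4
```

In the scripts, `report_5_1_4 /Library` would replace the Step 2 test and `remediate_world_writable /Library` the Step 3 loop; because chmod only ever receives real paths, the log holds one line per directory actually changed rather than one error per listing column.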

jason_bracy
Contributor III

I'll start looking at the new scripts as soon as I can. Is there any thought on how to meet the Local Account password requirements from CIS without messing with AD accounts? The official CIS script has a section to create the plist file for pwpolicy, but I am not sure how to limit the enforcement to only local accounts over UID 500. Any chance that you could add that part of their script into the JAMF scripts?

Thanks,

Jason

Taylor_Armstron
Valued Contributor

Afraid we just use AD here, so no help there.

We do still use pwpolicy for the local account, mostly just to keep the auditors happy, since we can legitimately say we're doing it across the board including local admin accounts.

Taylor_Armstron
Valued Contributor

(also, just to clarify - the NIST scripts != CIS. Looks like they're based on an internal NIST guide? But definitely a different baseline than CIS.)

KatieE
Contributor

@Taylor.Armstrong The benchmark I worked against was CIS 10.11 v1.0.0. I'd definitely like to keep it updated when the 10.12 iteration is released.

@jason.bracy I have an outstanding "feature request" to myself to work on password compliance reporting, but I'm not sure what combination works best just yet. I do want to point out that NIST and CIS are not the same entity, and your organizational mileage may vary between the two sets of recommendations.

Taylor_Armstron
Valued Contributor

Thanks @kenglish. Just wanted to verify since I know I'll be asked when I bring this up at our weekly change control meeting :)

FWIW, the CIS group bumped up their schedule - I believe initial release of the 10.12 baseline is scheduled for later this month; they're really picking up the pace compared to previous OSes.

jason_bracy
Contributor III

Wow! Can't believe that I overlooked that. TOO MANY ACRONYMS! CIS, NIST, DFARS, STIG. However since NIST is the one that is producing the requirements that we need to comply with by 12/2017, then maybe it's not a bad thing.

Taylor_Armstron
Valued Contributor

FWIW, it would be great if the level 2 controls from CIS could be added in, but after reviewing today, once I separated out our deviations, there's only about a dozen or so left. This week's project will be attempting to incorporate those into your framework.

jason_bracy
Contributor III

@Taylor.Armstrong Looks like they have released the 10.12 benchmark - or at least it has been accepted for publication.

franton
Valued Contributor III

@jason.bracy No sign of the 10.12 benchmark on the CIS site yet. As soon as it is, I'll be updating my own repo.

Taylor_Armstron
Valued Contributor

Not quite yet, but I'll definitely update this discussion once we submit it for release :) Give it about 2 more weeks if the current schedule holds...

jason_bracy
Contributor III

OK, I figured out part of the problem. I was testing the scripts with my local admin account. The home folder for this account is in /private/var/. Apparently part of the script writes user preferences to /Users/$LOGGEDINUSER/Library/Preferences. So I will look at testing with a standard user later today.

KatieE
Contributor

@jason.bracy That's very helpful, thanks. I can add logic to figure out the user path if it's in some non-standard location.

Taylor_Armstron
Valued Contributor

Nice catch Jason. Our "normal" accounts don't follow that rule, but our Casper service account does, so it potentially might arise at some point in time.

jason_bracy
Contributor III

@kenglish The other item that seems to be an issue is:

# 5.10 Require an administrator password to access system-wide preferences
# Verify organizational score
Audit5_10="`defaults read "$plistlocation" OrgScore5_10`"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_10" = "1" ]; then
    adminSysPrefs=`security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep -c "true"`
    if [ "$adminSysPrefs" = "1" ]; then
        defaults write /tmp/system.preferences.plist shared -bool true; else
        echo "5.10 passed"
    fi
fi

There doesn't seem to be a step that writes to the "security authorizationdb". This command seems to just write it to the tmp location, but never merges it to the actual authorizationdb. I think that the remediation command should actually be:

defaults write system.preferences.plist shared -bool false

jason_bracy
Contributor III

@kenglish

I think I've figured out a couple of the issues with the remediation script:

For the 5.10 remediation you need the following (thanks @rtrouton https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/):

security authorizationdb read system.preferences > /tmp/system.preferences.plist
defaults write /tmp/system.preferences.plist shared -bool false
security authorizationdb write system.preferences < /tmp/system.preferences.plist

Then for any of the user level preferences to actually take effect you need to add

killall cfprefsd

If you don't kill cfprefsd, then the changes are overwritten by the current settings. Haven't tested it, so you might also need to do a

killall -u $LOGGEDINUSER cfprefsd
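Putting the three-line round-trip above into a checkable form, as an added example rather than code from the Jamf scripts or from anyone in this thread: the audit reads the `shared` flag out of the exported right, remediation exports the right to a private temp file, sets the flag to false, imports it back, and then re-reads the right to confirm the value actually changed, which is the step the original Step 3 was missing. `/usr/libexec/PlistBuddy` is used in place of `defaults write` so the temp file can keep a random name without a `.plist` suffix. `security authorizationdb` and PlistBuddy only exist on macOS and the write needs root, so only the plist parser runs elsewhere; the sample plist at the top is constructed for that purpose and is not a real export, and the parser assumes the pretty-printed XML layout (`<key>shared</key>` followed by `<true/>` or `<false/>` on the next line) that `security authorizationdb read` produces.

```bash
#!/bin/sh
# Added example (not the Jamf scripts' code): CIS 5.10 audit and remediation
# via the security authorizationdb read / modify / write round-trip.
# Assumes macOS for security(1) and PlistBuddy; run remediation as root.

# Constructed stand-in for an exported right, used only for the offline check
# of the parser below. A real export of system.preferences carries more keys.
SAMPLE_RIGHT_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>comment</key>
    <string>constructed sample, not a real export</string>
    <key>shared</key>
    <true/>
</dict>
</plist>'

# Print "true", "false" or "missing" for the <key>shared</key> entry of the
# XML plist on stdin. The value element is expected on the line after the key.
shared_flag_from_plist() {
    awk '
        found && /<true\/>/  { print "true";  printed = 1; exit }
        found && /<false\/>/ { print "false"; printed = 1; exit }
        /<key>shared<\/key>/ { found = 1 }
        END { if (!printed) print "missing" }
    '
}

# Audit: the control passes only when shared is false, i.e. unlocking
# system-wide preference panes requires an administrator's credentials.
audit_5_10() {
    flag=$(security authorizationdb read system.preferences 2>/dev/null | shared_flag_from_plist)
    if [ "$flag" = "false" ]; then
        echo "5.10 passed"
        return 0
    fi
    echo "* 5.10 Require an administrator password to access system-wide preferences (shared=$flag)"
    return 1
}

# Remediate: export the right to a private temp file (mktemp rather than a
# fixed /tmp name, so no other local user can pre-create the path), set
# shared to false, import it back, then re-read to confirm it stuck.
remediate_5_10() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/system.preferences.XXXXXX") || return 1
    if ! security authorizationdb read system.preferences > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    /usr/libexec/PlistBuddy -c 'Set :shared false' "$tmp" || { rm -f "$tmp"; return 1; }
    security authorizationdb write system.preferences < "$tmp"
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || return 1
    [ "$(security authorizationdb read system.preferences 2>/dev/null | shared_flag_from_plist)" = "false" ]
}

# Offline demonstration of the parser on the constructed sample and on the
# same sample with the flag flipped, which is what remediation produces.
demo_parser() {
    printf '%s\n' "$SAMPLE_RIGHT_PLIST" | shared_flag_from_plist
    printf '%s\n' "$SAMPLE_RIGHT_PLIST" | sed 's#<true/>#<false/>#' | shared_flag_from_plist
}

demo_parser
```

`remediate_5_10 && audit_5_10` is the sequence a remediation script would run; the function returns non-zero if the re-read still shows `shared` as true, so a failed import is visible in the policy log instead of being reported as passed.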

franton
Valued Contributor III

@jason.bracy

Sorry, I have to post this here. Please do not kill the cfprefsd process.

This was a dirty hack to refresh the preferences memory cache from 10.9 and doing so causes more potential harm than good. But don't just take my word on it: it was covered in the JNUC 2016 talk by @bentoms and @james_ridsdale.

jason_bracy
Contributor III

@franton

I appreciate the comment and the link, however using "killall cfprefsd" is the only way that I have been able to retain changes made to certain preferences when changing them with defaults. If you have a better way to make the changes stick, then please share.

franton
Valued Contributor III

Ok. Authorisation database changes do not need cfprefsd restarted to take effect. Everything else can be done with configuration profiles, which is Apple's preferred method of applying preferences. I only include the defaults commands in my CIS repo for the sake of clarity.

When I get to implement this on the system I'm working on, it'll be via profiles ... at least the stuff that can be done via profiles. The rest will be scripts to run command line tools.

franton
Valued Contributor III

CIS Benchmark for macOS 10.12 is out.

Taylor_Armstron
Valued Contributor

Thanks franton - wasn't scheduled to be released until tomorrow, but looks like it is up early...

franton
Valued Contributor III

@Taylor.Armstrong I logged in and there it was!

jason_bracy
Contributor III

@franton Appreciate the reply (Sorry for the delay in answering, I was traveling all last week)

I would also like to use profiles for configuring CIS requirements, however unfortunately our Cyber Sec team wants the CIS tool to show the results of the test and the current implementation of the tools does not read profiles - it doesn't even read the authorizationdb settings correctly.

I also have to deal with Macs in Secure areas and off network that do not have access to the JSS, so need to have a manual script that can run on those machines.

Obviously Profiles are the best way to go, but as we are all learning in regards to Compliance: Security ≠ Compliance. If the compliance audit tool can't read the settings, then we aren't compliant.

franton
Valued Contributor III

@jason.bracy That's why I suggested having a look at my own CIS repo. I've EAs that do work with profiles. I currently work in Finance where that is a requirement also.

Taylor_Armstron
Valued Contributor

BTW, others in this thread may already have seen, but since I just got back from vacation and hadn't seen a notice, video of Katie's presentation is up.

https://www.jamf.com/resources/digging-into-security-compliance-and-reporting/

@kenglish : I'm going to try to go through and flag the deltas between the 10.11 and 10.12 CIS benchmarks in the next couple of days, if you haven't had a chance to do so yet I'm happy to share if you'd like. My task for the next couple of weeks is to tweak the scripts for 10.12 as needed, along with pushing through review and approval of the 10.12 benchmark on our campus here for adoption.

jlbrown
New Contributor

@kenglish I'm getting the same errors:

2019-10-29 15:57:28.637 defaults[1636:24616]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2019-10-29 15:57:28.718 defaults[1640:24628]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-bl-corner) does not exist
2019-10-29 15:57:28.741 defaults[1641:24631]
The domain/default pair of (/Users/cameron/Library/Preferences/com.apple.dock, wvous-tl-corner) does not exist
2.4.6 passed
Print: Entry, ":PrefKeyServicesEnabled", Does Not Exist

Lots like this.

Running this version of the script:

written by Katie English, Jamf October 2016
updated for 10.12 CIS benchmarks by Katie English, Jamf February 2017
updated by Laurent Pertois, Jamf September 2018
github.com/jamfprofessionalservices

User is on Catalina.

Is there an updated script anywhere that fixes these errors?

Espaay
New Contributor III

Hi, any updates to fixing Executing Policy CIS Baseline Scripts - Self Service

Script result:
2022-05-02 09:09:11.378 defaults[7261:67192]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_1) does not exist
2022-05-02 09:09:11.392 defaults[7262:67203]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_2) does not exist
2022-05-02 09:09:11.404 defaults[7264:67208]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_3) does not exist
2022-05-02 09:09:11.416 defaults[7265:67213]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_4) does not exist
2022-05-02 09:09:11.429 defaults[7266:67216]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_5) does not exist
2022-05-02 09:09:11.442 defaults[7267:67220]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore1_6) does not exist
2022-05-02 09:09:11.454 defaults[7268:67223]
The domain/default pair of (/Library/Application Support/SecurityScoring/org_security_score.plist, OrgScore2_1_1) does not exist

Espaay
New Contributor III

We have validated that this path does exist, yet the GitHub CIS scripts seem not to see it. Every control is showing the "does not exist" error:

/Library/Application Support/SecurityScoring/org_security_score.plist