Posted on 11-22-2022 04:26 AM
I'm working on the CIS benchmarks for Monterey and I'm stuck at these points:
- Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements (Automated)
- Ensure install.log Is Retained for 365 or More Days and No Maximum Size (Automated)
- Ensure Security Auditing Retention Is Enabled (Automated)
- Ensure Access to Audit Records Is Controlled (Automated)
- Ensure Sealed System Volume (SSV) Is Enabled (Automated)
- Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated)
- Ensure the Sudo Timeout Period Is Set to Zero (Automated)
- Ensure a Separate Timestamp Is Enabled for Each User/tty Combo (Automated)
- Ensure the "root" Account Is Disabled (Automated)
- Alert when the log capacity is over 75%
- Alert user & admin about audit logging failures
- Dedicated user to decrypt the hard disk upon startup
- Shut down the system if audit logging stopped
Can anybody help out and share their solution?
Posted on 11-22-2022 04:37 AM
Posted on 11-22-2022 09:37 AM
Surprisingly, I couldn't find what I'm asking for in there!!
Posted on 11-22-2022 11:22 AM
What are you trying to do? How to set those settings? Do you have the CIS Benchmark downloaded? It has a check and fix in the document, not to mention the way to set those is in the macOS Security Compliance Project.
Posted on 11-22-2022 11:28 AM
Download the zip based on your macOS (Monterey/Ventura), extract it and find the PDF in the CIS macOS Benchmark folder.
Posted on 11-23-2022 11:38 AM
@boberito @YanW I'm trying to find a remediation for the points I mentioned; some of them are not there at all!
- Alert when the log capacity is over 75%
- Alert user & admin about audit logging failures
- Shut down the system if audit logging stopped
And for others I'm getting an error when deploying the fix mentioned in the PDF.
Posted on 11-25-2022 10:16 AM
If you look at the GitHub project, they are there. All of those would be under rules -> audit.
Those 3 things are also not part of the CIS macOS Benchmark for Monterey (1.1.0 or 2.0) or even Ventura. So that's why you won't find them in the CIS PDF. They are in the project however.
Here's an old video on how to use the project - https://www.youtube.com/watch?v=mpEBEelSWlI&t=3s
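Added example, not part of any post in this thread and not code from the CIS PDF or the macOS Security Compliance Project: a check script for two of the audit items asked about above (alert when log capacity is over 75%, shut down if audit logging stops) plus the audit retention item, all of which are settings in the OpenBSM `audit_control` file. The function names, the 25 percent threshold and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Thresholds are assumptions; use your organization's values.

# Print the value of a "key:value" line from an audit_control-style file.
audit_value() {  # $1 = key, $2 = file
    awk -F: -v k="$1" '$1 == k { sub(/^[^:]*:/, ""); print; exit }' "$2"
}

# minfree is the percentage of free space below which auditd issues a
# warning, so minfree:25 means "warn when the volume is over 75% full".
check_minfree() {  # $1 = file, $2 = required percent
    v=$(audit_value minfree "$1")
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge "$2" ]
}

# The ahlt policy flag halts the system when an event cannot be audited.
check_halt_on_failure() {  # $1 = file
    audit_value policy "$1" | tr -d ' ' | tr ',' '\n' | grep -qx 'ahlt'
}

# expire-after controls when old audit trail files are removed.
check_retention_set() {  # $1 = file
    [ -n "$(audit_value expire-after "$1")" ]
}

# Echo the space-separated names of the checks that fail (empty if none).
failing_checks() {  # $1 = file, $2 = required minfree percent
    out=""
    check_minfree "$1" "$2" || out="$out minfree"
    check_halt_on_failure "$1" || out="$out ahlt"
    check_retention_set "$1" || out="$out expire-after"
    echo "${out# }"
}

# Constructed sample file, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
echo "failing checks: $(failing_checks "$sample" 25)"
rm -f "$sample"
```

On a Mac, call `failing_checks /etc/security/audit_control 25` as root; an empty result means all three settings are in place.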
Posted on 11-29-2022 05:45 AM
To add on to what others have suggested, JAMF is working on their own NIST project called JAMF Compliance Editor. Reach out to your JAMF Rep for more info. JAMF had an Open Hours call about this very topic on 11.7 and is planning another call on 12.7, but that is still a tentative date.
Establishing Compliance Baselines (jamf.com)
MacOS Compliance Open Hours - Jamf Nation Community - 276931