Mac OS X Security Checklist

milesleacy
Valued Contributor

The Mac OS X Security Checklist posted by JAMF Software (link below) is nice, but where's the accompanying technical paper that shows customers how to implement the recommendations referenced?

Some community members have the knowledge to just run with the bulletpoints, but some don't. Even for those of us who do, it would be a great value add to have these things documented so all we have to do is test rather than research, create, and test.

Mac OS X Security Checklist

14 REPLIES 14

gachowski
Valued Contributor II

We use Mac benchmarks, from CIS

https://benchmarks.cisecurity.org

It's based on the old Apple/NSA X.6 doc that hasn't been updated since then but CIS has tried their best to keep it updated. They include a "how to" set the each setting if it can be set. : )

C

mm2270
Legendary Contributor III

Interesting. When was this white paper created? It may have been there a long time and I just never saw it, but I just took a look and one of the features of Casper Suite listed is "Patch Management". That seems slightly misleading since Casper Suite does not really have a true Patch Management function. Yes, you can get there with the use of 3rd party or manually created packages, Smart Groups and policies, (or some help with AutoPkgr) but its not exactly the same thing. If it was, JAMF wouldn't be working to bring a Patch Management function to the suite.
This is more true for straight OS X updates coming from a SUS though.

Anyway, I agree, having some accompanying documentation for each recommendation on best practices to implement them would be nice. For brand new Casper Suite customers coming into the fold and being asked to secure their Mac environment, this would be an incredible resource. Not just the recommendations, but steps on how to get there.

kish_jayson
Contributor

We create a Minimum Security Baseline and update a corresponding document based on the CIS Benchmarks anytime we roll out a newer version of the operating system. You can download them from here:

https://benchmarks.cisecurity.org/downloads/multiform/index.cfm

Not every recommendation is practical to implement, but definitely a lot of good information.

davidhiggs
Contributor III

We've also been using this, it's a great reference for building up a security compliance report and they give you all the CLI commands you need to do it. I found Yosemite had a few errors, but generally pretty good. The Yosemite report took several months to come out from CIS after the release of 10.10, i'm glad to see the El Cap report is already out!

We took a selection of security controls and created a script which we put into Self Service. This idea came about from staff that were travelling overseas and wanted to ensure they had the best protection applied to their machine. We can't always tightly manage our environment, so this was a good compromise and allows them to easily apply it when needed.

Highly recommended!

68015c4483a341ea9fcf09aab7b67f7c

david_dondero
New Contributor II

@davidhiggs David I would love it if you could share your script with everyone. I am sure everyone secures their Macs differently but it would be great to share and see the why as well as the how...

milesleacy
Valued Contributor

@david.dondero That's exactly what I'm calling for. The document I linked to has lots of recommended settings, for example "Disable Remote Apple Events in Sharing". If I'm new to all of this, how do I know how to disable remote Apple events?

gachowski
Valued Contributor II

Straight from the CIS Doc... @ : )

https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.11_Benchmark_v1.0.0.pdf

2.4.1 Disable Remote Apple Events (Scored) Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer. Rationale: Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system. Audit: Perform the following to ensure the system is configured as prescribed:

1. Run the following command in Terminal: 
 sudo systemsetup -getremoteappleevents 
 3. Verify the value returned is Remote Apple Events: Off 


Remediation: Perform the following to implement the prescribed state:

1. Run the following command in Terminal: sudo systemsetup -setremoteappleevents off

gachowski
Valued Contributor II

Also here is a link to my git hub that is my 1st run scrip that has how and which setting we use...

https://github.com/uraqt/Scripts/blob/master/Config

spraguga
Contributor

@milesleacy @davidhiggs @daviddondero +1 for CIS, all separate EAs and policies for troubleshooting and reporting.

milesleacy
Valued Contributor

I suppose that I'm making a very vague feature request...

Unless this is a marketing document for the professional services team, which really isn't JAMF's MO, in my experience; when publishing a set of recommendations, it is much more helpful to publish a set of instructions for implementing those recommendations.

davidhiggs
Contributor III

@david.dondero whoops sorry missed your request. here it is, quite basic with no checking. at some point i'll expand this to cover 10.9-10.11. Not all the AppStore stuff was in that document, so I had to fill in the blanks. Seems 10.11 have changed things a bit too.

#!/bin/bash

#Secure My Mac, written by David Higgs. Based on CIS audit for Yosemite v1.0.0

#1.x Install Updates, Patches and Additional Security Software
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool true
defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool true

#2.6.2 Enable Gatekeeper
spctl --master-enable

#3.2 Enable security auditing
launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

#5.7 Disable automatic login
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

#5.8 Require a password to wake the computer from sleep or screen saver
defaults write com.apple.screensaver askForPassword -int 1

#6.3 Disable the automatic run of safe files in Safari
defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no

exit 0

gachowski
Valued Contributor II

Not so sure about

3.2 Enable security auditing

launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

I think man page might say not to load it that way it's not clear.

C

davidhiggs
Contributor III

@gachowski thanks C, will also check your first run script too for ideas :)

MacJunior
Contributor III

@davidhiggs do you have an updated script to secure a Mac based on CIS benchmarks but for Monterey?