Set home folder permission per CIS benchmark

tvieson
New Contributor

I'm attempting to follow the CIS macOS 10.12 security benchmark. One of the recommendations (5.1.1) is to remove read and execute from group and global. Easy enough to document, but for a live environment we'd want something to run when a new home folder is created.

Testing has revealed that sudo is required so I'm thinking a script to loop through home folders and run:

sudo chmod -R og-rwx /Users/<username>

Issue I have, being a macOS admin n00b, is what should the daemon/plist be configured to monitor to ensure I'm running the script at the correct time. Or perhaps there is a master "home folder" permission template I can modify to ensure new home folders adhere to the CIS recommendation.


Taylor_Armstron
Valued Contributor

FYI - if you haven't yet, you may want to look at JAMF's scripts for implementing CIS...

https://www.jamf.com/jamf-nation/discussions/21882/errors-running-scripts-for-cis-compliance-from-digging-into-security-compliance-and-reporting-session

I'm not trying to run it when the home folder is created, but you could run it periodically, or run it at login to probably achieve the desired result.
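An added example (not the poster's or Jamf's code) of the audit-and-remediate loop described in the question, written so it can be run from a periodic LaunchDaemon or a login policy as the reply suggests. The users root is a parameter (defaulting to /Users) so it can be exercised on a scratch directory without root; skipping the Shared and Guest folders is an assumption, since Shared must stay accessible to all local users.

```shell
#!/bin/sh
# Added example, not from the original thread: enforce CIS 5.1.1 style
# home-folder permissions (no group/other access) across all home folders.

# Print "open" if group or other hold any permission bit on the path,
# otherwise "closed". Columns 5-10 of `ls -ld` are the group and other
# permission characters; this works on both BSD (macOS) and GNU ls.
home_mode_state() {
    if ls -ld "$1" | cut -c5-10 | grep -q '[rwx]'; then
        echo open
    else
        echo closed
    fi
}

# Walk every directory under the users root and strip group/other rwx
# recursively from those that are still open. Shared and Guest are
# skipped (assumption: Shared is intentionally world-accessible, Guest is
# transient). Prints the number of home folders that were changed.
secure_home_folders() {
    users_root=${1:-/Users}
    changed=0
    for home in "$users_root"/*; do
        [ -d "$home" ] || continue
        case $(basename "$home") in
            Shared|Guest) continue ;;
        esac
        if [ "$(home_mode_state "$home")" = open ]; then
            # Only touch folders that fail the check, so a periodic run
            # is idempotent and cheap once everything is compliant.
            chmod -R og-rwx "$home"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}
```

Run it as root (e.g. `secure_home_folders /Users`) from a LaunchDaemon with a StartInterval or from a login-triggered policy; a non-zero count on a later run tells you a new or reset home folder drifted from the benchmark.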

milesleacy
Valued Contributor

Please note that use of CIS recommendations must be tempered by usability. Be careful and test all workflows and apps in your environment against this change.

As you're a self-described "macOS admin n00b", please know that modifying the way one's home folder behaves may result in unexpected operations and/or downtime.

Unless your users are both sharing computers with individuals unauthorized to see their files and storing their files in improper/nonstandard locations, there is little, if any risk from the default home folder permissions.