Posted on 06-20-2024 08:46 AM
Hi
i need help.
We want to monitor Time Machine. If Time Machine is disabled on Macs, Jamf Protect should trigger an alert and notify me. In the custom analytics, there is a sensor type called "File System Event" that can monitor which files are created, updated, or deleted. The question is, is it possible in Jamf Protect to match the content of files (plist) when creating custom analytics? For example, to search for a key "LastKnownEncryptionState" in /Library/Preferences/com.apple.TimeMachine.plist?
We also want to monitor the firewall . If users disable them, we need to be notified. In Jamf Protect, we can create custom analytics and upload scripts. I have already implemented this for the firewall. When I use the terminal and execute the command 'socketfirewallfw', Jamf Protect is alerted and I receive a notification. However, Jamf Protect does not get alerted when I disable the firewall through the System Preferences on the desktop.
please with examples :)
Thanks
Posted on 06-20-2024 09:02 AM
Hi @Grisha
Time Machine can be restricted using Jamf Pro - Configuration Profiles - Restrictions - `Allow modifying Time Machine settings (macOS 14 or later)` and then there's no need for monitoring. Optionally the execution of Time Machine can be restricted using either Jamf Pro restricted software or Threat Prevention in Jamf Protect.
Similar to the FireWall that can be restricted from being modified using Jamf Pro Configuration Profiles.
Posted on 06-21-2024 12:26 AM
Thank you very much for the quick response. We do not want to restrict our users, but rather monitor whether they comply with our security rules. In GitLab (https://github.com/jamf/jamfprotect), I found Compliance, but it does not have what I am looking for, so I built my own compliance script. Unfortunately, it does not work. Can you help check if the script is correct or give tips on how to check the script?
Time Mashine:
$event.path MATCHES[cd] "/Library/Preferences/com.apple.TimeMachine.plist" AND FUNCTION($event.file, "Backup:", ".Destinations.LastKnownEncryptionState") == "NotEncrypted"
or
$event.path MATCHES[cd] "/Library/Preferences/com.apple.TimeMachine.plist" AND $event.file.access.LastKnownEncryptionState CONTAINS "NotEncrypted"
Firewall:
$event.type == 1 AND
$event.process.signingInfo.appid == "com.apple.socketfilterfw" AND
$event.process.args.@count > 0 AND
(((ANY $event.process.args IN {"--setglobalstate", "--setloggingmode", "--setblockall"}) AND (ANY $event.process.args == "off")) OR (ANY $event.process.args IN {"--unblockapp", "--remove"}))
06-26-2024 12:51 AM - edited 06-26-2024 12:51 AM
Hey @Grisha
This one should work related to Time Machine -> https://github.com/jamf/jamfprotect/blob/new_timemachine_analytic/custom_analytic_detections/timemac... soon in Jamf Protect there will be other options to monitor Time Machine backups but this will be sufficient for now.
Related to the firewall Analytic - it seems you've used the one from our repository, are you reporting that it's not working as expected?
Posted on 06-26-2024 05:13 AM
Many thanks for your help. With Compliance Time Machine, I've tested it and it works. Regarding the firewall, I found Compliance in GitLab () and tested it. Our expectation was that if I disable the firewall, Jamf Protect would alert, but it only happens when I run the command "socketfirewallfw" in the console. If I disable the firewall through the desktop settings -> network -> firewall, Jamf Protect does not alert. My question is, can Jamf Protect alert not only when I run a command in the terminal but also when I go to settings and disable the firewall through the desktop?
or
We probably need to add something so that Compliance works as we wish?
we use Compliance Custom Analytics for Firewall:
$event.type == 1 AND
$event.process.signingInfo.appid == "com.apple.socketfilterfw" AND
$event.process.args.@count > 0 AND
(((ANY $event.process.args IN {"--setglobalstate", "--setloggingmode", "--setblockall"}) AND (ANY $event.process.args == "off")) OR (ANY $event.process.args IN {"--unblockapp", "--remove"}))
Posted on 06-26-2024 08:44 AM
I have resolved the issue with the firewall. Thank you once again. I have the last 2 questions with predicate is for me new, can you please tell me, is it possible to check Compliance Custom Analytics before I upload it in Jamf Protect via Terminal on Macs using a specific command or script?
please with examples :)
I am not clear about the event type flags. I found something for Flag in Jamf Protect, can you please confirm if they are correct? If not, please provide me with the link.
Event Type 0 (Creation): This represents the creation of a file or directory.
Event Type 1 (Deletion): Indicates that a file or directory has been deleted.
Event Type 2 (Attribute Change): Refers to changes in the attributes of a file or directory, such as permissions.
Event Type 3 (Update): This denotes an update to an existing file or directory, such as modifications to its contents.
Event Type 4 (Rename): This indicates that a file or directory has been renamed.
Event Type 5 (Read): Represents that a file or directory has been read.
Event Type 6 (Execution): Indicates that a file has been executed