DOCUMENT LAST UPDATED
2019-08-07
DOCUMENT PURPOSE
CIS Apple macOS 10.13 Benchmark
2.3 Desktop & Screen Saver
2.3.2 Secure screen saver corners (Scored) - Level 2
2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (Not Scored) - Level 1
TEST CONDITIONS
2019-08-07 - TESTED ON macOS 10.13 and 10.14
OVERVIEW
According to CIS Apple macOS 10.13 Benchmark v1.0.0 for 2.3.2 and 2.3.3...
This sounds fairly straightforward until you read the remediation sections for those benchmarks.
2.3.2 Secure screen saver corners (Scored) - Level 2
CIS recommends the following methodology...
Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Mission Control
3. Select Hot Corners
4. Remove any corners which are set to Disable Screen Saver
Well, that's not exactly an automated approach. Hmmm...
NOTE: In 2.3.3 they "allude" to the method.
2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (Not Scored) - Level 1
CIS quickly moves on to this secondary benchmark, which suggests we need to familiarize users with screen lock tools or a corner to Start Screen Saver.
They don't really go into any detail on how to familiarize users.
NOTE: There are many methods to invoke the screen saver. Many of them are beyond the knowledge of the typical user. The CIS method (a hot corner) is one of the more direct ones.
Additionally - let's say you do manage to automate this using the CIS suggestion that's "hinted" at... You're most likely going to piss off your users if they use their hot corners like mine do. You don't want to keep wiping their corners out.
With that... I give you my solution to this wonky benchmark.
I wrote a simple script that performs the following...
- Allows the user to keep 3 of the 4 hot corners for their own personal needs
- Tests whether the user's com.apple.dock.plist actually exists
- Tests whether the user has jamfHelper - not a deal breaker if they don't
- Runs the commands that touch the user's preferences AS the user (sudo -u) - this is important so you don't jack up their Dock
- Applies the hot corner settings immediately without logging out or rebooting - CIS benchmark 2.3.2
- Ignores users who are already compliant! No alerts!
- Takes into account hot corners that have never been set (the plist is mysteriously missing those attributes on new devices)
- Informs the user what's happening and even has an unattended mode (the dialogs auto-continue after a 30 second countdown)
- Alerts the user at the end and "trains" them on how to use the hot corner, thereby meeting CIS benchmark 2.3.3
- Tests for "Disable Screen Saver", alerts the user, and remediates
That being said, I've tested this on macOS 10.13 and 10.14...
Without further ado... Here is the script...
SCRIPT
#!/bin/bash
#
# FILENAME:
# CIS_Apple_macOS_10_13_Benchmark_2_3_2_and_2_3_3.sh
#
# PURPOSE/DESCRIPTION:
# Enforce the following CIS benchmarks only if the user doesn't already have these CIS benchmarks applied.
#
# CIS Apple macOS 10.13 Benchmark v1.0.0
# 2.3 Desktop & Screen Saver
# 2.3.2 Secure screen saver corners (Scored) - Level 2
# 2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (Not Scored) - Level 1
#
# TESTING:
# Tested against macOS 10.13 and 10.14
#
# CHANGE CONTROL LOG:
# Version 2.31 - 2019-08-07
# Updated by Caine Hörr
# Cleaned up log/display output
# Added check_hot_corners_for_disable_screen_saver function to adhere to 2.3.2 Secure screen saver corners (Scored) audit requirements
# Created check_hot_corners_for_proper_modifier_settings function
# Created cornerNames function
# created jamfHelper_Disabled_Screen_Saver function
# Removed modifier adjustments from check_hot_corners_for_screen_saver function
# Moved call to jamfHelper_PostFlight out of quit function - pop-up was appearing even on compliant systems
# Moved call to jamfHelper_PostFlight into evaluate_hot_corner_settings function
# Moved call to jamfHelper_PostFlight into check_hot_corners_for_screen_saver function
# Version 2.1 - 2019-08-06
# Updated by Caine Hörr
# Added jamfHelper Functionality to "train" the user how to use the hot corner
# Added jamfHelper Functionality
# Added file checks for existence of plist
# Added sudo -u ${currentUser} to account for a bug where sudo destroys the com.apple.dock.plist file
# Reorganized all the functions with greater granularity and compartmentalization
# Added additional checks for corner modifier values
# Version 1.2 - 2019-08-05
# Updated by Caine Hörr
# Broke out into additional functions
# Added additional verbosity
# Added checks for plist without wvous-XX-corner data
# Added checks for plist without wvous-XX-modifier data
# Version 1.0 - 2019-08-02
# Created by Caine Hörr
# Initial script creation
#
main(){
run_as_root
get_current_user
cornerNames
jamfHelper_Settings
check_plist
hot_corner_settings
evaluate_hot_corner_settings
quit
}
run_as_root(){
# Check for admin/root permissions
if [ "$(/usr/bin/id -u)" != "0" ]; then
/bin/echo "Script must be run as root, or have root privileges (ie. sudo)."
exit 1
fi
}
get_current_user(){
currentUser=$(/usr/bin/stat -f "%Su" "/dev/console")
# At the login window /dev/console belongs to root and there is no user plist to fix
if [ -z "${currentUser}" ] || [ "${currentUser}" = "root" ]; then echo "[ERROR] NO USER LOGGED IN AT THE CONSOLE"; exit 1; fi
echo "[INFO] CURRENTLY LOGGED IN USER: ${currentUser}"
}
cornerNames(){
bl="BOTTOM LEFT"
br="BOTTOM RIGHT"
tl="TOP LEFT"
tr="TOP RIGHT"
}
jamfHelper_Settings(){
echo # Line break for log/output clarity
jamfHelperBinary="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
if [ -f "${jamfHelperBinary}" ]; then
echo "[INFO] ${jamfHelperBinary} INSTALLED"
else
echo "[WARNING] ${jamfHelperBinary} NOT INSTALLED"
fi
}
jamfHelper_PreFlight(){
if [ -f "${jamfHelperBinary}" ]; then
# Configure jamfHelper
jhWindowType="utility"
jhTitle="SYSTEM SECURITY UPDATE"
jhHeading="Screen Saver Hot Corner Configuration"
jhAlignHeading="left"
jhDescription="In an effort to ensure a robust security posture, COMPANY IT is configuring a hot corner on your device that will provide you with the ability to initiate the screen saver at will. This configuration takes less than 5 seconds to complete. Your system will not reboot. Please contact EMAIL@COMPANY.COM if you have questions or concerns."
jhAlignDescription="justified"
jhIconPath="/Library/CorporateResources/COMPANY_branded_OS_user_icon.png"
jhButton1Label="CONTINUE"
jhTimeoutValueInSeconds="30" # 30 seconds
jhCountdownPromptLabel="AUTO-RUN IN: "
jhAlignCountdown="center"
# Alert the user
jamfHelper_PreFlight_Results=$(sudo -u ${currentUser} "${jamfHelperBinary}" -windowType ${jhWindowType} -title "${jhTitle}" -heading "${jhHeading}" -alignHeading ${jhAlignHeading} -description "${jhDescription}" -alignDescription ${jhAlignDescription} -icon "${jhIconPath}" -button1 "${jhButton1Label}" -timeout ${jhTimeoutValueInSeconds} -countdown -countdownPrompt "${jhCountdownPromptLabel}" -alignCountdown ${jhAlignCountdown})
fi
}
jamfHelper_Disabled_Screen_Saver(){
if [ -f "${jamfHelperBinary}" ]; then
# Configure jamfHelper
jhWindowType="utility"
jhTitle="SYSTEM SECURITY UPDATE"
jhHeading="${cornerValue} Hot Corner To Disable Screen Saver Has Been Detected"
jhAlignHeading="left"
jhDescription="Setting a hot corner to disable the screen saver is a violation of COMPANY's security posture. This hot corner has been removed. Please contact EMAIL@COMPANY.COM if you have questions or concerns."
jhAlignDescription="justified"
jhIconPath="/Library/CorporateResources/COMPANY_branded_OS_user_icon.png"
jhButton1Label="CONTINUE"
jhTimeoutValueInSeconds="30" # 30 seconds
jhCountdownPromptLabel="AUTO-RUN IN: "
jhAlignCountdown="center"
# Get the user's selection
jamfHelper_Disabled_Screen_Saver_Results=$(sudo -u ${currentUser} "${jamfHelperBinary}" -windowType ${jhWindowType} -title "${jhTitle}" -heading "${jhHeading}" -alignHeading ${jhAlignHeading} -description "${jhDescription}" -alignDescription ${jhAlignDescription} -icon "${jhIconPath}" -button1 "${jhButton1Label}" -timeout ${jhTimeoutValueInSeconds} -countdown -countdownPrompt "${jhCountdownPromptLabel}" -alignCountdown ${jhAlignCountdown})
fi
}
jamfHelper_PostFlight(){
if [ -f "${jamfHelperBinary}" ]; then
# Configure jamfHelper
jhWindowType="utility"
jhTitle="SYSTEM SECURITY UPDATE"
jhHeading="Screen Saver Hot Corner Configuration Has Been Set"
jhAlignHeading="left"
jhDescription="The ${cornerValue} corner of your display has been set as your screen saver hot corner. Dragging your mouse to the ${cornerValue} corner will turn on your screen saver and lock your device. Please contact EMAIL@COMPANY.COM if you have questions or concerns."
jhAlignDescription="justified"
jhIconPath="/Library/CorporateResources/COMPANY_branded_OS_user_icon.png"
jhButton1Label="CONTINUE"
jhTimeoutValueInSeconds="30" # 30 seconds
jhCountdownPromptLabel="AUTO-RUN IN: "
jhAlignCountdown="center"
# Get the user's selection
jamfHelper_PostFlight_Results=$(sudo -u ${currentUser} "${jamfHelperBinary}" -windowType ${jhWindowType} -title "${jhTitle}" -heading "${jhHeading}" -alignHeading ${jhAlignHeading} -description "${jhDescription}" -alignDescription ${jhAlignDescription} -icon "${jhIconPath}" -button1 "${jhButton1Label}" -timeout ${jhTimeoutValueInSeconds} -countdown -countdownPrompt "${jhCountdownPromptLabel}" -alignCountdown ${jhAlignCountdown})
fi
}
check_plist(){
echo # Line break for log/output clarity
plist="/Users/${currentUser}/Library/Preferences/com.apple.dock.plist"
if [ -f "${plist}" ]; then
echo "[INFO] ${plist} EXISTS"
plist_defaults="/Users/${currentUser}/Library/Preferences/com.apple.dock"
else
echo "[ERROR] ${plist} DOES NOT EXIST"
exit 1
fi
}
hot_corner_settings(){
echo # Line break for log/output clarity
# Read as the user so the read goes through the same cfprefsd cache the writes go through
hot_corner_check=$(sudo -u ${currentUser} defaults read ${plist_defaults} | grep -i "wvous")
echo "[INFO] ***** HOT CORNER SETTINGS AS READ FROM DEFAULTS *****"
echo "${hot_corner_check}"
}
evaluate_hot_corner_settings(){
echo # Line break for log/output clarity
if [[ ${hot_corner_check} != "" ]]; then
echo "[INFO] HOT CORNER SETTINGS EXIST"
hot_corner_breakout
check_hot_corners_for_proper_modifier_settings
check_hot_corners_for_disabled_screen_saver
check_hot_corners_for_screen_saver
else
echo "[WARNING] HOT CORNER SETTINGS DO NOT EXIST"
jamfHelper_PreFlight
hot_corners_first_run
restart_supporting_services
hot_corner_settings
cornerValue="${bl}" # first run assigns the screen saver to the bottom left corner
jamfHelper_PostFlight
evaluate_hot_corner_settings
fi
}
read_hot_corner_key(){
# Read one wvous-XX key as the user so the read goes through their cfprefsd, the same path the writes use.
# A key that has never been set prints nothing (defaults exits non-zero; its error text is suppressed).
sudo -u ${currentUser} defaults read ${plist_defaults} "$1" 2>/dev/null
}
hot_corner_breakout(){
# Bottom Left Corner
wvous_bl_corner=$(read_hot_corner_key wvous-bl-corner)
wvous_bl_modifier=$(read_hot_corner_key wvous-bl-modifier)
# Bottom Right Corner
wvous_br_corner=$(read_hot_corner_key wvous-br-corner)
wvous_br_modifier=$(read_hot_corner_key wvous-br-modifier)
# Top Left Corner
wvous_tl_corner=$(read_hot_corner_key wvous-tl-corner)
wvous_tl_modifier=$(read_hot_corner_key wvous-tl-modifier)
# Top Right Corner
wvous_tr_corner=$(read_hot_corner_key wvous-tr-corner)
wvous_tr_modifier=$(read_hot_corner_key wvous-tr-modifier)
}
check_hot_corners_for_screen_saver(){
# Looking for a hot corner with a value of 5
echo # Line break for log/output clarity
echo "[INFO] ***** LOOKING FOR SCREEN SAVER ASSIGNED TO HOT CORNER *****"
screenSaverCorner=""
for corner in bl br tl tr; do
cornerVar="wvous_${corner}_corner" # e.g. wvous_bl_corner, read via indirect expansion
if [[ "${!cornerVar}" -eq 5 ]]; then
echo "[INFO] ${!corner} CORNER SET TO SCREEN SAVER"
screenSaverCorner="${corner}"
else
echo "[INFO] ${!corner} CORNER NOT SET TO SCREEN SAVER"
fi
done
if [[ -z "${screenSaverCorner}" ]]; then
echo "[WARNING] SCREEN SAVER HOT CORNER NOT SET"
jamfHelper_PreFlight
set_default_hot_corner
restart_supporting_services
cornerValue="${bl}"
jamfHelper_PostFlight
fi
}
check_hot_corners_for_proper_modifier_settings(){
# Looking for a hot corner modifier with a value other than 0 (a modifier means a key must be held for the corner to fire)
echo # Line break for log/output clarity
echo "[INFO] ***** LOOKING FOR INCORRECT HOT CORNER MODIFIERS *****"
for corner in bl br tl tr; do
modifierVar="wvous_${corner}_modifier" # e.g. wvous_bl_modifier, read via indirect expansion
if [[ "${!modifierVar:-0}" -eq 0 ]]; then
echo "[INFO] ${!corner} CORNER MODIFIER IS CORRECT"
else
echo "[WARNING] ${!corner} CORNER MODIFIER IS INCORRECT"
echo "[INFO] CORRECTING ${!corner} CORNER MODIFIER"
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-${corner}-modifier -int 0
fi
done
}
check_hot_corners_for_disabled_screen_saver(){
# Looking for a hot corner with a value of 6
echo # Line break for log/output clarity
echo "[INFO] ***** LOOKING FOR DISABLED SCREEN SAVER ASSIGNED TO HOT CORNER *****"
for corner in bl br tl tr; do
cornerVar="wvous_${corner}_corner" # e.g. wvous_bl_corner, read via indirect expansion
if [[ "${!cornerVar}" -eq 6 ]]; then
echo "[WARNING] ${!corner} CORNER SET TO DISABLE SCREEN SAVER"
echo "[INFO] SETTING ${!corner} CORNER TO NULL"
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-${corner}-corner -int 1
cornerValue="${!corner}"
jamfHelper_Disabled_Screen_Saver
restart_supporting_services
else
echo "[INFO] ${!corner} CORNER NOT CONFIGURED TO DISABLE SCREENSAVER"
fi
done
}
set_default_hot_corner(){
echo "[INFO] ASSIGNING SCREEN SAVER TO ${bl} CORNER"
echo "[INFO] WRITING CONFIGURATION TO ${plist}"
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-corner -int 5
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-modifier -int 0
}
hot_corners_first_run(){
# Initializes hot corners if not previously configured
echo "[INFO] CONFIGURING HOT CORNERS"
echo "[INFO] WRITING CONFIGURATION TO ${plist}"
# Bottom Left Corner
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-corner -int 5
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-modifier -int 0
# Bottom Right Corner
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-br-corner -int 1
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-br-modifier -int 0
# Top Left Corner
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tl-corner -int 1
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tl-modifier -int 0
# Top Right Corner
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tr-corner -int 1
sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tr-modifier -int 0
}
restart_supporting_services(){
echo # Line break for log/output clarity
# Quit System Preferences so an open Hot Corners pane cannot write its old values back over the change
echo "[INFO] QUITTING SYSTEM PREFERENCES"
sudo -u ${currentUser} pkill -1 'System Preferences'
# The Dock owns the hot corners; restarting it applies the new settings without a logout or reboot
echo "[INFO] RESTARTING THE DOCK"
sudo -u ${currentUser} killall Dock
}
quit(){
echo # Line break for log/output clarity
echo "[INFO] SYSTEM ADHERES TO CIS BENCHMARKS 2.3.2 AND 2.3.3"
}
main
exit
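As an added example (not from the original post or its author), here is an audit-only counterpart to the script above: it checks the same wvous keys but changes nothing, takes the text `defaults read` prints on stdin so it can be run against a captured dump offline, and returns a pass/fail exit status you could wire into a Jamf Extension Attribute or a compliance report. The action values 1, 5 and 6 are the ones the post relies on; the sample dump, including its non-zero modifier value, is constructed for the demo rather than captured from a real machine.

```shell
#!/bin/bash
# Audit-only reader for the hot corner keys the remediation script above writes.
# Input on stdin: the text `defaults read com.apple.dock` prints, so it can be run
# against a captured copy offline or fed live on a Mac. Nothing is changed.
# Exit status 0 only when both conditions hold:
#   2.3.2 - no corner is set to 6 (Disable Screen Saver)
#   2.3.3 - at least one corner is set to 5 (Start Screen Saver) with modifier 0,
#           so no modifier key has to be held for the corner to fire
# Values 1 (no action), 5 and 6 are the ones the post relies on.

# Extract the integer value of one key ($2) from the dump in $1.
# A key the plist does not contain yet (never-configured account) yields $3.
corner_value() {
    local dump="$1" key="$2" default="$3" val
    # Matches a line such as:    "wvous-bl-corner" = 5;
    val=$(printf '%s\n' "$dump" \
        | sed -n "s/^[[:space:]]*\"$key\"[[:space:]]*=[[:space:]]*\([0-9][0-9]*\);.*/\1/p" \
        | head -n 1)
    printf '%s\n' "${val:-$default}"
}

# Read the dump on stdin, print one line per finding, return 0 when compliant.
audit_hot_corners() {
    local dump pos action modifier rc=0 saver_found=0
    dump=$(cat)
    for pos in bl br tl tr; do
        action=$(corner_value "$dump" "wvous-$pos-corner" 1)
        modifier=$(corner_value "$dump" "wvous-$pos-modifier" 0)
        if [ "$action" -eq 6 ]; then
            echo "FAIL 2.3.2: $pos corner disables the screen saver"
            rc=1
        elif [ "$action" -eq 5 ]; then
            if [ "$modifier" -eq 0 ]; then
                echo "PASS 2.3.3: $pos corner starts the screen saver"
                saver_found=1
            else
                echo "WARN 2.3.3: $pos corner starts the screen saver only with modifier $modifier held"
            fi
        fi
    done
    if [ "$saver_found" -eq 0 ]; then
        echo "FAIL 2.3.3: no corner starts the screen saver without a modifier key"
        rc=1
    fi
    return "$rc"
}

# Constructed sample in the shape `defaults read com.apple.dock` prints (not
# captured from a real machine). The top-right keys are absent on purpose, as on
# an account that has never touched Hot Corners; the bottom-right modifier is an
# arbitrary non-zero flag value, meaning a key must be held for that corner.
SAMPLE_DUMP='{
    autohide = 0;
    "wvous-bl-corner" = 6;
    "wvous-bl-modifier" = 0;
    "wvous-br-corner" = 5;
    "wvous-br-modifier" = 1048576;
    "wvous-tl-corner" = 1;
    "wvous-tl-modifier" = 0;
}'

# Live use on a Mac, reading as the console user so the read goes through that user's cfprefsd:
#   u=$(stat -f '%Su' /dev/console)
#   sudo -u "$u" defaults read "/Users/$u/Library/Preferences/com.apple.dock" | audit_hot_corners
# Offline demo against the constructed sample:
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | audit_hot_corners
fi
```

Run it with `--sample` to see the constructed dump fail on both counts (bottom left disables the saver, bottom right needs a modifier key, so no corner starts it cleanly). Because the parser treats a missing key as 1 for the action and 0 for the modifier, a fresh account that has never opened Hot Corners is reported as "no screen saver corner" rather than as a parse error, which is the same never-set case the remediation script handles in its first-run branch.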
ERRATA
You can run this manually from command line OR from within a Jamf policy.
If you do run this within a Jamf policy, you can set an ongoing policy to run once a day, once a week, whatever.
If you have any questions or comments, I'm all ears!
Cheers!

