Did you create extension attributes/smart groups (proper scoping)/policies /configuration profiles to compliment the scripts you're running?
For example, In order to maintain compliance you need to pipe the script results (CIS Benchmark compliance results) into extension attributes, then create smart groups predicated upon a computers extension attribute results, then scope policies/configuration profiles to the smart groups in order to remediate the machines.
Thats just one way to skin this cat.
I'm not saying it's perfectly ready for prime time. But the macOS Security Compliance Project is working on CIS compliance. You can check it out under the CIS branch.
https://github.com/usnistgov/macos_security
Did you create extension attributes/smart groups (proper scoping)/policies /configuration profiles to compliment the scripts you're running?
For example, In order to maintain compliance you need to pipe the script results (CIS Benchmark compliance results) into extension attributes, then create smart groups predicated upon a computers extension attribute results, then scope policies/configuration profiles to the smart groups in order to remediate the machines.
Thats just one way to skin this cat.
Are those required to do the actual remediation component of the scripts? From what I understood 2.5_Audit_List_Extension and 2.6_Audit_Count were only used for if you wanted to use smart groups to track non-compliant systems (I skipped this because we are using our vulnerability management tool for this task).
I'm not saying it's perfectly ready for prime time. But the macOS Security Compliance Project is working on CIS compliance. You can check it out under the CIS branch.
https://github.com/usnistgov/macos_security
I'll have to take a look at this. Thanks for the info.
I'm not saying it's perfectly ready for prime time. But the macOS Security Compliance Project is working on CIS compliance. You can check it out under the CIS branch.
https://github.com/usnistgov/macos_security
Just in case anyone is looking for this, go to this link to avoid the 404
https://github.com/usnistgov/macos_security/
Just in case anyone is looking for this, go to this link to avoid the 404
https://github.com/usnistgov/macos_security/
is there some documentation on how to implement these benchmarks? I'm not a programmer by any stretch of the imagination and new to GH and managing Jamf Pro. I need to understand how I get what these GH repos are sharing into Jamf as a policy. I'm only used to the method of turning on the various config profiles, nothing with the scripting I see in GH. Any directional help would be greatly appreciated!
^^^ I'm in the same boat as you ReplicantJK - can anyone point to documentation/instructions?
@ReplicantJK @corydee There's a Getting Started on the Wiki https://github.com/usnistgov/macos_security/wiki
Also these two sessions will help some though a bit older
http://docs.macsysadmin.se/2020/video/Day2Session3.mp4
https://www.youtube.com/watch?v=mpEBEelSWlI
They're virtually the same presentation from 2020.
On top of that if you are a member or can join the Mac Admins slack (https://www.macadmins.org) you can find help in #macos_security_compliance on the project.
This is a platform agnostic project (meant to be used with any MDM) so it will take a little tweaking to work within Jamf itself.
