jamf/CIS-for-macOS-Catalina-CP jamf/CIS-for-macOS-Catalina-CP

  • Stars
    star
    122
  • Rank 290,365 (Top 6 %)
  • Language
    Shell
  • License
    MIT License
  • Created over 4 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
jamf/CIS-for-macOS-Catalina-CP
github

jamf

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CIS Benchmarks for macOS Catalina

CIS for macOS Catalina - Script and Configuration Profile Remediation

INFO:

Refers to document CIS_Apple_OSX_10.15_Benchmark_v1.0.0.pdf, available at https://benchmarks.cisecurity.org

USAGE:

  • Create Extension Attributes using the following scripts:

2.5_Audit_List Extension Attribute

Set as Data Type "String." Reads contents of /Library/Application Support/SecurityScoring/org_audit file and records to Jamf Pro inventory record.

2.6_Audit_Count Extension Attribute

Set as Data Type "Integer." Reads contents of /Library/Application Support/SecurityScoring/org_audit file and records count of items to Jamf Pro inventory record. Usable with smart group logic (2.6_Audit_Count greater than 0) to immediately determine computers not in compliance.

Add the following scripts to your Jamf Pro

  • 1_Set_Organization_Priorities
  • 2_Security_Audit_Compliance
  • 3_Security_Remediation

Script 1_Set_Organization_Priorities will need additional configuration prior to deployment.

1_Set_Organization_Priorities

Admins set organizational compliance for each listed item, which gets written to plist. The values default to "true," meaning if an organization wishes to disregard a given item they must set the value to false by changing the associated comment:

OrgScore1_1="true" or OrgScore1_1="false"

2_Security_Audit_Complaince

Configure the following variables in the script:

The script writes to /Library/Application Support/SecurityScoring/org_security_score.plist by default.

  • Create a single Jamf Policy using all three scripts.
    1_Set_Organization_Priorities - Script Priority: Before
    2_Security_Audit_Compliance Script Priority: Before
    3_Security_Remediation - Script Priority: Before
    2_Security_Audit_Compliance - Script Priority: After
    Maintenance Payload - Update Inventory

  • Policy: Some recurring trigger to track compliance over time.

NOTES:

  • Item "1.1 Verify all Apple provided software is current" is disabled by default.
  • Item "2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices - not applicable to 10.9 and higher." Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open.
  • Item "2.6.6 Enable Location Services (Not Scored)" is disabled by default. As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. It is considered user opt in.
  • Item "2.6.7 Monitor Location Services Access (Not Scored)" is disabled by default. As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically. It is considered user opt in.
  • Item "2.7.1 Time Machine Auto-Backup " is disabled by default. Time Machine is typically not used as an Enterprise backup solution
  • Item "2.7.2 Time Machine Volumes Are Encrypted (Not Scored)" is disabled by default. Time Machine is typically not used as an Enterprise backup solution
  • Item "2.10 Securely delete files as needed (Not Scored)" is disabled by default. With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives the requirements have changed and the "Secure Empty Trash" capability has been removed from the GUI.
  • Item "4.3 Create network specific locations (Not Scored)" is disabled by default.
  • Item "5.5 Automatically lock the login keychain for inactivity" is disabled by default.
  • Item "5.6 Ensure login keychain is locked when the computer sleeps" is disabled by default.
  • Item "5.15 Do not enter a password-related hint (Not Scored)" is disabled by default. Not needed if 6.1.2 Disable "Show password hints" is enforced.
  • Item "5.17 Secure individual keychains and items (Not Scored)" is disabled by default.
  • Item "5.8 Create specialized keychains for different purposes (Not Scored)" is disabled by default.
  • Item "6.3 Safari disable Internet Plugins for global use (Not Scored)" is disabled by default.

2_Security_Audit_Compliance

Run this before and after 3_Security_Remediation to audit the Remediation Reads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist. For items prioritized (listed as "true,") the script queries against the current computer/user environment to determine compliance against each item.

Non-compliant items are recorded at /Library/Application Support/SecurityScoring/org_audit

3_Security_Remediation

Run 2_Security_Audit_Compliance after to audit the Remediation Reads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist. For items prioritized (listed as "true,") the script applies recommended remediation actions for the client/user.

SCORED CIS EXCEPTIONS:

  • Does not implement pwpolicy commands (5.2.1 - 5.2.8)

  • Audits but does not actively remediate (due to alternate profile/policy functionality within Jamf Pro):

  • 2.4.4 Disable Printer Sharing
  • 2.5.1.1 Enable FileVault
  • 5.19 System Integrity Protection status
  • Audits but does not remediate (due to requirement to review the device)
  • 3.4 Control access to audit records

REMEDIATED USING CONFIGURATION PROFILES:

The following Configuration profiles are available in mobileconfig and plist form. If you wish to change a particular setting, edit the plist in question. Mobileconfigs can be uploaded to Jamf Pro Configuration Profiles as is and plists can be added to a new Configuration Profile as Custom Payloads.

CIS 10.15 Custom Settings mobileconfig

  • 1.2 Enable Auto Update
  • 1.5 Enable system data files and security update installed
  • 2.9 Enable Secure Keyboard Entry in terminal.app
  • 4.1 Disable Bonjour advertising service
  • 6.1.4 Disable "Allow guests to connect to shared folders"
  • 6.3 Disable the automatic run of safe files in Safari

CIS 10.15 LoginWindow Security_and_Privacy ScreenSaver mobileconfig

  • 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver
  • 2.3.2 Secure screen saver corners
  • 2.3.3 Set a screen corner to Start Screen Saver
  • 2.5.2 Enable Gatekeeper
  • 2.5.3 Enable Firewall
  • 2.5.4 Enable Firewall Stealth Mode
  • 2.5.5 Review Application Firewall Rules
  • 5.8 Disable automatic login
  • 5.9 Require a password to wake the computer from sleep or screen saver
  • 5.13 Create a custom message for the Login Screen
  • 5.16 Disable Fast User Switching (Not Scored)
  • 6.1.1 Display login window as name and password
  • 6.1.2 Disable "Show password hints"
  • 6.1.3 Disable guest account

CIS 10.15 Restrictions mobileconfig

  • 2.4.10 Disable Content Caching (Not Scored) - Restrictions payload > Functionality > Allow Content Caching (unchecked)
  • 2.5.8 Disable sending diagnostic and usage data to Apple - Restrictions payload > Allow Diagnostic Submission (unchecked)
  • 2.6.1 iCloud system configuration
  • Includes:
  • Disable preference pane (Not Scored) - Restrictions payload > Preferences > disable selected items > iCloud
  • Disable the use of iCloud password for local accounts (Not Scored) - Restrictions payload > Functionality > Allow use of iCloud password for local accounts (unchecked)
  • Disable iCloud Back to My Mac (Not Scored) - Restrictions payload > Functionality > Allow iCloud Back to My Mac (unchecked)
  • Disable iCloud Find My Mac (Not Scored) - Restrictions payload > Functionality > Allow iCloud Find My Mac (unchecked)
  • Disable iCloud Bookmarks (Not Scored) - Restrictions payload > Functionality > Allow iCloud Bookmarks (unchecked)
  • Disable iCloud Mail (Not Scored) - Restrictions payload > Functionality > Allow iCloud Mail (unchecked)
  • Disable iCloud Calendar (Not Scored) - Restrictions payload > Functionality > Allow iCloud Calendar (unchecked)
  • Disable iCloud Reminders (Not Scored) - Restrictions payload > Functionality > Allow iCloud Reminders (unchecked)
  • Disable iCloud Contacts (Not Scored) - Restrictions payload > Functionality > Allow iCloud Contacts (unchecked)
  • Disable iCloud Notes (Not Scored) - Restrictions payload > Functionality > Allow iCloud Notes (unchecked)
  • 2.6.2 Disable iCloud keychain (Not Scored) - Restrictions payload > Functionality > Allow iCloud Keychain (unchecked)
  • 2.6.3 Disable iCloud Drive (Not Scored) - Restrictions payload > Functionality > Allow iCloud Drive (unchecked)
  • 2.6.4 Disable iCloud Drive Document sync - Restrictions payload > Functionality > Allow iCloud Desktop & Documents (unchecked)
  • 2.6.5 Disable iCloud Drive Desktop sync - Restrictions payload > Functionality > Allow iCloud Desktop & Documents (unchecked)2.6.8 Disable sending diagnostic and usage data to Apple

More Repositories

1

PPPC-Utility

Privacy Preferences Policy Control (PPPC) Utility
Swift
732
star
2

CVE-2020-0796-RCE-POC

CVE-2020-0796 Remote Code Execution POC
Python
520
star
3

aftermath

Aftermath is a free macOS IR framework
Swift
459
star
4

DEPNotify-Starter

Bash script to start DEPNotify and run policies during enrollment with Jamf Pro
Shell
363
star
5

NetSUS

NetBoot and Software Update Server
PHP
305
star
6

MakeMeAnAdmin

Provides temporary admin access for a standard user via Jamf Self Service
Shell
254
star
7

CVE-2020-0796-LPE-POC

CVE-2020-0796 Local Privilege Escalation POC
Python
243
star
8

FreeTheSandbox_LPE_POC_13.7

Jailbreak for iOS 13.7 and earlier
C
223
star
9

Jamf-Nation-Scripts

Scripts Migrated from Jamf Nation
Shell
183
star
10

jamfprotect

A repository for open-source resources created for use with or alongside Jamf Protect.
Shell
176
star
11

CVE-2020-1206-POC

CVE-2020-1206 Uninitialized Kernel Memory Read POC
C#
146
star
12

FileVault2_Scripts

Scripts and Extension Attributes for use with FileVault 2 on Mountain Lion
Shell
145
star
13

JamfMigrator

A tool to migrate data granularly between Jamf Pro servers
Swift
137
star
14

mut

Swift
133
star
15

JAWA

Jamf Automation and Webhook Assistant
HTML
128
star
16

Notifier

Swift project which can post macOS alert or banner notifications on 10.15+ clients
Swift
118
star
17

zecops_public

Objective-C
114
star
18

API_Scripts

Scripts that make use of the JAMF Software Server API
Shell
114
star
19

Jamf-Nation-Extension-Attributes

Shell
112
star
20

JamfPrivacyPreferencePolicyControlProfiles

Shell
109
star
21

CIS-for-macOS-Sierra

Shell
105
star
22

ReEnroller

Migrate macOS devices from one Jamf Server to another.
Swift
101
star
23

jamJAR

jamJAR: Jamf, AutoPKG & Munki combined by dataJAR
Python
99
star
24

jamfStatus

Menu app to monitor JamfCloud status
Swift
98
star
25

Jamf-Environment-Test

Admin Utility for testing an environments network for success with Apple Devices
Shell
96
star
26

jamfconnect

A repository for Jamf Connect scripts, configuration profile templates,EAs and more!
Shell
88
star
27

jamfpro

JamfPro Docker image
Shell
70
star
28

regatta

Regatta is a distributed key-value store. It is Kubernetes friendly with emphasis on high read throughput and low operational cost.
Go
64
star
29

NoMAD-2

A complete ground-up rewrite of NoMAD utilizing the same AD Auth Framework found in NoMAD Login.
Swift
63
star
30

NoMADLogin-AD

Login to an AD user account without binding your Mac to AD.
Swift
50
star
31

SMBGhost-SMBleed-scanner

SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner
Python
47
star
32

DEPNotify

Swift
43
star
33

2016_JNUC_Security_Reporting_Compliance

Repo for code used in all presentation slides from the 2016 JNUC Presentation "Digging into Security, Compliance, and Reporting"
Shell
42
star
34

Provisioning-Workflows

Provisioning Workflows for a Post-Imaging World
Shell
41
star
35

Classic-API-Postman-Collection

41
star
36

CIS-for-macOS-High-Sierra-CP

Shell
40
star
37

JamfSync

Jamf Sync utility for synchronizing between Jamf Pro distribution points and/or file folders
Swift
38
star
38

ManagedAppConfigLib

Makes Managed AppConfig on iOS, tvOS, and macOS easier to work with.
Swift
36
star
39

jamf-laps-public

A GUI app for retrieving Jamf Pro LAPS ("Local Administrator Password Solution") credentials
Swift
36
star
40

Jamf-Connect-Resources

A repository for Jamf Connect scripts, configuration profile templates, and legacy content.
Shell
36
star
41

NoMAD

Get all of AD, with none of the bind!
Swift
30
star
42

JamfProvisioner

An Automated Erase/Install Workflow for macOS and Jamf Pro
Shell
30
star
43

powerbi

Jamf PowerBi Integration
28
star
44

jamf-printer-manager

macOS app to upload printer configurations to Jamf Pro
Swift
28
star
45

Subprocess

Swift library for macOS providing interfaces for both synchronous and asynchronous process execution
Swift
27
star
46

CIS-for-macOS-Sierra-CP

CIS for macOS 10.12 remediated with script and configuration profiles
Shell
26
star
47

Mac-Asset-Tag

A script that generates a GUI to accept a user input asset tag for the Mac.
Python
26
star
48

ol

Misc Jamf-related Projects
PowerShell
25
star
49

Scripting-101-Webinar

Resources for the "Scripting 101 for Apple Admins" webinar - June 2019
Shell
25
star
50

AppConfig-Generator

Java
24
star
51

Jamf-Pro-Object-LookUp

Script to query Jamf Pro and find what an Object is associated with
Shell
23
star
52

STIG-macOS-10_14

STIG for macOS Mojave - audit and remediation with scripts and Configuration Profiles
Shell
20
star
53

Munki-Catalog-Browser

Munki Catalog Browser is an app which allows for easy browsing of items in your devices Munki catalogs as well as exporting to CSV
Swift
20
star
54

homebrew-tap

Ruby
19
star
55

CIS-for-macOS-High-Sierra

Shell
17
star
56

JamfConnectUninstall

Shell
16
star
57

NoMAD-ADAuth

Swift
14
star
58

CertificateSDK

Get Certificates From Jamf Pro Into Your iOS Apps
Objective-C
13
star
59

Jamf-Switcher

Jamf Switcher is an app which points either Jamf Pro applications or your browser to a particular Jamf deployment and is configured by Self Service Bookmarks
Swift
13
star
60

jamf_connectwise

An integration between Connectwise and Jamf Pro
Python
12
star
61

SmashingJamfProDashboards

Example jobs, dashboard and YAML file for use with Jamf Pro and Smashing
Ruby
11
star
62

AppConfigSpecCreator

Tool for Generation of Managed App Config Spec Files
JavaScript
10
star
63

authchanger

Utility for making changes to the macOS authorization database to easily allow for changing loginwindow mechanisms.
Swift
9
star
64

rendr

A project scaffolding tool
Rust
8
star
65

Jamf-Connect-Configurations-Templates

8
star
66

JSS-LDAP-Sync

Sync department and building objects in the JSS with LDAP records
PowerShell
7
star
67

TableauIntegrations

JavaScript
7
star
68

groupsync

Sync LDAP groups with GitHub teams (and possibly more in the future).
Go
7
star
69

JamfSupport

Shell
7
star
70

Classic-API-Swagger-Specification

7
star
71

JamfProtect-PPPC-Profile

A PPPC configuration profile to allow full disk and accessibility permissions for computers with the Jamf Protect agent.
6
star
72

anti-phishing-extension

Augment the web with indicators that help detect phishing attempts
JavaScript
6
star
73

regatta-go

Regatta client for Go language
Go
5
star
74

JamfProFlow

Database application for managing configuration sets and change-managed workflows in Jamf Pro
Roff
5
star
75

SplunkBase

Jamf's Published Splunk Base Integration
Python
5
star
76

GDPRAutomationTool

Python
5
star
77

kinobi-title-editor

Shell
4
star
78

Haversack

A Swift library for keychain access on Apple devices
Swift
4
star
79

gitlab_license_exporter

Gitlab License Information exporter
Go
3
star
80

testrail-reporting

Easily send results of your tests to Test Rail.
Groovy
3
star
81

TELUGU_CVE-2018-4124_POC

Objective-C
3
star
82

billboard

Swift
2
star
83

regatta-helm

Helm Chart for the distributed key-value store Regatta.
Smarty
2
star
84

JamfProFlow-Sets

Configs for Jamf Pro
2
star
85

RADAR_API_Postman_Collection

2
star
86

kyverno-test-util

Python
2
star
87

homebrew-internal-tap

Homebrew Internal Tap
Ruby
1
star
88

rendr-sample-blueprint-go-microservice

Shell
1
star
89

aurorasnapshot

Aurora Cluster snapshot handler (Allows to create and delete Aurora DB Snapshots based in tags)
Python
1
star
90

regatta-java

This repository hosts the code of Regatta client for JVM languages.
Java
1
star
91

ms-security-copilot-plugin

Basic Jamf Pro OpenAPI spec for use with Microsoft Security CoPilot plugin
1
star