diff --git a/Yosemite_CIS.sh b/Yosemite_CIS.sh
index 1365b7b..7e92788 100755
--- a/Yosemite_CIS.sh
+++ b/Yosemite_CIS.sh
@@ -1,24 +1,19 @@
#!/bin/bash
########################################################################
-# CIS Level 1 Benchmark Settings 1.1.0
+# CIS Level 1 Benchmark Settings 1.2.0
# Yosemite (10.10)
# Kris Payne
+# Run as root
########################################################################
-# Log and log archive location
-log_location="/var/log/cis_install.log"
-archive_log_location="/var/log/cis_install-`date +%Y-%m-%d-%H-%M-%S`.log"
-
# 1 Install Updates, Patches and Additional Security Software
softwareUpdates() {
ScriptLogging "1 Install Updates, Patches, and Additional Security Software"
ScriptLogging " ------------------- "
- # 1.1 Verify all Apple provided software is current (Scored)
- local softwareUpdateChecl
- softwareUpdateCheck="$( /usr/sbin/softwareupdate -l | grep -ic "No new software available." )"
- if [[ "$softwareUpdateCheck" -eq 0 ]]; then
+ # 1.1 Verify all Apple provided software is current
+ if [[ "$(/usr/sbin/softwareupdate -l | grep -ic "No new software available.")" -eq 0 ]]; then
ScriptLogging " No new software available."
else
ScriptLogging " Installing Software Updates."
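Review bot: The rewritten 1.1 condition is inverted: `grep -ic` prints the number of matching lines, so a count of 0 means "No new software available." was not printed, yet that branch logs that no updates exist while the else branch runs the install. Unless the reverse was intended, test the presence directly in the `if`: `if /usr/sbin/softwareupdate -l 2>&1 | grep -iq "No new software available."; then`. I believe `softwareupdate -l` emits that message on stderr, which the plain `|` in the new line does not capture, so the count would be 0 on every run regardless — hence the `2>&1` before the pipe. softwareUpdates() continues past this hunk.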
@@ -26,51 +21,38 @@ softwareUpdates() {
fi
# 1.2 Enable Auto Update
- # Checks to see if computer is polling automatically for updates from Apple
-
if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled)" = 1 ]]; then
ScriptLogging " Automatic Update Check already enabled."
else
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1 2>&1 >> ScriptLogging
fi
- # SWU managed via policy in Casper
-
# 1.3 Enable app update installs
- # Sets Mac App Store auto-update for installed apps.
-
+ # Requires log out to take visual effect in GUI.
if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.commerce AutoUpdate)" = "1" ]]; then
ScriptLogging " Auto Update Apps already enabled."
else
/usr/bin/defaults write /Library/Preferences/com.apple.storeagent AutoUpdate -bool TRUE 2>&1 >> ScriptLogging
fi
- # Policies via AutoPKG and Casper
-
# 1.4 Enable system data files and security update installs
-
- if [[ "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep ConfigDataInstall)" = "ConfigDataInstall = 1;" ]]; then
+ if [[ "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(ConfigDataInstall)')" = "ConfigDataInstall = 1;" ]]; then
ScriptLogging " ConfigDataInstall is 1."
- elif [[ "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep CriticalUpdateInstall)" = "CriticalUpdateInstall = 1;" ]]; then
- printf " ConfigDataInstall is 1.\n"
+ elif [[ "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(CriticalUpdateInstall)')" = "CriticalUpdateInstall = 1;" ]]; then
+ ScriptLogging " CriticalUpdateInstall is 1."
else
ScriptLogging " Enabling system data files and security updates."
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true 2>&1 >> ScriptLogging
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true 2>&1 >> ScriptLogging
fi
- # Policy in Casper
-
# 1.5 Enable OS X update installs
-
if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired)" = "1" ]]; then
ScriptLogging " OS X is set to auto update."
else
ScriptLogging " Setting OS X to auto update."
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE 2>&1 >> ScriptLogging
fi
- # Policy in Casper
-sleep 5
}
# 2 System Preferences
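Review bot: The two rewritten `egrep` lines in 1.4 compare the filtered `defaults read` output with the exact string `ConfigDataInstall = 1;`, but reading a whole domain prints each key indented inside braces, so the `=` test is unlikely to ever match and the else branch rewrites both keys on every run. Reading the single key, as the other checks in this function already do, removes the parsing: `if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall 2>/dev/null)" = "1" ]]; then`, and likewise for CriticalUpdateInstall. Separately, the 1.3 context lines read `com.apple.commerce AutoUpdate` but write `com.apple.storeagent AutoUpdate`, so that check also re-runs each time; one domain should be used in both places. softwareUpdates() begins before this hunk.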
@@ -82,7 +64,8 @@ systemPreferences() {
ScriptLogging " 2.1 Bluetooth"
# 2.1 Bluetooth
- # 2.1.1 Turn off Bluetooth, if no paired devices exist (Scored)
+ # 2.1.1 Turn off Bluetooth, if no paired devices exist
+ # Requires `killall -HUP blued` found in cleanAndReboot()
ScriptLogging " Turn off Bluetooth, if no paired devices exist."
if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState)" = "1" ]]; then
ScriptLogging " Bluetooth ControllerPowerState is 1."
@@ -105,31 +88,28 @@ systemPreferences() {
# is selected. To ensure that the computer is not Discoverable do not leave that preference open.
if [[ "$(/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable | awk '{ print $2 }')" = "Off" ]]; then
- ScriptLogging " Bluetooth Discoverable is off."
+ ScriptLogging " Bluetooth is not discoverable."
fi
- # uuid=`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`
- # /usr/bin/defaults write /Users/$@/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid DiscoverableState -bool no
- # /usr/sbin/chown $@ /Users/$@/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid.plist
- # Stolen from http://krypted.com/mac-security/disabling-bluetooth-discoverable-mode/
- # Need to test.
-
- # 2.1.3 Show Bluetooth status in menu bar (Scored)
+ # 2.1.3 Show Bluetooth status in menu bar
+ # This is user level. This script is not run at user level.
if [[ "$(/usr/bin/defaults read com.apple.systemuiserver menuExtras | grep Bluetooth.menu)" = "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" ]]; then
ScriptLogging " Bluetooth shown in menu bar."
else
/usr/bin/defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" 2>&1 >> ScriptLogging
fi
+
+ ScriptLogging " 2.2 Date & Time"
# 2.2 Date & Time
- ScriptLogging " 2.2 Date & Time"
- # 2.2.1 Enable "Set time and date automatically" (Scored)
+ # 2.2.1 Enable "Set time and date automatically"
+ # Listed as Level 2 profile, however, it does not get in the way of the user and provides great benefit.
if [[ "$(/usr/sbin/systemsetup -getusingnetworktime | awk '{ print $3 }')" = "On" ]]; then
- ScriptLogging " NetworkTime already on. Ensuring server is time.apple.com."
+ ScriptLogging " NetworkTime on. Ensuring server is time.apple.com."
if [[ "$(/usr/sbin/systemsetup -getnetworktimeserver | awk '{ print $4 }')" = "time.apple.com" ]]; then
- ScriptLogging " NetworkTime is set and is set to time.apple.com."
+ ScriptLogging " NetworkTime is on and set to time.apple.com."
fi
else
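Review bot: The new comment at 2.1.3 says this setting is user-level and the script is not run at user level, but the `defaults read`/`defaults write com.apple.systemuiserver` lines that follow still execute, and under root they read and modify root's own preference domain, so the script logs "Bluetooth shown in menu bar." without changing any real user's menu bar. Either drop the block or write the key into the User Template and existing user homes the way the 2.3.2 loops do later in this diff. systemPreferences() begins before this hunk and continues past it.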
@@ -139,7 +119,7 @@ systemPreferences() {
fi
ScriptLogging " Set NetworkTime to time.apple.com."
- /usr/sbin/systemsetup -setnetworktimeserver time.apple.com
+ /usr/sbin/systemsetup -setnetworktimeserver time.apple.com 2>&1 >> ScriptLogging
ScriptLogging " Ensure NetworkTime is on."
/usr/sbin/systemsetup -setusingnetworktime on 2>&1 >> ScriptLogging
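Review bot: The redirection added to the `-setnetworktimeserver` line, `2>&1 >> ScriptLogging`, duplicates stderr onto the current stdout before stdout is redirected, so error output still reaches the terminal and only normal output goes to the file; `>> ScriptLogging 2>&1` captures both. `ScriptLogging` in that position is also a relative filename rather than the logging function used on the neighbouring lines, so a file of that name is created in whatever directory the script is launched from — the `log_location` variable removed in the first hunk looks like the path this was meant to use. The same ordering is on every new redirect in the following hunks (2.3.2, 2.4.x, 2.6.x, 2.11, 4.1, 4.2), so the fix applies there as well. systemPreferences() continues past this hunk.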
@@ -148,113 +128,289 @@ systemPreferences() {
# 2.2.2 Ensure time set is within appropriate limits
/usr/sbin/ntpdate -sv time.apple.com 2>&1 >> ScriptLogging
- # 2.3 Desktop & Screen Saver
+
ScriptLogging " 2.3 Desktop & Screen Saver"
+ # 2.3 Desktop & Screen Saver
# 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver
- /usr/bin/defaults -currentHost write com.apple.screensaver idleTime 600 2>&1 >> ScriptLogging
- # going to move this to a user based configuration profile
+ # User configuration profiles are more useful here.
+ # Make sure what is set in the config profile is smaller than section 2.3.3
+
+ #/usr/bin/defaults -currentHost write com.apple.screensaver idleTime 600 2>&1 >> ScriptLogging
# 2.3.2 Secure screen saver corners
- # going to move this to a user based configuration profile
+ # Listed as Level 2 profile, however, it does not get in the way of the user and provides great benefit.
+ # Take a "clear-all" approach here, as 2.3.4 sets an active corner for enabling screensaver.
+
+ # Set in User Template
+ for USER_TEMPLATE in "/System/Library/User Template"/*
+ do
+ /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.dock wvous-tl-corner 1 2>&1 >> ScriptLogging
+ /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.dock wvous-tr-corner 1 2>&1 >> ScriptLogging
+ /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.dock wvous-bl-corner 1 2>&1 >> ScriptLogging
+ /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.dock wvous-br-corner 1 2>&1 >> ScriptLogging
+ done
+
+ # Set for already created users
+ for USER_HOME in /Users/*
+ do
+ USER_UID=`basename "${USER_HOME}"`
+ if [ ! "${USER_UID}" = "Shared" ]; then
+ if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
+ /bin/mkdir -p "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging
+ fi
+ if [ -d "${USER_HOME}"/Library/Preferences ]; then
+ /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.dock wvous-tl-corner 1 2>&1 >> ScriptLogging
+ /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.dock wvous-tr-corner 1 2>&1 >> ScriptLogging
+ /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.dock wvous-bl-corner 1 2>&1 >> ScriptLogging
+ /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.dock wvous-br-corner 1 2>&1 >> ScriptLogging
+ fi
+ fi
+ done
# 2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Not Scored)
/usr/bin/pmset -a displaysleep 15 2>&1 >> ScriptLogging
# 2.3.4 Set a screen corner to Start Screen Saver
- #/usr/bin/defaults write ~/Library/Preferences/com.apple.dock wvous-tl-corner 5
+ /usr/bin/defaults write ~/Library/Preferences/com.apple.dock wvous-br-corner 5 2>&1 >> ScriptLogging
+
- # 2.4 Sharing
ScriptLogging " 2.4 Sharing"
+ # 2.4 Sharing
+ # Sharing is listed as Recommendations, not subsections. They are all listed as Level 1 profile, though.
# 2.4.1 Disable Remote Apple Events (Scored)
if [[ "$(/usr/sbin/systemsetup -getremoteappleevents | awk '{ print $4 }')" = "Off" ]]; then
- ScriptLogging " Remote Apple Events already set to off."
+ ScriptLogging " Remote Apple Events set to off."
else
/usr/sbin/systemsetup -setremoteappleevents off 2>&1 >> ScriptLogging
+ ScriptLogging " Remote Apple Events set to off."
fi
# 2.4.2 Disable Internet Sharing (Scored)
+
+ #TODO: Test. New audit/remediation written.
+
# Internet Sharing is off by default. Running these commands without checking
# first will send the machine into a downward sprial of doom and depair.
# It's your funeral if you uncomment. Left in for remediation/completeness sake.
- # /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
- # /bin/launchctl unload -w /System/Library/LaunchDaemons/ com.apple.InternetSharing.plist
-
+ # if [[ ! -e "/Library/Preferences/SystemConfiguration/com.apple.nat" ]]; then
+ # ScriptLogging " No 'com.apple.nat' file present. Internet Sharing Disabled."
+ # else
+ # /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0 2>&1 >> ScriptLogging
+ # /bin/launchctl unload -w /System/Library/LaunchDaemons/ com.apple.InternetSharing.plist 2>&1 >> ScriptLogging
+ # fi
# 2.4.3 Disable Screen Sharing (Scored)
- # Screen sharing controlled by Remote Management Preferences
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/bin/launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist)" = "/System/Library/LaunchDaemons/com.apple.screensharing.plist: Service is disabled" ]]; then
+ ScriptLogging " Screen Sharing Disabled."
+ else
+ /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off 2>&1 >> ScriptLogging
+ fi
# 2.4.4 Disable Printer Sharing (Scored)
+ # No need to audit, just remediate.
/usr/sbin/cupsctl --no-share-printers 2>&1 >> ScriptLogging
# 2.4.5 Disable Remote Login (Scored)
- # Controlled at Firewall
- # Also, open only for one user on systems. Defined in Casper
+ # Only open to service accounts.
+ #TODO: Test. New audit/remediation written.
+ if [[ "$(/usr/sbin/systemsetup -getremotelogin | awk '{ print $3 }')" = "Off" ]]; then
+ ScriptLogging " Remote Login Disabled."
+ else
+ /usr/sbin/systemsetup -setremotelogin off 2>&1 >> ScriptLogging
+ ScriptLogging " Remote Login Disabled."
+ fi
# 2.4.6 Disable DVD or CD Sharing (Scored)
# Devices do not have Optical Drives
# 2.4.7 Disable Bluetooth Sharing
- # Needs work.
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/usr/sbin/system_profiler SPBluetoothDataType | grep State)" = "Disabled\nDisabled\nDisabled"]]; then
+ ScriptLogging " Bluetooth Sharing Disabled."
+ else
+ local hardwareUUID=$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | awk -F ": " '{print $2}')
+ for USER_HOME in /Users/*
+ do
+ USER_UID=`basename "${USER_HOME}"`
+ if [ ! "${USER_UID}" = "Shared" ]; then
+ if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
+ /bin/mkdir -p "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging
+ fi
+ if [ ! -d "${USER_HOME}"/Library/Preferences/ByHost ]; then
+ /bin/mkdir -p "${USER_HOME}"/Library/Preferences/ByHost 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost 2>&1 >> ScriptLogging
+ fi
+ if [ -d "${USER_HOME}"/Library/Preferences/ByHost ]; then
+ /usr/bin/defaults write "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist PrefKeyServicesEnabled -bool false 2>&1 >> ScriptLogging
+ #/usr/libexec/PlistBuddy -c "Delete :PrefKeyServicesEnabled" "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist
+ #/usr/libexec/PlistBuddy -c "Add :PrefKeyServicesEnabled bool false" "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist 2>&1 >> ScriptLogging
+ fi
+ fi
+ done
+ fi
# 2.4.8 Disable File Sharing (Scored)
- # Handled in netShareOff.sh
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/bin/launchctl list | egrep AppleFileServer)" -eq 0 ]]; then
+ ScriptLogging " AFP is enabled. Disabling..."
+ echo "Disable AFP..."
+ else
+ ScriptLogging " AFP is Disabled."
+ fi
+
+ if [[ "$(/bin/launchctl list | egrep smbd)" -eq 0 ]]; then
+ ScriptLogging " SMB is enabled. Disabling..."
+ echo "Disable SMB..."
+ else
+ ScriptLogging " SMB is Disbled."
+ fi
# 2.4.9 Disable Remote Management (Scored)
- # Used in our environment. Disabling not preferred. Limited to one user, defined in Casper.
- # 2.5 Energy Saver
+ # TODO
+ # design audit/remediate
+
+
ScriptLogging " 2.5 Energy Saver"
+ # 2.5 Energy Saver
# 2.5.1 Disable "Wake for network access"
+ # Listed as Level 2 profile, however, it does not get in the way of the user and provides great benefit.
+ # Take a "clear-all" approach here
/usr/bin/pmset -a womp 0 2>&1 >> ScriptLogging
# 2.5.2 Disable sleeping the computer when connected to power
+ # Listed as Level 2 profile, however, it does not get in the way of the user and provides great benefit.
+ # Take a "clear-all" approach here
/usr/bin/pmset -c sleep 0 2>&1 >> ScriptLogging
- # 2.6 Security & Privacy
+
ScriptLogging " 2.6 Security & Privacy"
+ # 2.6 Security & Privacy
# 2.6.1 Enable FileVault (Scored)
- # We do not use FileVault in our environment
+ # This should be handled by an MDM with institutional keys.
+ # audit is `diskutil cs list | grep -i encryption`
# 2.6.2 Enable Gatekeeper (Scored)
- /usr/sbin/spctl --master-enable 2>&1 >> ScriptLogging
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/usr/sbin/spctl --status)" = "assessments disabled" ]]; then
+ ScriptLogging " Gatekeeper is disabled. Enabling..."
+ /usr/sbin/spctl --master-enable 2>&1 >> ScriptLogging
+ else
+ ScriptLogging " Gatekeeper is enabled."
+ fi
# 2.6.3 Enable Firewall (Scored)
- /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1 2>&1 >> ScriptLogging
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)" -ge 1 ]]; then
+ ScriptLogging " Firewall enabled."
+ else
+ /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1 2>&1 >> ScriptLogging
+ ScriptLogging " Firewall enabled."
+ fi
# 2.6.4 Enable Firewall Stealth Mode
- local stealthMode
- stealthMode="$( /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -ic "Stealth mode enabled" )"
- if [[ "$stealthMode" -eq 0 ]]; then
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$( /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -ic "Stealth mode enabled" )" -eq 0 ]]; then
ScriptLogging " Firewall Stealth Mode enabled."
else
ScriptLogging " Enabling Firewall Stealth Mode."
- /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on 2>&1 >> ScriptLogging
+ /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on 2>&1 >> ScriptLogging
+ ScriptLogging " Firewall Stealth Mode enabled."
fi
# 2.6.5 Review Application Firewall Rules
- # Needs work.
- # 2.7 iCloud
- # printf "2.7 iCloud"
- # this section is currently only set for Recommendations, not Published standards.
+ #TODO: Test. New audit/remediation written.
- # 2.8 Pair the remote control infrared receiver if enabled (Scored)
- # Disable:
- /usr/bin/defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled 0 2>&1 >> ScriptLogging
+ if [[ "$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep "ALF" | awk '{ print $7 }')" -lt 10 ]]; then
+ ScriptLogging " Number of apps is less than 10."
+ else
+ ScriptLogging "***** Number of apps is greater than 10, please investigate! *****"
- # 2.9 Enable Secure Keyboard Entry in terminal.app (Scored)
+ # 2.7 iCloud
+ # This section has moved from Recommendations over to Subsections, however, no audit or remidiation guideleins are given.
+ # The following recommedations are listed in Level 2 profile.
+ # 2.7.1 iCloud configuration
+ # 2.7.2 iCloud keychain
+ # 2.7.3 iCloud Drive
+
+ # 2.8 Pair the remote control infrared receiver if enabled
+ # Listed as Level 1 recommendation
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/usr/sbin/system_profiler 2>/dev/null | egrep "IR Receiver")" -eq 0 ]]; then
+ ScriptLogging " No IR Receiver present."
+ elif [[ "$(/usr/sbin/system_profiler 2>/dev/null | egrep "IR Receiver")" -gt 0 ]]; then
+ ScriptLogging " IR Receiver present. Check to see if the interface is enabled."
+ if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.driver.AppleIRController | awk '{ print $3 }')" = "0" ]]; then
+ ScriptLogging " IR Receiever Disabled."
+ else
+ /usr/bin/defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled 0 2>&1 >> ScriptLogging
+ ScriptLogging " IR Receiever Disabled."
+ fi
+ fi
+
+ # 2.9 Enable Secure Keyboard Entry in terminal.app
+ # Listed as Level 1 recommendation
+ # Let's not audit, let's just force it.
/usr/bin/defaults write -app Terminal SecureKeyboardEntry 1 2>&1 >> ScriptLogging
# 2.10 Java 6 is not the default Java runtime
-
- # 2.11 Securely delete files as needed (Recommended)
- # Need to re-work this into either configuration profile or User Template.
- # /usr/bin/defaults write ~/Library/Preferences/com.apple.finder EmptyTrashSecurely 1
-sleep 5
+ # Listed as Level 1 recommendation
+ # Java is the devil, installing it means you're a bad person.
+
+ # 2.11 Configure Secure Empty Trash
+ # Listed as Level 1 recommendation
+ # Can be secured more securely with a configuration profile.
+ # Issues with config profile, especially if they are not user removable, in the event that a large file has been
+ # trashed, productivity can be hindered when emptying the trash. (only speaking from experience.) Gather requirements!
+ # If configured here through the script, the user can easily enable/disable at will in Finder Preferences.
+
+ for USER_TEMPLATE in "/System/Library/User Template"/*
+ do
+ /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.finder EmptyTrashSecurely 1 2>&1 >> ScriptLogging
+ done
+
+ # Set for already created users
+ for USER_HOME in /Users/*
+ do
+ USER_UID=`basename "${USER_HOME}"`
+ if [ ! "${USER_UID}" = "Shared" ]; then
+ if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
+ /bin/mkdir -p "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library 2>&1 >> ScriptLogging
+ /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging
+ fi
+ if [ -d "${USER_HOME}"/Library/Preferences ]; then
+ /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.finder EmptyTrashSecurely 1 2>&1 >> ScriptLogging
+ fi
+ fi
+ done
}
# 3 Logging and Auditing
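Review bot: The 2.6.5 block opens `if … then … else` and has no closing `fi` before the `# 2.7 iCloud` comment, and the 2.4.7 test ends `"Disabled\nDisabled\nDisabled"]]` with no space before `]]`, so bash cannot parse systemPreferences() and the script fails before anything runs (inside double quotes `\n` is also a literal backslash-n, not a newline, so that comparison cannot match even after the space is added). The 2.4.3 audit calls `launchctl load` on the screensharing daemon; when the job is merely not loaded rather than disabled that command starts it, so the audit itself can turn screen sharing on — `if ! /bin/launchctl list | grep -q com.apple.screensharing; then` tests without side effects. The 2.4.8 and 2.8 checks compare captured text with `-eq 0`, which treats an empty string as 0 and errors on non-numeric text, so an absent AppleFileServer/smbd/IR entry is reported as present and vice versa, and the AFP/SMB branches only `echo` a message without disabling anything; use `grep -q` in the `if` and call the real remediation. The second 2.11 loop writes to `"${USER_TEMPLATE}"` (left over from the loop above) instead of `"${USER_HOME}"`, so existing users never receive EmptyTrashSecurely. systemPreferences() begins before this hunk.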
@@ -263,27 +419,27 @@ loggingAndAuditing() {
ScriptLogging "3 Logging and Audting"
ScriptLogging " ------------------- "
- # Test implementation with SumoLogic: http://www.sumologic.com/applications/mac-osx/
- # 3.1 Configure asl.conf
ScriptLogging " Configure asl.conf"
+ # 3.1 Configure asl.conf
- # 3.1.1 Retain system.log for 90 or more days (Scored)
- # Contributed by John Oliver on CIS forums
- # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
- /usr/bin/sed -i.bak 's/^>\ system\.log.*/>\ system\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl.conf 2>&1 >> ScriptLogging
+ # 3.1.1 Retain system.log for 90 or more days
+ # Contributed by John Oliver on CIS forums
+ # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
+ /usr/bin/sed -i.bak 's/^>\ system\.log.*/>\ system\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl.conf 2>&1 >> ScriptLogging
- # 3.1.2 Retain appfirewall.log for 90 or more days (Scored)
- # Contributed by John Oliver on CIS forums
- # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
- /usr/bin/sed -i.bak 's/^\?\ \[=\ Facility\ com.apple.alf.logging\]\ .*/\?\ \[=\ Facility\ com.apple.alf.logging\]\ file\ appfirewall.log\ rotate=seq\ ttl=90/' /etc/asl.conf 2>&1 >> ScriptLogging
+ # 3.1.2 Retain appfirewall.log for 90 or more days
+ # Contributed by John Oliver on CIS forums
+ # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
+ /usr/bin/sed -i.bak 's/^\?\ \[=\ Facility\ com.apple.alf.logging\]\ .*/\?\ \[=\ Facility\ com.apple.alf.logging\]\ file\ appfirewall.log\ rotate=seq\ ttl=90/' /etc/asl.conf 2>&1 >> ScriptLogging
- # 3.1.3 Retain authd.log for 90 or more days (Scored)
- # Contributed by John Oliver on CIS forums
- # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
- /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/authd\.log.*/\*\ file\ \/var\/log\/authd\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl/com.apple.authd 2>&1 >> ScriptLogging
+ # 3.1.3 Retain authd.log for 90 or more days
+ # Contributed by John Oliver on CIS forums
+ # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
+ /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/authd\.log.*/\*\ file\ \/var\/log\/authd\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl/com.apple.authd 2>&1 >> ScriptLogging
- # 3.2 Enable security auditing (Scored)
+ # 3.2 Enable security auditing
+ # Security auditing is listed as Recommendations, not subsections. They are all listed as Level 1 profile, though.
if [[ "$(/bin/launchctl list | grep -i auditd | awk '{ print $3 }')" = "com.apple.auditd" ]]; then
ScriptLogging " Security Auditing enabled."
else
@@ -291,19 +447,20 @@ loggingAndAuditing() {
fi
# 3.3 Configure Security Auditing Flags
+ # Security Auditing Flags are listed in Level 2 profile. They are also listed as recommendation.
# Contributed by John Oliver on CIS forums
# https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
/usr/bin/sed -i '' 's/^flags:.*/flags:ad,aa,lo/' /etc/security/audit_control 2>&1 >> ScriptLogging
/usr/bin/sed -i '' 's/^expire-after:.*/expire-after:90d\ AND\ 1G/' /etc/security/audit_control 2>&1 >> ScriptLogging
# 3.4 Enable remote logging for Desktops on trusted networks
- # Needs work. Do not have remote logging server setup in my environment to test.
+ # Remote Logging is listed in Level 2 profile. It is also listed as a recommendation.
+ # Audit procedure is not listed. Seems nearly impossible to audit this in an automated general way.
# 3.5 Retain install.log for 365 or more days
# Contributed by John Oliver on CIS forums
# https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
/usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/install\.log.*/\*\ file\ \/var\/log\/install\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=365/' /etc/asl/com.apple.install 2>&1 >> ScriptLogging
-sleep 5
}
# 4 Network Configurations
@@ -313,50 +470,61 @@ networkConfigurations() {
ScriptLogging " ------------------- "
# 4.1 Disable Bonjour advertising service
- export checkBonjourAdvertising
- checkBonjourAdvertising="$(defaults read /Library/Preferences/com.apple.alf globalstate)"
+ # Level 2 profile
+
+ #TODO: Test. New audit/remediation written.
+
+ local checkBonjourAdvertising="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)"
if [ "$checkBonjourAdvertising" = "1" ] || [ "$checkBonjourAdvertising" = "2" ]; then
ScriptLogging " Bonjour Advertising is off."
else
- # need to work this section out. Editing a plist.
ScriptLogging " Bonjour Advertising is on. Shut it down."
+ defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguements -array-add '{-NoMulticastAdvertisements;}' 2>&1 >> ScriptLogging
+ ScriptLogging " Bonjour Advertising is off."
fi
# 4.2 Enable "Show Wi-Fi status in menu bar" (Scored)
- # Set via script and policy in Casper
+ # This is user level. This script is not run at user level.
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/usr/bin/defaults read com.apple.systemuiserver menuExtras | grep AirPort.menu)" = "/System/Library/CoreServices/Menu Extras/AirPort.menu" ]]; then
+ ScriptLogging " Airport shown in menu bar."
+ else
+ /usr/bin/defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/AirPort.menu" 2>&1 >> ScriptLogging
+ fi
# 4.3 Create network specific locations
+ # Level 2 profile
# 4.4 Ensure http server is not running
# TODO
- # Getting an error here
- # HTTP server is running. Shut it down.
- # /System/Library/LaunchDaemons/org.apache.httpd.plist: Could not find specified service
- if /bin/ps -ef | grep -i httpd > /dev/null; then
- ScriptLogging " HTTP server is running. Shut it down."
- /usr/sbin/apachectl stop && /usr/bin/defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true 2>&1 >> ScriptLogging
- else
- ScriptLogging " HTTP server not enabled."
- fi
+ #if /bin/ps -ef | grep -i httpd > /dev/null; then
+ # ScriptLogging " HTTP server is running. Shut it down."
+ # /usr/sbin/apachectl stop && /usr/bin/defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true 2>&1 >> ScriptLogging
+ #else
+ # ScriptLogging " HTTP server not enabled."
+ #fi
# 4.5 Ensure ftp server is not running
- if /bin/launchctl list | egrep ftp > /dev/null; then
- ScriptLogging " FTP server is running. Shut it down."
- /usr/sbin/launchctl unload -w /System/Library/LaunchDaemons/ftp.plist 2>&1 >> ScriptLogging
- else
- ScriptLogging " FTP server not enabled."
- fi
+ # TODO
+ #if /bin/launchctl list | egrep ftp > /dev/null; then
+ # ScriptLogging " FTP server is running. Shut it down."
+ # /usr/sbin/launchctl unload -w /System/Library/LaunchDaemons/ftp.plist 2>&1 >> ScriptLogging
+ #else
+ # ScriptLogging " FTP server not enabled."
+ #fi
# 4.6 Ensure nfs server is not running
- if /bin/ps -ef | grep -i nfsd > /dev/null; then
- ScriptLogging " NFS server is running. Shut it down."
- /sbin/nfsd disable 2>&1 >> ScriptLogging
- elif [[ -e /etc/exports ]]; then
- rm /etc/export
- else
- ScriptLogging " NFS server not enabled."
- fi
-sleep 5
+ # TODO
+ #if /bin/ps -ef | grep -i nfsd > /dev/null; then
+ # ScriptLogging " NFS server is running. Shut it down."
+ # /sbin/nfsd disable 2>&1 >> ScriptLogging
+ #elif [[ -e /etc/exports ]]; then
+ # rm /etc/export
+ #else
+ # ScriptLogging " NFS server not enabled."
+ #fi
}
# 5 System Access, Authentication and Authorization
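Review bot: The 4.1 audit on the new `local checkBonjourAdvertising=` line reads `com.apple.alf globalstate`, which is the application firewall state already checked in 2.6.3 and unrelated to mDNSResponder, so Bonjour advertising is reported "off" whenever the firewall is on and the remediation never runs; the check should look for `-NoMulticastAdvertisements` in the mDNSResponder launchd plist's `ProgramArguments`. The remediation line writes a key spelled `ProgramArguements`, which creates a new ignored key instead of appending to `ProgramArguments`, and the value `'{-NoMulticastAdvertisements;}'` is dictionary-literal syntax rather than the plain string the daemon expects — `-array-add -NoMulticastAdvertisements` on the correctly spelled key is what is wanted. `local checkBonjourAdvertising="$(…)"` also hides the exit status of `defaults read`; declare first and assign on the next line. The 4.2 block has the same mismatch as 2.1.3: the comment says the script is not run at user level, yet the code still reads and writes root's `com.apple.systemuiserver` domain. networkConfigurations() begins before this hunk.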
@@ -368,81 +536,158 @@ systemAccess() {
# 5.1 File System Permissions and Access Controls
ScriptLogging " 5.1 File System Permissions and Access Controls"
- # 5.1.1 Secure Home Folders (Scored)
- # Home folders are owned by the user only by default
+ # 5.1.1 Secure Home Folders
+ # This script is intended to run BEFORE a system is deployed. Maybe a umask here, but not sure how to implement it.
- # 5.1.2 Check System Wide Applications for appropriate permissions
- # TODO
+ # 5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions
+ # Can either set this in the weekly cron, or use the MDM to control this. MDM is prefered, as it is more maleable to timing/editing.
- # 5.1.3 Check System folder for world writable files (Scored)
- # TODO
+ # 5.1.3 Check System Wide Applications for appropriate permissions
+ # This should be checked prior to deployment within your apps/packages.
- # 5.1.4 Check Library folder for world writable files (Scored)
- # TODO
+ # 5.1.4 Check System folder for world writable files
+ # So long as you do not introduce this into your environment through bad packaging, there's no need to remediate this.
+
+ # 5.1.5 Check Library folder for world writable files
+ # Level 2
+ # GarageBand looks to be a culprit here. Should be removed/repackaged.
# 5.2 Password Management
ScriptLogging " 5.2 Password Management"
# TODO
- # This is set by AD in our environment, but doesn't account for local-only users
# Need to find a way to set the pwpolicy for users that don't yet exist in the system. The remidiation procedure is for a logged in user.
# It might be that this should be configured via Configuration Policy instead
- # 5.2.1 Configure account lockout threshold
- # Audit:
- # pwpolicy -getaccountpolicies | grep -A 1 'policyAttributeMaximumFailedAuthentications' | tail -1 | cut -d'>' -f2 | cut -d '<' -f1
- # Remediation
- # pwpolicy -setaccountpolicies
-
- # 5.2.2 Set a minimum password length
- # 5.2.3 Complex passwords must contain an Alphabetic Character
- # 5.2.4 Complex passwords must contain a Numeric Character
- # 5.2.5 Complex passwords must contain a Special Character
- # 5.2.6 Complex passwords must uppercase and lowercase letters
- # 5.2.7 Password Age
- # 5.2.8 Password History
+ # 5.2.1 Configure account lockout threshold
+ # pwpolicy -getaccountpolicies | grep -A 1 'policyAttributeMaximumFailedAuthentications' | tail -1 | cut -d'>' -f2 | cut -d '<' -f1
+ # pwpolicy -setaccountpolicies
+ # 5.2.2 Set a minimum password length
+ # 5.2.3 Complex passwords must contain an Alphabetic Character
+ # 5.2.4 Complex passwords must contain a Numeric Character
+ # 5.2.5 Complex passwords must contain a Special Character
+ # 5.2.6 Complex passwords must uppercase and lowercase letters
+ # 5.2.7 Password Age
+ # 5.2.8 Password History
# 5.3 Reduce the sudo timeout period
+ if [[ "$(/bin/cat /etc/sudoers | grep timestamp)" -eq 0 ]]; then
+ echo "No sudo timeout modification present. Default is 5 minutes."
+ else
+ echo "Change sudo timeout."
+ fi
# listed as issue on github : https://github.com/krispayne/CIS-Settings/issues/2
# 5.4 Automatically lock the login keychain for inactivity
- # Cannot be easily implmented in our environment
+ # User specific. Check to see if can be implemented via config profile. Default is 'no limit.'
# 5.5 Ensure login keychain is locked when the computer sleeps
+ # User specific. Check to see if can be implemented via config profile. Default is 'no limit.'
+
# 5.6 Enable OCSP and CRL certificate checking
- # 5.7 Do not enable the "root" account (Scored)
- # Disabled by default
+ # TODO not enabled by default
+
+ # 5.7 Do not enable the "root" account
+
+ #TODO: Test. New audit/remediation written.
+
+
+ if [[ "$(/usr/bin/dscl . -read /Users/root AuthenticationAuthority)" = "No such key: AuthenticationAuthority" ]]; then
+ ScriptLogging " 'root' is disabled."
+ else
+ ScriptLogging " 'root' is enabled. Disabling..."
+ /usr/sbin/dsenableroot -d 2>&1 >> ScriptLogging
+ ScriptLogging " 'root' is disabled."
+ fi
+
+ # 5.8 Disable automatic login
- # 5.8 Disable automatic login (Scored)
+ #TODO: Test. New audit/remediation written.
- if /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser > /dev/null; then
+ if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser > /dev/null)" -eq 0 ]]; then
ScriptLogging " Auto login is disabled."
else
- ScriptLogging " Auto login enabled. Disabling."
+ ScriptLogging " Auto login enabled. Disabling..."
/usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>&1 >> ScriptLogging
+ ScriptLogging " Auto login is disabled."
fi
- # 5.9 Require a password to wake the computer from sleep or screen saver (Scored)
- # /usr/bin/defaults write com.apple.screensaver askForPassword -int 1
+ # 5.9 Require a password to wake the computer from sleep or screen saver
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/usr/bin/defaults read com.apple.screensaver askForPassword)" = "1" ]]; then
+ ScriptLogging " Password required to wake from sleep or screensaver."
+ else
+ ScriptLogging " Password NOT required to wake from sleep or screensaver. Fixing..."
+ /usr/bin/defaults write com.apple.screensaver askForPassword -int 1 2>&1 >> ScriptLogging
+ ScriptLogging " Password required to wake from sleep or screensaver."
+ fi
- # 5.10 Require an administrator password to access system-wide preferences (Not Scored)
- # Set via script sysPrefAdmin.sh
+ # 5.10 Require an administrator password to access system-wide preferences
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/usr/bin/security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)')" = "" ]]; then
+ ScriptLogging " Password required to access system-wide preferences."
+ else
+ ScriptLogging " Password NOT required to access system-wide preferences. Fixing..."
+ /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
+ /usr/bin/defaults write /tmp/system.preferences.plist shared -bool false
+ /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
+ ScriptLogging " Password required to access system-wide preferences."
+ fi
- # 5.11 Disable ability to login to another user's active and locked session (Scored)
+ # 5.11 Disable ability to login to another user's active and locked session
+ # Need sed here to edit /etc/pam.d/screensaver
# 5.12 Create a custom message for the Login Screen
+ if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow.plist | grep LoginwindowText)" -eq 0 ]]; then
+ ScriptLogging " Login Message not set. Setting..."
+ /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This system is reserved for authorized use only. The use of this system may be monitored." 2>&1 >> ScriptLogging
+ ScriptLogging " Login Message set."
+ else
+ ScriptLogging " Login Message set."
+ fi
# 5.13 Create a Login window banner
- /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This system is reserved for authorized use only. The use of this system may be monitored."
+ # Level 2
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ ! -e /Library/Security/PolicyBanner.txt ]]; then
+ ScriptLogging " 'PolicyBanner.txt' not found."
+ echo "This system is reserved for authorized use only. The use of this system may be monitored." > /Library/Security/PolicyBanner.txt
+ ScriptLogging " Login Window banner set."
+ else
+ ScriptLogging " Login Window banner set."
+ fi
# 5.14 Do not enter a password-related hint
+ # Per user. Need to find away to mass audit/remediate
+
# 5.15 Disable Fast User Switching
+ # Level 2
+
+ #TODO: Test. New audit/remediation written.
+
+ if [[ "$(/usr/bin/defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled)" = "0" ]]; then
+ ScriptLogging " Fast User Switching disabled."
+ else
+ ScriptLogging " Fast User Switching enabled. Disabling..."
+ /usr/bin/defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO 2>&1 >> ScriptLogging
+ ScriptLogging " Fast User Switching disabled."
+ fi
+
# 5.16 Secure individual keychain items
+ # Level 2
+
# 5.17 Create specialized keychains for different purposes
- # 5.18 System Integrity Protection status
- # 5.19 Install an approved tokend for smartcard authentication
-sleep 5
+ # Level 2
+
+ # 5.18 Install an approved tokend for smartcard authentication
+ # Level 2
}
# 6 User Accounts and Environment
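Review bot: The 5.8 auto-login audit `if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser > /dev/null)" -eq 0 ]]` can never detect an enabled autoLoginUser: the `> /dev/null` inside the substitution discards grep's output, so the string is always empty, `-eq 0` always holds, and a machine with auto login turned on is logged as disabled and left that way. Test grep's exit status instead, `if ! /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow 2>/dev/null | grep -q autoLoginUser; then`. The 5.3 sudoers and 5.12 LoginwindowText checks use the same string-in-arithmetic shape; when grep does match, bash evaluates the matched line as an arithmetic expression, so text like `timestamp_timeout=5` yields an evaluation error rather than a result, and `grep -q` is the right test there as well. In 5.10 the compliant state the benchmark expects is `<false/>`, but the condition treats an empty result as compliant and `<false/>` as non-compliant, so it re-runs the remediation on already-hardened systems and reports systems with no `shared` entry as compliant without checking them; compare against `<false/>`. That remediation also round-trips the authorization rule through the fixed path /tmp/system.preferences.plist as root, which another local user could pre-create or symlink; use a `mktemp -d` directory and remove it afterwards, as below.
```shell
if [[ "$(/usr/bin/security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)')" = "<false/>" ]]; then
  # … unchanged: compliant-state ScriptLogging …
else
  # … unchanged: non-compliant ScriptLogging …
  local tmpdir
  if tmpdir=$(mktemp -d); then
    /usr/bin/security authorizationdb read system.preferences > "$tmpdir/system.preferences.plist"
    /usr/bin/defaults write "$tmpdir/system.preferences.plist" shared -bool false
    /usr/bin/security authorizationdb write system.preferences < "$tmpdir/system.preferences.plist"
    rm -rf -- "$tmpdir"
  else
    ScriptLogging " mktemp failed; 5.10 left unremediated."
  fi
fi
```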
@@ -451,62 +696,95 @@ userEnvironment() {
ScriptLogging "6 User Accounts and Environment"
ScriptLogging " ------------------- "
- # 6.1 Accounts Preferences Action Items
+
ScriptLogging " 6.1 Accounts Preferences Action Items"
+ # 6.1 Accounts Preferences Action Items
- # 6.1.1 Display login window as name and password (Scored)
- /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes 2>&1 >> ScriptLogging
+ # 6.1.1 Display login window as name and password
+ # No audit, just do it.
+ /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes 2>&1 >> ScriptLogging
- # 6.1.2 Disable "Show password hints" (Scored)
- /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 2>&1 >> ScriptLogging
+ # 6.1.2 Disable "Show password hints"
+ # No audit, just do it.
+ /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 2>&1 >> ScriptLogging
- # 6.1.3 Disable guest account login (Scored)
- /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO 2>&1 >> ScriptLogging
+ # 6.1.3 Disable guest account login
+ # No audit, just do it.
+ /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO 2>&1 >> ScriptLogging
- # 6.1.4 Disable "Allow guests to connect to shared folders" (Scored)
- /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no 2>&1 >> ScriptLogging
- /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no 2>&1 >> ScriptLogging
+ # 6.1.4 Disable "Allow guests to connect to shared folders"
+ # No audit, just do it.
+ /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no 2>&1 >> ScriptLogging
+ /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no 2>&1 >> ScriptLogging
- # 6.2 Turn on filename extensions (Scored)
+ # 6.2 Turn on filename extensions
+ # Recommendation
+ # No audit, just do it.
/usr/bin/defaults write NSGlobalDomain AppleShowAllExtensions -bool true 2>&1 >> ScriptLogging
# 6.3 Disable the automatic run of safe files in Safari (Scored)
+ # Recommendation
+ # No audit, just do it.
/usr/bin/defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no 2>&1 >> ScriptLogging
# 6.4 Use parental controls for systems that are not centrally managed
- # Centrally Managed
-sleep 5
+ # Recommendation
+ # Level 2
}
-# 7 Additional Considerations
+# 7 Appendix: Additional Considerations
additionalConsiderations() {
+ # These have been removed from the mainScript () to be cleaner, since they don't do anything.
+ # Leaving the function as a "completionist"
+
ScriptLogging "7 Appendix: Additional Considerations"
ScriptLogging " ------------------- "
# 7.1 Wireless technology on OS X
+ # Level 2
+
# 7.2 iSight Camera Privacy and Confidentiality Concerns
+ # Level 2
+
# 7.3 Computer Name Considerations
+ # Level 2
+
# 7.4 Software Inventory Considerations
+ # Level 2
+
# 7.5 Firewall Consideration
+ # Level 2
+
# 7.6 Automatic Actions for Optical Media
+ # Level 1
+ # No optical media drives on any endpoints.
+
# 7.7 App Store Automatically download apps purchased on other Macs Considerations
+ # Level 2
+
# 7.8 Extensible Firmware Interface (EFI) password
+ # Level 2
+ # Implement via your MDM/Imaging solution. If at all. FV2
+
# 7.9 Apple ID password reset
- # 7.10 Repairing permissions is no longer needed with 10.11
- # 7.11 App Store Password Settings
-sleep 5
+ # Level 2
}
# 8 Artifacts
artifacts() {
+ # These have been removed from the mainScript () to be cleaner, since they don't do anything.
+ # Leaving the function as a "completionist"
+
ScriptLogging "8 Artifacts"
ScriptLogging " ------------------- "
# 8.1 Password Policy Plist generated through OS X Server
+ # No Rationale, Audit or remediation provided by CIS
+
# 8.2 Password Policy Plist from man page
-sleep 5
+ # No Rationale, Audit or remediation provided by CIS
}
# The Restarts
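Review bot: The `2>&1 >> ScriptLogging` suffix on the re-added `defaults write` lines (6.1.1 through 6.1.4) does not route output through the ScriptLogging function; `>>` is a file redirection, so each command's stdout is appended to a file literally named `ScriptLogging` in whatever directory the script was started from, and its stderr still goes to the original stdout. Since these writes print nothing on success, drop the suffix and check the exit status instead, e.g. `/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes || ScriptLogging " SHOWFULLNAME write failed."`. Separately, `NSGlobalDomain` (6.2) and `com.apple.Safari` (6.3) are per-user domains; with the file header now requiring the script to run as root, these presumably set root's preferences rather than the logged-in user's, which the "No audit, just do it." comments do not acknowledge — worth a comment such as `# Per-user domain: when run as root this sets root's preference, not the user's; apply per user or via configuration profile.`. Also 6.3's heading still carries the "(Scored)" tag that the rest of the commit strips.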
@@ -526,26 +804,10 @@ cleanAndReboot() {
/sbin/shutdown -r now
}
-ScriptLogging(){
-
- if [ -n "$1" ]; then
- IN="$1"
- else
- read IN # This reads a string from stdin and stores it in a variable called IN
- fi
-
- DATE=`date +%Y-%m-%d\ %H:%M:%S`
- LOG="$log_location"
-
- echo "$DATE" " $IN" >> $LOG
-}
+ScriptLogging() { logger -t CIS_SETTINGS "$@"; echo "$@"; }
mainScript() {
- if [[ -f "$log_location" ]]; then
- /bin/mv $log_location $archive_log_location
- fi
-
ScriptLogging " ------------------- "
ScriptLogging " Starting CIS Settings "
ScriptLogging " ------------------- "
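Review bot: The one-line `ScriptLogging() { logger -t CIS_SETTINGS "$@"; echo "$@"; }` drops the stdin mode of the function it replaces, yet the rest of the script still ends remediation commands with `2>&1 >> ScriptLogging` (visible in systemAccess and userEnvironment), and that is a file append, not a call: command output lands in a file named `ScriptLogging` in the current directory while nothing reaches syslog. With the log file and its archive removed from mainScript, that stray file is now the only place remediation output goes. Restoring line-by-line stdin handling lets those sites become `… 2>&1 | ScriptLogging`, and `printf '%s\n'` avoids echo interpreting a message that begins with `-`; a version that does both is below.
```shell
ScriptLogging() {
  local line
  if (( $# > 0 )); then
    logger -t CIS_SETTINGS -- "$*"
    printf '%s\n' "$*"
  else
    while IFS= read -r line || [[ -n "$line" ]]; do
      logger -t CIS_SETTINGS -- "$line"
      printf '%s\n' "$line"
    done
  fi
}
```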
@@ -560,8 +822,6 @@ mainScript() {
networkConfigurations
systemAccess
userEnvironment
- additionalConsiderations
- artifacts
cleanAndReboot
}