diff --git a/Yosemite_CIS.sh b/Yosemite_CIS.sh index 1365b7b..7e92788 100755 --- a/Yosemite_CIS.sh +++ b/Yosemite_CIS.sh @@ -1,24 +1,19 @@ #!/bin/bash ######################################################################## -# CIS Level 1 Benchmark Settings 1.1.0 +# CIS Level 1 Benchmark Settings 1.2.0 # Yosemite (10.10) # Kris Payne +# Run as root ######################################################################## -# Log and log archive location -log_location="/var/log/cis_install.log" -archive_log_location="/var/log/cis_install-`date +%Y-%m-%d-%H-%M-%S`.log" - # 1 Install Updates, Patches and Additional Security Software softwareUpdates() { ScriptLogging "1 Install Updates, Patches, and Additional Security Software" ScriptLogging " ------------------- " - # 1.1 Verify all Apple provided software is current (Scored) - local softwareUpdateChecl - softwareUpdateCheck="$( /usr/sbin/softwareupdate -l | grep -ic "No new software available." )" - if [[ "$softwareUpdateCheck" -eq 0 ]]; then + # 1.1 Verify all Apple provided software is current + if [[ "$(/usr/sbin/softwareupdate -l | grep -ic "No new software available.")" -eq 0 ]]; then ScriptLogging " No new software available." else ScriptLogging " Installing Software Updates." 
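Review bot: The rewritten 1.1 test is inverted: `grep -ic "No new software available."` yields the count of matching lines, so `-eq 0` holds exactly when the phrase is absent (updates are pending), yet that branch logs " No new software available." while the else branch, reached when nothing is pending, logs " Installing Software Updates." and presumably installs; the guard should read `if [[ "$(/usr/sbin/softwareupdate -l | grep -ic "No new software available.")" -ne 0 ]]; then`. Dropping `log_location` and `archive_log_location` from the header is safe only if ScriptLogging() (defined outside this hunk) no longer reads them — the log path is now defined nowhere visible in the diff, so that is worth confirming before merging. softwareUpdates starts in this hunk and continues past it.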
@@ -26,51 +21,38 @@ softwareUpdates() { fi # 1.2 Enable Auto Update - # Checks to see if computer is polling automatically for updates from Apple - if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled)" = 1 ]]; then ScriptLogging " Automatic Update Check already enabled." else /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1 2>&1 >> ScriptLogging fi - # SWU managed via policy in Casper - # 1.3 Enable app update installs - # Sets Mac App Store auto-update for installed apps. - + # Requires log out to take visual effect in GUI. if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.commerce AutoUpdate)" = "1" ]]; then ScriptLogging " Auto Update Apps already enabled." else /usr/bin/defaults write /Library/Preferences/com.apple.storeagent AutoUpdate -bool TRUE 2>&1 >> ScriptLogging fi - # Policies via AutoPKG and Casper - # 1.4 Enable system data files and security update installs - - if [[ "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep ConfigDataInstall)" = "ConfigDataInstall = 1;" ]]; then + if [[ "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(ConfigDataInstall)')" = "ConfigDataInstall = 1;" ]]; then ScriptLogging " ConfigDataInstall is 1." - elif [[ "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep CriticalUpdateInstall)" = "CriticalUpdateInstall = 1;" ]]; then - printf " ConfigDataInstall is 1.\n" + elif [[ "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(CriticalUpdateInstall)')" = "CriticalUpdateInstall = 1;" ]]; then + ScriptLogging " CriticalUpdateInstall is 1." else ScriptLogging " Enabling system data files and security updates." 
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true 2>&1 >> ScriptLogging /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true 2>&1 >> ScriptLogging fi - # Policy in Casper - # 1.5 Enable OS X update installs - if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired)" = "1" ]]; then ScriptLogging " OS X is set to auto update." else ScriptLogging " Setting OS X to auto update." /usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE 2>&1 >> ScriptLogging fi - # Policy in Casper -sleep 5 } # 2 System Preferences @@ -82,7 +64,8 @@ systemPreferences() { ScriptLogging " 2.1 Bluetooth" # 2.1 Bluetooth - # 2.1.1 Turn off Bluetooth, if no paired devices exist (Scored) + # 2.1.1 Turn off Bluetooth, if no paired devices exist + # Requires `killall -HUP blued` found in cleanAndReboot() ScriptLogging " Turn off Bluetooth, if no paired devices exist." if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState)" = "1" ]]; then ScriptLogging " Bluetooth ControllerPowerState is 1." 
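Review bot: `2>&1 >> ScriptLogging` (e.g. the `defaults write … AutomaticCheckEnabled -int 1` line) redirects stdout to a file literally named `ScriptLogging` in the current working directory and, because `2>&1` is applied before the file redirection, leaves stderr on the terminal — so the error output of every remediation is the one thing that never reaches the log, and a root-run script drops a stray file wherever it was launched. The order should be `>> "<log path>" 2>&1` (constructed placeholder) using the path ScriptLogging writes to, or the output should be piped through ScriptLogging if it accepts stdin; the same pattern is on every new remediation line in the later hunks (2.1–2.11, 3.x, 4.x), so fix it once. The `egrep '(ConfigDataInstall)'` and `egrep '(CriticalUpdateInstall)'` comparisons expect the whole line to equal `ConfigDataInstall = 1;`, but `defaults read` of an entire domain prints dictionary entries with leading indentation, so the test likely never matches and the else branch rewrites both keys on every run; reading the single key, `defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall`, and comparing with `"1"` is both simpler and correct. softwareUpdates starts before this hunk.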
@@ -105,31 +88,28 @@ systemPreferences() { # is selected. To ensure that the computer is not Discoverable do not leave that preference open. if [[ "$(/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable | awk '{ print $2 }')" = "Off" ]]; then - ScriptLogging " Bluetooth Discoverable is off." + ScriptLogging " Bluetooth is not discoverable." fi - # uuid=`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57` - # /usr/bin/defaults write /Users/$@/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid DiscoverableState -bool no - # /usr/sbin/chown $@ /Users/$@/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid.plist - # Stolen from http://krypted.com/mac-security/disabling-bluetooth-discoverable-mode/ - # Need to test. - - # 2.1.3 Show Bluetooth status in menu bar (Scored) + # 2.1.3 Show Bluetooth status in menu bar + # This is user level. This script is not run at user level. if [[ "$(/usr/bin/defaults read com.apple.systemuiserver menuExtras | grep Bluetooth.menu)" = "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" ]]; then ScriptLogging " Bluetooth shown in menu bar." else /usr/bin/defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" 2>&1 >> ScriptLogging fi + + ScriptLogging " 2.2 Date & Time" # 2.2 Date & Time - ScriptLogging " 2.2 Date & Time" - # 2.2.1 Enable "Set time and date automatically" (Scored) + # 2.2.1 Enable "Set time and date automatically" + # Listed as Level 2 profile, however, it does not get in the way of the user and provides great benefit. if [[ "$(/usr/sbin/systemsetup -getusingnetworktime | awk '{ print $3 }')" = "On" ]]; then - ScriptLogging " NetworkTime already on. Ensuring server is time.apple.com." + ScriptLogging " NetworkTime on. Ensuring server is time.apple.com." 
if [[ "$(/usr/sbin/systemsetup -getnetworktimeserver | awk '{ print $4 }')" = "time.apple.com" ]]; then - ScriptLogging " NetworkTime is set and is set to time.apple.com." + ScriptLogging " NetworkTime is on and set to time.apple.com." fi else @@ -139,7 +119,7 @@ systemPreferences() { fi ScriptLogging " Set NetworkTime to time.apple.com." - /usr/sbin/systemsetup -setnetworktimeserver time.apple.com + /usr/sbin/systemsetup -setnetworktimeserver time.apple.com 2>&1 >> ScriptLogging ScriptLogging " Ensure NetworkTime is on." /usr/sbin/systemsetup -setusingnetworktime on 2>&1 >> ScriptLogging 
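Review bot: The 2.1.2 check only logs when Discoverable is Off and has no else branch, so now that the commented remediation has been removed a discoverable adapter passes silently; at minimum add `else ScriptLogging " Bluetooth is discoverable. No remediation applied."` so the finding shows in the log. For 2.1.3 the new comment acknowledges the script is not run at user level, but `defaults read/write com.apple.systemuiserver menuExtras` without a user target operates on root's own preferences, so the `-array-add` cannot affect any login user; the comparison also expects the bare path while `defaults read` prints array members quoted and comma-terminated, so the write presumably runs on every execution. Either drop the 2.1.3 write or loop over `/Users/*` as 2.3.2 does. systemPreferences starts before this hunk and continues after it.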
@@ -148,113 +128,289 @@ systemPreferences() { # 2.2.2 Ensure time set is within appropriate limits /usr/sbin/ntpdate -sv time.apple.com 2>&1 >> ScriptLogging - # 2.3 Desktop & Screen Saver + ScriptLogging " 2.3 Desktop & Screen Saver" + # 2.3 Desktop & Screen Saver # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver - /usr/bin/defaults -currentHost write com.apple.screensaver idleTime 600 2>&1 >> ScriptLogging - # going to move this to a user based configuration profile + # User configuration profiles are more useful here. + # Make sure what is set in the config profile is smaller than section 2.3.3 + + #/usr/bin/defaults -currentHost write com.apple.screensaver idleTime 600 2>&1 >> ScriptLogging # 2.3.2 Secure screen saver corners - # going to move this to a user based configuration profile + # Listed as Level 2 profile, however, it does not get in the way of the user and provides great benefit. + # Take a "clear-all" approach here, as 2.3.4 sets an active corner for enabling screensaver. + + # Set in User Template + for USER_TEMPLATE in "/System/Library/User Template"/* + do + /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.dock wvous-tl-corner 1 2>&1 >> ScriptLogging + /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.dock wvous-tr-corner 1 2>&1 >> ScriptLogging + /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.dock wvous-bl-corner 1 2>&1 >> ScriptLogging + /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.dock wvous-br-corner 1 2>&1 >> ScriptLogging + done + + # Set for already created users + for USER_HOME in /Users/* + do + USER_UID=`basename "${USER_HOME}"` + if [ ! "${USER_UID}" = "Shared" ]; then + if [ ! 
-d "${USER_HOME}"/Library/Preferences ]; then + /bin/mkdir -p "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging + fi + if [ -d "${USER_HOME}"/Library/Preferences ]; then + /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.dock wvous-tl-corner 1 2>&1 >> ScriptLogging + /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.dock wvous-tr-corner 1 2>&1 >> ScriptLogging + /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.dock wvous-bl-corner 1 2>&1 >> ScriptLogging + /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.dock wvous-br-corner 1 2>&1 >> ScriptLogging + fi + fi + done # 2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Not Scored) /usr/bin/pmset -a displaysleep 15 2>&1 >> ScriptLogging # 2.3.4 Set a screen corner to Start Screen Saver - #/usr/bin/defaults write ~/Library/Preferences/com.apple.dock wvous-tl-corner 5 + /usr/bin/defaults write ~/Library/Preferences/com.apple.dock wvous-br-corner 5 2>&1 >> ScriptLogging + - # 2.4 Sharing ScriptLogging " 2.4 Sharing" + # 2.4 Sharing + # Sharing is listed as Recommendations, not subsections. They are all listed as Level 1 profile, though. # 2.4.1 Disable Remote Apple Events (Scored) if [[ "$(/usr/sbin/systemsetup -getremoteappleevents | awk '{ print $4 }')" = "Off" ]]; then - ScriptLogging " Remote Apple Events already set to off." + ScriptLogging " Remote Apple Events set to off." else /usr/sbin/systemsetup -setremoteappleevents off 2>&1 >> ScriptLogging + ScriptLogging " Remote Apple Events set to off." fi # 2.4.2 Disable Internet Sharing (Scored) + + #TODO: Test. New audit/remediation written. + # Internet Sharing is off by default. Running these commands without checking # first will send the machine into a downward sprial of doom and depair. 
# It's your funeral if you uncomment. Left in for remediation/completeness sake. - # /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0 - # /bin/launchctl unload -w /System/Library/LaunchDaemons/ com.apple.InternetSharing.plist - + # if [[ ! -e "/Library/Preferences/SystemConfiguration/com.apple.nat" ]]; then + # ScriptLogging " No 'com.apple.nat' file present. Internet Sharing Disabled." + # else + # /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0 2>&1 >> ScriptLogging + # /bin/launchctl unload -w /System/Library/LaunchDaemons/ com.apple.InternetSharing.plist 2>&1 >> ScriptLogging + # fi # 2.4.3 Disable Screen Sharing (Scored) - # Screen sharing controlled by Remote Management Preferences + + #TODO: Test. New audit/remediation written. + + if [[ "$(/bin/launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist)" = "/System/Library/LaunchDaemons/com.apple.screensharing.plist: Service is disabled" ]]; then + ScriptLogging " Screen Sharing Disabled." + else + /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off 2>&1 >> ScriptLogging + fi # 2.4.4 Disable Printer Sharing (Scored) + # No need to audit, just remediate. /usr/sbin/cupsctl --no-share-printers 2>&1 >> ScriptLogging # 2.4.5 Disable Remote Login (Scored) - # Controlled at Firewall - # Also, open only for one user on systems. Defined in Casper + # Only open to service accounts. + #TODO: Test. New audit/remediation written. + if [[ "$(/usr/sbin/systemsetup -getremotelogin | awk '{ print $3 }')" = "Off" ]]; then + ScriptLogging " Remote Login Disabled." + else + /usr/sbin/systemsetup -setremotelogin off 2>&1 >> ScriptLogging + ScriptLogging " Remote Login Disabled." + fi # 2.4.6 Disable DVD or CD Sharing (Scored) # Devices do not have Optical Drives # 2.4.7 Disable Bluetooth Sharing - # Needs work. + + #TODO: Test. 
New audit/remediation written. + + if [[ "$(/usr/sbin/system_profiler SPBluetoothDataType | grep State)" = "Disabled\nDisabled\nDisabled"]]; then + ScriptLogging " Bluetooth Sharing Disabled." + else + local hardwareUUID=$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | awk -F ": " '{print $2}') + for USER_HOME in /Users/* + do + USER_UID=`basename "${USER_HOME}"` + if [ ! "${USER_UID}" = "Shared" ]; then + if [ ! -d "${USER_HOME}"/Library/Preferences ]; then + /bin/mkdir -p "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging + fi + if [ ! -d "${USER_HOME}"/Library/Preferences/ByHost ]; then + /bin/mkdir -p "${USER_HOME}"/Library/Preferences/ByHost 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost 2>&1 >> ScriptLogging + fi + if [ -d "${USER_HOME}"/Library/Preferences/ByHost ]; then + /usr/bin/defaults write "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist PrefKeyServicesEnabled -bool false 2>&1 >> ScriptLogging + #/usr/libexec/PlistBuddy -c "Delete :PrefKeyServicesEnabled" "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist + #/usr/libexec/PlistBuddy -c "Add :PrefKeyServicesEnabled bool false" "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist 2>&1 >> ScriptLogging + fi + fi + done + fi # 2.4.8 Disable File Sharing (Scored) - # Handled in netShareOff.sh + + #TODO: Test. New audit/remediation written. 
+ + if [[ "$(/bin/launchctl list | egrep AppleFileServer)" -eq 0 ]]; then + ScriptLogging " AFP is enabled. Disabling..." + echo "Disable AFP..." + else + ScriptLogging " AFP is Disabled." + fi + + if [[ "$(/bin/launchctl list | egrep smbd)" -eq 0 ]]; then + ScriptLogging " SMB is enabled. Disabling..." + echo "Disable SMB..." + else + ScriptLogging " SMB is Disbled." + fi # 2.4.9 Disable Remote Management (Scored) - # Used in our environment. Disabling not preferred. Limited to one user, defined in Casper. - # 2.5 Energy Saver + # TODO + # design audit/remediate + + ScriptLogging " 2.5 Energy Saver" + # 2.5 Energy Saver # 2.5.1 Disable "Wake for network access" + # Listed as Level 2 profile, however, it does not get in the way of the user and provides great benefit. + # Take a "clear-all" approach here /usr/bin/pmset -a womp 0 2>&1 >> ScriptLogging # 2.5.2 Disable sleeping the computer when connected to power + # Listed as Level 2 profile, however, it does not get in the way of the user and provides great benefit. + # Take a "clear-all" approach here /usr/bin/pmset -c sleep 0 2>&1 >> ScriptLogging - # 2.6 Security & Privacy + ScriptLogging " 2.6 Security & Privacy" + # 2.6 Security & Privacy # 2.6.1 Enable FileVault (Scored) - # We do not use FileVault in our environment + # This should be handled by an MDM with institutional keys. + # audit is `diskutil cs list | grep -i encryption` # 2.6.2 Enable Gatekeeper (Scored) - /usr/sbin/spctl --master-enable 2>&1 >> ScriptLogging + + #TODO: Test. New audit/remediation written. + + if [[ "$(/usr/sbin/spctl --status)" = "assessments disabled" ]]; then + ScriptLogging " Gatekeeper is disabled. Enabling..." + /usr/sbin/spctl --master-enable 2>&1 >> ScriptLogging + else + ScriptLogging " Gatekeeper is enabled." + fi # 2.6.3 Enable Firewall (Scored) - /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1 2>&1 >> ScriptLogging + + #TODO: Test. New audit/remediation written. 
+ + if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)" -ge 1 ]]; then + ScriptLogging " Firewall enabled." + else + /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1 2>&1 >> ScriptLogging + ScriptLogging " Firewall enabled." + fi # 2.6.4 Enable Firewall Stealth Mode - local stealthMode - stealthMode="$( /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -ic "Stealth mode enabled" )" - if [[ "$stealthMode" -eq 0 ]]; then + + #TODO: Test. New audit/remediation written. + + if [[ "$( /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -ic "Stealth mode enabled" )" -eq 0 ]]; then ScriptLogging " Firewall Stealth Mode enabled." else ScriptLogging " Enabling Firewall Stealth Mode." - /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on 2>&1 >> ScriptLogging + /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on 2>&1 >> ScriptLogging + ScriptLogging " Firewall Stealth Mode enabled." fi # 2.6.5 Review Application Firewall Rules - # Needs work. - # 2.7 iCloud - # printf "2.7 iCloud" - # this section is currently only set for Recommendations, not Published standards. + #TODO: Test. New audit/remediation written. - # 2.8 Pair the remote control infrared receiver if enabled (Scored) - # Disable: - /usr/bin/defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled 0 2>&1 >> ScriptLogging + if [[ "$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep "ALF" | awk '{ print $7 }')" -lt 10 ]]; then + ScriptLogging " Number of apps is less than 10." + else + ScriptLogging "***** Number of apps is greater than 10, please investigate! *****" - # 2.9 Enable Secure Keyboard Entry in terminal.app (Scored) + # 2.7 iCloud + # This section has moved from Recommendations over to Subsections, however, no audit or remidiation guideleins are given. + # The following recommedations are listed in Level 2 profile. 
+ # 2.7.1 iCloud configuration + # 2.7.2 iCloud keychain + # 2.7.3 iCloud Drive + + # 2.8 Pair the remote control infrared receiver if enabled + # Listed as Level 1 recommendation + + #TODO: Test. New audit/remediation written. + + if [[ "$(/usr/sbin/system_profiler 2>/dev/null | egrep "IR Receiver")" -eq 0 ]]; then + ScriptLogging " No IR Receiver present." + elif [[ "$(/usr/sbin/system_profiler 2>/dev/null | egrep "IR Receiver")" -gt 0 ]]; then + ScriptLogging " IR Receiver present. Check to see if the interface is enabled." + if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.driver.AppleIRController | awk '{ print $3 }')" = "0" ]]; then + ScriptLogging " IR Receiever Disabled." + else + /usr/bin/defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled 0 2>&1 >> ScriptLogging + ScriptLogging " IR Receiever Disabled." + fi + fi + + # 2.9 Enable Secure Keyboard Entry in terminal.app + # Listed as Level 1 recommendation + # Let's not audit, let's just force it. /usr/bin/defaults write -app Terminal SecureKeyboardEntry 1 2>&1 >> ScriptLogging # 2.10 Java 6 is not the default Java runtime - - # 2.11 Securely delete files as needed (Recommended) - # Need to re-work this into either configuration profile or User Template. - # /usr/bin/defaults write ~/Library/Preferences/com.apple.finder EmptyTrashSecurely 1 -sleep 5 + # Listed as Level 1 recommendation + # Java is the devil, installing it means you're a bad person. + + # 2.11 Configure Secure Empty Trash + # Listed as Level 1 recommendation + # Can be secured more securely with a configuration profile. + # Issues with config profile, especially if they are not user removable, in the event that a large file has been + # trashed, productivity can be hindered when emptying the trash. (only speaking from experience.) Gather requirements! + # If configured here through the script, the user can easily enable/disable at will in Finder Preferences. 
+ + for USER_TEMPLATE in "/System/Library/User Template"/* + do + /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.finder EmptyTrashSecurely 1 2>&1 >> ScriptLogging + done + + # Set for already created users + for USER_HOME in /Users/* + do + USER_UID=`basename "${USER_HOME}"` + if [ ! "${USER_UID}" = "Shared" ]; then + if [ ! -d "${USER_HOME}"/Library/Preferences ]; then + /bin/mkdir -p "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library 2>&1 >> ScriptLogging + /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences 2>&1 >> ScriptLogging + fi + if [ -d "${USER_HOME}"/Library/Preferences ]; then + /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.finder EmptyTrashSecurely 1 2>&1 >> ScriptLogging + fi + fi + done } # 3 Logging and Auditing 
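Review bot: The new systemPreferences body no longer parses: the 2.6.5 `if … -lt 10` block has an `else` but no closing `fi` before `# 2.7 iCloud`, and the 2.4.7 test `= "Disabled\nDisabled\nDisabled"]]` lacks the space before `]]` (and `\n` inside double quotes is a literal backslash-n, so that comparison can never be true even once it parses) — add `fi` after the `***** Number of apps …` line and rewrite the Bluetooth-sharing audit as a stream test, e.g. `if ! /usr/sbin/system_profiler SPBluetoothDataType | grep State | grep -q Enabled; then`, assuming the State lines read Enabled/Disabled as the current comparison already assumes. The 2.4.3 audit calls `launchctl load`, a state-changing command that will load screen sharing when it is not disabled, and its "Service is disabled" message goes to stderr so `$(…)` never captures it and control always falls through to `kickstart -deactivate`; a read-only check such as `if /bin/launchctl list | grep -q com.apple.screensharing; then` (remediate) `else` (log disabled) avoids both problems. In 2.11 the `/Users/*` loop writes to `"${USER_TEMPLATE}"`, the variable left over from the preceding loop, instead of `"${USER_HOME}"`, so existing users never receive EmptyTrashSecurely. The 2.4.8 AFP/SMB checks compare `launchctl list` text with `-eq 0`, which is true only when the output is empty (service not loaded) and raises an arithmetic error on non-numeric output, so the "is enabled" branch is taken precisely when the service is absent and its remediation is still only an `echo`; use `grep -q` there as well. systemPreferences starts before this hunk.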
@@ -263,27 +419,27 @@ loggingAndAuditing() { ScriptLogging "3 Logging and Audting" ScriptLogging " ------------------- " - # Test implementation with SumoLogic: http://www.sumologic.com/applications/mac-osx/ - # 3.1 Configure asl.conf ScriptLogging " Configure asl.conf" + # 3.1 Configure asl.conf - # 3.1.1 Retain system.log for 90 or more days (Scored) - # Contributed by John Oliver on CIS forums - # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292 - /usr/bin/sed -i.bak 's/^>\ system\.log.*/>\ system\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl.conf 2>&1 >> ScriptLogging + # 3.1.1 Retain system.log for 90 or more days + # Contributed by John Oliver on CIS forums + # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292 + /usr/bin/sed -i.bak 's/^>\ system\.log.*/>\ system\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl.conf 2>&1 >> ScriptLogging - # 3.1.2 Retain appfirewall.log for 90 or more days (Scored) - # Contributed by John Oliver on CIS forums - # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292 - /usr/bin/sed -i.bak 's/^\?\ \[=\ Facility\ com.apple.alf.logging\]\ .*/\?\ \[=\ Facility\ com.apple.alf.logging\]\ file\ appfirewall.log\ rotate=seq\ ttl=90/' /etc/asl.conf 2>&1 >> ScriptLogging + # 3.1.2 Retain appfirewall.log for 90 or more days + # Contributed by John Oliver on CIS forums + # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292 + /usr/bin/sed -i.bak 's/^\?\ \[=\ Facility\ com.apple.alf.logging\]\ .*/\?\ \[=\ Facility\ com.apple.alf.logging\]\ file\ appfirewall.log\ rotate=seq\ ttl=90/' /etc/asl.conf 2>&1 >> ScriptLogging - # 3.1.3 Retain authd.log for 90 or more days (Scored) - # Contributed by John Oliver on CIS forums - # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292 - 
/usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/authd\.log.*/\*\ file\ \/var\/log\/authd\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl/com.apple.authd 2>&1 >> ScriptLogging + # 3.1.3 Retain authd.log for 90 or more days + # Contributed by John Oliver on CIS forums + # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292 + /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/authd\.log.*/\*\ file\ \/var\/log\/authd\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl/com.apple.authd 2>&1 >> ScriptLogging - # 3.2 Enable security auditing (Scored) + # 3.2 Enable security auditing + # Security auditing is listed as Recommendations, not subsections. They are all listed as Level 1 profile, though. if [[ "$(/bin/launchctl list | grep -i auditd | awk '{ print $3 }')" = "com.apple.auditd" ]]; then ScriptLogging " Security Auditing enabled." else 
@@ -291,19 +447,20 @@ loggingAndAuditing() { fi # 3.3 Configure Security Auditing Flags + # Security Auditing Flags are listed in Level 2 profile. They are also listed as recommendation. # Contributed by John Oliver on CIS forums # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292 /usr/bin/sed -i '' 's/^flags:.*/flags:ad,aa,lo/' /etc/security/audit_control 2>&1 >> ScriptLogging /usr/bin/sed -i '' 's/^expire-after:.*/expire-after:90d\ AND\ 1G/' /etc/security/audit_control 2>&1 >> ScriptLogging # 3.4 Enable remote logging for Desktops on trusted networks - # Needs work. Do not have remote logging server setup in my environment to test. + # Remote Logging is listed in Level 2 profile. It is also listed as a recommendation. + # Audit procedure is not listed. Seems nearly impossible to audit this in an automated general way. # 3.5 Retain install.log for 365 or more days # Contributed by John Oliver on CIS forums # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292 /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/install\.log.*/\*\ file\ \/var\/log\/install\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=365/' /etc/asl/com.apple.install 2>&1 >> ScriptLogging -sleep 5 } # 4 Network Configurations 
@@ -313,50 +470,61 @@ networkConfigurations() { ScriptLogging " ------------------- " # 4.1 Disable Bonjour advertising service - export checkBonjourAdvertising - checkBonjourAdvertising="$(defaults read /Library/Preferences/com.apple.alf globalstate)" + # Level 2 profile + + #TODO: Test. New audit/remediation written. + + local checkBonjourAdvertising="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)" if [ "$checkBonjourAdvertising" = "1" ] || [ "$checkBonjourAdvertising" = "2" ]; then ScriptLogging " Bonjour Advertising is off." else - # need to work this section out. Editing a plist. ScriptLogging " Bonjour Advertising is on. Shut it down." + defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguements -array-add '{-NoMulticastAdvertisements;}' 2>&1 >> ScriptLogging + ScriptLogging " Bonjour Advertising is off." fi # 4.2 Enable "Show Wi-Fi status in menu bar" (Scored) - # Set via script and policy in Casper + # This is user level. This script is not run at user level. + + #TODO: Test. New audit/remediation written. + + if [[ "$(/usr/bin/defaults read com.apple.systemuiserver menuExtras | grep AirPort.menu)" = "/System/Library/CoreServices/Menu Extras/AirPort.menu" ]]; then + ScriptLogging " Airport shown in menu bar." + else + /usr/bin/defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/AirPort.menu" 2>&1 >> ScriptLogging + fi # 4.3 Create network specific locations + # Level 2 profile # 4.4 Ensure http server is not running # TODO - # Getting an error here - # HTTP server is running. Shut it down. - # /System/Library/LaunchDaemons/org.apache.httpd.plist: Could not find specified service - if /bin/ps -ef | grep -i httpd > /dev/null; then - ScriptLogging " HTTP server is running. Shut it down." 
- /usr/sbin/apachectl stop && /usr/bin/defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true 2>&1 >> ScriptLogging - else - ScriptLogging " HTTP server not enabled." - fi + #if /bin/ps -ef | grep -i httpd > /dev/null; then + # ScriptLogging " HTTP server is running. Shut it down." + # /usr/sbin/apachectl stop && /usr/bin/defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true 2>&1 >> ScriptLogging + #else + # ScriptLogging " HTTP server not enabled." + #fi # 4.5 Ensure ftp server is not running - if /bin/launchctl list | egrep ftp > /dev/null; then - ScriptLogging " FTP server is running. Shut it down." - /usr/sbin/launchctl unload -w /System/Library/LaunchDaemons/ftp.plist 2>&1 >> ScriptLogging - else - ScriptLogging " FTP server not enabled." - fi + # TODO + #if /bin/launchctl list | egrep ftp > /dev/null; then + # ScriptLogging " FTP server is running. Shut it down." + # /usr/sbin/launchctl unload -w /System/Library/LaunchDaemons/ftp.plist 2>&1 >> ScriptLogging + #else + # ScriptLogging " FTP server not enabled." + #fi # 4.6 Ensure nfs server is not running - if /bin/ps -ef | grep -i nfsd > /dev/null; then - ScriptLogging " NFS server is running. Shut it down." - /sbin/nfsd disable 2>&1 >> ScriptLogging - elif [[ -e /etc/exports ]]; then - rm /etc/export - else - ScriptLogging " NFS server not enabled." - fi -sleep 5 + # TODO + #if /bin/ps -ef | grep -i nfsd > /dev/null; then + # ScriptLogging " NFS server is running. Shut it down." + # /sbin/nfsd disable 2>&1 >> ScriptLogging + #elif [[ -e /etc/exports ]]; then + # rm /etc/export + #else + # ScriptLogging " NFS server not enabled." + #fi } # 5 System Access, Authentication and Authorization 
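Review bot: The 4.1 remediation writes the key `ProgramArguements`, which is not the `ProgramArguments` key launchd reads, so the array is added to the plist but has no effect on mDNSResponder, while the ScriptLogging line immediately after reports advertising as off; the audit above it also reads `com.apple.alf globalstate`, the Application Firewall setting already checked in 2.6.3, so the branch is decided by firewall state rather than by any Bonjour setting. If the flag is to be added it should be spelled `ProgramArguments`, and the success log should follow a re-read of the plist rather than be unconditional. Commenting out 4.4–4.6 leaves the http/ftp/nfs server items with neither audit nor remediation; until they are rewritten, a `ScriptLogging " 4.4-4.6 skipped: not implemented."` line would keep the log honest about coverage. networkConfigurations starts before this hunk.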
@@ -368,81 +536,158 @@ systemAccess() { # 5.1 File System Permissions and Access Controls ScriptLogging " 5.1 File System Permissions and Access Controls" - # 5.1.1 Secure Home Folders (Scored) - # Home folders are owned by the user only by default + # 5.1.1 Secure Home Folders + # This script is intended to run BEFORE a system is deployed. Maybe a umask here, but not sure how to implement it. - # 5.1.2 Check System Wide Applications for appropriate permissions - # TODO + # 5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions + # Can either set this in the weekly cron, or use the MDM to control this. MDM is prefered, as it is more maleable to timing/editing. - # 5.1.3 Check System folder for world writable files (Scored) - # TODO + # 5.1.3 Check System Wide Applications for appropriate permissions + # This should be checked prior to deployment within your apps/packages. - # 5.1.4 Check Library folder for world writable files (Scored) - # TODO + # 5.1.4 Check System folder for world writable files + # So long as you do not introduce this into your environment through bad packaging, there's no need to remediate this. + + # 5.1.5 Check Library folder for world writable files + # Level 2 + # GarageBand looks to be a culprit here. Should be removed/repackaged. # 5.2 Password Management ScriptLogging " 5.2 Password Management" # TODO - # This is set by AD in our environment, but doesn't account for local-only users # Need to find a way to set the pwpolicy for users that don't yet exist in the system. The remidiation procedure is for a logged in user. 
# It might be that this should be configured via Configuration Policy instead - # 5.2.1 Configure account lockout threshold - # Audit: - # pwpolicy -getaccountpolicies | grep -A 1 'policyAttributeMaximumFailedAuthentications' | tail -1 | cut -d'>' -f2 | cut -d '<' -f1 - # Remediation - # pwpolicy -setaccountpolicies - - # 5.2.2 Set a minimum password length - # 5.2.3 Complex passwords must contain an Alphabetic Character - # 5.2.4 Complex passwords must contain a Numeric Character - # 5.2.5 Complex passwords must contain a Special Character - # 5.2.6 Complex passwords must uppercase and lowercase letters - # 5.2.7 Password Age - # 5.2.8 Password History + # 5.2.1 Configure account lockout threshold + # pwpolicy -getaccountpolicies | grep -A 1 'policyAttributeMaximumFailedAuthentications' | tail -1 | cut -d'>' -f2 | cut -d '<' -f1 + # pwpolicy -setaccountpolicies + # 5.2.2 Set a minimum password length + # 5.2.3 Complex passwords must contain an Alphabetic Character + # 5.2.4 Complex passwords must contain a Numeric Character + # 5.2.5 Complex passwords must contain a Special Character + # 5.2.6 Complex passwords must uppercase and lowercase letters + # 5.2.7 Password Age + # 5.2.8 Password History # 5.3 Reduce the sudo timeout period + if [[ "$(/bin/cat /etc/sudoers | grep timestamp)" -eq 0 ]]; then + echo "No sudo timeout modification present. Default is 5 minutes." + else + echo "Change sudo timeout." + fi # listed as issue on github : https://github.com/krispayne/CIS-Settings/issues/2 # 5.4 Automatically lock the login keychain for inactivity - # Cannot be easily implmented in our environment + # User specific. Check to see if can be implemented via config profile. Default is 'no limit.' # 5.5 Ensure login keychain is locked when the computer sleeps + # User specific. Check to see if can be implemented via config profile. Default is 'no limit.' 
+ # 5.6 Enable OCSP and CRL certificate checking - # 5.7 Do not enable the "root" account (Scored) - # Disabled by default + # TODO not enabled by default + + # 5.7 Do not enable the "root" account + + #TODO: Test. New audit/remediation written. + + + if [[ "$(/usr/bin/dscl . -read /Users/root AuthenticationAuthority)" = "No such key: AuthenticationAuthority" ]]; then + ScriptLogging " 'root' is disabled." + else + ScriptLogging " 'root' is enabled. Disabling..." + /usr/sbin/dsenableroot -d 2>&1 >> ScriptLogging + ScriptLogging " 'root' is disabled." + fi + + # 5.8 Disable automatic login - # 5.8 Disable automatic login (Scored) + #TODO: Test. New audit/remediation written. - if /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser > /dev/null; then + if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser > /dev/null)" -eq 0 ]]; then ScriptLogging " Auto login is disabled." else - ScriptLogging " Auto login enabled. Disabling." + ScriptLogging " Auto login enabled. Disabling..." /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>&1 >> ScriptLogging + ScriptLogging " Auto login is disabled." fi - # 5.9 Require a password to wake the computer from sleep or screen saver (Scored) - # /usr/bin/defaults write com.apple.screensaver askForPassword -int 1 + # 5.9 Require a password to wake the computer from sleep or screen saver + + #TODO: Test. New audit/remediation written. + + if [[ "$(/usr/bin/defaults read com.apple.screensaver askForPassword)" = "1" ]]; then + ScriptLogging " Password required to wake from sleep or screensaver." + else + ScriptLogging " Password NOT required to wake from sleep or screensaver. Fixing..." + /usr/bin/defaults write com.apple.screensaver askForPassword -int 1 2>&1 >> ScriptLogging + ScriptLogging " Password required to wake from sleep or screensaver." 
+ fi - # 5.10 Require an administrator password to access system-wide preferences (Not Scored) - # Set via script sysPrefAdmin.sh + # 5.10 Require an administrator password to access system-wide preferences + + #TODO: Test. New audit/remediation written. + + if [[ "$(/usr/bin/security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)')" = "" ]]; then + ScriptLogging " Password required to access system-wide preferences." + else + ScriptLogging " Password NOT required to access system-wide preferences. Fixing..." + /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist + /usr/bin/defaults write /tmp/system.preferences.plist shared -bool false + /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist + ScriptLogging " Password required to access system-wide preferences." + fi - # 5.11 Disable ability to login to another user's active and locked session (Scored) + # 5.11 Disable ability to login to another user's active and locked session + # Need sed here to edit /etc/pam.d/screensaver # 5.12 Create a custom message for the Login Screen + if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow.plist | grep LoginwindowText)" -eq 0 ]]; then + ScriptLogging " Login Message not set. Setting..." + /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This system is reserved for authorized use only. The use of this system may be monitored." 2>&1 >> ScriptLogging + ScriptLogging " Login Message set." + else + ScriptLogging " Login Message set." + fi # 5.13 Create a Login window banner - /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This system is reserved for authorized use only. The use of this system may be monitored." + # Level 2 + + #TODO: Test. New audit/remediation written. + + if [[ ! 
-e /Library/Security/PolicyBanner.txt ]]; then + ScriptLogging " 'PolicyBanner.txt' not found." + echo "This system is reserved for authorized use only. The use of this system may be monitored." > /Library/Security/PolicyBanner.txt + ScriptLogging " Login Window banner set." + else + ScriptLogging " Login Window banner set." + fi # 5.14 Do not enter a password-related hint + # Per user. Need to find away to mass audit/remediate + # 5.15 Disable Fast User Switching + # Level 2 + + #TODO: Test. New audit/remediation written. + + if [[ "$(/usr/bin/defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled)" = "0" ]]; then + ScriptLogging " Fast User Switching disabled." + else + ScriptLogging " Fast User Switching enabled. Disabling..." + /usr/bin/defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO 2>&1 >> ScriptLogging + ScriptLogging " Fast User Switching disabled." + fi + # 5.16 Secure individual keychain items + # Level 2 + # 5.17 Create specialized keychains for different purposes - # 5.18 System Integrity Protection status - # 5.19 Install an approved tokend for smartcard authentication -sleep 5 + # Level 2 + + # 5.18 Install an approved tokend for smartcard authentication + # Level 2 } # 6 User Accounts and Environment 
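Review bot: The 5.8 check can never reach its remediation: the `> /dev/null` sits inside the command substitution, so the expansion is always empty and `[[ "" -eq 0 ]]` is always true; test the exit status instead, e.g. `if ! /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser > /dev/null 2>&1; then`. The 5.3 and 5.12 checks compare grep's text output with `-eq 0`, which is only well-defined for an empty match and typically raises an arithmetic syntax error when the key is present; `grep -q` on the exit status fixes both (5.3 additionally only echoes and never remediates, and `/etc/sudoers` may not be the only place a `timestamp_timeout` is set). In 5.10 the authorization rule is round-tripped as root through the fixed path `/tmp/system.preferences.plist`; use `mktemp` and delete the file afterwards, and note the audit treats `<false/>` as a failure too, so the rewrite runs on every execution even when already compliant. In 5.7 the `No such key` text from `dscl` may be emitted on stderr rather than stdout, in which case the comparison never matches and `dsenableroot -d` runs unconditionally — checking the command's exit status would be more robust. 5.9 reads `com.apple.screensaver` from the invoking user's domain, which under the header's "Run as root" is root's rather than the end user's, so the audit and the write do not affect the accounts the control is about.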
@@ -451,62 +696,95 @@ userEnvironment() { ScriptLogging "6 User Accounts and Environment" ScriptLogging " ------------------- " - # 6.1 Accounts Preferences Action Items + ScriptLogging " 6.1 Accounts Preferences Action Items" + # 6.1 Accounts Preferences Action Items - # 6.1.1 Display login window as name and password (Scored) - /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes 2>&1 >> ScriptLogging + # 6.1.1 Display login window as name and password + # No audit, just do it. + /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes 2>&1 >> ScriptLogging - # 6.1.2 Disable "Show password hints" (Scored) - /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 2>&1 >> ScriptLogging + # 6.1.2 Disable "Show password hints" + # No audit, just do it. + /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 2>&1 >> ScriptLogging - # 6.1.3 Disable guest account login (Scored) - /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO 2>&1 >> ScriptLogging + # 6.1.3 Disable guest account login + # No audit, just do it. + /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO 2>&1 >> ScriptLogging - # 6.1.4 Disable "Allow guests to connect to shared folders" (Scored) - /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no 2>&1 >> ScriptLogging - /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no 2>&1 >> ScriptLogging + # 6.1.4 Disable "Allow guests to connect to shared folders" + # No audit, just do it. 
+ /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no 2>&1 >> ScriptLogging + /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no 2>&1 >> ScriptLogging - # 6.2 Turn on filename extensions (Scored) + # 6.2 Turn on filename extensions + # Recommendation + # No audit, just do it. /usr/bin/defaults write NSGlobalDomain AppleShowAllExtensions -bool true 2>&1 >> ScriptLogging # 6.3 Disable the automatic run of safe files in Safari (Scored) + # Recommendation + # No audit, just do it. /usr/bin/defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no 2>&1 >> ScriptLogging # 6.4 Use parental controls for systems that are not centrally managed - # Centrally Managed -sleep 5 + # Recommendation + # Level 2 } -# 7 Additional Considerations +# 7 Appendix: Additional Considerations additionalConsiderations() { + # These have been removed from the mainScript () to be cleaner, since they don't do anything. + # Leaving the function as a "completionist" + ScriptLogging "7 Appendix: Additional Considerations" ScriptLogging " ------------------- " # 7.1 Wireless technology on OS X + # Level 2 + # 7.2 iSight Camera Privacy and Confidentiality Concerns + # Level 2 + # 7.3 Computer Name Considerations + # Level 2 + # 7.4 Software Inventory Considerations + # Level 2 + # 7.5 Firewall Consideration + # Level 2 + # 7.6 Automatic Actions for Optical Media + # Level 1 + # No optical media drives on any endpoints. + # 7.7 App Store Automatically download apps purchased on other Macs Considerations + # Level 2 + # 7.8 Extensible Firmware Interface (EFI) password + # Level 2 + # Implement via your MDM/Imaging solution. If at all. 
FV2 + # 7.9 Apple ID password reset - # 7.10 Repairing permissions is no longer needed with 10.11 - # 7.11 App Store Password Settings -sleep 5 + # Level 2 } # 8 Artifacts artifacts() { + # These have been removed from the mainScript () to be cleaner, since they don't do anything. + # Leaving the function as a "completionist" + ScriptLogging "8 Artifacts" ScriptLogging " ------------------- " # 8.1 Password Policy Plist generated through OS X Server + # No Rationale, Audit or remediation provided by CIS + # 8.2 Password Policy Plist from man page -sleep 5 + # No Rationale, Audit or remediation provided by CIS } # The Restarts @@ -526,26 +804,10 @@ cleanAndReboot() { /sbin/shutdown -r now } -ScriptLogging(){ - - if [ -n "$1" ]; then - IN="$1" - else - read IN # This reads a string from stdin and stores it in a variable called IN - fi - - DATE=`date +%Y-%m-%d\ %H:%M:%S` - LOG="$log_location" - - echo "$DATE" " $IN" >> $LOG -} +ScriptLogging() { logger -t CIS_SETTINGS "$@"; echo "$@"; } mainScript() { - if [[ -f "$log_location" ]]; then - /bin/mv $log_location $archive_log_location - fi - ScriptLogging " ------------------- " ScriptLogging " Starting CIS Settings " ScriptLogging " ------------------- " @@ -560,8 +822,6 @@ mainScript() { networkConfigurations systemAccess userEnvironment - additionalConsiderations - artifacts cleanAndReboot }
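Review bot: 6.2 and 6.3 write to `NSGlobalDomain` and `com.apple.Safari` without a path, so under the header's "Run as root" requirement they land in root's own preference domain and never reach the users the benchmark targets (the same issue as 5.9 in the systemAccess hunk); for the system-wide default, target `/Library/Preferences/.GlobalPreferences` as 5.15 does, or apply these per user. A one-line comment on each, such as `# Per-user setting: writing as root only affects root's domain`, would at least stop the next reader from assuming these are enforced. The boolean spellings `-bool yes`, `-bool NO` and `-boolean no` across 6.1.1–6.3 are equivalent but inconsistent; picking one form makes the block easier to audit.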
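Review bot: The new one-line `ScriptLogging() { logger -t CIS_SETTINGS "$@"; echo "$@"; }` drops the stdin mode the old function had, which is fine if no call site pipes into it, but `echo "$@"` should be `printf '%s\n' "$*"` so a message starting with `-` is not parsed as an option. With `log_location` and the archive rotation removed in the mainScript hunk, the only record of what this root-run script changed is syslog under the `CIS_SETTINGS` tag, which is worth stating in the script header so operators know where to look. Since the header now says "Run as root" and mainScript is the entry point, a guard such as `(( EUID == 0 )) || { printf 'must run as root\n' >&2; exit 1; }` at the start of mainScript would make that requirement enforced rather than documented; mainScript's body continues outside this hunk.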