From c01b7faffba004c625c986f6d5a22ab342973a73 Mon Sep 17 00:00:00 2001
From: oliverlind
Date: Wed, 3 Jan 2018 02:02:47 -0500
Subject: [PATCH] Add files via upload
Experimental/Untested. Adds a second pref for each item so you can decide separately which items should be scored/reported, and which should also be remediated.
---
 1_Set_Organization_Priorities.sh | 354 ++++++--
 2.5_Audit_List.sh | 4 +-
 2.6_Audit_Count.sh | 5 +-
 3_Security_Remediation.sh | 1295 +++++++++++++----------------
 README.md | 47 +-
 5 files changed, 875 insertions(+), 830 deletions(-)
diff --git a/1_Set_Organization_Priorities.sh b/1_Set_Organization_Priorities.sh
index b7844a7..d063112 100755
--- a/1_Set_Organization_Priorities.sh
+++ b/1_Set_Organization_Priorities.sh
@@ -51,281 +51,353 @@ plistlocation="$dir/org_security_score.plist" ############### ADMINS DESIGNATE ORG VALUES BELOW ################ ################################################################## +# Note that the remediations script does not handle all items, but we have included a pref +# for them in case you want to add your own remediation code. + # 1.1 Verify all Apple provided software is current -# OrgScore1_1="true" -OrgScore1_1="false" +# Default setting for 1_1: Score "true", Remediate "false" +OrgScore1_1="true" +OrgRemediate1_1="false" # 1.2 Enable Auto Update +# Default setting for 1_2: "true" OrgScore1_2="true" -# OrgScore1_2="false" +OrgRemediate1_2="true" # 1.3 Enable app update installs +# Default setting for 1_3: "true" OrgScore1_3="true" -# OrgScore1_3="false" +OrgRemediate1_3="true" # 1.4 Enable system data files and security update installs +# Default setting for 1_4: "true" OrgScore1_4="true" -# OrgScore1_4="false" +OrgRemediate1_4="true" # 1.5 Enable OS X update installs +# Default setting for 1_5: "true" OrgScore1_5="true" -# OrgScore1_5="false" +OrgRemediate1_5="true" # 2.1.1 Turn off Bluetooth, if no paired devices exist +# Default setting for 2_1_1: "true" OrgScore2_1_1="true" -# OrgScore2_1_1="false" +OrgRemediate2_1_1="true" # 2.1.3 Show Bluetooth status in menu bar +# Default setting for 2_1_3: "true" OrgScore2_1_3="true" -# OrgScore2_1_3="false" +OrgRemediate2_1_3="true" # 2.2.2 Ensure time set is within appropriate limits +# Default setting for 2_2_2: "true" OrgScore2_2_2="true" -# OrgScore2_2_2="false" +OrgRemediate2_2_2="true" # 2.2.3 Restrict NTP server to loopback interface +# Default setting for 2_2_3: "true" OrgScore2_2_3="true" -# OrgScore2_2_3="false" +OrgRemediate2_2_3="true" # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver +# Default setting for 2_3_1: "true" OrgScore2_3_1="true" -# OrgScore2_3_1="false" +OrgRemediate2_3_1="true" # 2.3.2 Secure screen saver corners +# Default setting for 
2_3_2: "true" OrgScore2_3_2="true" -# OrgScore2_3_2="false" +OrgRemediate2_3_2="true" # 2.3.4 Set a screen corner to Start Screen Saver +# Default setting for 2_3_4: "true" OrgScore2_3_4="true" -# OrgScore2_3_4="false" +OrgRemediate2_3_4="true" # 2.4.1 Disable Remote Apple Events +# Default setting for 2_4_1: "true" OrgScore2_4_1="true" -# OrgScore2_4_1="false" +OrgRemediate2_4_1="true" # 2.4.2 Disable Internet Sharing +# Default setting for 2_4_2: "true" OrgScore2_4_2="true" -# OrgScore2_4_2="false" +OrgRemediate2_4_2="true" # 2.4.3 Disable Screen Sharing +# Default setting for 2_4_3: "true" OrgScore2_4_3="true" -# OrgScore2_4_3="false" +OrgRemediate2_4_3="true" # 2.4.4 Disable Printer Sharing +# Default setting for 2_4_4: "true" OrgScore2_4_4="true" -# OrgScore2_4_4="false" +OrgRemediate2_4_4="true" # 2.4.5 Disable Remote Login +# Default setting for 2_4_5: "true" OrgScore2_4_5="true" -# OrgScore2_4_5="false" +OrgRemediate2_4_5="true" # 2.4.6 Disable DVD or CD Sharing +# Default setting for 2_4_6: "true" OrgScore2_4_6="true" -# OrgScore2_4_6="false" +OrgRemediate2_4_6="true" # 2.4.7 Disable Bluetooth Sharing +# Default setting for 2_4_7: "true" OrgScore2_4_7="true" -# OrgScore2_4_7="false" +OrgRemediate2_4_7="true" # 2.4.8 Disable File Sharing +# Default setting for 2_4_8: "true" OrgScore2_4_8="true" -# OrgScore2_4_8="false" +OrgRemediate2_4_8="true" # 2.4.9 Disable Remote Management +# Default setting for 2_4_9: "true" OrgScore2_4_9="true" -# OrgScore2_4_9="false" +OrgRemediate2_4_9="true" # 2.5.1 Disable "Wake for network access" +# Default setting for 2_5_1: "true" OrgScore2_5_1="true" -# OrgScore2_5_1="false" +OrgRemediate2_5_1="true" # 2.5.2 Disable sleeping the computer when connected to power +# Default setting for 2_5_2: "true" OrgScore2_5_2="true" -# OrgScore2_5_2="false" +OrgRemediate2_5_2="true" # 2.6.1 Enable FileVault +# Default setting for 2_6_1: Score "true", Remediate "false" OrgScore2_6_1="true" -# OrgScore2_6_1="false" +OrgRemediate2_6_1="false" 
# 2.6.2 Enable Gatekeeper +# Default setting for 2_6_2: "true" OrgScore2_6_2="true" -# OrgScore2_6_2="false" +OrgRemediate2_6_2="true" # 2.6.3 Enable Firewall +# Default setting for 2_6_3: "true" OrgScore2_6_3="true" -# OrgScore2_6_3="false" +OrgRemediate2_6_3="true" # 2.6.4 Enable Firewall Stealth Mode +# Default setting for 2_6_4: "true" OrgScore2_6_4="true" -# OrgScore2_6_4="false" +OrgRemediate2_6_4="true" # 2.6.5 Review Application Firewall Rules +# Default setting for 2_6_5: "true" OrgScore2_6_5="true" -# OrgScore2_6_5="false" +OrgRemediate2_6_5="true" # 2.7.4 iCloud Drive Document sync +# Default setting for 2_7_4: "true" OrgScore2_7_4="true" -# OrgScore2_7_4="false" +OrgRemediate2_7_4="true" # 2.7.5 iCloud Drive Desktop sync +# Default setting for 2_7_5: "true" OrgScore2_7_5="true" -# OrgScore2_7_5="false" +OrgRemediate2_7_5="true" # 2.8.1 Time Machine Auto-Backup +# Default setting for 2_8_1: "true" OrgScore2_8_1="true" -# OrgScore2_8_1="false" +OrgRemediate2_8_1="true" # 2.9 Pair the remote control infrared receiver if enabled +# Default setting for 2_9: "true" OrgScore2_9="true" -# OrgScore2_9="false" +OrgRemediate2_9="true" # 2.10 Enable Secure Keyboard Entry in terminal.app +# Default setting for 2_10: "true" OrgScore2_10="true" -# OrgScore2_10="false" +OrgRemediate2_10="true" # 2.11 Java 6 is not the default Java runtime +# Default setting for 2_11: "true" OrgScore2_11="true" -# OrgScore2_11="false" +OrgRemediate2_11="true" # 3.1.1 Retain system.log for 90 or more days +# Default setting for 3_1_1: "true" OrgScore3_1_1="true" -# OrgScore3_1_1="false" +OrgRemediate3_1_1="true" # 3.1.2 Retain appfirewall.log for 90 or more days +# Default setting for 3_1_2: "true" OrgScore3_1_2="true" -# OrgScore3_1_2="false" +OrgRemediate3_1_2="true" # 3.1.3 Retain authd.log for 90 or more days +# Default setting for 3_1_3: "true" OrgScore3_1_3="true" -# OrgScore3_1_3="false" +OrgRemediate3_1_3="true" # 3.2 Enable security auditing +# Default setting for 3_2: "true" 
OrgScore3_2="true" -# OrgScore3_2="false" +OrgRemediate3_2="true" # 3.3 Configure Security Auditing Flags +# Default setting for 3_3: "true" OrgScore3_3="true" -# OrgScore3_3="false" +OrgRemediate3_3="true" # 3.5 Retain install.log for 365 or more days +# Default setting for 3_5: "true" OrgScore3_5="true" -# OrgScore3_5="false" +OrgRemediate3_5="true" # 4.1 Disable Bonjour advertising service +# Default setting for 4_1: "true" OrgScore4_1="true" -# OrgScore4_1="false" +OrgRemediate4_1="true" # 4.2 Enable "Show Wi-Fi status in menu bar" +# Default setting for 4_2: "true" OrgScore4_2="true" -# OrgScore4_2="false" +OrgRemediate4_2="true" # 4.4 Ensure http server is not running +# Default setting for 4_4: "true" OrgScore4_4="true" -# OrgScore4_4="false" +OrgRemediate4_4="true" # 4.5 Ensure ftp server is not running +# Default setting for 4_5: "true" OrgScore4_5="true" -# OrgScore4_5="false" +OrgRemediate4_5="true" # 4.6 Ensure nfs server is not running +# Default setting for 4_6: "true" OrgScore4_6="true" -# OrgScore4_6="false" +OrgRemediate4_6="true" # 5.1.1 Secure Home Folders +# Default setting for 5_1_1: "true" OrgScore5_1_1="true" -# OrgScore5_1_1="false" +OrgRemediate5_1_1="true" # 5.1.2 Check System Wide Applications for appropriate permissions +# Default setting for 5_1_2: "true" OrgScore5_1_2="true" -# OrgScore5_1_2="false" +OrgRemediate5_1_2="true" # 5.1.3 Check System folder for world writable files +# Default setting for 5_1_3: "true" OrgScore5_1_3="true" -# OrgScore5_1_3="false" +OrgRemediate5_1_3="true" # 5.1.4 Check Library folder for world writable files +# Default setting for 5_1_4: "true" OrgScore5_1_4="true" -# OrgScore5_1_4="false" +OrgRemediate5_1_4="true" # 5.3 Reduce the sudo timeout period +# Default setting for 5_3: "true" OrgScore5_3="true" -# OrgScore5_3="false" +OrgRemediate5_3="true" # 5.4 Automatically lock the login keychain for inactivity +# Default setting for 5_4: "true" OrgScore5_4="true" -# OrgScore5_4="false" +OrgRemediate5_4="true" 
# 5.5 Ensure login keychain is locked when the computer sleeps +# Default setting for 5_5: "true" OrgScore5_5="true" -# OrgScore5_5="false" +OrgRemediate5_5="true" # 5.6 Enable OCSP and CRL certificate checking -# OrgScore5_6="true" -OrgScore5_6="false" +# Default setting for 5_6: Score "true", Remediate "false" +OrgScore5_6="true" +OrgRemediate5_6="false" # 5.7 Do not enable the "root" account +# Default setting for 5_7: "true" OrgScore5_7="true" -# OrgScore5_7="false" +OrgRemediate5_7="true" # 5.8 Disable automatic login +# Default setting for 5_8: "true" OrgScore5_8="true" -# OrgScore5_8="false" +OrgRemediate5_8="true" # 5.9 Require a password to wake the computer from sleep or screen saver +# Default setting for 5_9: "true" OrgScore5_9="true" -# OrgScore5_9="false" +OrgRemediate5_9="true" # 5.10 Require an administrator password to access system-wide preferences +# Default setting for 5_10: "true" OrgScore5_10="true" -# OrgScore5_10="false" +OrgRemediate5_10="true" # 5.11 Disable ability to login to another user's active and locked session +# Default setting for 5_11: "true" OrgScore5_11="true" -# OrgScore5_11="false" +OrgRemediate5_11="true" # 5.12 Create a custom message for the Login Screen +# Default setting for 5_12: "true" OrgScore5_12="true" -# OrgScore5_12="false" +OrgRemediate5_12="true" # 5.13 Create a Login window banner +# Default setting for 5_13: "true" OrgScore5_13="true" -# OrgScore5_13="false" +OrgRemediate5_13="true" # 5.18 System Integrity Protection status +# Default setting for 5_18: "true" OrgScore5_18="true" -# OrgScore5_18="false" +OrgRemediate5_18="true" # 5.19 Install an approved tokend for smartcard authentication +# Default setting for 5_19: "true" OrgScore5_19="true" -# OrgScore5_19="false" +OrgRemediate5_19="true" # 6.1.1 Display login window as name and password +# Default setting for 6_1_1: "true" OrgScore6_1_1="true" -# OrgScore6_1_1="false" +OrgRemediate6_1_1="true" # 6.1.2 Disable "Show password hints" +# Default setting for 
6_1_2: "true" OrgScore6_1_2="true" -# OrgScore6_1_2="false" +OrgRemediate6_1_2="true" # 6.1.3 Disable guest account +# Default setting for 6_1_3: "true" OrgScore6_1_3="true" -# OrgScore6_1_3="false" +OrgRemediate6_1_3="true" # 6.1.4 Disable "Allow guests to connect to shared folders" +# Default setting for 6_1_4: "true" OrgScore6_1_4="true" -# OrgScore6_1_4="false" +OrgRemediate6_1_4="true" # 6.1.5 Remove Guest home folder +# Default setting for 6_1_5: "true" OrgScore6_1_5="true" -# OrgScore6_1_5="false" +OrgRemediate6_1_5="true" # 6.2 Turn on filename extensions +# Default setting for 6_2: "true" OrgScore6_2="true" -# OrgScore6_2="false" +OrgRemediate6_2="true" # 6.3 Disable the automatic run of safe files in Safari +# Default setting for 6_3: "true" OrgScore6_3="true" -# OrgScore6_3="false" +OrgRemediate6_3="true" 
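Review bot: The three items whose default is Remediate "false" (1.1, 2.6.1, 5.6) carry no reason, so an admin deciding whether to flip them has nothing to weigh; a one-line why-comment next to each would fix that, e.g. for 1.1 `# Remediate "false" by default: remediation runs softwareupdate -i -r and installs every recommended update on the client` (that is what 3_Security_Remediation.sh does for 1.1). The reason for FileVault (2.6.1) and OCSP/CRL checking (5.6) is not visible in this hunk, so state whichever applies — presumably user interaction or the remediation script not handling the item, which the new header comment says is true of some items. Remediate "true" is also the default for 2.4.5 Disable Remote Login and 2.4.9 Disable Remote Management; if the fleet is administered over SSH or ARD, a first run with those defaults would cut off that access, so consider defaulting them to Score "true", Remediate "false" like the three above, or documenting the choice.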
@@ -339,145 +411,283 @@ cat << EOF > "$plistlocation" - + OrgScore1_1 <${OrgScore1_1}/> + OrgRemediate1_1 + <${OrgScore1_1}/> OrgScore1_2 <${OrgScore1_2}/> + OrgRemediate1_2 + <${OrgScore1_1}/> OrgScore1_3 <${OrgScore1_3}/> + OrgRemediate1_3 + <${OrgScore1_1}/> OrgScore1_4 <${OrgScore1_4}/> + OrgRemediate1_4 + <${OrgScore1_1}/> OrgScore1_5 <${OrgScore1_5}/> + OrgRemediate1_5 + <${OrgScore1_1}/> OrgScore2_1_1 <${OrgScore2_1_1}/> + OrgRemediate2_1_1 + <${OrgScore1_1}/> OrgScore2_1_3 <${OrgScore2_1_3}/> + OrgRemediate2_1_3 + <${OrgScore1_1}/> OrgScore2_2_2 <${OrgScore2_2_2}/> + OrgRemediate2_2_2 + <${OrgScore1_1}/> OrgScore2_2_3 <${OrgScore2_2_3}/> + OrgRemediate2_2_3 + <${OrgScore1_1}/> OrgScore2_3_1 <${OrgScore2_3_1}/> + OrgRemediate2_3_1 + <${OrgScore1_1}/> OrgScore2_3_2 <${OrgScore2_3_2}/> + OrgRemediate2_3_2 + <${OrgScore1_1}/> OrgScore2_3_4 <${OrgScore2_3_4}/> + OrgRemediate2_3_4 + <${OrgScore1_1}/> OrgScore2_4_1 <${OrgScore2_4_1}/> + OrgRemediate2_4_1 + <${OrgScore1_1}/> OrgScore2_4_2 <${OrgScore2_4_2}/> + OrgRemediate2_4_2 + <${OrgScore1_1}/> OrgScore2_4_3 <${OrgScore2_4_3}/> + OrgRemediate2_4_3 + <${OrgScore1_1}/> OrgScore2_4_4 <${OrgScore2_4_4}/> + OrgRemediate2_4_4 + <${OrgScore1_1}/> OrgScore2_4_5 <${OrgScore2_4_5}/> + OrgRemediate2_4_5 + <${OrgScore1_1}/> OrgScore2_4_6 <${OrgScore2_4_6}/> + OrgRemediate2_4_6 + <${OrgScore1_1}/> OrgScore2_4_7 <${OrgScore2_4_7}/> + OrgRemediate2_4_7 + <${OrgScore1_1}/> OrgScore2_4_8 <${OrgScore2_4_8}/> + OrgRemediate2_4_8 + <${OrgScore1_1}/> OrgScore2_4_9 <${OrgScore2_4_9}/> + OrgRemediate2_4_9 + <${OrgScore1_1}/> OrgScore2_5_1 <${OrgScore2_5_1}/> + OrgRemediate2_5_1 + <${OrgScore1_1}/> OrgScore2_5_2 <${OrgScore2_5_2}/> + OrgRemediate2_5_2 + <${OrgScore1_1}/> OrgScore2_6_1 <${OrgScore2_6_1}/> + OrgRemediate2_6_1 + <${OrgScore1_1}/> OrgScore2_6_2 <${OrgScore2_6_2}/> + OrgRemediate2_6_2 + <${OrgScore1_1}/> OrgScore2_6_3 <${OrgScore2_6_3}/> + OrgRemediate2_6_3 + <${OrgScore1_1}/> OrgScore2_6_4 <${OrgScore2_6_4}/> + 
OrgRemediate2_6_4 + <${OrgScore1_1}/> OrgScore2_6_5 <${OrgScore2_6_5}/> + OrgRemediate2_6_5 + <${OrgScore1_1}/> OrgScore2_7_4 <${OrgScore2_7_4}/> + OrgRemediate2_7_4 + <${OrgScore1_1}/> OrgScore2_7_5 <${OrgScore2_7_5}/> + OrgRemediate2_7_5 + <${OrgScore1_1}/> OrgScore2_8_1 <${OrgScore2_8_1}/> + OrgRemediate2_8_1 + <${OrgScore1_1}/> OrgScore2_9 <${OrgScore2_9}/> + OrgRemediate2_9 + <${OrgScore1_1}/> OrgScore2_10 <${OrgScore2_10}/> + OrgRemediate2_10 + <${OrgScore1_1}/> OrgScore2_11 <${OrgScore2_11}/> + OrgRemediate2_11 + <${OrgScore1_1}/> OrgScore3_1_1 <${OrgScore3_1_1}/> + OrgRemediate3_1_1 + <${OrgScore1_1}/> OrgScore3_1_2 <${OrgScore3_1_2}/> + OrgRemediate3_1_2 + <${OrgScore1_1}/> OrgScore3_1_3 <${OrgScore3_1_3}/> + OrgRemediate3_1_3 + <${OrgScore1_1}/> OrgScore3_2 <${OrgScore3_2}/> + OrgRemediate3_2 + <${OrgScore1_1}/> OrgScore3_3 <${OrgScore3_3}/> + OrgRemediate3_3 + <${OrgScore1_1}/> OrgScore3_5 <${OrgScore3_5}/> + OrgRemediate3_5 + <${OrgScore1_1}/> OrgScore4_1 <${OrgScore4_1}/> + OrgRemediate4_1 + <${OrgScore1_1}/> OrgScore4_2 <${OrgScore4_2}/> + OrgRemediate4_2 + <${OrgScore1_1}/> OrgScore4_4 <${OrgScore4_4}/> + OrgRemediate4_4 + <${OrgScore1_1}/> OrgScore4_5 <${OrgScore4_5}/> + OrgRemediate4_5 + <${OrgScore1_1}/> OrgScore4_6 <${OrgScore4_6}/> + OrgRemediate4_6 + <${OrgScore1_1}/> OrgScore5_1_1 <${OrgScore5_1_1}/> + OrgRemediate5_1_1 + <${OrgScore1_1}/> OrgScore5_1_2 <${OrgScore5_1_2}/> + OrgRemediate5_1_2 + <${OrgScore1_1}/> OrgScore5_1_3 <${OrgScore5_1_3}/> + OrgRemediate5_1_3 + <${OrgScore1_1}/> OrgScore5_1_4 <${OrgScore5_1_4}/> + OrgRemediate5_1_4 + <${OrgScore1_1}/> OrgScore5_3 <${OrgScore5_3}/> + OrgRemediate5_3 + <${OrgScore1_1}/> OrgScore5_4 <${OrgScore5_4}/> + OrgRemediate5_4 + <${OrgScore1_1}/> OrgScore5_5 <${OrgScore5_5}/> + OrgRemediate5_5 + <${OrgScore1_1}/> OrgScore5_6 <${OrgScore5_6}/> + OrgRemediate5_6 + <${OrgScore1_1}/> OrgScore5_7 <${OrgScore5_7}/> + OrgRemediate5_7 + <${OrgScore1_1}/> OrgScore5_8 <${OrgScore5_8}/> + OrgRemediate5_8 + 
<${OrgScore1_1}/> OrgScore5_9 <${OrgScore5_9}/> + OrgRemediate5_9 + <${OrgScore1_1}/> OrgScore5_10 <${OrgScore5_10}/> + OrgRemediate5_10 + <${OrgScore1_1}/> OrgScore5_11 <${OrgScore5_11}/> + OrgRemediate5_11 + <${OrgScore1_1}/> OrgScore5_12 <${OrgScore5_12}/> + OrgRemediate5_12 + <${OrgScore1_1}/> OrgScore5_13 <${OrgScore5_13}/> + OrgRemediate5_13 + <${OrgScore1_1}/> OrgScore5_18 <${OrgScore5_18}/> + OrgRemediate5_18 + <${OrgScore1_1}/> OrgScore5_19 <${OrgScore5_19}/> + OrgRemediate5_19 + <${OrgScore1_1}/> OrgScore6_1_1 <${OrgScore6_1_1}/> + OrgRemediate6_1_1 + <${OrgScore1_1}/> OrgScore6_1_2 <${OrgScore6_1_2}/> + OrgRemediate6_1_2 + <${OrgScore1_1}/> OrgScore6_1_3 <${OrgScore6_1_3}/> + OrgRemediate6_1_3 + <${OrgScore1_1}/> OrgScore6_1_4 <${OrgScore6_1_4}/> + OrgRemediate6_1_4 + <${OrgScore1_1}/> OrgScore6_1_5 <${OrgScore6_1_5}/> + OrgRemediate6_1_5 + <${OrgScore1_1}/> OrgScore6_2 <${OrgScore6_2}/> + OrgRemediate6_2 + <${OrgScore1_1}/> OrgScore6_3 <${OrgScore6_3}/> + OrgRemediate6_3 + <${OrgScore1_1}/> EOF \ No newline at end of file diff --git a/2.5_Audit_List.sh b/2.5_Audit_List.sh index 19761d0..16b8791 100755 --- a/2.5_Audit_List.sh +++ b/2.5_Audit_List.sh @@ -2,5 +2,5 @@ # Security Reporting - List Risks -auditfile=/Library/Application\ Support/SecurityScoring/org_audit -echo "$(cat "$auditfile")" \ No newline at end of file +auditfile='/Library/Application Support/SecurityScoring/org_audit' +echo "$(cat "$auditfile")" diff --git a/2.6_Audit_Count.sh b/2.6_Audit_Count.sh index b4bb472..c48e4ae 100755 --- a/2.6_Audit_Count.sh +++ b/2.6_Audit_Count.sh @@ -2,5 +2,6 @@ # Security Reporting - Count Risks -auditfile=/Library/Application\ Support/SecurityScoring/org_audit -echo "$(cat "$auditfile" | grep "*" | wc -l | tr -d '[:space:]')" \ No newline at end of file +auditfile='/Library/Application Support/SecurityScoring/org_audit' +$result=$(cat "$auditfile" | grep "*" | wc -l | tr -d '[:space:]') +echo "${result}" 
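Review bot: Every new `OrgRemediate*` key is written with the wrong variable: each value line reads `<${OrgScore1_1}/>` instead of the matching `OrgRemediate` pref, so with OrgScore1_1 now defaulting to "true" all remediation flags in the plist come out true — including 1.1, 2.6.1 and 5.6, which the admin section above sets to Remediate "false" — and the per-item remediate choice this commit introduces never reaches the plist. Each pair should read `OrgRemediate1_2` / `<${OrgRemediate1_2}/>`, and likewise for every key down to 6_3. Because the heredoc is unquoted and the pref value becomes the element name itself, any value other than `true`/`false` (e.g. "True" or "1") also yields a malformed plist; a loop before the heredoc that rejects any `OrgScore*`/`OrgRemediate*` value not equal to "true" or "false" would catch that before the scoring scripts read a broken file.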
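Review bot: `$result=$(cat "$auditfile" | grep "*" | wc -l | tr -d '[:space:]')` in 2.6_Audit_Count.sh is not an assignment: the shell expands the unset `$result` to nothing and tries to execute the count (e.g. `=3`) as a command, so the script prints "command not found" on stderr and `echo "${result}"` emits an empty line, and the risk count is never reported. Drop the leading dollar: `result=$(cat "$auditfile" | grep "*" | wc -l | tr -d '[:space:]')`. The same count can be had in one process with `result=$(grep -c -- '*' "$auditfile")`, though the `cat | grep | wc` form is not wrong once the assignment is fixed.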
diff --git a/3_Security_Remediation.sh b/3_Security_Remediation.sh
index 88b749c..deba1f5 100755
--- a/3_Security_Remediation.sh
+++ b/3_Security_Remediation.sh
@@ -32,834 +32,695 @@ # updated for 10.12 CIS benchmarks by Katie English, Jamf February 2017 # github.com/jamfprofessionalservices +# Change History: +# 2018/01/03 ol Changed current user method to allow for running when nobody is logged in. +# Moved logging to a function to shorten the script. +# Added a preference for each scored item to say if it should be remediated. +# Misc. formatting +# Added killall cfprefsd to end to reset prefs cache. + # USAGE -# Reads from plist at /Library/Application Support/SecurityScoring/org_security_score.plist by default. -# For "true" items, runs query for current computer/user compliance. -# Non-compliant items are logged to /Library/Application Support/SecurityScoring/org_audit +# Reads from plist at /Library/Application Support/SecurityScoring/org_security_score.plist. +# For remediate="true" items, runs query for current computer/user compliance and attempts +# to update settings as needed. plistlocation="/Library/Application Support/SecurityScoring/org_security_score.plist" -currentUser=$( ls -l /dev/console | cut -d " " -f4 ) + + +jamfReportedUser=$3 +loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");') +# We're trying the python way above because the below common ways don't work as well when multiple consoles are in use with fast user switching. +# loggedInUser=$(stat -f "%Su" /dev/console) +# loggedInUser=$( ls -l /dev/console | cut -d " " -f4 ) +mostFrequentUser=$( last | cut -f 1 -d ' ' | sort | grep -vE "reboot|shutdown|root|_.*|wtmp|^$|jamfadmin" | uniq -c | sort -nr | cut -f 3 -d ' ' ) + +# Some preferences are user-level, not system level. Which user should we run this for? 
+if [[ $(ps aux | grep "[S]elf Service" | wc -l) -gt 0 ]]; then + # Self Service is running + currentUser="$jamfReportedUser" +elif [[ ! -z "$loggedInUser" ]]; then + currentUser="$loggedInUser" +else + # If nobody is logged in... + currentUser="$mostFrequentUser" +fi + + +# If you wanted to run this for the currently logged-in user, you could use this. +# This would be a good way if you have this script in self-service, for example... +# This is more complicated but figures out the username based on who's been logging in the most. +# It works even if nobody is currently logged in... + + hardwareUUID=$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | awk -F ": " '{print $2}' | xargs) logFile="/Library/Application Support/SecurityScoring/remediation.log" -echo $(date -u) "Beginning remediation" > "$logFile" +############################################################## +## functions +############################################################## + +writelog () { + writelog "$1" +} + +remediateRequested () { + # The initial run of the "Set Organization Priorities" script created a plist with + # key-value pairs that indicate which items should be scored, and, of those, which + # should be remediated. 
+ + # E.g.: + # OrgScore6_1_5="true" <= The item will be scored/reported + # OrgRemediate6_1_5="true" <= The item will be remediated + + # To help prevent mistakes, we will not remediate un-scored items + + # If organizational score is 1 or true, check status of client + # If client fails, then remediate + + cisNumber="$1" + local isScored = "$(defaults read ${plistlocation} \"$cisNumber\")" + local isRemediated = "$(defaults read ${plistlocation} \"$cisNumber\")" + + if [["$isScored" = "1" && "$isRemediated" = "1" ]]; then + writelog "Checking $cisNumber" + return 0 + else + return 1 + fi +} + + +############################################################## +## code +############################################################## + +writelog "Beginning remediation" + if [[ ! -e $plistlocation ]]; then - echo "No scoring file present" - exit 0 + echo "Error: No scoring file present" + exit -1 fi + # 1.1 Verify all Apple provided software is current -# Verify organizational score -Audit1_1="$(defaults read "$plistlocation" OrgScore1_1)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit1_1" = "1" ]; then -echo $(date -u) "Checking 1.1" | tee -a "$logFile" -countAvailableSUS="$(softwareupdate -l | grep "*" | wc -l | tr -d ' ')" -if [ "$countAvailableSUS" = "0" ]; then - echo $(date -u) "1.1 passed" | tee -a "$logFile"; else - # NOTE: INSTALLS ALL RECOMMENDED SOFTWARE UPDATES FROM CLIENT'S CONFIGURED SUS SERVER - softwareupdate -i -r -fi +if [[ remediateRequested "1_1" ]]; then + countAvailableSUS="$(softwareupdate -l | grep "*" | wc -l | tr -d ' ')" + if [ "$countAvailableSUS" = "0" ]; then + writelog "1.1 passed"; + else + # NOTE: INSTALLS ALL RECOMMENDED SOFTWARE UPDATES FROM CLIENT'S CONFIGURED SUS SERVER + softwareupdate -i -r + fi fi # 1.2 Enable Auto Update -# Verify organizational score -Audit1_2="$(defaults read "$plistlocation" OrgScore1_2)" -# If organizational score is 1 or true, check status of 
client -# If client fails, then remediate -if [ "$Audit1_2" = "1" ]; then -echo $(date -u) "Checking 1.2" | tee -a "$logFile" -automaticUpdates="$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled)" -if [ "$automaticUpdates" = "1" ]; then - echo $(date -u) "1.2 passed" | tee -a "$logFile"; else - defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1 - echo $(date -u) "1.2 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "1_2" ]]; then + automaticUpdates="$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled)" + if [ "$automaticUpdates" = "1" ]; then + writelog "1.2 passed"; + else + defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1 + writelog "1.2 remediated" + fi fi # 1.3 Enable app update installs -# Verify organizational score -Audit1_3="$(defaults read "$plistlocation" OrgScore1_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit1_3" = "1" ]; then -echo $(date -u) "Checking 1.3" | tee -a "$logFile" -automaticAppUpdates="$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate)" -if [ "$automaticAppUpdates" = "1" ]; then - echo $(date -u) "1.3 passed" | tee -a "$logFile"; else - defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool true - echo $(date -u) "1.3 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "1_3" ]]; then + automaticAppUpdates="$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate)" + if [ "$automaticAppUpdates" = "1" ]; then + writelog "1.3 passed"; + else + defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool true + writelog "1.3 remediated" + fi fi # 1.4 Enable system data files and security update installs -# Verify organizational score -Audit1_4="$(defaults read "$plistlocation" OrgScore1_4)" -# If organizational score is 1 or true, check status of client 
-# If client fails, then remediate -if [ "$Audit1_4" = "1" ]; then -echo $(date -u) "Checking 1.4" | tee -a "$logFile" -criticalUpdates="$(defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall)" -if [ "$criticalUpdates" = "1" ]; then - echo $(date -u) "1.4 passed" | tee -a "$logFile"; else - defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true - defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true - echo $(date -u) "1.4 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "1_4" ]]; then + criticalUpdates="$(defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall)" + if [ "$criticalUpdates" = "1" ]; then + writelog "1.4 passed"; + else + defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true + defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true + writelog "1.4 remediated" + fi fi # 1.5 Enable OS X update installs -# Verify organizational score -Audit1_5="$(defaults read "$plistlocation" OrgScore1_5)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit1_5" = "1" ]; then -echo $(date -u) "Checking 1.5" | tee -a "$logFile" -updateRestart="$(defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired)" -if [ "$updateRestart" = "1" ]; then - echo $(date -u) "1.5 passed" | tee -a "$logFile"; else - defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool true - echo $(date -u) "1.5 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "1_5" ]]; then + updateRestart="$(defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired)" + if [ "$updateRestart" = "1" ]; then + writelog "1.5 passed"; + else + defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool true + writelog "1.5 remediated" + fi fi -# 
2.1.1 Turn off Bluetooth, if no paired devices exist -# Verify organizational score -Audit2_1_1="$(defaults read "$plistlocation" OrgScore2_1_1)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_1_1" = "1" ]; then -echo $(date -u) "Checking 2.1.1" | tee -a "$logFile" -btPowerState="$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState)" -if [ "$btPowerState" = "0" ]; then - echo $(date -u) "2.1.1 passed" | tee -a "$logFile"; else - connectable=$( system_profiler SPBluetoothDataType | grep Connectable | awk '{print $2}' | head -1 ) - echo $(date -u) "2.1.1 remediated" | tee -a "$logFile" -if [ "$connectable" = "Yes" ] - then -echo $(date -u) "2.1.1 passed" | tee -a "$logFile"; else - defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 - killall -HUP blued - echo $(date -u) "2.1.1 remediated" | tee -a "$logFile" -fi -fi +# 2.1.1 Turn off Bluetooth if no paired devices exist +### +if [[ remediateRequested "2_1_1" ]]; then + btPowerState="$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState)" + connectable=$( system_profiler SPBluetoothDataType | grep Connectable | awk '{print $2}' | head -1 ) + if [[ "$btPowerState" = "0" || "$connectable" = "Yes" ]]; then + writelog "2.1.1 passed"; + else + defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 + killall -HUP blued + writelog "2.1.1 remediated" + fi fi # 2.1.3 Show Bluetooth status in menu bar -# Verify organizational score -Audit2_1_3="$(defaults read "$plistlocation" OrgScore2_1_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_1_3" = "1" ]; then -echo $(date -u) "Checking 2.1.3" | tee -a "$logFile" -btMenuBar="$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.systemuiserver menuExtras | grep -c Bluetooth.menu)" -if [ "$btMenuBar" -gt "0" ]; then - echo 
$(date -u) "2.1.3 passed" | tee -a "$logFile"; else - open "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" - echo $(date -u) "2.1.3 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_1_3" ]]; then + btMenuBar="$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.systemuiserver menuExtras | grep -c Bluetooth.menu)" + if [ "$btMenuBar" -gt "0" ]; then + writelog "2.1.3 passed"; + else + open "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" + writelog "2.1.3 remediated" + fi fi # 2.2.2 Ensure time set is within appropriate limits # Not audited - only enforced if identified as priority -# Verify organizational score -Audit2_2_2="$(defaults read "$plistlocation" OrgScore2_2_2)" -# If organizational score is 1 or true, check status of client -if [ "$Audit2_2_2" = "1" ]; then - echo $(date -u) "Checking 2.2.2" | tee -a "$logFile" +if [[ remediateRequested "2_2_2" ]]; then timeServer=$(systemsetup -getnetworktimeserver | awk '{print $4}') ntpdate -sv "$timeServer" - echo $(date -u) "2.2.2 enforced" | tee -a "$logFile" + writelog "2.2.2 enforced" fi # 2.2.3 Restrict NTP server to loopback interface -# Verify organizational score -Audit2_2_3="$(defaults read "$plistlocation" OrgScore2_2_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_2_3" = "1" ]; then - echo $(date -u) "Checking 2.2.3" | tee -a "$logFile" +if [[ remediateRequested "2_2_3" ]]; then restrictNTP=$(cat /etc/ntp-restrict.conf | grep -c "restrict lo") if [ "$restrictNTP" = "0" ]; then cp /etc/ntp-restrict.conf /etc/ntp-restrict_old.conf echo -n "restrict lo interface ignore wildcard interface listen lo" >> /etc/ntp-restrict.conf - echo $(date -u) "2.2.3 remediated" | tee -a "$logFile"; else - echo $(date -u) "2.2.3 passed" | tee -a "$logFile" + writelog "2.2.3 remediated"; + else + writelog "2.2.3 passed" fi fi # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver -# Verify 
organizational score -Audit2_3_1="$(defaults read "$plistlocation" OrgScore2_3_1)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_3_1" = "1" ]; then - echo $(date -u) "Checking 2.3.1" | tee -a "$logFile" +if [[ remediateRequested "2_3_1" ]]; then screenSaverTime="$(defaults read /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.screensaver."$hardwareUUID" idleTime)" if [ "$screenSaverTime" -le "1200" ]; then - echo $(date -u) "2.3.1 passed" | tee -a "$logFile"; else - defaults write /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.screensaver."$hardwareUUID".plist idleTime -int 1200 - echo $(date -u) "2.3.1 remediated" | tee -a "$logFile" + writelog "2.3.1 passed"; + else + defaults write /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.screensaver."$hardwareUUID".plist idleTime -int 1200 + writelog "2.3.1 remediated" fi fi # 2.3.2 Secure screen saver corners -# Verify organizational score -Audit2_3_2="$(defaults read "$plistlocation" OrgScore2_3_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_3_2" = "1" ]; then - echo $(date -u) "Checking 2.3.2" | tee -a "$logFile" +if [[ remediateRequested "2_3_2" ]]; then bl_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-bl-corner) tl_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tl-corner) tr_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tr-corner) br_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-br-corner) if [ "$bl_corner" != "6" ] && [ "$tl_corner" != "6" ] && [ "$tr_corner" != "6" ] && [ "$br_corner" != "6" ]; then - echo $(date -u) "2.3.2 passed" | tee -a "$logFile" + writelog "2.3.2 passed" fi if [ "$bl_corner" = "6" ]; then - echo "Disabling hot corner" - defaults write 
/Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-bl-corner 1 - echo $(date -u) "2.3.2 remediated" | tee -a "$logFile" + echo "Disabling hot corner" + defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-bl-corner 1 + writelog "2.3.2 remediated" fi if [ "$tl_corner" = "6" ]; then - echo "Disabling hot corner" - defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tl-corner 1 - echo $(date -u) "2.3.2 remediated" | tee -a "$logFile" + echo "Disabling hot corner" + defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tl-corner 1 + writelog "2.3.2 remediated" fi if [ "$tr_corner" = "6" ]; then - echo "Disabling hot corner" - defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tr-corner 1 - echo $(date -u) "2.3.2 remediated" | tee -a "$logFile" + echo "Disabling hot corner" + defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tr-corner 1 + writelog "2.3.2 remediated" fi if [ "$br_corner" = "6" ]; then - echo "Disabling hot corner" - defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-br-corner 1 - echo $(date -u) "2.3.2 remediated" | tee -a "$logFile" + echo "Disabling hot corner" + defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-br-corner 1 + writelog "2.3.2 remediated" fi fi # 2.3.4 Set a screen corner to Start Screen Saver -# Verify organizational score -Audit2_3_4="$(defaults read "$plistlocation" OrgScore2_3_4)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_3_4" = "1" ]; then -echo $(date -u) "Checking 2.3.4" | tee -a "$logFile" -bl_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-bl-corner) -tl_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tl-corner) -tr_corner=$(defaults read 
/Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tr-corner) -br_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-br-corner) -if [ "$bl_corner" = "5" ] || [ "$tl_corner" = "5" ] || [ "$tr_corner" = "5" ] || [ "$br_corner" = "5" ]; then - echo $(date -u) "2.3.4 passed" | tee -a "$logFile"; else - defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-bl-corner 5 - echo $(date -u) "2.3.4 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_3_4" ]]; then + bl_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-bl-corner) + tl_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tl-corner) + tr_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-tr-corner) + br_corner=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-br-corner) + if [ "$bl_corner" = "5" ] || [ "$tl_corner" = "5" ] || [ "$tr_corner" = "5" ] || [ "$br_corner" = "5" ]; then + writelog "2.3.4 passed"; + else + defaults write /Users/"$currentUser"/Library/Preferences/com.apple.dock wvous-bl-corner 5 + writelog "2.3.4 remediated" + fi fi # 2.4.1 Disable Remote Apple Events -# Verify organizational score -Audit2_4_1="$(defaults read "$plistlocation" OrgScore2_4_1)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_4_1" = "1" ]; then -echo $(date -u) "Checking 2.4.1" | tee -a "$logFile" -remoteAppleEvents=$(systemsetup -getremoteappleevents | awk '{print $4}') -if [ "$remoteAppleEvents" = "Off" ]; then - echo $(date -u) "2.4.1 passed" | tee -a "$logFile"; else - systemsetup -setremoteappleevents off - echo $(date -u) "2.4.1 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_4_1" ]]; then + remoteAppleEvents=$(systemsetup -getremoteappleevents | awk '{print $4}') + if [ "$remoteAppleEvents" = "Off" ]; then + writelog "2.4.1 
passed"; + else + systemsetup -setremoteappleevents off + writelog "2.4.1 remediated" + fi fi # 2.4.2 Disable Internet Sharing -# Verify organizational score -Audit2_4_2="$(defaults read "$plistlocation" OrgScore2_4_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_4_2" = "1" ]; then -echo $(date -u) "Checking 2.4.2" | tee -a "$logFile" -if [ -e /Library/Preferences/SystemConfiguration/com.apple.nat.plist ]; then - /usr/libexec/PlistBuddy -c "Delete :NAT:AirPort:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist - /usr/libexec/PlistBuddy -c "Add :NAT:AirPort:Enabled bool false" /Library/Preferences/SystemConfiguration/com.apple.nat.plist - /usr/libexec/PlistBuddy -c "Delete :NAT:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist - /usr/libexec/PlistBuddy -c "Add :NAT:Enabled bool false" /Library/Preferences/SystemConfiguration/com.apple.nat.plist - /usr/libexec/PlistBuddy -c "Delete :NAT:PrimaryInterface:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist - /usr/libexec/PlistBuddy -c "Add :NAT:PrimaryInterface:Enabled bool false" /Library/Preferences/SystemConfiguration/com.apple.nat.plist - echo $(date -u) "2.4.2 enforced" | tee -a "$logFile"; else - echo $(date -u) "2.4.2 passed" | tee -a "$logFile" +if [[ remediateRequested "2_4_2" ]]; then + if [ -e /Library/Preferences/SystemConfiguration/com.apple.nat.plist ]; then + /usr/libexec/PlistBuddy -c "Delete :NAT:AirPort:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist + /usr/libexec/PlistBuddy -c "Add :NAT:AirPort:Enabled bool false" /Library/Preferences/SystemConfiguration/com.apple.nat.plist + /usr/libexec/PlistBuddy -c "Delete :NAT:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist + /usr/libexec/PlistBuddy -c "Add :NAT:Enabled bool false" /Library/Preferences/SystemConfiguration/com.apple.nat.plist + /usr/libexec/PlistBuddy -c "Delete 
:NAT:PrimaryInterface:Enabled" /Library/Preferences/SystemConfiguration/com.apple.nat.plist + /usr/libexec/PlistBuddy -c "Add :NAT:PrimaryInterface:Enabled bool false" /Library/Preferences/SystemConfiguration/com.apple.nat.plist + writelog "2.4.2 enforced"; + else + writelog "2.4.2 passed" fi fi # 2.4.3 Disable Screen Sharing -# Verify organizational score -Audit2_4_3="$(defaults read "$plistlocation" OrgScore2_4_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_4_3" = "1" ]; then -echo $(date -u) "Checking 2.4.3" | tee -a "$logFile" -screenSharing=$(defaults read /System/Library/LaunchDaemons/com.apple.screensharing Disabled) -if [ "$screenSharing" = "1" ]; then - echo $(date -u) "2.4.3 passed" | tee -a "$logFile"; else - defaults write /System/Library/LaunchDaemons/com.apple.screensharing Disabled -bool true - echo $(date -u) "2.4.3 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_4_3" ]]; then + screenSharing=$(defaults read /System/Library/LaunchDaemons/com.apple.screensharing Disabled) + if [ "$screenSharing" = "1" ]; then + writelog "2.4.3 passed"; + else + defaults write /System/Library/LaunchDaemons/com.apple.screensharing Disabled -bool true + writelog "2.4.3 remediated" + fi fi # 2.4.5 Disable Remote Login -# Verify organizational score -Audit2_4_5="$(defaults read "$plistlocation" OrgScore2_4_5)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_4_5" = "1" ]; then -echo $(date -u) "Checking 2.4.5" | tee -a "$logFile" -remoteLogin=$(systemsetup -getremotelogin | awk '{print $3}') -if [ "$remoteLogin" = "Off" ]; then - echo $(date -u) "2.4.5 passed" | tee -a "$logFile"; else - systemsetup -f -setremotelogin off - echo $(date -u) "2.4.5 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_4_5" ]]; then + remoteLogin=$(systemsetup -getremotelogin | awk '{print $3}') + if [ "$remoteLogin" = "Off" ]; 
then + writelog "2.4.5 passed"; + else + systemsetup -f -setremotelogin off + writelog "2.4.5 remediated" + fi fi # 2.4.6 Disable DVD or CD Sharing -# Verify organizational score -Audit2_4_6="$(defaults read "$plistlocation" OrgScore2_4_6)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_4_6" = "1" ]; then - echo $(date -u) "Checking 2.4.6" | tee -a "$logFile" +if [[ remediateRequested "2_4_6" ]]; then discSharing=$(launchctl list | egrep ODSAgent) if [ "$discSharing" = "" ]; then - echo $(date -u) "2.4.6 passed" | tee -a "$logFile"; else + writelog "2.4.6 passed"; + else launchctl unload -w /System/Library/LaunchDaemons/com.apple.ODSAgent.plist - echo $(date -u) "2.4.6 remediated" | tee -a "$logFile" + writelog "2.4.6 remediated" fi fi # 2.4.7 Disable Bluetooth Sharing -# Verify organizational score -Audit2_4_7="$(defaults read "$plistlocation" OrgScore2_4_7)" # If organizational score is 1 or true, check status of client and user -# If client fails, then remediate -if [ "$Audit2_4_7" = "1" ]; then -echo $(date -u) "Checking 2.4.7" | tee -a "$logFile" -btSharing=$(/usr/libexec/PlistBuddy -c "print :PrefKeyServicesEnabled" /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.Bluetooth."$hardwareUUID".plist) -if [ "$btSharing" = "false" ]; then - echo $(date -u) "2.4.7 passed" | tee -a "$logFile"; else - /usr/libexec/PlistBuddy -c "Delete :PrefKeyServicesEnabled" /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.Bluetooth."$hardwareUUID".plist - /usr/libexec/PlistBuddy -c "Add :PrefKeyServicesEnabled bool false" /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.Bluetooth."$hardwareUUID".plist - echo $(date -u) "2.4.7 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_4_7" ]]; then + btSharing=$(/usr/libexec/PlistBuddy -c "print :PrefKeyServicesEnabled" /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.Bluetooth."$hardwareUUID".plist) + if [ "$btSharing" = 
"false" ]; then + writelog "2.4.7 passed"; + else + /usr/libexec/PlistBuddy -c "Delete :PrefKeyServicesEnabled" /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.Bluetooth."$hardwareUUID".plist + /usr/libexec/PlistBuddy -c "Add :PrefKeyServicesEnabled bool false" /Users/"$currentUser"/Library/Preferences/ByHost/com.apple.Bluetooth."$hardwareUUID".plist + writelog "2.4.7 remediated" + fi fi # 2.4.8 Disable File Sharing -# Verify organizational score -Audit2_4_8="$(defaults read "$plistlocation" OrgScore2_4_8)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_4_8" = "1" ]; then -echo $(date -u) "Checking 2.4.8" | tee -a "$logFile" -afpEnabled=$(launchctl list | egrep AppleFileServer) -smbEnabled=$(launchctl list | egrep smbd) -if [ "$afpEnabled" = "" ] && [ "$smbEnabled" = "" ]; then - echo $(date -u) "2.4.8 passed" | tee -a "$logFile"; else - launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist - echo $(date -u) "2.4.8 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_4_8" ]]; then + afpEnabled=$(launchctl list | egrep AppleFileServer) + smbEnabled=$(launchctl list | egrep smbd) + if [ "$afpEnabled" = "" ] && [ "$smbEnabled" = "" ]; then + writelog "2.4.8 passed"; + else + launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist + launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist + writelog "2.4.8 remediated" + fi fi # 2.4.9 Disable Remote Management -# Verify organizational score -Audit2_4_9="$(defaults read "$plistlocation" OrgScore2_4_9)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_4_9" = "1" ]; then -echo $(date -u) "Checking 2.4.9" | tee -a "$logFile" -remoteManagement=$(ps -ef | egrep ARDAgent | grep -c 
"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent") -if [ "$remoteManagement" = "1" ]; then - echo $(date -u) "2.4.9 passed" | tee -a "$logFile"; else - /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off - echo $(date -u) "2.4.9 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_4_9" ]]; then + remoteManagement=$(ps -ef | egrep ARDAgent | grep -c "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent") + if [ "$remoteManagement" = "1" ]; then + writelog "2.4.9 passed"; + else + /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off + writelog "2.4.9 remediated" + fi fi # 2.5.1 Disable "Wake for network access" -# Verify organizational score -Audit2_5_1="$(defaults read "$plistlocation" OrgScore2_5_1)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_5_1" = "1" ]; then -echo $(date -u) "Checking 2.5.1" | tee -a "$logFile" -wompEnabled=$(pmset -g | grep womp | awk '{print $2}') -if [ "$wompEnabled" = "0" ]; then - echo $(date -u) "2.5.1 passed" | tee -a "$logFile"; else - pmset -a womp 0 - echo $(date -u) "2.5.1 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_5_1" ]]; then + wompEnabled=$(pmset -g | grep womp | awk '{print $2}') + if [ "$wompEnabled" = "0" ]; then + writelog "2.5.1 passed"; + else + pmset -a womp 0 + writelog "2.5.1 remediated" + fi fi # 2.5.2 Disable sleeping the computer when connected to power -# Verify organizational score -Audit2_5_2="$(defaults read "$plistlocation" OrgScore2_5_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_5_2" = "1" ]; then -echo $(date -u) "Checking 2.5.2" | tee -a "$logFile" -disksleepEnabled=$(pmset -g | grep disksleep | awk '{print $2}') -if [ 
"$disksleepEnabled" = "0" ]; then - echo $(date -u) "2.5.2 passed" | tee -a "$logFile"; else - pmset -c disksleep 0 - pmset -c sleep 0 - echo $(date -u) "2.5.2 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_5_2" ]]; then + disksleepEnabled=$(pmset -g | grep disksleep | awk '{print $2}') + if [ "$disksleepEnabled" = "0" ]; then + writelog "2.5.2 passed"; + else + pmset -c disksleep 0 + pmset -c sleep 0 + writelog "2.5.2 remediated" + fi fi # 2.6.2 Enable Gatekeeper -# Verify organizational score -Audit2_6_2="$(defaults read "$plistlocation" OrgScore2_6_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_6_2" = "1" ]; then - echo $(date -u) "Checking 2.6.2" | tee -a "$logFile" - gatekeeperEnabled=$(spctl --status | grep -c "assessments enabled") +if [[ remediateRequested "2_6_2" ]]; then + gatekeeperEnabled=$(spctl --status | grep -c "assessments enabled") if [ "$gatekeeperEnabled" = "1" ]; then - echo $(date -u) "2.6.2 passed" | tee -a "$logFile"; else + writelog "2.6.2 passed"; + else spctl --master-enable - echo $(date -u) "2.6.2 remediated" | tee -a "$logFile" + writelog "2.6.2 remediated" fi fi # 2.6.3 Enable Firewall -# Verify organizational score -Audit2_6_3="$(defaults read "$plistlocation" OrgScore2_6_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_6_3" = "1" ]; then -echo $(date -u) "Checking 2.6.3" | tee -a "$logFile" -firewallEnabled=$(defaults read /Library/Preferences/com.apple.alf globalstate) -if [ "$firewallEnabled" = "0" ]; then - defaults write /Library/Preferences/com.apple.alf globalstate -int 2 - echo $(date -u) "2.6.3 remediated" | tee -a "$logFile"; else - echo $(date -u) "2.6.3 passed" | tee -a "$logFile" -fi +if [[ remediateRequested "2_6_3" ]]; then + firewallEnabled=$(defaults read /Library/Preferences/com.apple.alf globalstate) + if [ "$firewallEnabled" = "0" ]; then + defaults write 
/Library/Preferences/com.apple.alf globalstate -int 2 + writelog "2.6.3 remediated"; + else + writelog "2.6.3 passed" + fi fi # 2.6.4 Enable Firewall Stealth Mode -# Verify organizational score -Audit2_6_4="$(defaults read "$plistlocation" OrgScore2_6_4)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_6_4" = "1" ]; then -echo $(date -u) "Checking 2.6.4" | tee -a "$logFile" -stealthEnabled=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{print $3}') -if [ "$stealthEnabled" = "enabled" ]; then - echo $(date -u) "2.6.4 passed" | tee -a "$logFile"; else - /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on - echo $(date -u) "2.6.4 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_6_4" ]]; then + stealthEnabled=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{print $3}') + if [ "$stealthEnabled" = "enabled" ]; then + writelog "2.6.4 passed"; + else + /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on + writelog "2.6.4 remediated" + fi fi # 2.6.5 Review Application Firewall Rules -# Verify organizational score -Audit2_6_5="$(defaults read "$plistlocation" OrgScore2_6_5)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_6_5" = "1" ]; then -echo $(date -u) "Checking 2.6.5" | tee -a "$logFile" -appsInbound=$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep ALF | awk '{print $7}') -if [ "$appsInbound" -le "10" ] || [ -z "$appsInbound" ]; then - echo $(date -u) "2.6.5 passed" | tee -a "$logFile"; else - echo $(date -u) "2.6.5 not remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_6_5" ]]; then + appsInbound=$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep ALF | awk '{print $7}') + if [ "$appsInbound" -le "10" ] || [ -z "$appsInbound" ]; then + writelog "2.6.5 passed"; + else + writelog "2.6.5 not 
remediated" + fi fi # 2.8.1 Time Machine Auto-Backup -# Verify organizational score -Audit2_8_1="$(defaults read "$plistlocation" OrgScore2_8_1)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_8_1" = "1" ]; then -echo $(date -u) "Checking 2.8.1" | tee -a "$logFile" +if [[ remediateRequested "2_8_1" ]]; then timeMachineAuto=$( defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup ) if [ "$timeMachineAuto" != "1" ]; then defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup 1 - echo $(date -u) "2.8.1 remediated" | tee -a "$logFile"; else - echo $(date -u) "2.8.1 passed" | tee -a "$logFile" + writelog "2.8.1 remediated"; + else + writelog "2.8.1 passed" fi fi # 2.9 Pair the remote control infrared receiver if enabled -# Verify organizational score -Audit2_9="$(defaults read "$plistlocation" OrgScore2_9)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit2_9" = "1" ]; then -echo $(date -u) "Checking 2.9" | tee -a "$logFile" -IRPortDetect=$(system_profiler SPUSBDataType | egrep "IR Receiver" -c) -if [ "$IRPortDetect" = "0" ]; then - echo $(date -u) "2.9 passed" | tee -a "$logFile"; else - defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false - echo $(date -u) "2.9 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_9" ]]; then + IRPortDetect=$(system_profiler SPUSBDataType | egrep "IR Receiver" -c) + if [ "$IRPortDetect" = "0" ]; then + writelog "2.9 passed"; + else + defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false + writelog "2.9 remediated" + fi fi # 2.10 Enable Secure Keyboard Entry in terminal.app -# Verify organizational score -Audit2_10="$(defaults read "$plistlocation" OrgScore2_10)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ 
"$Audit2_10" = "1" ]; then -echo $(date -u) "Checking 2.10" | tee -a "$logFile" -secureKeyboard=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry) -if [ "$secureKeyboard" = "1" ]; then - echo $(date -u) "2.10 passed" | tee -a "$logFile"; else - defaults write /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry -bool true - echo $(date -u) "2.10 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "2_10" ]]; then + secureKeyboard=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry) + if [ "$secureKeyboard" = "1" ]; then + writelog "2.10 passed"; + else + defaults write /Users/"$currentUser"/Library/Preferences/com.apple.Terminal SecureKeyboardEntry -bool true + writelog "2.10 remediated" + fi fi # 3.1.1 Retain system.log for 90 or more days -# Verify organizational score -Audit3_1_1="$(defaults read "$plistlocation" OrgScore3_1_1)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit3_1_1" = "1" ]; then - echo $(date -u) "Checking 3.1.1" | tee -a "$logFile" +if [[ remediateRequested "3_1_1" ]]; then sysRetention=$(grep "system.log" /etc/asl.conf | grep "ttl" | awk -F'ttl=' '{print $2}') if [ "$sysRetention" -gt "89" ]; then - echo $(date -u) "3.1.1 passed" | tee -a "$logFile"; else - if [ "$sysRetention" = "" ]; then + writelog "3.1.1 passed"; + elif [ "$sysRetention" = "" ]; then mv /etc/asl.conf /etc/asl_sys_old.conf awk '/system\.log /{$0=$0 " ttl=90"}1' /etc/asl_sys_old.conf > /etc/asl.conf chmod 644 /etc/asl.conf chown root:wheel /etc/asl.conf - echo $(date -u) "3.1.1 remediated" | tee -a "$logFile"; else - if [ "$sysRetention" -lt "90" ]; then + writelog "3.1.1 remediated"; + elif [ "$sysRetention" -lt "90" ]; then mv /etc/asl.conf /etc/asl_sys_old.conf sed "s/"ttl=$sysRetention"/"ttl=90"/g" /etc/asl_sys_old.conf > /etc/asl.conf chmod 644 /etc/asl.conf chown root:wheel 
/etc/asl.conf - echo $(date -u) "3.1.1 remediated" | tee -a "$logFile" - fi - fi + writelog "3.1.1 remediated" fi fi -# 3.1.2 Retain appfirewall.log for 90 or more days -# Verify organizational score -Audit3_1_2="$(defaults read "$plistlocation" OrgScore3_1_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit3_1_2" = "1" ]; then - echo $(date -u) "Checking 3.1.2" | tee -a "$logFile" +# 3.1.2 Retain appfirewall.log for at least 90 days +if [[ remediateRequested "3_1_2" ]]; then alfRetention=$(grep "appfirewall.log" /etc/asl.conf | grep "ttl" | awk -F'ttl=' '{print $2}') if [ "$alfRetention" -gt "89" ]; then - echo $(date -u) "3.1.2 passed" | tee -a "$logFile"; else + writelog "3.1.2 passed"; + else + mv /etc/asl.conf /etc/asl_alf_old.conf if [ "$alfRetention" = "" ]; then - mv /etc/asl.conf /etc/asl_alf_old.conf awk '/appfirewall\.log /{$0=$0 " ttl=90"}1' /etc/asl_alf_old.conf > /etc/asl.conf - chmod 644 /etc/asl.conf - chown root:wheel /etc/asl.conf - echo $(date -u) "3.1.2 remediated" | tee -a "$logFile"; else - if [ "$alfRetention" -lt "90" ]; then - mv /etc/asl.conf /etc/asl_alf_old.conf - sed "s/"ttl=$alfRetention"/"ttl=90"/g" /etc/asl_alf_old.conf > /etc/asl.conf - chmod 644 /etc/asl.conf - chown root:wheel /etc/asl.conf - echo $(date -u) "3.1.2 remediated" | tee -a "$logFile" - fi + elif [ "$alfRetention" -lt "90" ]; then + sed "s/"ttl=$alfRetention"/"ttl=90"/g" /etc/asl_alf_old.conf > /etc/asl.conf fi + chmod 644 /etc/asl.conf + chown root:wheel /etc/asl.conf + writelog "3.1.2 remediated" fi fi # 3.1.3 Retain authd.log for 90 or more days -# Verify organizational score -Audit3_1_3="$(defaults read "$plistlocation" OrgScore3_1_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit3_1_3" = "1" ]; then - echo $(date -u) "Checking 3.1.3" | tee -a "$logFile" +if [[ remediateRequested "3_1_3" ]]; then authdRetention=$(grep -i ttl 
/etc/asl/com.apple.authd | awk -F'ttl=' '{print $2}') - if [ "$authdRetention" -gt "89" ]; then - echo $(date -u) "3.1.3 passed" | tee -a "$logFile"; else - if [ "$authdRetention" = "" ]; then - mv /etc/asl/com.apple.authd /etc/asl/com.apple.authd.old - sed "s/"all_max=20M"/"all_max=20M\ ttl=90"/g" /etc/asl/com.apple.authd.old > /etc/asl/com.apple.authd - chmod 644 /etc/asl/com.apple.authd - chown root:wheel /etc/asl/com.apple.authd - echo $(date -u) "3.1.3 remediated" | tee -a "$logFile"; else - if [ "$authdRetention" -lt "90" ]; then - mv /etc/asl/com.apple.authd /etc/asl/com.apple.authd.old - sed "s/"ttl=$authdRetention"/"ttl=90"/g" /etc/asl/com.apple.authd.old > /etc/asl/com.apple.authd - chmod 644 /etc/asl/com.apple.authd - chown root:wheel /etc/asl/com.apple.authd - echo $(date -u) "3.1.3 remediated" | tee -a "$logFile" - fi - fi - fi + if [ "$authdRetention" -gt "89" ]; then + writelog "3.1.3 passed"; + elif [ "$authdRetention" = "" ]; then + mv /etc/asl/com.apple.authd /etc/asl/com.apple.authd.old + sed "s/"all_max=20M"/"all_max=20M\ ttl=90"/g" /etc/asl/com.apple.authd.old > /etc/asl/com.apple.authd + chmod 644 /etc/asl/com.apple.authd + chown root:wheel /etc/asl/com.apple.authd + writelog "3.1.3 remediated"; + elif [ "$authdRetention" -lt "90" ]; then + mv /etc/asl/com.apple.authd /etc/asl/com.apple.authd.old + sed "s/"ttl=$authdRetention"/"ttl=90"/g" /etc/asl/com.apple.authd.old > /etc/asl/com.apple.authd + chmod 644 /etc/asl/com.apple.authd + chown root:wheel /etc/asl/com.apple.authd + writelog "3.1.3 remediated" + fi fi # 3.2 Enable security auditing -# Verify organizational score -Audit3_2="$(defaults read "$plistlocation" OrgScore3_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit3_2" = "1" ]; then - echo $(date -u) "Checking 3.2" | tee -a "$logFile" +if [[ remediateRequested "3_2" ]]; then auditdEnabled=$(launchctl list | grep -c auditd) if [ "$auditdEnabled" -gt "0" ]; then - echo 
$(date -u) "3.1.3 passed" | tee -a "$logFile"; else + writelog "3.1.3 passed"; + else launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist - echo $(date -u) "3.2 remediated" | tee -a "$logFile" + writelog "3.2 remediated" fi fi # 3.3 Configure Security Auditing Flags -# Verify organizational score -Audit3_3="$(defaults read "$plistlocation" OrgScore3_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit3_3" = "1" ]; then - echo $(date -u) "Checking 3.3" | tee -a "$logFile" +if [[ remediateRequested "3_3" ]]; then auditFlags=$(egrep "^flags:" /etc/security/audit_control) if [[ ${auditFlags} != *"ad"* ]];then - cp /etc/security/audit_control /etc/security/audit_control_old - sed "s/"flags:lo,aa"/"flags:lo,ad,fd,fm,-all"/g" /etc/security/audit_control_old > /etc/security/audit_control - chmod 644 /etc/security/audit_control - chown root:wheel /etc/security/audit_control - echo $(date -u) "3.3 remediated" | tee -a "$logFile"; else - echo $(date -u) "3.3 passed" | tee -a "$logFile" + cp /etc/security/audit_control /etc/security/audit_control_old + sed "s/"flags:lo,aa"/"flags:lo,ad,fd,fm,-all"/g" /etc/security/audit_control_old > /etc/security/audit_control + chmod 644 /etc/security/audit_control + chown root:wheel /etc/security/audit_control + writelog "3.3 remediated"; + else + writelog "3.3 passed" fi fi -# 3.5 Retain install.log for 365 or more days -# Verify organizational score -Audit3_5="$(defaults read "$plistlocation" OrgScore3_5)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit3_5" = "1" ]; then -echo $(date -u) "Checking 3.5" | tee -a "$logFile" -installRetention=$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}') +# 3.5 Retain install.log for at least 365 days +if [[ remediateRequested "3_5" ]]; then + installRetention=$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}') if [ 
"$installRetention" -gt "364" ]; then - echo $(date -u) "3.5 passed" | tee -a "$logFile" + writelog "3.5 passed" fi -if [ "$installRetention" = "" ] || [ "$installRetention" -lt "365" ]; then - if [ "$installRetention" = "" ]; then - mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old - sed "s/"format=bsd"/"format=bsd\ ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install - chmod 644 /etc/asl/com.apple.install - chown root:wheel /etc/asl/com.apple.install - echo $(date -u) "3.5 remediated" | tee -a "$logFile" - fi - -installRetention=$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}') - if [ "$installRetention" -lt "365" ]; then - mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old - sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install - chmod 644 /etc/asl/com.apple.install - chown root:wheel /etc/asl/com.apple.install - echo $(date -u) "3.5 remediated" | tee -a "$logFile" - fi -fi + if [ "$installRetention" = "" ] || [ "$installRetention" -lt "365" ]; then + if [ "$installRetention" = "" ]; then + mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old + sed "s/"format=bsd"/"format=bsd\ ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install + chmod 644 /etc/asl/com.apple.install + chown root:wheel /etc/asl/com.apple.install + writelog "3.5 remediated" + fi + # if it still doesn't pass, try this... 
+ installRetention=$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}') + if [ "$installRetention" -lt "365" ]; then + mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old + sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install + chmod 644 /etc/asl/com.apple.install + chown root:wheel /etc/asl/com.apple.install + writelog "3.5 remediated" + fi + fi fi # 4.1 Disable Bonjour advertising service -# Verify organizational score -Audit4_1="$(defaults read "$plistlocation" OrgScore4_1)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit4_1" = "1" ]; then -echo $(date -u) "Checking 4.1" | tee -a "$logFile" -bonjourAdvertise=$(defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements) +if [[ remediateRequested "4_1" ]]; then + bonjourAdvertise=$(defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements) if [ "$bonjourAdvertise" != "1" ]; then defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -int 1 - echo $(date -u) "4.1 remediated" | tee -a "$logFile"; else - echo $(date -u) "4.1 passed" | tee -a "$logFile" + writelog "4.1 remediated"; + else + writelog "4.1 passed" fi fi # 4.2 Enable "Show Wi-Fi status in menu bar" -# Verify organizational score -Audit4_2="$(defaults read "$plistlocation" OrgScore4_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit4_2" = "1" ]; then -echo $(date -u) "Checking 4.2" | tee -a "$logFile" -wifiMenuBar="$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.systemuiserver menuExtras | grep -c AirPort.menu)" -if [ "$wifiMenuBar" = "0" ]; then - open "/System/Library/CoreServices/Menu Extras/AirPort.menu" - echo $(date -u) "4.2 remediated" | tee -a "$logFile"; else - echo $(date -u) "4.2 passed" | tee -a "$logFile" -fi +if [[ 
remediateRequested "4_2" ]]; then + wifiMenuBar="$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.systemuiserver menuExtras | grep -c AirPort.menu)" + if [ "$wifiMenuBar" = "0" ]; then + open "/System/Library/CoreServices/Menu Extras/AirPort.menu" + writelog "4.2 remediated"; + else + writelog "4.2 passed" + fi fi # 4.4 Ensure http server is not running -# Verify organizational score -Audit4_4="$(defaults read "$plistlocation" OrgScore4_4)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit4_4" = "1" ]; then - echo $(date -u) "Checking 4.4" | tee -a "$logFile" - if /bin/launchctl list | egrep httpd > /dev/null; then +if [[ remediateRequested "4_4" ]]; then + if /bin/launchctl list | egrep httpd > /dev/null; then apachectl stop defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true - echo $(date -u) "4.4 remediated" | tee -a "$logFile"; else - echo $(date -u) "4.4 passed" | tee -a "$logFile" + writelog "4.4 remediated"; + else + writelog "4.4 passed" fi fi # 4.5 Ensure ftp server is not running -# Verify organizational score -Audit4_5="$(defaults read "$plistlocation" OrgScore4_5)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit4_5" = "1" ]; then -echo $(date -u) "Checking 4.5" | tee -a "$logFile" -ftpEnabled=$(launchctl list | egrep ftp | grep -c "com.apple.ftpd") -if [ "$ftpEnabled" -lt "1" ]; then - echo $(date -u) "4.5 passed" | tee -a "$logFile"; else - launchctl unload -w /System/Library/LaunchDaemons/ftp.plist - echo $(date -u) "4.5 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "4_5" ]]; then + ftpEnabled=$(launchctl list | egrep ftp | grep -c "com.apple.ftpd") + if [ "$ftpEnabled" -lt "1" ]; then + writelog "4.5 passed"; + else + launchctl unload -w /System/Library/LaunchDaemons/ftp.plist + writelog "4.5 remediated" + fi fi # 4.6 Ensure nfs server is not running -# Verify 
organizational score -Audit4_6="$(defaults read "$plistlocation" OrgScore4_6)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit4_6" = "1" ]; then -echo $(date -u) "Checking 4.6" | tee -a "$logFile" -if [ -e /etc/exports ]; then - nfsd disable - rm /etc/export - echo $(date -u) "4.6 remediated" | tee -a "$logFile"; else - echo $(date -u) "4.6 passed" | tee -a "$logFile" -fi +if [[ remediateRequested "4_6" ]]; then + if [ -e /etc/exports ]; then + nfsd disable + rm /etc/export + writelog "4.6 remediated"; + else + writelog "4.6 passed" + fi fi # 5.1.1 Secure Home Folders -# Verify organizational score -Audit5_1_1="$(defaults read "$plistlocation" OrgScore5_1_1)" -# If organizational score is 1 or true, check status of client -if [ "$Audit5_1_1" = "1" ]; then -echo $(date -u) "Checking 5.1.1" | tee -a "$logFile" -# If client fails, then remediate - for userDirs in $( find /Users -mindepth 1 -maxdepth 1 -type d -perm -1 | grep -v "Shared" | grep -v "Guest" ); do +if [[ remediateRequested "5_1_1" ]]; then + for userDirs in $( find /Users -mindepth 1 -maxdepth 1 -type d -perm -1 | grep -v "Shared" | grep -v "Guest" ); do chmod -R og-rwx "$userDirs" done - echo $(date -u) "5.1.1 enforced" | tee -a "$logFile" + writelog "5.1.1 enforced" fi # 5.1.2 Check System Wide Applications for appropriate permissions -# Verify organizational score -Audit5_1_2="$(defaults read "$plistlocation" OrgScore5_1_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_1_2" = "1" ]; then -echo $(date -u) "Checking 5.1.2" | tee -a "$logFile" -for apps in $( find /Applications -iname "*\.app" -type d -perm -2 -ls ); do - chmod -R o-w "$apps" - done - echo $(date -u) "5.1.2 enforced" | tee -a "$logFile" +if [[ remediateRequested "5_1_2" ]]; then + for apps in $( find /Applications -iname "*\.app" -type d -perm -2 -ls ); do + chmod -R o-w "$apps" + done + writelog "5.1.2 
enforced" fi # 5.1.3 Check System folder for world writable files -# Verify organizational score -Audit5_1_3="$(defaults read "$plistlocation" OrgScore5_1_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_1_3" = "1" ]; then -echo $(date -u) "Checking 5.1.3" | tee -a "$logFile" -for sysPermissions in $( find /System -type d -perm -2 -ls | grep -v "Public/Drop Box" ); do - chmod -R o-w "$sysPermissions" - done - echo $(date -u) "5.1.3 enforced" | tee -a "$logFile" +if [[ remediateRequested "5_1_3" ]]; then + for sysPermissions in $( find /System -type d -perm -2 -ls | grep -v "Public/Drop Box" ); do + chmod -R o-w "$sysPermissions" + done + writelog "5.1.3 enforced" fi # 5.1.4 Check Library folder for world writable files -# Verify organizational score -Audit5_1_4="$(defaults read "$plistlocation" OrgScore5_1_4)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_1_4" = "1" ]; then -echo $(date -u) "Checking 5.1.4" | tee -a "$logFile" -# Exempts Adobe files by default! -# for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches ); do -for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do - chmod -R o-w "$libPermissions" - done - echo $(date -u) "5.1.4 enforced" | tee -a "$logFile" +if [[ remediateRequested "5_1_4" ]]; then + # Exempts Adobe files by default! 
+ # for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches ); do + for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches | grep -v Adobe); do + chmod -R o-w "$libPermissions" + done + writelog "5.1.4 enforced" fi # 5.3 Reduce the sudo timeout period -# Verify organizational score -Audit5_3="$(defaults read "$plistlocation" OrgScore5_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_3" = "1" ]; then -echo $(date -u) "Checking 5.3" | tee -a "$logFile" -sudoTimeout=$(cat /etc/sudoers | grep timestamp) -if [ "$sudoTimeout" = "" ]; then - echo "Defaults timestamp_timeout=0" >> /etc/sudoers - echo $(date -u) "5.3 remediated" | tee -a "$logFile"; else - echo $(date -u) "5.3 passed" | tee -a "$logFile" -fi +if [[ remediateRequested "5_3" ]]; then + sudoTimeout=$(cat /etc/sudoers | grep timestamp) + if [ "$sudoTimeout" = "" ]; then + echo "Defaults timestamp_timeout=0" >> /etc/sudoers + writelog "5.3 remediated"; + else + writelog "5.3 passed" + fi fi # 5.4 Automatically lock the login keychain for inactivity -# Verify organizational score -Audit5_4="$(defaults read "$plistlocation" OrgScore5_4)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_4" = "1" ]; then -echo $(date -u) "Checking 5.4" | tee -a "$logFile" -keyTimeout=$(security show-keychain-info /Users/"$currentUser"/Library/Keychains/login.keychain 2>&1 | grep -c "no-timeout") +if [[ remediateRequested "5_4" ]]; then + keyTimeout=$(security show-keychain-info /Users/"$currentUser"/Library/Keychains/login.keychain 2>&1 | grep -c "no-timeout") if [ "$keyTimeout" -gt 0 ]; then - security set-keychain-settings -u -t 21600s /Users/"$currentUser"/Library/Keychains/login.keychain - echo $(date -u) "5.4 remediated" | tee -a "$logFile"; else - echo $(date -u) "5.4 passed" | tee -a "$logFile" -fi + security set-keychain-settings -u -t 21600s 
/Users/"$currentUser"/Library/Keychains/login.keychain + writelog "5.4 remediated"; + else + writelog "5.4 passed" + fi fi # 5.5 Ensure login keychain is locked when the computer sleeps -# Verify organizational score -Audit5_5="$(defaults read "$plistlocation" OrgScore5_5)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_5" = "1" ]; then -echo $(date -u) "Checking 5.5" | tee -a "$logFile" - lockSleep=$(security show-keychain-info /Users/"$currentUser"/Library/Keychains/login.keychain 2>&1 | grep -c "lock-on-sleep") +if [[ remediateRequested "5_5" ]]; then + lockSleep=$(security show-keychain-info /Users/"$currentUser"/Library/Keychains/login.keychain 2>&1 | grep -c "lock-on-sleep") if [ "$lockSleep" = 0 ]; then security set-keychain-settings -l /Users/"$currentUser"/Library/Keychains/login.keychain - echo $(date -u) "5.5 remediated" | tee -a "$logFile"; else - echo $(date -u) "5.5 passed" | tee -a "$logFile" + writelog "5.5 remediated"; + else + writelog "5.5 passed" fi fi # 5.6 Enable OCSP and CRL certificate checking -# Verify organizational score -Audit5_6="$(defaults read "$plistlocation" OrgScore5_6)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_6" = "1" ]; then - echo $(date -u) "Checking 5.6" | tee -a "$logFile" - certificateCheckOCSP=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.security.revocation OCSPStyle) +if [[ remediateRequested "5_6" ]]; then + certificateCheckOCSP=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.security.revocation OCSPStyle) certificateCheckCRL=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.security.revocation CRLStyle) # If client fails, then note category in audit file if [ "$certificateCheckOCSP" != "RequireIfPresent" ] || [ "$certificateCheckCRL" != "RequireIfPresent" ]; then 
@@ -867,219 +728,173 @@ if [ "$Audit5_6" = "1" ]; then defaults write com.apple.security.revocation CRLStyle -string RequireIfPresent defaults write /Users/"$currentUser"/Library/Preferences/com.apple.security.revocation OCSPStyle -string RequireIfPresent defaults write /Users/"$currentUser"/Library/Preferences/com.apple.security.revocation CRLStyle -string RequireIfPresent - echo $(date -u) "5.6 remediated" | tee -a "$logFile" - else - echo $(date -u) "5.6 passed" | tee -a "$logFile" + writelog "5.6 remediated" + else + writelog "5.6 passed" fi fi # 5.7 Do not enable the "root" account -# Verify organizational score -Audit5_7="$(defaults read "$plistlocation" OrgScore5_7)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_7" = "1" ]; then -echo $(date -u) "Checking 5.7" | tee -a "$logFile" -rootEnabled=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | grep -c "No such key") -if [ "$rootEnabled" = "1" ]; then - echo $(date -u) "5.7 passed" | tee -a "$logFile"; else - dscl . -create /Users/root UserShell /usr/bin/false - echo $(date -u) "5.7 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "5_7" ]]; then + rootEnabled=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | grep -c "No such key") + if [ "$rootEnabled" = "1" ]; then + writelog "5.7 passed"; + else + dscl . 
-create /Users/root UserShell /usr/bin/false + writelog "5.7 remediated" + fi fi # 5.8 Disable automatic login -# Verify organizational score -Audit5_8="$(defaults read "$plistlocation" OrgScore5_8)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_8" = "1" ]; then -echo $(date -u) "Checking 5.8" | tee -a "$logFile" -autologinEnabled=$(defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser) -if [ "$autologinEnabled" = "" ]; then - echo $(date -u) "5.8 passed" | tee -a "$logFile"; else - defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser - echo $(date -u) "5.8 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "5_8" ]]; then + autologinEnabled=$(defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser) + if [ "$autologinEnabled" = "" ]; then + writelog "5.8 passed"; + else + defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser + writelog "5.8 remediated" + fi fi # 5.9 Require a password to wake the computer from sleep or screen saver -# Verify organizational score -Audit5_9="$(defaults read "$plistlocation" OrgScore5_9)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_9" = "1" ]; then -echo $(date -u) "Checking 5.9" | tee -a "$logFile" -screensaverPwd=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.screensaver askForPassword) -if [ "$screensaverPwd" = "1" ]; then - echo $(date -u) "5.9 passed" | tee -a "$logFile"; else - defaults write /Users/"$currentUser"/Library/Preferences/com.apple.screensaver askForPassword -int 1 - echo $(date -u) "5.9 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "5_9" ]]; then + screensaverPwd=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.screensaver askForPassword) + if [ "$screensaverPwd" = "1" ]; then + writelog "5.9 passed"; + else + defaults write 
/Users/"$currentUser"/Library/Preferences/com.apple.screensaver askForPassword -int 1 + writelog "5.9 remediated" + fi fi # 5.10 Require an administrator password to access system-wide preferences -# Verify organizational score -Audit5_10="$(defaults read "$plistlocation" OrgScore5_10)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_10" = "1" ]; then -echo $(date -u) "Checking 5.10" | tee -a "$logFile" -adminSysPrefs=$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep -c "true") -if [ "$adminSysPrefs" = "1" ]; then - security authorizationdb read system.preferences > /tmp/system.preferences.plist - /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist - security authorizationdb write system.preferences < /tmp/system.preferences.plist - echo $(date -u) "5.10 remediated" | tee -a "$logFile"; else - echo $(date -u) "5.10 passed" | tee -a "$logFile" -fi +if [[ remediateRequested "5_10" ]]; then + adminSysPrefs=$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep -c "true") + if [ "$adminSysPrefs" = "1" ]; then + security authorizationdb read system.preferences > /tmp/system.preferences.plist + /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist + security authorizationdb write system.preferences < /tmp/system.preferences.plist + writelog "5.10 remediated"; + else + writelog "5.10 passed" + fi fi # 5.11 Disable ability to login to another user's active and locked session -# Verify organizational score -Audit5_11="$(defaults read "$plistlocation" OrgScore5_11)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_11" = "1" ]; then -echo $(date -u) "Checking 5.11" | tee -a "$logFile" - screensaverGroups=$(grep -c "group=admin,wheel fail_safe" /etc/pam.d/screensaver) +if [[ 
remediateRequested "5_11" ]]; then + screensaverGroups=$(grep -c "group=admin,wheel fail_safe" /etc/pam.d/screensaver) if [ "$screensaverGroups" = "1" ]; then - cp /etc/pam.d/screensaver /etc/pam.d/screensaver_old - sed "s/"group=admin,wheel\ fail_safe"/"group=wheel\ fail_safe"/g" /etc/pam.d/screensaver_old > /etc/pam.d/screensaver - chmod 644 /etc/pam.d/screensaver - chown root:wheel /etc/pam.d/screensaver - echo $(date -u) "5.11 remediated" | tee -a "$logFile"; else - echo $(date -u) "5.11 passed" | tee -a "$logFile" + cp /etc/pam.d/screensaver /etc/pam.d/screensaver_old + sed "s/"group=admin,wheel\ fail_safe"/"group=wheel\ fail_safe"/g" /etc/pam.d/screensaver_old > /etc/pam.d/screensaver + chmod 644 /etc/pam.d/screensaver + chown root:wheel /etc/pam.d/screensaver + writelog "5.11 remediated"; + else + writelog "5.11 passed" fi fi # 5.18 System Integrity Protection status -# Verify organizational score -Audit5_18="$(defaults read "$plistlocation" OrgScore5_18)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit5_18" = "1" ]; then -echo $(date -u) "Checking 5.18" | tee -a "$logFile" -sipEnabled=$(/usr/bin/csrutil status | awk '{print $5}') -if [ "$sipEnabled" = "enabled." ]; then - echo $(date -u) "5.18 passed" | tee -a "$logFile"; else - /usr/bin/csrutil enable - echo $(date -u) "5.18 remediated" | tee -a "$logFile" -fi +if [[ remediateRequested "5_18" ]]; then + sipEnabled=$(/usr/bin/csrutil status | awk '{print $5}') + if [ "$sipEnabled" = "enabled." 
]; then + writelog "5.18 passed"; + else + /usr/bin/csrutil enable + writelog "5.18 remediated" + fi fi # 6.1.1 Display login window as name and password -# Verify organizational score -Audit6_1_1="$(defaults read "$plistlocation" OrgScore6_1_1)" -# If organizational score is 1 or true, check status of client -if [ "$Audit6_1_1" = "1" ]; then -echo $(date -u) "Checking 6.1.1" | tee -a "$logFile" +if [[ remediateRequested "6_1_1" ]]; then loginwindowFullName=$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME) - # If client fails, then remediate - if [ "$loginwindowFullName" != "1" ]; then + if [ "$loginwindowFullName" != "1" ]; then defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -int 1 - echo $(date -u) "6.1.1 remediated" | tee -a "$logFile"; else - echo $(date -u) "6.1.1 passed" | tee -a "$logFile" + writelog "6.1.1 remediated"; + else + writelog "6.1.1 passed" fi fi # 6.1.2 Disable "Show password hints" -# Verify organizational score -Audit6_1_2="$(defaults read "$plistlocation" OrgScore6_1_2)" -# If organizational score is 1 or true, check status of client -if [ "$Audit6_1_2" = "1" ]; then -echo $(date -u) "Checking 6.1.2" | tee -a "$logFile" +if [[ remediateRequested "6_1_2" ]]; then passwordHints=$(defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint) - # If client fails, then remediate - if [ "$passwordHints" -gt 0 ]; then + if [ "$passwordHints" -gt 0 ]; then defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 - echo $(date -u) "6.1.2 remediated" | tee -a "$logFile"; else - echo $(date -u) "6.1.2 passed" | tee -a "$logFile" + writelog "6.1.2 remediated"; + else + writelog "6.1.2 passed" fi fi # 6.1.3 Disable guest account -# Verify organizational score -Audit6_1_3="$(defaults read "$plistlocation" OrgScore6_1_3)" -# If organizational score is 1 or true, check status of client -if [ "$Audit6_1_3" = "1" ]; then -echo $(date -u) "Checking 6.1.3" | tee -a "$logFile" 
+if [[ remediateRequested "6_1_3" ]]; then guestEnabled=$(defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled) - # If client fails, then remediate - if [ "$guestEnabled" = 1 ]; then + if [ "$guestEnabled" = 1 ]; then defaults write /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -bool false - echo $(date -u) "6.1.3 remediated" | tee -a "$logFile"; else - echo $(date -u) "6.1.3 passed" | tee -a "$logFile" + writelog "6.1.3 remediated"; + else + writelog "6.1.3 passed" fi fi # 6.1.4 Disable "Allow guests to connect to shared folders" -# Verify organizational score -Audit6_1_4="$(defaults read "$plistlocation" OrgScore6_1_4)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit6_1_4" = "1" ]; then -echo $(date -u) "Checking 6.1.4" | tee -a "$logFile" +if [[ remediateRequested "6_1_4" ]]; then afpGuestEnabled=$(defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess) smbGuestEnabled=$(defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess) if [ "$afpGuestEnabled" = "0" ] && [ "$smbGuestEnabled" = "0" ]; then - echo $(date -u) "6.1.4 passed" | tee -a "$logFile" + writelog "6.1.4 passed" fi if [ "$afpGuestEnabled" = "1" ]; then defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no - echo $(date -u) "6.1.4 remediated" | tee -a "$logFile"; + writelog "6.1.4 remediated"; fi if [ "$smbGuestEnabled" = "1" ]; then defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no - echo $(date -u) "6.1.4 remediated" | tee -a "$logFile"; + writelog "6.1.4 remediated"; fi fi # 6.1.5 Remove Guest home folder -# Verify organizational score -Audit6_1_5="$(defaults read "$plistlocation" OrgScore6_1_5)" -# If organizational score is 1 or true, check status of client -if [ "$Audit6_1_5" = "1" ]; then -echo $(date -u) "Checking 6.1.5" | tee -a "$logFile" - # If client 
fails, then remediate - if [ -e /Users/Guest ]; then +if [[ remediateRequested "6_1_5" ]]; then + if [ -e /Users/Guest ]; then rm /Users/Guest - echo $(date -u) "6.1.5 remediated" | tee -a "$logFile"; else - echo $(date -u) "6.1.5 passed" | tee -a "$logFile" + writelog "6.1.5 remediated"; + else + writelog "6.1.5 passed" fi fi # 6.2 Turn on filename extensions -# Verify organizational score -Audit6_2="$(defaults read "$plistlocation" OrgScore6_2)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit6_2" = "1" ]; then -echo $(date -u) "Checking 6.2" | tee -a "$logFile" -filenameExt=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.finder AppleShowAllExtensions) -if [ "$filenameExt" = "1" ]; then - echo $(date -u) "6.2 passed" | tee -a "$logFile"; else - sudo -u "$currentUser" defaults write NSGlobalDomain AppleShowAllExtensions -bool true - pkill -u "$currentUser" Finder - echo $(date -u) "6.2 remediated" | tee -a "$logFile" - # defaults write /Users/"$currentUser"/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true -fi +if [[ remediateRequested "6_2" ]]; then + filenameExt=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.finder AppleShowAllExtensions) + if [ "$filenameExt" = "1" ]; then + writelog "6.2 passed"; + else + sudo -u "$currentUser" defaults write NSGlobalDomain AppleShowAllExtensions -bool true + pkill -u "$currentUser" Finder + writelog "6.2 remediated" + # defaults write /Users/"$currentUser"/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true + fi fi # 6.3 Disable the automatic run of safe files in Safari -# Verify organizational score -Audit6_3="$(defaults read "$plistlocation" OrgScore6_3)" -# If organizational score is 1 or true, check status of client -# If client fails, then remediate -if [ "$Audit6_3" = "1" ]; then -echo $(date -u) "Checking 6.3" | tee -a "$logFile" -safariSafe=$(defaults read 
/Users/"$currentUser"/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads) -if [ "$safariSafe" = "1" ]; then - defaults write /Users/"$currentUser"/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false - echo $(date -u) "6.3 remediated" | tee -a "$logFile"; else - echo $(date -u) "6.3 passed" | tee -a "$logFile" -fi +if [[ remediateRequested "6_3" ]]; then + safariSafe=$(defaults read /Users/"$currentUser"/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads) + if [ "$safariSafe" = "1" ]; then + defaults write /Users/"$currentUser"/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false + writelog "6.3 remediated"; + else + writelog "6.3 passed" + fi fi -echo $(date -u) "Remediation complete" | tee -a "$logFile" +# Reset the preference caching process... +killall cfprefsd +# There may be times when cfprefsd will have written over the changes we just made here +# and the changes won't take. It may take a few times through this script before everything +# is remedited takes. + + +writelog "Remediation complete" exit 0 diff --git a/README.md b/README.md index 83ee7d3..0dbf39f 100644 --- a/README.md +++ b/README.md 
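Review bot: `if [[ remediateRequested "5_7" ]]; then` (and every other `if [[ remediateRequested "…" ]]` guard in this hunk, 5.7 through 6.3) never runs the function: inside `[[ … ]]` bash parses the two words as a conditional expression and rejects them at parse time ("conditional binary operator expected"), so as written none of the remediation blocks can be entered and the script aborts before doing any work. Assuming `remediateRequested` is a helper defined earlier in the script that reports its answer via exit status, each guard should invoke it directly, `if remediateRequested "5_7"; then`. The same pattern is used in the preceding hunk (4.2 through 5.6), which begins before the start of this excerpt, and the 5.6 block at the top of this hunk starts outside it. This matches the commit message's "Untested" caveat; a `bash -n 3_Security_Remediation.sh` parse check would have caught it before the script is pushed to clients.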
@@ -5,22 +5,41 @@ Refers to document CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf, available at https: USAGE: -# 1_Set_Organization_Priorities +#Script: 1\_Set\_Organization\_Priorities -Policy: Generally "Once per computer" unless organizational values change. +**Description:** -Admins set organizational compliance for each listed item, which gets written to plist. The values default to "true," meaning if an organization wishes to disregard a given item they must set the value to false by changing the associated comment: +Policy: Generally run with a "Once per computer" frequency. Can be re-run as needed if organizational values change. -OrgScore1_1="true" or OrgScore1_1="false" +This creates a settings plist file used by the other CIS scripts which will run on the client. Edit the file to indicate which CIS items you wish to score and, optionally, remediate. The script writes to /Library/Application Support/SecurityScoring/org_security_score.plist by default. -NOTES: +**Settings:** -Item "1.1 Verify all Apple provided software is current" is disabled by default. -Item "5.6 Enable OCSP and CRL certificate checking" is disabled by default. +Admins set organizational compliance preferences for each listed item. The values should be set to true when you wish to consider any given item and false to disregard that item. -# 2_Security_Audit_Compliance +**Example 1:** + + OrgScore6_1_5="true" + OrgRemediate6_1_5="true" + +CIS 6.1.5 will be scored and remediated. + +**Example 2:** + + OrgScore6_1_5="true" + OrgRemediate6_1_5="false" + +CIS 6\_1_5 will be audited but will not be remediated. Another policy or profile may be implemented separately to remediate this item. Note: The script will not attempt to remediate any item unless it is also being scored. + +When the defaul settins are used, the following items are scored but will not be remediated: + +* Item "1.1 Verify all Apple provided software is current". +* Item "5.6 Enable OCSP and CRL certificate checking". 
+ + +#Script: 2\_Security\_Audit\_Compliance Policy: Some recurring trigger to track compliance over time. @@ -28,19 +47,19 @@ Reads the plist at /Library/Application Support/SecurityScoring/org_security_sco Non-compliant items are recorded at /Library/Application Support/SecurityScoring/org_audit -# 2.5_Audit_List Extension Attribute +#Script: 2.5\_Audit\_List Extension Attribute Set as Data Type "String." Reads contents of /Library/Application Support/SecurityScoring/org_audit file and records to Jamf Pro inventory record. -# 2.6_Audit_Count Extension Attribute +#Script: 2.6\_Audit\_Count Extension Attribute Set as Data Type "Integer." -Reads contents of /Library/Application Support/SecurityScoring/org_audit file and records count of items to Jamf Pro inventory record. Usable with smart group logic (2.6_Audit_Count greater than 0) to immediately determine computers not in compliance. +Reads contents of /Library/Application Support/SecurityScoring/org\_audit file and records count of items to Jamf Pro inventory record. Usable with smart group logic (2.6\_Audit\_Count greater than 0) to immediately determine computers not in compliance. -# 3_Security_Remediation +#Script: 3\_Security\_Remediation Policy: Some recurring trigger to enforce compliance over time. 
@@ -49,11 +68,11 @@ Reads the plist at /Library/Application Support/SecurityScoring/org_security_sco SCORED CIS EXCEPTIONS: - Does not implement pwpolicy commands (5.2.1 - 5.2.8) -- Audits but does not actively remediate (due to alternate profile/policy functionality within Jamf Pro): +- Audits but does not actively remediate (Typicall, other Jamf Pro profile/policy functionality is ued to manages these items): * 2.4.4 Disable Printer Sharing * 2.6.1 Enable FileVault * 2.7.4 iCloud Drive Document sync * 2.7.5 iCloud Drive Desktop sync * 2.11 Java 6 is not the default Java runtime * 5.12 Create a custom message for the Login Screen -* 5.13 Create a Login window banner \ No newline at end of file +* 5.13 Create a Login window banner