├── .gitignore
├── CIS License.md
├── ElCapitan_CIS.sh
├── LICENSE.md
├── Mavericks_CIS.sh
├── README.md
├── Yosemite_CIS.sh
├── cis-1.2-enableAutoUpdate.plist
├── cis-1.3-enableAppAutoUpdate.plist
├── cis-1.4-XProtect.plist
├── cis-1.5-OSUpdateInstalls.plist
├── cis-2.8-disableIRReciever.plist
├── cis-2.9-enableSecureKeyboardEntryTerminal.plist
├── cis-5.9-requirePasswordScreensaver.plist
├── cis-AFPGuestAccess.plist
├── cis-SMBGuestAccess.plist
├── cis-automaticAppStore.plist
└── cis-automaticSoftwareUpdate.plist
/.gitignore:
--------------------------------------------------------------------------------
cislevels.sh
CIS_ElCapitan.py
fut.sh
user_template.sh
cis.log
.DS_Store
CIS-Settings.sublime-project
CIS-Settings.sublime-workspace
CIS.py
--------------------------------------------------------------------------------
/CIS License.md:
--------------------------------------------------------------------------------
The CIS Security Benchmarks division provides consensus-oriented information security products, services, tools, metrics, suggestions, and recommendations (the “SB Products”) as a public service to Internet users worldwide. Downloading or using SB Products in any way signifies and confirms your acceptance of and your binding agreement to these CIS Security Benchmarks Terms of Use.

***CIS SECURITY BENCHMARKS TERMS OF USE***

***BOTH CIS SECURITY BENCHMARKS DIVISION MEMBERS AND NON-MEMBERS MAY:***
- Download, install, and use each of the SB Products on a single computer, and/or
- Print one or more copies of any SB Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, but only if each such copy is printed in its entirety and is kept intact, including without limitation the text of these CIS Security Benchmarks Terms of Use.

***UNDER THE FOLLOWING TERMS AND CONDITIONS:***
- **SB Products Provided As Is.** CIS is providing the SB Products “as is” and “as available” without: (1) any representations, warranties, or covenants of any kind whatsoever (including the absence of any warranty regarding: (a) the effect or lack of effect of any SB Product on the operation or the security of any network, system, software, hardware, or any component of any of them, and (b) the accuracy, utility, reliability, timeliness, or completeness of any SB Product); or (2) the responsibility to make or notify you of any corrections, updates, upgrades, or fixes.
- **Intellectual Property and Rights Reserved.** You are not acquiring any title or ownership rights in or to any SB Product, and full title and all ownership rights to the SB Products remain the exclusive property of CIS. All rights to the SB Products not expressly granted in these Terms of Use are hereby reserved.
- **Restrictions.** You acknowledge and agree that you may not: (1) decompile, dis-assemble, alter, reverse engineer, or otherwise attempt to derive the source code for any software SB Product that is not already in the form of source code; (2) distribute, redistribute, sell, rent, lease, sublicense or otherwise transfer or exploit any rights to any SB Product in any way or for any purpose; (3) post any SB Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device; (4) remove from or alter these CIS Security Benchmarks Terms of Use on any SB Product; (5) remove or alter any proprietary notices on any SB Product; (6) use any SB Product or any component of an SB Product with any derivative works based directly on an SB Product or any component of an SB Product; (7) use any SB Product or any component of an SB Product with other products or applications that are directly and specifically dependent on such SB Product or any component for any part of their functionality; (8) represent or claim a particular level of compliance or consistency with any SB Product; or (9) facilitate or otherwise aid other individuals or entities in violating these CIS Security Benchmarks Terms of Use.
- **Your Responsibility to Evaluate Risks.** You acknowledge and agree that: (1) no network, system, device, hardware, software, or component can be made fully secure; (2) you have the sole responsibility to evaluate the risks and benefits of the SB Products to your particular circumstances and requirements; and (3) CIS is not assuming any of the liabilities associated with your use of any or all of the SB Products.
- **CIS Liability.** You acknowledge and agree that neither CIS nor any of its employees, officers, directors, agents or other service providers has or will have any liability to you whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages that arise out of or are connected in any way with your use of any SB Product.
- **Indemnification.** You agree to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service providers harmless from and against any liabilities, costs and expenses incurred by any of them in connection with your violation of these CIS Security Benchmarks Terms of Use.
- **Jurisdiction.** You acknowledge and agree that: (1) these CIS Security Benchmarks Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland; (2) any action at law or in equity arising out of or relating to these CIS Security Benchmarks Terms of Use shall be filed only in the courts located in the State of Maryland; and (3) you hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action.
- **U.S. Export Control and Sanctions laws.** Regarding your use of the SB Products with any non-U.S. entity or country, you acknowledge that it is your responsibility to understand and abide by all U.S. sanctions and export control laws as set from time to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).

***SPECIAL RULES FOR CIS MEMBER ORGANIZATIONS:*** CIS reserves the right to create special rules for: (1) CIS Members; and (2) Non-Member organizations and individuals with which CIS has a written contractual relationship. CIS hereby grants to each CIS Member Organization in good standing the right to distribute the SB Products within such Member's own organization, whether by manual or electronic means. Each such Member Organization acknowledges and agrees that the foregoing grants in this paragraph are subject to the terms of such Member's membership arrangement with CIS and may, therefore, be modified or terminated by CIS at any time.
--------------------------------------------------------------------------------
/ElCapitan_CIS.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | ########################################################################
3 | # CIS Benchmark Settings 1.1.0
4 | # El Capitan (10.10)
5 | # Kris Payne
6 | #
7 | # Run as root
8 | # Usage: scriptname.sh [-l|--level] [1,2,1.5]
9 | # 1 = All Scored Level 1 benchmarks (default)
10 | # 2 = All Scored Level 1 and 2 benchmarks (coming someday)
11 | # 1.5 = All Scored Level 1 benchmarks with sensible secure recommendations as well as some Level 2
12 | ########################################################################
13 |
14 | softwareUpdates() {
15 | # 1 Install Updates, Patches and Additional Security Software
16 | ScriptLogging "1 Install Updates, Patches, and Additional Security Software"
17 |
18 | # 1.1 Verify all Apple provided software is current
19 | # Level 1 Scored
20 | ScriptLogging " Checking for software updates from Apple..."
21 | local SoftwareUpdateCommand
22 | SoftwareUpdateCommand="$(/usr/sbin/softwareupdate -l | wc -l)"
23 | if [[ ${SoftwareUpdateCommand} -eq 4 ]]; then
24 | ScriptLogging " All available software updates have been installed."
25 | else
26 | ScriptLogging " Installing Software Updates."
27 | /usr/sbin/softwareupdate -i -a
28 | ScriptLogging " All available software updates have been installed."
29 | fi
30 |
31 | # 1.2 Enable Auto Update
32 | # Level 1 Scored
33 | local AutoSoftwareUpdateCheck
34 | AutoSoftwareUpdateCheck="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled)"
35 | if [[ ${AutoSoftwareUpdateCheck} = "1" ]]; then
36 | ScriptLogging " Automatic Update Check enabled."
37 | else
38 | ScriptLogging " Automatic Update Check NOT enabled. Enabling..."
39 | /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool TRUE
40 | # comment out below to disable for Sierra auto downloads.
41 | /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool TRUE
42 | /usr/sbin/softwareupdate --schedule on
43 | ScriptLogging " Automatic Update Check enabled."
44 | fi
45 |
46 | # 1.3 Enable app update installs
47 | # Level 1 Scored
48 | local AppAutoUpdate
49 | AppAutoUpdate="$(/usr/bin/defaults read /Library/Preferences/com.apple.commerce AutoUpdate)"
50 | if [[ ${AppAutoUpdate} = "1" ]]; then
51 | ScriptLogging " Auto Update Apps enabled."
52 | else
53 | ScriptLogging " Auto Update Apps NOT enabled. Enabling..."
54 | /usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool TRUE
55 | ScriptLogging " Auto Update Apps enabled."
56 | fi
57 |
58 | # 1.4 Enable system data files and security update installs
59 | # Level 1 Scored
60 | local ConfigDataInstall
61 | local CriticalUpdateInstall
62 | ConfigDataInstall="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep "ConfigDataInstall" | awk '{ print $3 }')"
63 | CriticalUpdateInstall="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep "CriticalUpdateInstall" | awk '{ print $3 }')"
64 |
65 | if [[ ${ConfigDataInstall} = "1;" ]]; then
66 | ScriptLogging " Configuration Data updates enabled."
67 | else
68 | ScriptLogging " Configuration Data updates NOT enabled. Enabling..."
69 | /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool TRUE
70 | ScriptLogging " Configuration Data updates enabled."
71 | fi
72 |
73 | if [[ ${CriticalUpdateInstall} = "1;" ]]; then
74 | ScriptLogging " Critical security updates enabled."
75 | else
76 | ScriptLogging " Critical security updates NOT enabled. Enabling..."
77 | /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool TRUE
78 | ScriptLogging " Critical security updates enabled."
79 | fi
80 |
81 | # 1.5 Enable OS X update installs
82 | # Level 1 Scored
83 | local AutoRestartReq
84 | AutoRestartReq="$(/usr/bin/defaults read /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired)"
85 | if [[ ${AutoRestartReq} = "1" ]]; then
86 | ScriptLogging " OS X Auto Updates enabled."
87 | else
88 | ScriptLogging " OS X Auto Updates NOT enabled. Enabling..."
89 | /usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired -bool TRUE
90 | ScriptLogging " OS X Auto Updates enabled."
91 | fi
92 | }
93 |
94 | systemPreferences() {
95 | # 2 System Preferences
96 | ScriptLogging "2 System Preferences"
97 |
98 | # 2.1 Bluetooth
99 | # 2.1.1 Turn off Bluetooth, if no paired devices exist
100 | # Level 1 Scored
101 |
102 | local BTControllerPowerState
103 | BTControllerPowerState="$(/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState)"
104 | local BTSysPaired
105 | BTSysPaired="$(/usr/sbin/system_profiler | grep "Bluetooth:" -A 20 | grep Connectable | awk '{ print $2 }' 2>/dev/null)"
106 | if [[ ${BTControllerPowerState} = "0" ]]; then
107 | ScriptLogging " Bluetooth is powered off."
108 | elif [[ ${BTControllerPowerState} = "1" ]]; then
109 | ScriptLogging " Bluetooth is powered on. Searching for paired devices..."
110 | if [[ ${BTSysPaired} = "Yes" ]]; then
111 | ScriptLogging " Bluetooth has found a paired device."
112 | elif [[ ${BTSysPaired} = "No" ]]; then
113 | ScriptLogging " Bluetooth has NOT found a paired device. Turning off Bluetooth..."
114 | /usr/bin/defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
115 | ScriptLogging " Bluetooth is powered off."
116 | fi
117 | fi
118 |
119 | # 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices
120 | # Level 1 Scored
121 | # Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference
122 | # is selected. To ensure that the computer is not Discoverable do not leave that preference open.
123 |
124 | if [[ "$(/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable | awk '{ print $2 }')" = "Off" ]]; then
125 | ScriptLogging " Bluetooth is not discoverable."
126 | else
127 | ScriptLogging " Bluetooth is discoverable, please close System Preferences."
128 | fi
129 |
130 | # 2.1.3 Show Bluetooth status in menu bar
131 | # Level 1 Scored
132 | # TODO: Test new audit/remidiate
133 | # This possibly may not work anymore.
134 |
135 | local BluetoothMenuStatus
136 | BluetoothMenuStatus="$(/usr/bin/defaults read com.apple.systemuiserver menuExtras | grep Bluetooth.menu)"
137 | if [[ "${BluetoothMenuStatus}" = "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" ]]; then
138 | ScriptLogging " Bluetooth shown in menu bar."
139 | else
140 | ScriptLogging " Bluetooth Not shown in menu bar. Enabling..."
141 | user_template com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"
142 | ScriptLogging " Bluetooth shown in menu bar."
143 | fi
144 |
145 | # 2.2 Date & Time
146 | # 2.2.1 Enable "Set time and date automatically"
147 | # no need to remediate, just set.
148 | # If you want to remediate first, please feel free to fork and pull
149 | # Level 2 Not Scored, Level 1.5 Not Scored
150 | if [[ ${CISLEVEL} = "1.5" ]]; then
151 | if [[ ! -e /etc/ntp.conf ]]; then
152 | ScriptLogging " Create '/etc/ntp.conf'"
153 | /usr/bin/touch /etc/ntp.conf
154 | fi
155 |
156 | ScriptLogging " Ensure NetworkTime is on."
157 | /usr/sbin/systemsetup -setusingnetworktime on
158 |
159 | ScriptLogging " Set NetworkTime to time.apple.com."
160 | /usr/sbin/systemsetup -setnetworktimeserver time.apple.com
161 | fi
162 |
163 | # 2.2.2 Ensure time set is within appropriate limits
164 | # Level 1 Scored
165 | ScriptLogging " Checking time.apple.com skew..."
166 | /usr/sbin/ntpdate -sv time.apple.com
167 |
168 | # 2.3 Desktop & Screen Saver
169 | # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver
170 | # Level 1 Scored
171 | # User configuration profiles are more useful here.
172 | # Make sure what is set in the config profile is less than section 2.3.3
173 | # This will also set this as root, not the actual user.
174 | # Could do User Template like as in 2.3.2, however this has not been tested.
175 | #/usr/bin/defaults -currentHost write com.apple.screensaver idleTime 600
176 |
177 | # 2.3.2 Secure screen saver corners
178 | # Level 2 Scored, Level 1.5 Not Scored
179 | # Take a "clear-all" approach here, as 2.3.4 sets an active corner for enabling screensaver.
180 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
181 | ScriptLogging " Setting all corners to '1'..."
182 | user_template com.apple.dock wvous-tl-corner 1
183 | user_template com.apple.dock wvous-tr-corner 1
184 | user_template com.apple.dock wvous-bl-corner 1
185 | user_template com.apple.dock wvous-br-corner 1
186 | fi
187 |
188 | # 2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver
189 | # Level 1 Not Scored, Level 1.5
190 | if [[ ${CISLEVEL} = "1.5" ]]; then
191 | ScriptLogging " Setting Display Sleep to 15 minutes..."
192 | /usr/bin/pmset -a displaysleep 15
193 | fi
194 |
195 | # 2.3.4 Set a screen corner to Start Screen Saver
196 | # Level 1 Scored
197 | # Not currently setting.
198 | # TODO
199 | #ScriptLogging " Setting bottom right corner to enable screensaver..."
200 | #user_template com.apple.dock wvous-br-corner 5
201 | #user_template com.apple.dock wvous-br-modifier 0
202 |
203 | # 2.4 Sharing
204 | # 2.4.1 Disable Remote Apple Events
205 | # Level 1 Scored
206 | if [[ "$(/usr/sbin/systemsetup -getremoteappleevents | awk '{ print $4 }')" = "Off" ]]; then
207 | ScriptLogging " Remote Apple Events disabled."
208 | else
209 | ScriptLogging " Remote Apple Events NOT disabled. Disabling..."
210 | /usr/sbin/systemsetup -setremoteappleevents off
211 | ScriptLogging " Remote Apple Events disabled."
212 | fi
213 |
214 | # 2.4.2 Disable Internet Sharing
215 | # Level 1 Scored
216 |
217 | # Internet Sharing is off by default. Running these commands without checking
218 | # first will send the machine into a downward sprial of doom and depair.
219 | # It's your funeral if you uncomment. Left in for remediation/completeness sake.
220 |
221 | # if [[ ! -e "/Library/Preferences/SystemConfiguration/com.apple.nat" ]]; then
222 | # ScriptLogging " No 'com.apple.nat' file present. Internet Sharing Disabled."
223 | # else
224 | # ScriptLogging " 'com.apple.nat' file present. Internet Sharing Enabled. Disabling..."
225 | # /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
226 | # /bin/launchctl unload -w /System/Library/LaunchDaemons/ com.apple.InternetSharing.plist
227 | # ScriptLogging " Internet Sharing Disabled."
228 | # fi
229 |
230 | # 2.4.3 Disable Screen Sharing
231 | # Level 1 Scored
232 | local ScreenSharing
233 | ScreenSharing="$(/usr/bin/defaults read /System/Library/LaunchDaemons/com.apple.screensharing.plist | grep "Disabled" | awk '{ print $3 }')"
234 | if [[ ${ScreenSharing} = "1;" ]]; then
235 | ScriptLogging " Screen Sharing Disabled."
236 | else
237 | ScriptLogging " Screen Sharing Enabled. Disabling..."
238 | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
239 | ScriptLogging " Screen Sharing Disabled."
240 | fi
241 |
242 | # 2.4.4 Disable Printer Sharing
243 | # Level 1 Scored
244 | # No need to audit, just remediate.
245 | ScriptLogging " Disabling printer sharing..."
246 | /usr/sbin/cupsctl --no-share-printers
247 |
248 | # 2.4.5 Disable Remote Login
249 | # Level 1 Scored
250 | # Only open to administrator accounts. Best practice is for service accounts only.
251 | local RemoteLogin
252 | RemoteLogin="$(/usr/sbin/systemsetup -getremotelogin | awk '{ print $3 }')"
253 | if [[ ${RemoteLogin} = "Off" ]]; then
254 | ScriptLogging " Remote Login disabled."
255 | elif [[ ${RemoteLogin} = "administrator" ]]; then
256 | ScriptLogging " Remote Login enabled for Administrators. Consider removing if not needed."
257 | else
258 | ScriptLogging " Remote Login enabled. Disabling..."
259 | /usr/sbin/systemsetup -setremotelogin off
260 | ScriptLogging " Remote Login disabled."
261 | fi
262 |
263 | # 2.4.6 Disable DVD or CD Sharing
264 | # Level 1 Scored
265 | # Newer devices do not have Optical Drives
266 | # code not tested. unable to test as I haven't seen a CD/DVD drive on a machine in many years.
267 | #local OpticalSharingAudit
268 | #OpticalSharingAudit=$(/bin/launchctl list | egrep ODSAgent)
269 | #if [[ ${OpticalSharingAudit} -ge 0 ]]; then
270 | # ScriptLogging " Optical Drive Sharing is disabled."
271 | #else
272 | # ScriptLogging " Optical Drive Sharing is NOT disabled. Disabling..."
273 | # /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.ODSAgent.plist
274 | # ScriptLogging " Optical Drive Sharing is disabled."
275 | #fi
276 |
277 | # 2.4.7 Disable Bluetooth Sharing
278 | # Level 1 Scored
279 | #TODO: Test. New audit/remediation written.
280 |
281 | #local BTSharing
282 | #BTSharing="$(/usr/sbin/system_profiler SPBluetoothDataType | grep State)"
283 | #if [[ ${BTSharing} = "Disabled\nDisabled\nDisabled" ]]; then
284 | # ScriptLogging " Bluetooth Sharing disabled."
285 | #else
286 | # local hardwareUUID
287 | # hardwareUUID=$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | awk -F ": " '{print $2}')
288 | # ScriptLogging " Bluetooth Sharing disabling..."
289 | # for USER_HOME in /Users/*
290 | # do
291 | # USER_UID=$(basename "${USER_HOME}")
292 | # if [ ! "${USER_UID}" = "Shared" ]; then
293 | # if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
294 | # /bin/mkdir -p "${USER_HOME}"/Library/Preferences
295 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library
296 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
297 | # fi
298 | # if [ ! -d "${USER_HOME}"/Library/Preferences/ByHost ]; then
299 | # /bin/mkdir -p "${USER_HOME}"/Library/Preferences/ByHost
300 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library
301 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
302 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost
303 | # fi
304 | # if [ -d "${USER_HOME}"/Library/Preferences/ByHost ]; then
305 | # /usr/bin/defaults write "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist PrefKeyServicesEnabled -bool false
306 | # #/usr/libexec/PlistBuddy -c "Delete :PrefKeyServicesEnabled" "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist
307 | # #/usr/libexec/PlistBuddy -c "Add :PrefKeyServicesEnabled bool false" "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist
308 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist
309 | # fi
310 | # fi
311 | # done
312 | #fi
313 |
314 | # 2.4.8 Disable File Sharing
315 | # Level 1 Scored
316 | #TODO: Test. New audit/remediation written.
317 | # these two are made into profiles.
318 |
319 | local AppleFileServerAudit
320 | AppleFileServerAudit="$(/bin/launchctl list | egrep AppleFileServer)"
321 | if [[ "${AppleFileServerAudit}" -ge 0 ]]; then
322 | ScriptLogging " AFP is disabled."
323 | else
324 | ScriptLogging " AFP is NOT disabled. Disabling..."
325 | /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
326 | ScriptLogging " AFP is disabled."
327 | fi
328 |
329 | local SMBAudit
330 | SMBAudit="$(/bin/launchctl list | egrep smbd)"
331 | if [[ ${SMBAudit} -ge 0 ]]; then
332 | ScriptLogging " SMB is disbled."
333 | else
334 | ScriptLogging " SMB is NOT disabled. Disabling..."
335 | /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
336 | ScriptLogging " SMB is disbled."
337 | fi
338 |
339 | # 2.4.9 Disable Remote Management
340 | # Level 1 Scored
341 |
342 | local ARDAgentAudit
343 | ARDAgentAudit="$(ps -ef | egrep ARDAgent)"
344 | if [[ ${ARDAgentAudit} -ge 0 ]]; then
345 | ScriptLogging " Remote Management is disabled."
346 | else
347 | ScriptLogging " Remote Management is NOT disabled. Disabling..."
348 | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
349 | ScriptLogging " Remote Management is disabled."
350 | fi
351 |
352 | # 2.5 Energy Saver
353 | # 2.5.1 Disable "Wake for network access"
354 | # Level 2 Scored, Level 1.5 Not Scored
355 | # Take a "clear-all" approach here
356 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
357 | ScriptLogging " Wake for network Access disabling."
358 | /usr/bin/pmset -a womp 0
359 | ScriptLogging " Wake for network Access disabled."
360 | fi
361 |
362 | # 2.5.2 Disable sleeping the computer when connected to power
363 | # Level 2 Scored, Level 1.5 Not Scored
364 | # Take a "clear-all" approach here
365 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
366 | ScriptLogging " Sleep when connected to power disabling."
367 | /usr/bin/pmset -c sleep 0
368 | ScriptLogging " Sleep when connected to power disabled."
369 | fi
370 |
371 | # 2.6 Security & Privacy
372 | # 2.6.1 Enable FileVault
373 | # Level 1 Scored
374 | # This should be handled by an MDM with personal/institutional keys.
375 | # audit is `diskutil cs list | grep -i encryption`
376 |
377 | # 2.6.2 Enable Gatekeeper
378 | # Level 1 Scored
379 | if [[ "$(/usr/sbin/spctl --status)" = "assessments disabled" ]]; then
380 | ScriptLogging " Gatekeeper is disabled. Enabling..."
381 | /usr/sbin/spctl --master-enable
382 | ScriptLogging " Gatekeeper is enabled."
383 | else
384 | ScriptLogging " Gatekeeper is enabled."
385 | fi
386 |
387 | # 2.6.3 Enable Firewall
388 | # Level 1 Scored
389 | local SysFirewall
390 | SysFirewall="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)"
391 | if [[ ${SysFirewall} -ge 1 ]]; then
392 | ScriptLogging " Firewall enabled."
393 | else
394 | ScriptLogging " Firewall NOT enabled. Enabling..."
395 | /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1
396 | ScriptLogging " Firewall enabled."
397 | fi
398 |
399 | # 2.6.4 Enable Firewall Stealth Mode
400 | # Level 1 Scored
401 | local SysFirewallStealth
402 | SysFirewallStealth="$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -ic "Stealth mode enabled")"
403 | if [[ ${SysFirewallStealth} -ge 1 ]]; then
404 | ScriptLogging " Firewall Stealth Mode enabled."
405 | else
406 | ScriptLogging " Firewall Stealth Mode NOT enabled. Enabling..."
407 | /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
408 | ScriptLogging " Firewall Stealth Mode enabled."
409 | fi
410 |
411 | # 2.6.5 Review Application Firewall Rules
412 | # Level 1 Scored
413 | local AppFirewall
414 | AppFirewall="$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep "ALF" | awk '{ print $7 }')"
415 | if [[ ${AppFirewall} -lt 10 ]]; then
416 | ScriptLogging " Application Firewall exception list is less than 10."
417 | else
418 | ScriptLogging "***** Application Firewall exception list is greater than 10, please investigate! *****"
419 | fi
420 |
421 | # 2.7 iCloud
422 | # This section has moved from Recommendations over to Subsections, however, no audit or remidiation guideleins are given.
423 | # General thought (mine, not CIS) is that if you are Level 1, these can be left alone. Anything above (1.5+) should be audited.
424 | # This should be handled via configuration profile.
425 | # Level 2 Not Scored
426 | # 2.7.1 iCloud configuration
427 | # 2.7.2 iCloud keychain
428 | # 2.7.3 iCloud Drive
429 |
430 | # 2.8 Pair the remote control infrared receiver if enabled
431 | # Level 1 Scored
432 | #TODO: Getting errors in STDOUT.
433 | #./Yosemite_CIS.sh: line 507: [[: Jun 22, 2016, 11:53:31 AM CIS_SETTINGS[74183]: No IR Receiver present.
434 | #Jun 22 11:53:31 kvoleon CIS_SETTINGS[74183]: No IR Receiver present.: syntax error in expression (error token is "22, 2016, 11:53:31 AM CIS_SETTINGS[74183]: No IR Receiver present.
435 | #Jun 22 11:53:31 kvoleon CIS_SETTINGS[74183]: No IR Receiver present.")
436 | #./Yosemite_CIS.sh: line 509: [[: Jun 22, 2016, 11:53:31 AM CIS_SETTINGS[74183]: No IR Receiver present.
437 | #Jun 22 11:53:31 kvoleon CIS_SETTINGS[74183]: No IR Receiver present.: syntax error in expression (error token is "22, 2016, 11:53:31 AM CIS_SETTINGS[74183]: No IR Receiver present.
438 | #Jun 22 11:53:31 kvoleon CIS_SETTINGS[74183]: No IR Receiver present.")
439 |
440 | # These errors are because system_profiler is searching the system.log and this script has already been run.
441 | # Need to find a way to grep/sed out the system.log output
442 |
443 | local SysProfIRReciever
444 | SysProfIRReciever="$(/usr/sbin/system_profiler 2>/dev/null | egrep "IR Receiver")"
445 | local AppleIRController
446 | AppleIRController="$(/usr/bin/defaults read /Library/Preferences/com.apple.driver.AppleIRController | grep "DeviceEnabled" | awk '{ print $3 }')"
447 | if [[ ${SysProfIRReciever} -eq 0 ]]; then
448 | ScriptLogging " No IR Receiver present."
449 | elif [[ ${SysProfIRReciever} -gt 0 ]]; then
450 | ScriptLogging " IR Receiver present. Checking status..."
451 | if [[ ${AppleIRController} = "0;" ]]; then
452 | ScriptLogging " IR Receiever disabled."
453 | else
454 | ScriptLogging " IR Receiever enabled. Disabling..."
455 | /usr/bin/defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled 0
456 | ScriptLogging " IR Receiever disabled."
457 | fi
458 | fi
459 |
460 | # 2.9 Enable Secure Keyboard Entry in terminal.app
461 | # Level 1 Scored
462 | # Let's not audit, let's just force it.
463 | ScriptLogging " Enabling secure text entry in Terminal.app..."
464 | user_template com.apple.Terminal.plist SecureKeyboardEntry 1
465 |
466 | # 2.10 Java 6 is not the default Java runtime
467 | # Level 2 Scored
468 | # Java is the devil, installing it means you're a bad person.
469 |
470 | # 2.11 Configure Secure Empty Trash
471 | # Level 2 Scored, Level 1.5 Not Scored
472 | # Can be secured more appropriately with a configuration profile.
473 | # Issues with config profile, especially if they are not user removable, in the event that a large file has been
474 | # trashed, productivity can be hindered when emptying the trash. (only speaking from experience.) Gather requirements!
475 | # If configured here through the script, the user can easily enable/disable at will in Finder Preferences.
476 |
477 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
478 | ScriptLogging " Enabling Secure Empty Trash..."
479 | user_template com.apple.finder EmptyTrashSecurely 1
480 | ScriptLogging " Secure Empty Trash enabled."
481 | fi
482 | }
483 |
484 | loggingAndAuditing() {
485 | # 3 Logging and Auditing
486 | ScriptLogging "3 Logging and Audting"
487 |
488 | # 3.1 Configure asl.conf
489 | # 3.1.1 Retain system.log for 90 or more days
490 | # Level 1 Scored
491 | # Contributed by John Oliver on CIS forums
492 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
493 | ScriptLogging " Setting system.log to be kept for 90 Days..."
494 | /usr/bin/sed -i.bak 's/^>\ system\.log.*/>\ system\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl.conf
495 |
496 | # 3.1.2 Retain appfirewall.log for 90 or more days
497 | # Level 1 Scored
498 | # Contributed by John Oliver on CIS forums
499 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
500 | ScriptLogging " Setting appfirewall.log to be kept for 90 Days..."
501 | /usr/bin/sed -i.bak 's/^\?\ \[=\ Facility\ com.apple.alf.logging\]\ .*/\?\ \[=\ Facility\ com.apple.alf.logging\]\ file\ appfirewall.log\ rotate=seq\ ttl=90/' /etc/asl.conf
502 |
503 | # 3.1.3 Retain authd.log for 90 or more days
504 | # Level 1 Scored
505 | # Contributed by John Oliver on CIS forums
506 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
507 | ScriptLogging " Setting authd.log to be kept for 90 Days..."
508 | /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/authd\.log.*/\*\ file\ \/var\/log\/authd\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl/com.apple.authd
509 |
510 | # 3.2 Enable security auditing
511 | # Level 1 Scored
512 | local AuditD
513 | AuditD="$(/bin/launchctl list | grep -i auditd | awk '{ print $3 }')"
514 | if [[ ${AuditD} = "com.apple.auditd" ]]; then
515 | ScriptLogging " Security Auditing enabled."
516 | else
517 | ScriptLogging " Security Auditing NOT enabled."
518 | /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
519 | ScriptLogging " Security Auditing enabled."
520 | fi
521 |
522 | # 3.3 Configure Security Auditing Flags
523 | # Level 2 Scored, Level 1.5 Not Scored
524 | # Contributed by John Oliver on CIS forums
525 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
526 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
527 | /usr/bin/sed -i '' 's/^flags:.*/flags:ad,aa,lo/' /etc/security/audit_control
528 | /usr/bin/sed -i '' 's/^expire-after:.*/expire-after:90d\ AND\ 1G/' /etc/security/audit_control
529 | fi
530 |
531 | # 3.4 Enable remote logging for Desktops on trusted networks
532 | # Level 2 Not Scored
533 | # Audit procedure is not listed. Seems nearly impossible to audit this in an automated general way.
534 |
535 | # 3.5 Retain install.log for 365 or more days
536 | # Level 1 Scored
537 | # Contributed by John Oliver on CIS forums
538 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
539 | ScriptLogging " Setting install.log to be kept for 365 Days..."
540 | /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/install\.log.*/\*\ file\ \/var\/log\/install\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=365/' /etc/asl/com.apple.install
541 | }
542 |
543 | networkConfigurations() {
544 | # 4 Network Configurations
545 | ScriptLogging "4 Network Configurations"
546 |
547 | # 4.1 Disable Bonjour advertising service
548 | # Level 2 Scored, Level 1.5 Not Scored
549 | #TODO: Test. New audit/remediation written.
550 |
551 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
552 | local checkBonjourAdvertising
553 | checkBonjourAdvertising="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)"
554 | if [ "$checkBonjourAdvertising" = "1" ] || [ "$checkBonjourAdvertising" = "2" ]; then
555 | ScriptLogging " Bonjour Advertising is disabled."
556 | else
557 | ScriptLogging " Bonjour Advertising is enabled. Disabling..."
558 | /usr/bin/defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguments -array-add "-NoMulticastAdvertisements"
559 | ScriptLogging " Bonjour Advertising is disabled."
560 | fi
561 | fi
562 |
563 | # 4.2 Enable "Show Wi-Fi status in menu bar"
564 | # Level 1 Scored
565 | # TODO
566 | ScriptLogging " Ensuring Wi-Fi is shown in MenuBar..."
567 | user_template com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Airport.menu"
568 | ScriptLogging " Wi-Fi is shown in MenuBar."
569 |
570 | # 4.3 Create network specific locations
571 | # Level 2 Not Scored
572 | # TODO
573 |
574 | # 4.4 Ensure http server is not running
575 | # Level 1 Scored
576 | if /bin/launchctl list | egrep httpd > /dev/null; then
577 | ScriptLogging " HTTP server is enabled. Disabling..."
578 | /usr/sbin/apachectl stop && /usr/bin/defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true
579 | ScriptLogging " HTTP server disabled."
580 | else
581 | ScriptLogging " HTTP server disabled."
582 | fi
583 |
584 | # 4.5 Ensure ftp server is not running
585 | # Level 1 Scored
586 | if /bin/launchctl list | egrep ftp > /dev/null; then
587 | ScriptLogging " FTP server is enabled. Disabling..."
588 | /bin/launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
589 | ScriptLogging " FTP server disabled."
590 | else
591 | ScriptLogging " FTP server disabled."
592 | fi
593 |
594 | # 4.6 Ensure nfs server is not running
595 | # Level 1 Scored
596 | if /bin/launchctl list | egrep nfsd > /dev/null; then
597 | ScriptLogging " NFS server is enabled. Disabling..."
598 | /sbin/nfsd disable
599 | ScriptLogging " NFS server disabled."
600 | elif [[ -e /etc/exports ]]; then
601 | rm /etc/exports
602 | else
603 | ScriptLogging " NFS server disabled."
604 | fi
605 | }
606 |
607 | systemAccess() {
608 | # 5 System Access, Authentication and Authorization
609 | ScriptLogging "5 System Access, Authentication and Authorization"
610 |
611 | # 5.1 File System Permissions and Access Controls
612 | # 5.1.1 Secure Home Folders
613 | # Level 1 Scored
614 | # TODO
615 | # This script is intended to run BEFORE a system is deployed. Maybe a umask here, but not sure how to implement it.
616 |
617 | # 5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions
618 | # Level 1 Not Scored
619 | # Can either set this in the weekly cron, or use the MDM to control this. MDM is preferred, as it is more malleable to timing/editing.
620 |
621 | # 5.1.3 Check System Wide Applications for appropriate permissions
622 | # Level 1 Scored
623 | # This should be checked prior to deployment within your apps/packages. Can also be run as a weekly cron or use MDM.
624 |
625 | # 5.1.4 Check System folder for world writable files
626 | # Level 1 Scored
627 | # So long as you do not introduce this into your environment through bad packaging, there's no need to remediate this. Can also be run as a weekly cron or use MDM.
628 |
629 | # 5.1.5 Check Library folder for world writable files
630 | # Level 2 Scored
631 | # GarageBand looks to be a culprit here. Should be removed/repackaged on systems through imaging/MDM.
632 |
633 | # 5.2 Password Management
634 | # This should be set within a configuration profile in the Passcode payload.
635 | # See Section 8.1 and 8.2 for possible plist that can be packaged and deployed.
636 |
637 | # 5.2.1 Configure account lockout threshold
638 | # Level 1 Scored
639 |
640 | # 5.2.2 Set a minimum password length
641 | # Level 1 Scored
642 |
643 | # 5.2.3 Complex passwords must contain an Alphabetic Character
644 | # Level 1 Scored
645 |
646 | # 5.2.4 Complex passwords must contain a Numeric Character
647 | # Level 1 Scored
648 |
649 | # 5.2.5 Complex passwords must contain a Special Character
650 | # Level 1 Scored
651 |
652 | # 5.2.6 Complex passwords must [contain] uppercase and lowercase letters
653 | # Level 1 Scored
654 |
655 | # 5.2.7 Password Age
656 | # Level 1 Scored
657 |
658 | # 5.2.8 Password History
659 | # Level 1 Scored
660 |
661 | # 5.3 Reduce the sudo timeout period
662 | # Level 1 Scored
663 | if ! /usr/bin/grep -q timestamp /etc/sudoers; then
664 | ScriptLogging " No sudo timeout modification present. Default is 5 minutes."
665 | else
666 | ScriptLogging " sudo timeout modification present."
667 | fi
668 |
669 | # 5.4 Automatically lock the login keychain for inactivity
670 | # Level 2 Scored
671 | # User specific. Check to see if can be implemented via config profile. Default is 'no limit.'
672 |
673 | # 5.5 Ensure login keychain is locked when the computer sleeps
674 | # Level 2 Scored
675 | # User specific. Check to see if can be implemented via config profile. Default is 'no limit.'
676 |
677 | # 5.6 Enable OCSP and CRL certificate checking
678 | # Level 2 Scored
679 |
680 | # 5.7 Do not enable the "root" account
681 | # Level 1 Scored
682 | #TODO: Test. New audit/remediation written.
683 | # this is requiring expected statements. will look into expect
684 |
685 | #if [[ "$(/usr/bin/dscl . -read /Users/root AuthenticationAuthority)" = "No such key: AuthenticationAuthority" ]]; then
686 | # ScriptLogging " Root user is disabled."
687 | #else
688 | # ScriptLogging " Root user is enabled. Disabling..."
689 | # /usr/sbin/dsenableroot -d
690 | # ScriptLogging " Root user is disabled."
691 | #fi
692 |
693 | # 5.8 Disable automatic login
694 | # Level 1 Scored
695 |
696 | if ! /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser > /dev/null 2>&1; then
697 | ScriptLogging " Auto login is disabled."
698 | else
699 | ScriptLogging " Auto login enabled. Disabling..."
700 | /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
701 | ScriptLogging " Auto login is disabled."
702 | fi
703 |
704 | # 5.9 Require a password to wake the computer from sleep or screen saver
705 | # Level 1 Scored
706 | # This should be within a configuration profile so that it is set and not changeable.
707 |
708 | #if [[ "$(/usr/bin/defaults read com.apple.screensaver askForPassword)" = "1" ]]; then
709 | # ScriptLogging " Password required to wake from sleep or screensaver."
710 | #else
711 | # ScriptLogging " Password NOT required to wake from sleep or screensaver. Enabling..."
712 | # /usr/bin/defaults write com.apple.screensaver askForPassword -int 1
713 | # ScriptLogging " Password required to wake from sleep or screensaver."
714 | #fi
715 |
716 | # 5.10 Require an administrator password to access system-wide preferences
717 | # Level 1 Scored
718 |
719 | if /usr/bin/security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -q false; then
720 | ScriptLogging " Password required to access system-wide preferences."
721 | else
722 | ScriptLogging " Password NOT required to access system-wide preferences. Enabling..."
723 | /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
724 | /usr/bin/defaults write /tmp/system.preferences.plist shared -bool false
725 | /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
726 | rm /tmp/system.preferences.plist
727 | ScriptLogging " Password required to access system-wide preferences."
728 | fi
729 |
730 | # 5.11 Disable ability to login to another user's active and locked session
731 | # Level 1 Scored
732 |
733 | if [[ $(/usr/bin/grep -ic "group=admin,wheel fail_safe" /etc/pam.d/screensaver) -eq 0 ]]; then
734 | ScriptLogging " Admins disabled from unlocking other users sessions."
735 | else
736 | ScriptLogging " Admins allowed to unlock other users sessions...."
737 | /usr/bin/sed -i.bak s/admin,//g /etc/pam.d/screensaver
738 | ScriptLogging " Admins disabled from unlocking other users sessions."
739 | fi
740 |
741 | # 5.12 Create a custom message for the Login Screen
742 | # Level 1 Scored
743 | if [[ "$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow.plist | grep LoginwindowText 2> /dev/null)" ]]; then
744 | ScriptLogging " Login Message set."
745 | else
746 | ScriptLogging " Login Message not set. Setting..."
747 | /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This system is reserved for authorized use only. The use of this system may be monitored."
748 | ScriptLogging " Login Message set."
749 | fi
750 |
751 | # 5.13 Create a Login window banner
752 | # Level 2 Scored
753 | if [[ ${CISLEVEL} = "2" ]]; then
754 | if [[ ! -e /Library/Security/PolicyBanner.txt ]]; then
755 | ScriptLogging " 'PolicyBanner.txt' not found."
756 | echo "This system is reserved for authorized use only. The use of this system may be monitored." > /Library/Security/PolicyBanner.txt
757 | ScriptLogging " Login Window banner set."
758 | else
759 | ScriptLogging " Login Window banner set."
760 | fi
761 | fi
762 |
763 | # 5.14 Do not enter a password-related hint
764 | # Level 1 Scored
765 | # Should be inside a configuration profile with the Login Window payload.
766 |
767 | # 5.15 Disable Fast User Switching
768 | # Level 2 Not Scored
769 | # Level 1.5 Not Scored
770 |
771 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
772 | if [[ "$(/usr/bin/defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled)" = "0" ]]; then
773 | ScriptLogging " Fast User Switching disabled."
774 | else
775 | ScriptLogging " Fast User Switching enabled. Disabling..."
776 | /usr/bin/defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO
777 | ScriptLogging " Fast User Switching disabled."
778 | fi
779 | fi
780 |
781 | # 5.16 Secure individual keychain items
782 | # Level 2 Not Scored
783 |
784 | # 5.17 Create specialized keychains for different purposes
785 | # Level 2 Not Scored
786 |
787 | # 5.18 Install an approved tokend for smartcard authentication
788 | # Level 2 Scored
789 | # TODO
790 | }
791 |
792 | userEnvironment() {
793 | # 6 User Accounts and Environment
794 | ScriptLogging "6 User Accounts and Environment"
795 |
796 | # 6.1 Accounts Preferences Action Items
797 | # 6.1.1 Display login window as name and password
798 | # Level 1 Scored
799 | # No audit, just do it.
800 | # If using FileVault 2, this does not matter and should be commented out.
801 | ScriptLogging " Setting LoginWindow to display as username and password..."
802 | /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes
803 |
804 | # 6.1.2 Disable "Show password hints"
805 | # Level 1 Scored
806 | # No audit, just do it.
807 | ScriptLogging " Disabling password hints..."
808 | /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
809 |
810 | # 6.1.3 Disable guest account login
811 | # Level 1 Scored
812 | # No audit, just do it.
813 | ScriptLogging " Disabling the Guest account..."
814 | /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
815 |
816 | # 6.1.4 Disable "Allow guests to connect to shared folders"
817 | # Level 1 Scored
818 | # No audit, just do it.
819 | ScriptLogging " Disabling Guests from connecting to Shared folders..."
820 | /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no
821 | /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no
822 |
823 | # 6.2 Turn on filename extensions
824 | # Level 1 Scored
825 | # No audit, just do it.
826 | ScriptLogging " Enabling file extensions..."
827 | /usr/bin/defaults write NSGlobalDomain AppleShowAllExtensions -bool true
828 |
829 | # 6.3 Disable the automatic run of safe files in Safari (Scored)
830 | # Level 1 Scored
831 | # No audit, just do it.
832 | ScriptLogging " Disabling auto-run of safe files in Safari..."
833 | /usr/bin/defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no
834 |
835 | # 6.4 Use parental controls for systems that are not centrally managed
836 | # Level 2 Not Scored
837 | }
838 |
839 | cleanAndReboot() {
840 | # Reboot function
841 | # left as a function in case you don't want to reboot after running the rest of the script
842 | ScriptLogging " Rebooting for CIS Settings "
843 | /sbin/shutdown -r now
844 | }
845 |
846 | mainScript() {
847 | ScriptLogging " "
848 | ScriptLogging " ************************************************** "
849 | ScriptLogging " Starting CIS Level ${CISLEVEL} Settings"
850 | ScriptLogging " ************************************************** "
851 | ScriptLogging " $(date +%Y-%m-%d\ %H:%M:%S)"
852 |
853 | if [[ ${CISLEVEL} = "1" ]] || [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
854 | ScriptLogging " "
855 | else
856 | ScriptLogging " OH NO! You picked a CIS Level that doesn't exist. Maybe try again?"
857 | exit 1;
858 | fi
859 |
860 | # comment out sections you do not want to run.
861 | softwareUpdates
862 | systemPreferences
863 | loggingAndAuditing
864 | networkConfigurations
865 | systemAccess
866 | userEnvironment
867 |
868 | ScriptLogging " "
869 | ScriptLogging " CIS Level ${CISLEVEL} Settings Finished! Time to restart..."
870 | ScriptLogging " ************************************************** "
871 | ScriptLogging " $(date +%Y-%m-%d\ %H:%M:%S)"
872 |
873 | #cleanAndReboot
874 | }
875 |
876 | ScriptLogging() {
877 | # ScriptLogging
878 | # Dumps to system.log with prefix "CIS_SETTINGS"
879 | logger -t CIS_SETTINGS "$@"; echo "$@";
880 | }
881 |
882 | user_template() {
883 | # Usage: user_template domain key action action action action action
884 | # Ex: user_template com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Airport.menu"
885 |
886 | local PREFERENCE_DOMAIN=$1
887 | local PREFERENCE_KEY=$2
888 | shift 2; local PREFERENCE_ARGS=("$@") # quoted so a value containing spaces (e.g. "Menu Extras/Airport.menu") stays one argument
889 |
890 | # Set for user template
891 | for USER_TEMPLATE in "/System/Library/User Template"/*
892 | do
893 | /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/"${PREFERENCE_DOMAIN}" "${PREFERENCE_KEY}" "${PREFERENCE_ARGS[@]}"
894 | done
895 |
896 | # Set for already created users
897 | for USER_HOME in /Users/*
898 | do
899 | USER_UID=$(basename "${USER_HOME}")
900 | if [ ! "${USER_UID}" = "Shared" ]; then
901 | if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
902 | /bin/mkdir -p "${USER_HOME}"/Library/Preferences
903 | /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library
904 | /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
905 | fi
906 | if [ -d "${USER_HOME}"/Library/Preferences ]; then
907 | /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/"${PREFERENCE_DOMAIN}" "${PREFERENCE_KEY}" "${PREFERENCE_ARGS[@]}"
908 | fi
909 | fi
910 | done
911 | }
912 |
913 | # Set up args for level selection
914 | CISLEVEL=""
915 | while [[ $# -gt 1 ]]
916 | do
917 | key="$1"
918 |
919 | case $key in
920 | -l|--level)
921 | CISLEVEL="$2"
922 | shift # past argument
923 | ;;
924 | --default)
925 | DEFAULT=YES
926 | ;;
927 | *)
928 | # unknown option
929 | ;;
930 | esac
931 | shift # past argument or value
932 | done
933 |
934 | if [[ ${CISLEVEL} = "" ]]; then
935 | CISLEVEL="1" # Make sure this is a string, not an integer.
936 | fi
937 | # Run mainScript
938 | mainScript
939 |
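The logging sections of the script above (3.1.1 to 3.1.3 and 3.5 rewrite asl rules with `sed`, 3.3 rewrites `/etc/security/audit_control`) only remediate; nothing reads the file back to confirm that the retention or the audit flags are actually in place, and a `sed` pattern that does not match the line as written on the host silently changes nothing. The helpers below are an added example, not part of ElCapitan_CIS.sh or of the CIS benchmark material, that audit those settings from the file text. The file path is a parameter and the block runs here against constructed sample files, so it can be exercised on any system; the function names (`asl_ttl_ok`, `audit_flags_ok`, `audit_expire_ok`, `report`) are this example's own.

```shell
#!/bin/bash
# Added audit helpers (example code, not from ElCapitan_CIS.sh). They inspect the
# same files the script edits: asl rule files for 3.1.x/3.5 and audit_control
# for 3.3, and report whether the setting is already compliant.

# asl_ttl_ok FILE LOGNAME MINDAYS
# Returns 0 if a non-comment asl rule naming LOGNAME carries ttl= of at least
# MINDAYS, 1 otherwise (no rule, no ttl=, or ttl too short).
asl_ttl_ok() {
    local file="$1" logname="$2" mindays="$3" re ttl
    re=$(printf '%s' "$logname" | sed 's/\./\\./g')      # match dots literally
    ttl=$(grep -Ev '^[[:space:]]*#' "$file" \
          | grep -E "(^|[[:space:]/])${re}([[:space:]]|\$)" \
          | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$ttl" ] && [ "$ttl" -ge "$mindays" ]; then
        return 0
    fi
    return 1
}

# audit_flags_ok FILE FLAG...
# Returns 0 if the 'flags:' line in FILE (comma-separated audit classes)
# contains every FLAG given, 1 if the line is missing or any flag is absent.
audit_flags_ok() {
    local file="$1" flags f
    shift
    flags=$(sed -n 's/^flags:[[:space:]]*//p' "$file" | head -n 1 | tr -d ' \t')
    [ -n "$flags" ] || return 1
    for f in "$@"; do
        case ",${flags}," in
            *",${f},"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_expire_ok FILE
# Returns 0 if 'expire-after:' carries a non-empty value, 1 otherwise.
audit_expire_ok() {
    local value
    value=$(sed -n 's/^expire-after:[[:space:]]*//p' "$1" | head -n 1)
    if [ -n "$value" ]; then
        return 0
    fi
    return 1
}

# report LABEL CHECK ARGS... : prints PASS/FAIL for one check.
report() {
    local label="$1"
    shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Constructed sample files standing in for /etc/asl.conf and
# /etc/security/audit_control; system.log deliberately has a short ttl and
# the flags line lacks 'aa' so both kinds of failure are visible.
SAMPLE_ASL=$(mktemp)
cat > "$SAMPLE_ASL" <<'EOF'
# constructed asl.conf sample
> system.log mode=640 format=bsd rotate=seq ttl=7
? [= Facility com.apple.alf.logging] file appfirewall.log rotate=seq ttl=90
EOF

SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
# constructed audit_control sample
dir:/var/audit
flags:lo,ad
minfree:5
expire-after:
EOF

report "system.log retained 90+ days"      asl_ttl_ok "$SAMPLE_ASL" system.log 90
report "appfirewall.log retained 90+ days" asl_ttl_ok "$SAMPLE_ASL" appfirewall.log 90
report "audit flags include ad,aa,lo"      audit_flags_ok "$SAMPLE_AUDIT" ad aa lo
report "audit expire-after set"            audit_expire_ok "$SAMPLE_AUDIT"
rm -f "$SAMPLE_ASL" "$SAMPLE_AUDIT"
```

On a host, pass the real paths (`/etc/asl.conf`, `/etc/asl/com.apple.authd`, `/etc/asl/com.apple.install`, `/etc/security/audit_control`) and run the checks before and after the script's `sed` lines; a FAIL after remediation means the pattern did not match the line as present on that system, which is the case the script's unconditional rewrites cannot report.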
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2014-2016 Kris Payne
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/Mavericks_CIS.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | ########################################################################
3 | # CIS Level 1 Benchmark Settings
4 | # for 10.9
5 | # Kris Payne
6 | ########################################################################
7 |
8 | echo Starting...
9 |
10 | ########################################################################
11 | ### SUDO UP, MF
12 | ########################################################################
13 | sudo -v
14 |
15 | # Keep-alive: update existing `sudo` time stamp until `109CIS.sh` has finished
16 | while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &
17 |
18 | ########################################################################
19 | ### 1 Install Updates, Patches and Additional Security Software
20 | ########################################################################
21 | echo 1 Software Updates
22 | #sleep 3
23 |
24 | # Auto update is mandated in Level 1, however we set this in a Casper policy to limit bandwidth during critical hours
25 | # SWU server points internally via policy. Updates are then controlled at the server level
26 |
27 | # 1.1 Verify all application software is current (Scored)
28 | sudo softwareupdate -i -a -v
29 | # Benchmark audit: `softwareupdate -l`
30 |
31 | ########################################################################
32 | ### 2 System Preferences
33 | ########################################################################
34 | echo 2 System Preferences
35 | #sleep 3
36 |
37 | # 2.1.1 Disable Bluetooth, if no paired devices exist (Scored)
38 | # sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
39 |
40 | # 2.1.2 Disable Bluetooth "Discoverable" mode when not pairing devices (Scored)
41 |
42 | # 2.1.3 Show Bluetooth status in menu bar (Scored)
43 | # sudo defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"
44 |
45 | # 2.2.1 Enable "Set time and date automatically" (Scored)
46 | # sudo systemsetup -setnetworktimeserver time.apple.com
47 | # sudo systemsetup -setusingnetworktime on
48 |
49 | # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Scored)
50 | # Set for 10 minutes in our environment
51 | # defaults -currentHost write com.apple.screensaver idleTime 600
52 |
53 | # 2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Not Scored)
54 | sudo pmset -a displaysleep 15 sleep 15
55 |
56 | # 2.4.1 Disable Remote Apple Events (Scored)
57 | sudo systemsetup -setremoteappleevents off
58 |
59 | # 2.4.2 Disable Internet Sharing (Scored)
60 | # Handled in netShareOff.sh
61 |
62 | # 2.4.3 Disable Screen Sharing (Scored)
63 | # Screen sharing controlled by Remote Management
64 |
65 | # 2.4.4 Disable Printer Sharing (Scored)
66 | cupsctl --no-share-printers
67 |
68 | # 2.4.5 Disable Remote Login (Scored)
69 | # Controlled at Firewall
70 |
71 | # 2.4.6 Disable DVD or CD Sharing (Scored)
72 |
73 | # 2.4.8 Disable File Sharing (Scored)
74 | # Handled in netShareOff.sh
75 |
76 | # 2.4.9 Disable Remote Management (Scored)
77 | # Remote Management is used in our environment
78 |
79 | # 2.6.1 Enable FileVault (Scored)
80 | # We do not use FileVault in our environment
81 |
82 | # 2.6.1 Enable Gatekeeper (Scored)
83 | sudo spctl --master-enable
84 |
85 | # 2.6.2 Enable Firewall (Scored)
86 | sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
87 |
88 | # 2.7 Pair the remote control infrared receiver if enabled (Scored)
89 |
90 | # 2.8 Enable Secure Keyboard Entry in terminal.app (Scored)
91 | defaults write -app Terminal SecureKeyboardEntry 1
92 |
93 | # 2.11 Configure Secure Empty Trash (Scored) (Level 2)
94 | # defaults write ~/Library/Preferences/com.apple.finder EmptyTrashSecurely 1
95 |
96 | ########################################################################
97 | ### 3 Logging and Auditing
98 | ########################################################################
99 | echo 3 Logging and Auditing
100 |
101 | # 3.1.2 Retain system.log for 90 or more days (Scored)
102 | # 3.1.3 Retain appfirewall.log for 90 or more days (Scored)
103 | # 3.1.4 Retain authd.log for 90 or more days (Scored)
104 | # Set via script
105 |
106 | # 3.2 Enable security auditing (Scored)
107 | #sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
108 |
109 | # 3.3 Configure Security Auditing Flags (Scored)
110 | # Set via script
111 |
112 | # 3.4 Retain install.log for 365 or more days (Scored)
113 | # Set via script
114 |
115 | ########################################################################
116 | ### 4 Network Configurations
117 | ########################################################################
118 | echo 4 Network Configurations
119 |
120 | # 4.2 Enable "Show Wi-Fi status in menu bar" (Scored)
121 | # Set via script
122 |
123 | ########################################################################
124 | ### 5 System Access, Authentication and Authorization
125 | ########################################################################
126 | echo 5 System Access, Authentication and Authorization
127 |
128 | # 5.1.1 Secure Home Folders (Scored)
129 | # Set via script: foreach $user sudo chmod -R og-rwx /Users/$user
130 |
131 | # 5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions (Not Scored)
132 | # Set via policy in Casper
133 |
134 | # 5.1.3 Check System Wide Applications for appropriate permissions (Scored)
135 |
136 | # 5.1.4 Check System folder for world writable files (Scored)
137 |
138 | # 5.1.5 Check Library folder for world writable files (Scored)
139 |
140 | # 5.2 Reduce the sudo timeout period (Scored)
141 | # Set via script
142 |
143 | # 5.3 Automatically lock the login keychain after 15 minutes of inactivity and when sleeping (Scored)
144 |
145 | # 5.4 Do not enable the "root" account (Scored)
146 |
147 | # 5.5 Disable automatic login (Scored)
148 | #sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
149 |
150 | # 5.6 Require a password to wake the computer from sleep or screen saver (Scored)
151 | # defaults write com.apple.screensaver askForPassword -int 1
152 |
153 | # 5.7 Require an administrator password to access system-wide preferences (Not Scored)
154 |
155 | # 5.8 Disable ability to login to another user's active and locked session (Scored)
156 |
157 | # 5.9 Complex passwords must contain an Alphabetic Character (Scored)
158 | # 5.10 Complex passwords must contain a Numeric Character (Scored)
159 | # 5.11 Complex passwords must contain a Symbolic Character (Scored)
160 | # 5.12 Set a minimum password length (Scored)
161 | # 5.13 Configure account lockout threshold (Scored)
162 | # Password policy is set via Active Directory
163 |
164 | # 5.14 Create an access warning for the login window (Scored)
165 | # sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This system is reserved for authorized use only. The use of this system may be monitored."
166 |
167 | ########################################################################
168 | ### 6 User Accounts and Environment
169 | ########################################################################
170 | echo 6 User Accounts and Environment
171 |
172 | # 6.1.1 Display login window as name and password (Scored)
173 | # sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes
174 |
175 | # 6.1.2 Disable "Show password hints" (Scored)
176 | # sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
177 |
178 | # 6.1.3 Disable guest account login (Scored)
179 | # sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
180 |
181 | # 6.1.4 Disable "Allow guests to connect to shared folders" (Scored)
182 | # sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no
183 | # sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no
184 |
185 | # 6.2 Turn on filename extensions (Scored)
186 | defaults write NSGlobalDomain AppleShowAllExtensions -bool true
187 |
188 | # 6.3 Disable the automatic run of safe files in Safari (Scored)
189 | defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no
190 |
191 | ########################################################################
192 | ### 7 Additional Considerations
193 | ########################################################################
194 |
195 | echo Finished!
196 |
197 | ########################################################################
198 | ### The Restarts
199 | ########################################################################
200 |
201 | sudo killall Finder
202 | sudo killall SystemUIServer
203 | sudo killall -HUP blued
204 | #sudo shutdown -r now
205 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | CIS Settings
2 | ========
3 |
4 | ## CIS settings for Mac (~~10.9~~, 10.10, and 10.11)
5 |
6 | As of Oct 2017, I am attempting to migrate all of these settings to Config Profiles, rather than Bash or Python. These settings should be configurable via MDM and not set once and forget it. Setting via Bash is inevitably insecure, as anyone with Google can figure out how to change the settings back to whatever they want. Config profiles via MDM at least require considerable effort to remove.
7 |
8 | This is an attempt at checking off the list for auditing and remediating CIS Level 1 settings on an OS X installation. Some Level 2 sections are implemented as well, as they make sense in the two environments this has been used in. All Level 2 Scored coming soon. For now, the script defaults to Level 1.
9 |
10 | There are some elements of Level 2 that I consider to be important. These elements have been deemed Level 1.5 by me. You can now select `[-l|--level] [1, 1.5, 2]` when running the script. Defaults to Level 1.
11 | - Level 1 attempts to include all Scored recommendations from the benchmark
12 | - Level 1.5 includes all from Level 1, plus additional considerations from Level 2.
13 | - Level 2 includes all from Level 1, plus attempts to include all Scored Level 2 recommendations.
14 |
15 | **Use at your own risk, please. There may be dragons.** Certain aspects of this script can completely hose a perfectly good system. **Test in your own environment on non-production equipment!**
16 |
17 | - 10.9 Mavericks file is mostly here just for posterity. Based off 1.0 benchmarks. *Please don't use.*
18 | - 10.10 Yosemite is based off 1.2.0 benchmarks.
19 | - 10.11 El Capitan is based off 1.1.0 benchmarks.
20 |
21 | The benchmarks are available at the [Center for Internet Security](https://benchmarks.cisecurity.org/)
22 |
23 | ### Usage
24 |
25 | To use this script on an already online and available system, download the appropriate `benchmark.sh` file and then `chmod +x` then run it `./benchmark.sh [-l|--level] [1, 1.5, 2]`
26 |
27 | The preferred method of running this is during a first boot after imaging. This has been tested with Casper v9+.
28 |
--------------------------------------------------------------------------------
/Yosemite_CIS.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | ########################################################################
3 | # CIS Level 1 Benchmark Settings 1.2.0
4 | # Yosemite (10.10)
5 | # Kris Payne
6 | #
7 | # Run as root
8 | # Usage: scriptname.sh [-l|--level] [1,2,1.5]
9 | # 1 = All Scored Level 1 benchmarks (default)
10 | # 2 = All Scored Level 1 and 2 benchmarks (coming someday)
11 | # 1.5 = All Scored Level 1 benchmarks with sensible secure recommendations as well as some Level 2
12 | ########################################################################
13 |
14 | softwareUpdates() {
15 | # 1 Install Updates, Patches and Additional Security Software
16 | ScriptLogging "1 Install Updates, Patches, and Additional Security Software"
17 |
18 | # 1.1 Verify all Apple provided software is current
19 | # Level 1 Scored
20 | ScriptLogging "Checking for software updates from Apple..."
21 | local SoftwareUpdateCommand
22 | SoftwareUpdateCommand="$(/usr/sbin/softwareupdate -l | wc -l)"
23 | if [[ ${SoftwareUpdateCommand} -eq 4 ]]; then
24 | ScriptLogging " All available software updates have been installed."
25 | else
26 | ScriptLogging " Installing Software Updates."
27 | /usr/sbin/softwareupdate -i -a
28 | ScriptLogging " All available software updates have been installed."
29 | fi
30 |
31 | # 1.2 Enable Auto Update
32 | # Level 1 Scored
33 | local AutoSoftwareUpdateCheck
34 | AutoSoftwareUpdateCheck="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled)"
35 | if [[ ${AutoSoftwareUpdateCheck} = "1" ]]; then
36 | ScriptLogging " Automatic Update Check enabled."
37 | else
38 | ScriptLogging " Automatic Update Check NOT enabled. Enabling..."
39 | /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool TRUE
40 | /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool TRUE
41 | /usr/sbin/softwareupdate --schedule on
42 | ScriptLogging " Automatic Update Check enabled."
43 | fi
44 |
45 | # 1.3 Enable app update installs
46 | # Level 1 Scored
47 | local AppAutoUpdate
48 | AppAutoUpdate="$(/usr/bin/defaults read /Library/Preferences/com.apple.commerce AutoUpdate)"
49 | if [[ ${AppAutoUpdate} = "1" ]]; then
50 | ScriptLogging " Auto Update Apps enabled."
51 | else
52 | ScriptLogging " Auto Update Apps NOT enabled. Enabling..."
53 | /usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool TRUE
54 | ScriptLogging " Auto Update Apps enabled."
55 | fi
56 |
57 | # 1.4 Enable system data files and security update installs
58 | # Level 1 Scored
59 | local ConfigDataInstall
60 | local CriticalUpdateInstall
61 | ConfigDataInstall="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep "ConfigDataInstall" | awk '{ print $3 }')"
62 | CriticalUpdateInstall="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep "CriticalUpdateInstall" | awk '{ print $3 }')"
63 |
64 | if [[ ${ConfigDataInstall} = "1;" ]]; then
65 | ScriptLogging " Configuration Data updates enabled."
66 | else
67 | ScriptLogging " Configuration Data updates NOT enabled. Enabling..."
68 | /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool TRUE
69 | ScriptLogging " Configuration Data updates enabled."
70 | fi
71 |
72 | if [[ ${CriticalUpdateInstall} = "1;" ]]; then
73 | ScriptLogging " Critical security updates enabled."
74 | else
75 | ScriptLogging " Critical security updates NOT enabled. Enabling..."
76 | /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool TRUE
77 | ScriptLogging " Critical security updates enabled."
78 | fi
79 |
80 | # 1.5 Enable OS X update installs
81 | # Level 1 Scored
82 | local AutoRestartReq
83 | AutoRestartReq="$(/usr/bin/defaults read /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired)"
84 | if [[ ${AutoRestartReq} = "1" ]]; then
85 | ScriptLogging " OS X Auto Updates enabled."
86 | else
87 | ScriptLogging " OS X Auto Updates NOT enabled. Enabling..."
88 | /usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired -bool TRUE
89 | ScriptLogging " OS X Auto Updates enabled."
90 | fi
91 | }
92 |
93 | systemPreferences() {
94 | # 2 System Preferences
95 | ScriptLogging "2 System Preferences"
96 |
97 | # 2.1 Bluetooth
98 | # 2.1.1 Turn off Bluetooth, if no paired devices exist
99 | # Level 1 Scored
100 | # system_profiler writes its warnings to stderr (the two lines below were captured during testing; Server.app may be
101 | # the cause), so stderr is suppressed on system_profiler itself rather than on awk, and only the Bluetooth data type is queried.
102 | # 2016-06-22 12:54:21.315 system_profiler[77638:1038574] httpdEnabled is deprecated !!
103 | # 2016-06-22 12:54:30.842 system_profiler[77675:1038866] __agent_connection_block_invoke_2: Connection error - Connection invalid
104 | # The paired-device audit counts "Connectable ... Yes" lines, so it also copes with more than one paired device.
105 |
106 | local BTControllerPowerState
107 | BTControllerPowerState="$(/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState)"
108 | local BTSysPaired
109 | BTSysPaired="$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | grep Connectable | grep -c Yes)"
110 | if [[ ${BTControllerPowerState} = "0" ]]; then
111 | ScriptLogging " Bluetooth is powered off."
112 | elif [[ ${BTControllerPowerState} = "1" ]]; then
113 | ScriptLogging " Bluetooth is powered on. Searching for paired devices..."
114 | if [[ ${BTSysPaired} -ge 1 ]]; then
115 | ScriptLogging " Bluetooth has found a paired device."
116 | else
117 | ScriptLogging " Bluetooth has NOT found a paired device. Turning off Bluetooth..."
118 | /usr/bin/defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
119 | ScriptLogging " Bluetooth is powered off."
120 | fi
121 | fi
122 |
123 | # 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices
124 | # Level 1 Scored
125 | # Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference
126 | # is selected. To ensure that the computer is not Discoverable do not leave that preference open.
127 |
128 | if [[ "$(/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable | awk '{ print $2 }')" = "Off" ]]; then
129 | ScriptLogging " Bluetooth is not discoverable."
130 | else
131 | ScriptLogging " Bluetooth is discoverable, please close System Preferences."
132 | fi
133 |
134 | # 2.1.3 Show Bluetooth status in menu bar
135 | # Level 1 Scored
136 | # Audit counts the Bluetooth.menu entry; 'defaults read' prints array items quoted and comma-terminated, so an exact match on the path would never succeed.
137 |
138 | local BluetoothMenuStatus
139 | BluetoothMenuStatus="$(/usr/bin/defaults read com.apple.systemuiserver menuExtras 2>/dev/null | grep -c "Bluetooth.menu")"
140 | if [[ ${BluetoothMenuStatus} -ge 1 ]]; then
141 | ScriptLogging " Bluetooth shown in menu bar."
142 | else
143 | ScriptLogging " Bluetooth Not shown in menu bar. Enabling..."
144 | user_template com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"
145 | ScriptLogging " Bluetooth shown in menu bar."
146 | fi
147 |
148 | # 2.2 Date & Time
149 | # 2.2.1 Enable "Set time and date automatically"
150 | # Level 2 Not Scored, Level 1.5 Not Scored
151 | if [[ ${CISLEVEL} = "1.5" ]]; then
152 | if [[ "$(/usr/sbin/systemsetup -getusingnetworktime | awk '{ print $3 }')" = "On" ]]; then
153 | ScriptLogging " NetworkTime on. Ensuring server is time.apple.com."
154 |
155 | if [[ "$(/usr/sbin/systemsetup -getnetworktimeserver | awk '{ print $4 }')" = "time.apple.com" ]]; then
156 | ScriptLogging " NetworkTime is on and set to time.apple.com."
157 | else ScriptLogging " NetworkTime server is NOT time.apple.com. Setting..."; /usr/sbin/systemsetup -setnetworktimeserver time.apple.com; fi
158 | else
159 | if [[ ! -e /etc/ntp.conf ]]; then
160 | ScriptLogging " Create '/etc/ntp.conf'"
161 | /usr/bin/touch /etc/ntp.conf
162 | fi
163 | ScriptLogging " Set NetworkTime to time.apple.com."
164 | /usr/sbin/systemsetup -setnetworktimeserver time.apple.com
165 | ScriptLogging " Ensure NetworkTime is on."
166 | /usr/sbin/systemsetup -setusingnetworktime on
167 | fi
168 | fi
169 |
170 | # 2.2.2 Ensure time set is within appropriate limits
171 | # Level 1 Scored
172 | ScriptLogging " Checking time.apple.com skew..."
173 | /usr/sbin/ntpdate -sv time.apple.com
174 |
175 | # 2.3 Desktop & Screen Saver
176 | # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver
177 | # Level 1 Scored
178 | # User configuration profiles are more useful here.
179 | # Make sure what is set in the config profile is less than section 2.3.3
180 | # This will also set this as root, not the actual user.
181 | # Could do User Template like as in 2.3.2, however this has not been tested.
182 | #/usr/bin/defaults -currentHost write com.apple.screensaver idleTime 600
183 |
184 | # 2.3.2 Secure screen saver corners
185 | # Level 2 Scored, Level 1.5 Not Scored
186 | # Take a "clear-all" approach here, as 2.3.4 sets an active corner for enabling screensaver.
187 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]] || [[ ${CISLEVEL} = "1" ]]; then
188 | ScriptLogging " Setting all corners to '1'..."
189 | user_template com.apple.dock wvous-tl-corner 1
190 | user_template com.apple.dock wvous-tr-corner 1
191 | user_template com.apple.dock wvous-bl-corner 1
192 | user_template com.apple.dock wvous-br-corner 1
193 | fi
194 |
195 | # 2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver
196 | # Level 1 Not Scored, Level 1.5
197 | if [[ ${CISLEVEL} = "1.5" ]]; then
198 | ScriptLogging " Setting Display Sleep to 15 minutes..."
199 | /usr/bin/pmset -a displaysleep 15
200 | fi
201 |
202 | # 2.3.4 Set a screen corner to Start Screen Saver
203 | # Level 1 Scored
204 | ScriptLogging " Setting bottom right corner to enable screensaver..."
205 | user_template com.apple.dock wvous-br-corner 5
206 | user_template com.apple.dock wvous-br-modifier 0
207 |
208 | # 2.4 Sharing
209 | # 2.4.1 Disable Remote Apple Events
210 | # Level 1 Scored
211 | if [[ "$(/usr/sbin/systemsetup -getremoteappleevents | awk '{ print $4 }')" = "Off" ]]; then
212 | ScriptLogging " Remote Apple Events disabled."
213 | else
214 | ScriptLogging " Remote Apple Events NOT disabled. Disabling..."
215 | /usr/sbin/systemsetup -setremoteappleevents off
216 | ScriptLogging " Remote Apple Events disabled."
217 | fi
218 |
219 | # 2.4.2 Disable Internet Sharing
220 | # Level 1 Scored
221 |
222 | # Internet Sharing is off by default. Running these commands without checking
223 | # first will send the machine into a downward spiral of doom and despair.
224 | # It's your funeral if you uncomment. Left in for remediation/completeness sake.
225 |
226 | # if [[ ! -e "/Library/Preferences/SystemConfiguration/com.apple.nat" ]]; then
227 | # ScriptLogging " No 'com.apple.nat' file present. Internet Sharing Disabled."
228 | # else
229 | # ScriptLogging " 'com.apple.nat' file present. Internet Sharing Enabled. Disabling..."
230 | # /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
231 | # /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.InternetSharing.plist
232 | # ScriptLogging " Internet Sharing Disabled."
233 | # fi
234 |
235 | # 2.4.3 Disable Screen Sharing
236 | # Level 1 Scored
237 | local ScreenSharing
238 | ScreenSharing="$(/usr/bin/defaults read /System/Library/LaunchDaemons/com.apple.screensharing.plist | grep "Disabled" | awk '{ print $3 }')"
239 | if [[ ${ScreenSharing} = "1;" ]]; then
240 | ScriptLogging " Screen Sharing Disabled."
241 | else
242 | ScriptLogging " Screen Sharing Enabled. Disabling..."
243 | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
244 | ScriptLogging " Screen Sharing Disabled."
245 | fi
246 |
247 | # 2.4.4 Disable Printer Sharing
248 | # Level 1 Scored
249 | # No need to audit, just remediate.
250 | ScriptLogging " Disabling printer sharing..."
251 | /usr/sbin/cupsctl --no-share-printers
252 |
253 | # 2.4.5 Disable Remote Login
254 | # Level 1 Scored
255 | # Only open to administrator accounts. Best practice is for service accounts only.
256 | local RemoteLogin
257 | RemoteLogin="$(/usr/sbin/systemsetup -getremotelogin | awk '{ print $3 }')"
258 | if [[ ${RemoteLogin} = "Off" ]]; then
259 | ScriptLogging " Remote Login disabled."
260 | elif [[ ${RemoteLogin} = "administrator" ]]; then
261 | ScriptLogging " Remote Login enabled for Administrators. Consider removing if not needed."
262 | else
263 | ScriptLogging " Remote Login enabled. Disabling..."
264 | /usr/sbin/systemsetup -setremotelogin off
265 | ScriptLogging " Remote Login disabled."
266 | fi
267 |
268 | # 2.4.6 Disable DVD or CD Sharing
269 | # Level 1 Scored
270 | # Newer devices do not have Optical Drives
271 | # Audit tests for a non-empty match: 'launchctl list' prints text, so comparing it numerically was a syntax error.
272 | local OpticalSharingAudit
273 | OpticalSharingAudit="$(/bin/launchctl list | egrep ODSAgent)"
274 | if [[ -z "${OpticalSharingAudit}" ]]; then
275 | ScriptLogging " Optical Drive Sharing is disabled."
276 | else
277 | ScriptLogging " Optical Drive Sharing is NOT disabled. Disabling..."
278 | /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.ODSAgent.plist
279 | ScriptLogging " Optical Drive Sharing is disabled."
280 | fi
281 |
282 | # 2.4.7 Disable Bluetooth Sharing
283 | # Level 1 Scored
284 | #TODO: Test. New audit/remediation written.
285 |
286 | #local BTSharing
287 | #BTSharing="$(/usr/sbin/system_profiler SPBluetoothDataType | grep State)"
288 | #if [[ ${BTSharing} = "Disabled\nDisabled\nDisabled" ]]; then
289 | # ScriptLogging " Bluetooth Sharing disabled."
290 | #else
291 | # local hardwareUUID
292 | # hardwareUUID=$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | awk -F ": " '{print $2}')
293 | # ScriptLogging " Bluetooth Sharing disabling..."
294 | # for USER_HOME in /Users/*
295 | # do
296 | # USER_UID=$(basename "${USER_HOME}")
297 | # if [ ! "${USER_UID}" = "Shared" ]; then
298 | # if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
299 | # /bin/mkdir -p "${USER_HOME}"/Library/Preferences
300 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library
301 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
302 | # fi
303 | # if [ ! -d "${USER_HOME}"/Library/Preferences/ByHost ]; then
304 | # /bin/mkdir -p "${USER_HOME}"/Library/Preferences/ByHost
305 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library
306 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
307 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost
308 | # fi
309 | # if [ -d "${USER_HOME}"/Library/Preferences/ByHost ]; then
310 | # /usr/bin/defaults write "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist PrefKeyServicesEnabled -bool false
311 | # #/usr/libexec/PlistBuddy -c "Delete :PrefKeyServicesEnabled" "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist
312 | # #/usr/libexec/PlistBuddy -c "Add :PrefKeyServicesEnabled bool false" "$USER_HOME"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist
313 | # /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost/com.apple.Bluetooth.$hardwareUUID.plist
314 | # fi
315 | # fi
316 | # done
317 | #fi
318 |
319 | # 2.4.8 Disable File Sharing
320 | # Level 1 Scored
321 | # Audit tests for a non-empty match: 'launchctl list' prints text, so comparing it numerically was a syntax error.
322 |
323 | local AppleFileServerAudit
324 | AppleFileServerAudit="$(/bin/launchctl list | egrep AppleFileServer)"
325 | if [[ -z "${AppleFileServerAudit}" ]]; then
326 | ScriptLogging " AFP is disabled."
327 | else
328 | ScriptLogging " AFP is NOT disabled. Disabling..."
329 | /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
330 | ScriptLogging " AFP is disabled."
331 | fi
332 |
333 | local SMBAudit
334 | SMBAudit="$(/bin/launchctl list | egrep smbd)"
335 | if [[ -z "${SMBAudit}" ]]; then
336 | ScriptLogging " SMB is disabled."
337 | else
338 | ScriptLogging " SMB is NOT disabled. Disabling..."
339 | /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
340 | ScriptLogging " SMB is disabled."
341 | fi
342 |
343 | # 2.4.9 Disable Remote Management
344 | # Level 1 Scored
345 | # Audit tests for a non-empty match; the bracketed pattern keeps egrep from matching its own entry in the ps output.
346 |
347 | local ARDAgentAudit
348 | ARDAgentAudit="$(ps -ef | egrep "[A]RDAgent")"
349 | if [[ -z "${ARDAgentAudit}" ]]; then
350 | ScriptLogging " Remote Management is disabled."
351 | else
352 | ScriptLogging " Remote Management is NOT disabled. Disabling..."
353 | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
354 | ScriptLogging " Remote Management is disabled."
355 | fi
356 |
357 | # 2.5 Energy Saver
358 | # 2.5.1 Disable "Wake for network access"
359 | # Level 2 Scored, Level 1.5 Not Scored
360 | # Take a "clear-all" approach here
361 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
362 | ScriptLogging " Wake for network Access disabling."
363 | /usr/bin/pmset -a womp 0
364 | ScriptLogging " Wake for network Access disabled."
365 | fi
366 |
367 | # 2.5.2 Disable sleeping the computer when connected to power
368 | # Level 2 Scored, Level 1.5 Not Scored
369 | # Take a "clear-all" approach here
370 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
371 | ScriptLogging " Sleep when connected to power disabling."
372 | /usr/bin/pmset -c sleep 0
373 | ScriptLogging " Sleep when connected to power disabled."
374 | fi
375 |
376 | # 2.6 Security & Privacy
377 | # 2.6.1 Enable FileVault
378 | # Level 1 Scored
379 | # This should be handled by an MDM with personal/institutional keys.
380 | # audit is `diskutil cs list | grep -i encryption`
381 |
382 | # 2.6.2 Enable Gatekeeper
383 | # Level 1 Scored
384 | if [[ "$(/usr/sbin/spctl --status)" = "assessments disabled" ]]; then
385 | ScriptLogging " Gatekeeper is disabled. Enabling..."
386 | /usr/sbin/spctl --master-enable
387 | ScriptLogging " Gatekeeper is enabled."
388 | else
389 | ScriptLogging " Gatekeeper is enabled."
390 | fi
391 |
392 | # 2.6.3 Enable Firewall
393 | # Level 1 Scored
394 | local SysFirewall
395 | SysFirewall="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)"
396 | if [[ ${SysFirewall} -ge 1 ]]; then
397 | ScriptLogging " Firewall enabled."
398 | else
399 | ScriptLogging " Firewall NOT enabled. Enabling..."
400 | /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1
401 | ScriptLogging " Firewall enabled."
402 | fi
403 |
404 | # 2.6.4 Enable Firewall Stealth Mode
405 | # Level 1 Scored
406 | local SysFirewallStealth
407 | SysFirewallStealth="$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -ic "Stealth mode enabled")"
408 | if [[ ${SysFirewallStealth} -ge 1 ]]; then
409 | ScriptLogging " Firewall Stealth Mode enabled."
410 | else
411 | ScriptLogging " Firewall Stealth Mode NOT enabled. Enabling..."
412 | /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
413 | ScriptLogging " Firewall Stealth Mode enabled."
414 | fi
415 |
416 | # 2.6.5 Review Application Firewall Rules
417 | # Level 1 Scored
418 | local AppFirewall
419 | AppFirewall="$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep "ALF" | awk '{ print $7 }')"
420 | if [[ ${AppFirewall} -lt 10 ]]; then
421 | ScriptLogging " Application Firewall exception list is less than 10."
422 | else
423 | ScriptLogging "***** Application Firewall exception list is greater than 10, please investigate! *****"
424 | fi
425 |
426 | # 2.7 iCloud
427 | # This section has moved from Recommendations over to Subsections, however, no audit or remediation guidelines are given.
428 | # General thought (mine, not CIS) is that if you are Level 1, these can be left alone. Anything above (1.5+) should be audited,
429 | # Level 2 Not Scored
430 | # 2.7.1 iCloud configuration
431 | # 2.7.2 iCloud keychain
432 | # 2.7.3 iCloud Drive
433 |
434 | # 2.8 Pair the remote control infrared receiver if enabled
435 | # Level 1 Scored
436 | # Errors previously seen in STDOUT (the cause and the fix are noted after the log excerpt):
437 | #./Yosemite_CIS.sh: line 507: [[: Jun 22, 2016, 11:53:31 AM CIS_SETTINGS[74183]: No IR Receiver present.
438 | #Jun 22 11:53:31 kvoleon CIS_SETTINGS[74183]: No IR Receiver present.: syntax error in expression (error token is "22, 2016, 11:53:31 AM CIS_SETTINGS[74183]: No IR Receiver present.
439 | #Jun 22 11:53:31 kvoleon CIS_SETTINGS[74183]: No IR Receiver present.")
440 | #./Yosemite_CIS.sh: line 509: [[: Jun 22, 2016, 11:53:31 AM CIS_SETTINGS[74183]: No IR Receiver present.
441 | #Jun 22 11:53:31 kvoleon CIS_SETTINGS[74183]: No IR Receiver present.: syntax error in expression (error token is "22, 2016, 11:53:31 AM CIS_SETTINGS[74183]: No IR Receiver present.
442 | #Jun 22 11:53:31 kvoleon CIS_SETTINGS[74183]: No IR Receiver present.")
443 |
444 | # Those errors came from matching this script's own system.log entries in the full system_profiler output and then
445 | # comparing that text numerically. The audit now queries only the USB device list (the built-in receiver enumerates there) and counts matches.
446 |
447 | local SysProfIRReciever
448 | SysProfIRReciever="$(/usr/sbin/system_profiler SPUSBDataType 2>/dev/null | egrep -c "IR Receiver")"
449 | local AppleIRController
450 | AppleIRController="$(/usr/bin/defaults read /Library/Preferences/com.apple.driver.AppleIRController 2>/dev/null | grep "DeviceEnabled" | awk '{ print $3 }')"
451 | if [[ ${SysProfIRReciever} -eq 0 ]]; then
452 | ScriptLogging " No IR Receiver present."
453 | elif [[ ${SysProfIRReciever} -gt 0 ]]; then
454 | ScriptLogging " IR Receiver present. Checking status..."
455 | if [[ ${AppleIRController} = "0;" ]]; then
456 | ScriptLogging " IR Receiver disabled."
457 | else
458 | ScriptLogging " IR Receiver enabled. Disabling..."
459 | /usr/bin/defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -int 0
460 | ScriptLogging " IR Receiver disabled."
461 | fi
462 | fi
463 |
464 | # 2.9 Enable Secure Keyboard Entry in terminal.app
465 | # Level 1 Scored
466 | # Let's not audit, let's just force it.
467 | ScriptLogging " Enabling secure text entry in Terminal.app..."
468 | user_template com.apple.Terminal.plist SecureKeyboardEntry 1
469 |
470 | # 2.10 Java 6 is not the default Java runtime
471 | # Level 2 Scored
472 | # Java is the devil, installing it means you're a bad person.
473 |
474 | # 2.11 Configure Secure Empty Trash
475 | # Level 2 Scored, Level 1.5 Not Scored
476 | # Can be secured more appropriately with a configuration profile.
477 | # Issues with config profile, especially if they are not user removable, in the event that a large file has been
478 | # trashed, productivity can be hindered when emptying the trash. (only speaking from experience.) Gather requirements!
479 | # If configured here through the script, the user can easily enable/disable at will in Finder Preferences.
480 |
481 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
482 | ScriptLogging " Enabling Secure Empty Trash..."
483 | user_template com.apple.finder EmptyTrashSecurely 1
484 | ScriptLogging " Secure Empty Trash enabled."
485 | fi
486 | }
487 |
488 | loggingAndAuditing() {
489 | # 3 Logging and Auditing
490 | ScriptLogging "3 Logging and Auditing"
491 |
492 | # 3.1 Configure asl.conf
493 | # 3.1.1 Retain system.log for 90 or more days
494 | # Level 1 Scored
495 | # Contributed by John Oliver on CIS forums
496 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
497 | ScriptLogging " Setting system.log to be kept for 90 Days..."
498 | /usr/bin/sed -i.bak 's/^>\ system\.log.*/>\ system\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl.conf
499 |
500 | # 3.1.2 Retain appfirewall.log for 90 or more days
501 | # Level 1 Scored
502 | # Contributed by John Oliver on CIS forums
503 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
504 | ScriptLogging " Setting appfirewall.log to be kept for 90 Days..."
505 | /usr/bin/sed -i.bak 's/^\?\ \[=\ Facility\ com.apple.alf.logging\]\ .*/\?\ \[=\ Facility\ com.apple.alf.logging\]\ file\ appfirewall.log\ rotate=seq\ ttl=90/' /etc/asl.conf
506 |
507 | # 3.1.3 Retain authd.log for 90 or more days
508 | # Level 1 Scored
509 | # Contributed by John Oliver on CIS forums
510 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
511 | ScriptLogging " Setting authd.log to be kept for 90 Days..."
512 | /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/authd\.log.*/\*\ file\ \/var\/log\/authd\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl/com.apple.authd
513 |
514 | # 3.2 Enable security auditing
515 | # Level 1 Scored
516 | local AuditD
517 | AuditD="$(/bin/launchctl list | grep -i auditd | awk '{ print $3 }')"
518 | if [[ ${AuditD} = "com.apple.auditd" ]]; then
519 | ScriptLogging " Security Auditing enabled."
520 | else
521 | ScriptLogging " Security Auditing NOT enabled."
522 | /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
523 | ScriptLogging " Security Auditing enabled."
524 | fi
525 |
526 | # 3.3 Configure Security Auditing Flags
527 | # Level 2 Scored, Level 1.5 Not Scored
528 | # Contributed by John Oliver on CIS forums
529 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
530 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
531 | /usr/bin/sed -i '' 's/^flags:.*/flags:ad,aa,lo/' /etc/security/audit_control
532 | /usr/bin/sed -i '' 's/^expire-after:.*/expire-after:90d\ AND\ 1G/' /etc/security/audit_control
533 | fi
534 |
535 | # 3.4 Enable remote logging for Desktops on trusted networks
536 | # Level 2 Not Scored
537 | # Audit procedure is not listed. Seems nearly impossible to audit this in an automated general way.
538 |
539 | # 3.5 Retain install.log for 365 or more days
540 | # Level 1 Scored
541 | # Contributed by John Oliver on CIS forums
542 | # https://community.cisecurity.org/collab/public/index.php?path_info=projects%2F28%2Fcomments%2F15292
543 | ScriptLogging " Setting install.log to be kept for 365 Days..."
544 | /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/install\.log.*/\*\ file\ \/var\/log\/install\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=365/' /etc/asl/com.apple.install
545 | }
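Added example, not part of this script or of the CIS benchmark: a verification helper for the asl retention lines that 3.1.1, 3.1.2, 3.1.3 and 3.5 rewrite with sed. It parses the `ttl=` option actually present in each line and reports PASS/FAIL against the benchmark minimum, so a run can confirm the substitution matched instead of assuming it did. The sample config files are constructed; the live paths (`/etc/asl.conf`, `/etc/asl/com.apple.authd`, `/etc/asl/com.apple.install`) are the ones the script edits.

```shell
#!/bin/sh
# Added example, not part of the CIS script or benchmark: verify the asl
# retention values that sections 3.1.1, 3.1.2, 3.1.3 and 3.5 set with sed.

# asl_ttl FILE PATTERN: print the ttl= value (days) from the first line of FILE
# matching extended regex PATTERN; print 0 if no line matches or it has no ttl=.
asl_ttl() {
  local file="$1" pattern="$2" line ttl
  line="$(grep -E "$pattern" "$file" 2>/dev/null | head -n 1)"
  ttl="$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]ttl=\([0-9][0-9]*\).*/\1/p')"
  printf '%s\n' "${ttl:-0}"
}

# asl_retention_ok FILE PATTERN MIN_DAYS: succeed when the matched line keeps
# the log for at least MIN_DAYS.
asl_retention_ok() {
  [ "$(asl_ttl "$1" "$2")" -ge "$3" ]
}

# audit_asl_retention ASL_CONF AUTHD_CONF INSTALL_CONF
# Prints one PASS/FAIL line per benchmark item and returns the number of
# failures. Live files on a system: /etc/asl.conf /etc/asl/com.apple.authd
# /etc/asl/com.apple.install
audit_asl_retention() {
  local asl_conf="$1" authd_conf="$2" install_conf="$3" fails=0
  local item which pattern min file ttl
  while IFS='|' read -r item which pattern min; do
    case "$which" in
      asl)     file="$asl_conf" ;;
      authd)   file="$authd_conf" ;;
      install) file="$install_conf" ;;
    esac
    ttl="$(asl_ttl "$file" "$pattern")"
    if [ "$ttl" -ge "$min" ]; then
      echo "PASS $item: ttl=$ttl (>= $min days)"
    else
      echo "FAIL $item: ttl=$ttl (< $min days)"
      fails=$((fails + 1))
    fi
  done <<'EOF'
3.1.1|asl|^> system\.log|90
3.1.2|asl|^\? \[= Facility com\.apple\.alf\.logging\]|90
3.1.3|authd|^\* file /var/log/authd\.log|90
3.5|install|^\* file /var/log/install\.log|365
EOF
  return "$fails"
}

# make_sample_asl DIR: write constructed copies of the three files into DIR.
# Two of the four lines are deliberately below the benchmark minimum.
make_sample_asl() {
  local dir="$1"
  printf '%s\n' \
    '# constructed sample of /etc/asl.conf' \
    '> system.log mode=640 format=bsd rotate=seq ttl=7' \
    '? [= Facility com.apple.alf.logging] file appfirewall.log rotate=seq ttl=90' \
    > "$dir/asl.conf"
  printf '%s\n' '* file /var/log/authd.log mode=640 format=bsd rotate=seq ttl=90' \
    > "$dir/com.apple.authd"
  printf '%s\n' '* file /var/log/install.log mode=640 format=bsd rotate=seq' \
    > "$dir/com.apple.install"
}

# Stand-alone run against the constructed sample: ./asl_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp -d)"
  make_sample_asl "$tmp"
  audit_asl_retention "$tmp/asl.conf" "$tmp/com.apple.authd" "$tmp/com.apple.install"
  echo "failures: $?"
  rm -r "$tmp"
fi
```

On a live system the same call with the three /etc paths gives a post-remediation check for the sed lines above.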
546 |
547 | networkConfigurations() {
548 | # 4 Network Configurations
549 | ScriptLogging "4 Network Configurations"
550 |
551 | # 4.1 Disable Bonjour advertising service
552 | # Level 2 Scored, Level 1.5 Not Scored
553 | #TODO: Test. New audit/remediation written.
554 |
555 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
556 | local checkBonjourAdvertising
557 | checkBonjourAdvertising="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)"
558 | if [ "$checkBonjourAdvertising" = "1" ] || [ "$checkBonjourAdvertising" = "2" ]; then
559 | ScriptLogging " Bonjour Advertising is disabled."
560 | else
561 | ScriptLogging " Bonjour Advertising is enabled. Disabling..."
562 | /usr/bin/defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguments -array-add "-NoMulticastAdvertisements"
563 | ScriptLogging " Bonjour Advertising is disabled."
564 | fi
565 | fi
566 |
567 | # 4.2 Enable "Show Wi-Fi status in menu bar"
568 | # Level 1 Scored
569 | ScriptLogging " Ensuring Wi-Fi is shown in MenuBar..."
570 | user_template com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Airport.menu"
571 | ScriptLogging " Wi-Fi is shown in MenuBar."
572 |
573 | # 4.3 Create network specific locations
574 | # Level 2 Not Scored
575 | # TODO
576 |
577 | # 4.4 Ensure http server is not running
578 | # Level 1 Scored
579 | if /bin/launchctl list | egrep httpd > /dev/null; then
580 | ScriptLogging " HTTP server is enabled. Disabling..."
581 | /usr/sbin/apachectl stop && /usr/bin/defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true
582 | ScriptLogging " HTTP server disabled."
583 | else
584 | ScriptLogging " HTTP server disabled."
585 | fi
586 |
587 | # 4.5 Ensure ftp server is not running
588 | # Level 1 Scored
589 | if /bin/launchctl list | egrep ftp > /dev/null; then
590 | ScriptLogging " FTP server is enabled. Disabling..."
591 | /bin/launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
592 | ScriptLogging " FTP server disabled."
593 | else
594 | ScriptLogging " FTP server disabled."
595 | fi
596 |
597 | # 4.6 Ensure nfs server is not running
598 | # Level 1 Scored
599 | if /bin/launchctl list | egrep nfsd > /dev/null; then
600 | ScriptLogging " NFS server is enabled. Disabling..."
601 | /sbin/nfsd disable
602 | ScriptLogging " NFS server disabled."
603 | else
604 | ScriptLogging " NFS server disabled."
605 | fi
606 | # CIS 4.6 remediation also removes /etc/exports; do this whether or not nfsd is currently running.
607 | if [[ -e /etc/exports ]]; then ScriptLogging " Removing /etc/exports..."; /bin/rm /etc/exports; fi
608 | }
609 |
610 | systemAccess() {
611 | # 5 System Access, Authentication and Authorization
612 | ScriptLogging "5 System Access, Authentication and Authorization"
613 |
614 | # 5.1 File System Permissions and Access Controls
615 | # 5.1.1 Secure Home Folders
616 | # Level 1 Scored
617 | # This script is intended to run BEFORE a system is deployed. Maybe a umask here, but not sure how to implement it.
618 |
619 | # 5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions
620 | # Level 1 Not Scored
621 | # Can either set this in the weekly cron, or use the MDM to control this. MDM is preferred, as it is more malleable to timing/editing.
622 |
623 | # 5.1.3 Check System Wide Applications for appropriate permissions
624 | # Level 1 Scored
625 | # This should be checked prior to deployment within your apps/packages. Can also be run as a weekly cron or use MDM.
626 |
627 | # 5.1.4 Check System folder for world writable files
628 | # Level 1 Scored
629 | # So long as you do not introduce this into your environment through bad packaging, there's no need to remediate this. Can also be run as a weekly cron or use MDM.
630 |
631 | # 5.1.5 Check Library folder for world writable files
632 | # Level 2 Scored
633 | # GarageBand looks to be a culprit here. Should be removed/repackaged on systems through imaging/MDM.
634 |
635 | # 5.2 Password Management
636 | # TODO
637 | # Need to find a way to set the pwpolicy for users that don't yet exist in the system. The remediation procedure is for a logged in user.
638 | # It might be that this should be configured via Configuration Policy instead
639 | # See Section 8.1 and 8.2 for possible plist that can be packaged and deployed.
640 |
641 | # 5.2.1 Configure account lockout threshold
642 | # Level 1 Scored
643 | # pwpolicy -getaccountpolicies | grep -A 1 'policyAttributeMaximumFailedAuthentications' | tail -1 | cut -d'>' -f2 | cut -d '<' -f1
644 | # pwpolicy -setaccountpolicies
645 |
646 | # 5.2.2 Set a minimum password length
647 | # Level 1 Scored
648 |
649 | # 5.2.3 Complex passwords must contain an Alphabetic Character
650 | # Level 1 Scored
651 |
652 | # 5.2.4 Complex passwords must contain a Numeric Character
653 | # Level 1 Scored
654 |
655 | # 5.2.5 Complex passwords must contain a Special Character
656 | # Level 1 Scored
657 |
658 | # 5.2.6 Complex passwords must [contain] uppercase and lowercase letters
659 | # Level 1 Scored
660 |
661 | # 5.2.7 Password Age
662 | # Level 1 Scored
663 |
664 | # 5.2.8 Password History
665 | # Level 1 Scored
666 |
667 | # 5.3 Reduce the sudo timeout period
668 | # Level 1 Scored
669 | if [[ "$(/usr/bin/grep -c timestamp_timeout /etc/sudoers)" -eq 0 ]]; then
670 | ScriptLogging " No sudo timeout modification present. Default is 5 minutes."
671 | else
672 | ScriptLogging " sudo timeout modification present."
673 | fi
674 |
675 | # 5.4 Automatically lock the login keychain for inactivity
676 | # Level 2 Scored
677 | # User specific. Check to see if can be implemented via config profile. Default is 'no limit.'
678 |
679 | # 5.5 Ensure login keychain is locked when the computer sleeps
680 | # Level 2 Scored
681 | # User specific. Check to see if can be implemented via config profile. Default is 'no limit.'
682 |
683 | # 5.6 Enable OCSP and CRL certificate checking
684 | # Level 2 Scored
685 |
686 | # 5.7 Do not enable the "root" account
687 | # Level 1 Scored
688 | #TODO: Test. New audit/remediation written.
689 | # this is requiring expected statements. will look into expect
690 |
691 | #if [[ "$(/usr/bin/dscl . -read /Users/root AuthenticationAuthority)" = "No such key: AuthenticationAuthority" ]]; then
692 | # ScriptLogging " Root user is disabled."
693 | #else
694 | # ScriptLogging " Root user is enabled. Disabling..."
695 | # /usr/sbin/dsenableroot -d
696 | # ScriptLogging " Root user is disabled."
697 | #fi
698 |
699 | # 5.8 Disable automatic login
700 | # Level 1 Scored
701 | # Audit reads the key directly; the old command substitution sent grep's output to /dev/null, so the test was always true and never remediated.
702 |
703 | if /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser > /dev/null 2>&1; then
704 | ScriptLogging " Auto login enabled. Disabling..."
705 | /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
706 | ScriptLogging " Auto login is disabled."
707 | else
708 | ScriptLogging " Auto login is disabled."
709 | fi
710 |
711 | # 5.9 Require a password to wake the computer from sleep or screen saver
712 | # Level 1 Scored
713 | #TODO: Test. New audit/remediation written.
714 |
715 | if [[ "$(/usr/bin/defaults read com.apple.screensaver askForPassword)" = "1" ]]; then
716 | ScriptLogging " Password required to wake from sleep or screensaver."
717 | else
718 | ScriptLogging " Password NOT required to wake from sleep or screensaver. Enabling..."
719 | /usr/bin/defaults write com.apple.screensaver askForPassword -int 1
720 | ScriptLogging " Password required to wake from sleep or screensaver."
721 | fi
722 |
723 | # 5.10 Require an administrator password to access system-wide preferences
724 | # Level 1 Scored
725 | #TODO: Test. New audit/remediation written.
726 |
727 | if /usr/bin/security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -q '<false/>'; then
728 | ScriptLogging " Password required to access system-wide preferences."
729 | else
730 | ScriptLogging " Password NOT required to access system-wide preferences. Enabling..."
731 | /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
732 | /usr/bin/defaults write /tmp/system.preferences.plist shared -bool false
733 | /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
734 | rm /tmp/system.preferences.plist
735 | ScriptLogging " Password required to access system-wide preferences."
736 | fi
737 |
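The 5.10 audit hinges on reading one boolean out of the XML plist that `security authorizationdb read` prints. The following is an added example, not code from this CIS script, showing a parser for that output that matches the whole `<key>shared</key>` element (so the word "shared" inside the rule's comment string cannot be mistaken for the key) and treats a missing key as non-compliant. The two sample rules are constructed to look like the real one, not captured from a host, so the check can be exercised on any system; `audit_system_preferences_live` is the only part that needs a Mac.

```shell
#!/bin/bash
# Added example (not part of the CIS script): audit the "shared" flag of the
# system.preferences authorization rule by parsing the plist that
# `security authorizationdb read system.preferences` prints on stdout.

# Constructed sample shaped like the rule (not captured from a real host):
# the non-compliant state, where one admin's authorization is shared.
SAMPLE_SHARED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Checked when changing certain System Preferences; the shared flag is what matters here.</string>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <true/>
    <key>timeout</key>
    <integer>2147483647</integer>
</dict>
</plist>'

# The same rule after the 5.10 remediation (constructed by flipping the flag).
SAMPLE_NOT_SHARED=$(printf '%s\n' "$SAMPLE_SHARED" | sed 's#<true/>#<false/>#')

# Print the value element that follows <key>NAME</key> in a pretty-printed
# plist dict (authorizationdb prints one element per line, which this relies on).
plist_value_for_key() {
    awk -v key="$1" '
        found && NF { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
        index($0, "<key>" key "</key>") { found = 1 }
    '
}

# Compliant only when the key is present and explicitly false; an absent key
# is reported as non-compliant rather than silently assumed safe.
authdb_shared_disabled() {
    [ "$(plist_value_for_key shared)" = "<false/>" ]
}

# Live audit on a Mac (not invoked here); exit status 0 means compliant.
audit_system_preferences_live() {
    /usr/bin/security authorizationdb read system.preferences 2>/dev/null | authdb_shared_disabled
}

printf '%s\n' "$SAMPLE_SHARED" | authdb_shared_disabled && echo "default rule: compliant" || echo "default rule: NOT compliant"
printf '%s\n' "$SAMPLE_NOT_SHARED" | authdb_shared_disabled && echo "fixed rule: compliant" || echo "fixed rule: NOT compliant"
```

In the script, `audit_system_preferences_live` can replace the inline grep pipeline of 5.10, and the same `plist_value_for_key` helper audits any other rule in the authorization database by key name.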
738 | # 5.11 Disable ability to login to another user's active and locked session
739 | # Level 1 Scored
740 | # Need sed here to edit /etc/pam.d/screensaver
741 | # I believe this is off by default.
742 |
743 | # 5.12 Create a custom message for the Login Screen
744 | # Level 1 Scored
745 | if /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText > /dev/null 2>&1; then
746 | ScriptLogging " Login Message set."
747 | else
748 | ScriptLogging " Login Message not set. Setting..."
749 | /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This system is reserved for authorized use only. The use of this system may be monitored."
750 | ScriptLogging " Login Message set."
751 | fi
752 |
753 | # 5.13 Create a Login window banner
754 | # Level 2 Scored
755 | #TODO: Test. New audit/remediation written.
756 | if [[ ${CISLEVEL} = "2" ]]; then
757 | if [[ ! -e /Library/Security/PolicyBanner.txt ]]; then
758 | ScriptLogging " 'PolicyBanner.txt' not found."
759 | echo "This system is reserved for authorized use only. The use of this system may be monitored." > /Library/Security/PolicyBanner.txt
760 | ScriptLogging " Login Window banner set."
761 | else
762 | ScriptLogging " Login Window banner set."
763 | fi
764 | fi
765 |
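Every control above logs a success message straight after its write without checking that the write took effect. The following is an added example, not part of this CIS script, of a small runner that audits, remediates only on failure, and audits again, so the log reports a verified PASS, FIXED or FAIL. It is shown on 5.13 (PolicyBanner.txt) with one extra check a practitioner would want: the banner must not be group- or world-writable, since whoever can edit it controls what every user sees at the login window. `CIS_ROOT` is an assumed variable that relocates the path into a scratch directory so the example runs anywhere; set it to an empty string on a real host to operate on /Library/Security/PolicyBanner.txt.

```shell
#!/bin/bash
# Added example (not part of the CIS script): audit -> remediate -> re-audit.
# CIS_ROOT is an assumed prefix; unset it defaults to a scratch directory.
CIS_ROOT="${CIS_ROOT-$(mktemp -d)}"
BANNER_TEXT="This system is reserved for authorized use only. The use of this system may be monitored."

banner_path() { printf '%s\n' "${CIS_ROOT}/Library/Security/PolicyBanner.txt"; }

# Audit: the banner exists, is non-empty, and is not writable by group or others.
audit_policy_banner() {
    f=$(banner_path)
    [ -s "$f" ] || return 1
    case "$(ls -ld "$f" | cut -c1-10)" in
        ?????w*|????????w?) return 1 ;;   # group-write (column 6) or other-write (column 9)
    esac
    return 0
}

# Remediate: write the banner with root-owned 0644 permissions.
remediate_policy_banner() {
    f=$(banner_path)
    mkdir -p "$(dirname "$f")"
    printf '%s\n' "$BANNER_TEXT" > "$f"
    chmod 644 "$f"
}

# cis_enforce NAME AUDIT_FN REMEDIATE_FN: prints PASS, FIXED or FAIL and
# returns non-zero only for FAIL, so a caller can count real failures.
cis_enforce() {
    name="$1"; audit="$2"; fix="$3"
    if "$audit"; then echo "PASS  $name"; return 0; fi
    "$fix"
    if "$audit"; then echo "FIXED $name"; return 0; fi
    echo "FAIL  $name (remediation did not take effect)"; return 1
}

cis_enforce "5.13 Login window banner" audit_policy_banner remediate_policy_banner
```

The same runner wraps any of the checks in this script once its audit and remediation are split into two functions; `cis_enforce` output can replace the paired ScriptLogging calls, and its exit status gives the caller a failure count at the end of the run.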
766 | # 5.14 Do not enter a password-related hint
767 | # Level 1 Scored
768 | # TODO
769 | # Per user. for/while in USER_TEMPLATE
770 |
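The 5.14 TODO notes that password hints are stored per account. The following is an added example, not code from this CIS script, showing how to enumerate the real local users from the `name  uid` listing that `dscl . -list /Users UniqueID` prints (rather than globbing /Users/*, which also matches stale home directories and misses accounts with homes elsewhere), and how to audit and clear a hint per user. The sample listing is constructed, not captured from a host. The attribute name `hint` and the `dscl . -read` / `dscl . -delete` calls are assumptions about the local directory node and are only executed by `audit_password_hints` on a Mac; the listing filter and the result classifier run anywhere.

```shell
#!/bin/bash
# Added example (not part of the CIS script): per-user password-hint audit for 5.14.

# Constructed sample of `dscl . -list /Users UniqueID` output (not from a real host).
SAMPLE_LISTING='_mbsetupuser            248
_spotlight              89
daemon                  1
nobody                  -2
root                    0
alice                   501
bob                     502
Guest                   201'

# Keep accounts with UID >= 500 (local users) and drop service accounts.
# Guest (201) and the _ service accounts fall out on the UID test alone.
real_users() {
    awk '$2 ~ /^[0-9]+$/ && $2 >= 500 && $1 !~ /^_/ { print $1 }'
}

# Classify the captured output of `dscl . -read /Users/NAME hint` (assumed
# attribute name). Absent attribute: "No such key: hint" (compliant).
# Set attribute: "hint: <text>" (non-compliant). Any other error is treated as
# non-compliant so a lookup failure is never reported as a pass.
hint_is_unset() {
    case "$1" in
        ""|*"No such key"*) return 0 ;;
        *) return 1 ;;
    esac
}

# On a Mac: report every local user with a hint; pass "yes" to also clear it.
# Not invoked here, since it needs dscl.
audit_password_hints() {
    fix="${1:-no}"
    /usr/bin/dscl . -list /Users UniqueID | real_users | while read -r u; do
        out=$(/usr/bin/dscl . -read "/Users/$u" hint 2>&1)
        if hint_is_unset "$out"; then
            echo "OK    $u"
        else
            echo "HINT  $u"
            [ "$fix" = "yes" ] && /usr/bin/dscl . -delete "/Users/$u" hint
        fi
    done
}

printf '%s\n' "$SAMPLE_LISTING" | real_users
```

The `real_users` filter is also the list the `user_template` function near the end of this script should iterate over instead of `/Users/*`.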
771 | # 5.15 Disable Fast User Switching
772 | # Level 2 Not Scored
773 | # Level 1.5 Not Scored
774 | #TODO: Test. New audit/remediation written.
775 |
776 | if [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
777 | if [[ "$(/usr/bin/defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled 2> /dev/null)" = "0" ]]; then
778 | ScriptLogging " Fast User Switching disabled."
779 | else
780 | ScriptLogging " Fast User Switching enabled. Disabling..."
781 | /usr/bin/defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO
782 | ScriptLogging " Fast User Switching disabled."
783 | fi
784 | fi
785 |
786 | # 5.16 Secure individual keychain items
787 | # Level 2 Not Scored
788 |
789 | # 5.17 Create specialized keychains for different purposes
790 | # Level 2 Not Scored
791 |
792 | # 5.18 Install an approved tokend for smartcard authentication
793 | # Level 2 Scored
794 | # TODO
795 | }
796 |
797 | userEnvironment() {
798 | # 6 User Accounts and Environment
799 | ScriptLogging "6 User Accounts and Environment"
800 |
801 | # 6.1 Accounts Preferences Action Items
802 | # 6.1.1 Display login window as name and password
803 | # Level 1 Scored
804 | # No audit, just do it.
805 | ScriptLogging " Setting LoginWindow to display as username and password..."
806 | /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes
807 |
808 | # 6.1.2 Disable "Show password hints"
809 | # Level 1 Scored
810 | # No audit, just do it.
811 | ScriptLogging " Disabling password hints..."
812 | /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
813 |
814 | # 6.1.3 Disable guest account login
815 | # Level 1 Scored
816 | # No audit, just do it.
817 | ScriptLogging " Disabling the Guest account..."
818 | /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
819 |
820 | # 6.1.4 Disable "Allow guests to connect to shared folders"
821 | # Level 1 Scored
822 | # No audit, just do it.
823 | ScriptLogging " Disabling Guests from connecting to Shared folders..."
824 | /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no
825 | /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no
826 |
827 | # 6.2 Turn on filename extensions
828 | # Level 1 Scored
829 | # No audit, just do it.
830 | ScriptLogging " Enabling file extensions for all users..."
831 | user_template .GlobalPreferences AppleShowAllExtensions -bool true   # per-user key (NSGlobalDomain lives in ~/Library/Preferences/.GlobalPreferences); as root, a plain "defaults write NSGlobalDomain" would change only root's own preferences
832 |
833 | # 6.3 Disable the automatic run of safe files in Safari (Scored)
834 | # Level 1 Scored
835 | # No audit, just do it.
836 | ScriptLogging " Disabling auto-run of safe files in Safari for all users..."
837 | user_template com.apple.Safari AutoOpenSafeDownloads -bool false   # per-user key; as root, a plain "defaults write com.apple.Safari" would change only root's own preferences
838 |
839 | # 6.4 Use parental controls for systems that are not centrally managed
840 | # Level 2 Not Scored
841 | }
842 |
843 | additionalConsiderations() {
844 | # 7 Appendix: Additional Considerations
845 | # These have been removed from the mainScript () to be cleaner, since they don't do anything.
846 | # Leaving the function as a "completionist"
847 | ScriptLogging "7 Appendix: Additional Considerations"
848 | ScriptLogging " Please see the Benchmark documentation for Additional Considerations."
849 |
850 | # 7.1 Wireless technology on OS X
851 | # Level 2 Not Scored
852 |
853 | # 7.2 iSight Camera Privacy and Confidentiality Concerns
854 | # Level 2 Not Scored
855 |
856 | # 7.3 Computer Name Considerations
857 | # Level 2 Not Scored
858 |
859 | # 7.4 Software Inventory Considerations
860 | # Level 2 Not Scored
861 |
862 | # 7.5 Firewall Consideration
863 | # Level 2 Not Scored
864 |
865 | # 7.6 Automatic Actions for Optical Media
866 | # Level 1 Not Scored
867 | # No optical media drives on any new endpoints.
868 |
869 | # 7.7 App Store Automatically download apps purchased on other Macs Considerations
870 | # Level 2 Not Scored
871 |
872 | # 7.8 Extensible Firmware Interface (EFI) password
873 | # Level 2 Not Scored
874 | # Implement via your MDM/Imaging solution. If at all. FV2 mitigates much of the need.
875 |
876 | # 7.9 Apple ID password reset
877 | # Level 2 Not Scored
878 | }
879 |
880 | artifacts() {
881 | # 8 Artifacts
882 | # These have been removed from the mainScript() to be cleaner, since they don't do anything.
883 | # Leaving the function as a "completionist"
884 | ScriptLogging "8 Artifacts"
885 | ScriptLogging " Please see the Benchmark documentation for Artifacts."
886 |
887 | # 8.1 Password Policy Plist generated through OS X Server
888 | # Level 1 Not Scored
889 | # No Rationale, Audit or remediation provided by CIS
890 | # plist file is provided
891 |
892 | # 8.2 Password Policy Plist from man page
893 | # Level 1 Not Scored
894 | # No Rationale, Audit or remediation provided by CIS
895 | # plist file is provided
896 | }
897 |
898 | cleanAndReboot() {
899 | # Reboot function
900 | # left as a function in case you don't want to reboot after running the rest of the script
901 | ScriptLogging " Rebooting for CIS Settings "
902 | /sbin/shutdown -r now
903 | }
904 |
905 | mainScript() {
906 | ScriptLogging " "
907 | ScriptLogging " ************************************************** "
908 | ScriptLogging " Starting CIS Level ${CISLEVEL} Settings"
909 | ScriptLogging " ************************************************** "
910 | ScriptLogging " $(date +%Y-%m-%d\ %H:%M:%S)"
911 |
912 | if [[ ${CISLEVEL} = "1" ]] || [[ ${CISLEVEL} = "2" ]] || [[ ${CISLEVEL} = "1.5" ]]; then
913 | ScriptLogging " "
914 | else
915 | ScriptLogging " OH NO! You picked a CIS Level that doesn't exist. Maybe try again?"
916 | exit 1;
917 | fi
918 |
919 | # comment out sections you do not want to run.
920 | softwareUpdates
921 | systemPreferences
922 | loggingAndAuditing
923 | networkConfigurations
924 | systemAccess
925 | userEnvironment
926 |
927 | ScriptLogging " "
928 | ScriptLogging " CIS Level ${CISLEVEL} Settings Finished! Time to restart..."
929 | ScriptLogging " ************************************************** "
930 | ScriptLogging " $(date +%Y-%m-%d\ %H:%M:%S)"
931 |
932 | #cleanAndReboot
933 | }
934 |
935 | ScriptLogging() {
936 | # ScriptLogging
937 | # Dumps to system.log with prefix "CIS_SETTINGS"
938 | logger -t CIS_SETTINGS "$@"; echo "$@";
939 | }
940 |
941 | user_template() {
942 | # Usage: user_template domain key action action action action action
943 | # Ex: user_template com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Airport.menu"
944 |
945 | local PREFERENCE_DOMAIN=$1
946 | local PREFERENCE_KEY=$2
947 | shift 2; local PREFERENCE_ARGS=("$@")   # keep values containing spaces intact (the menu-extra path in the example above has one)
948 |
949 | # Set for user template (new accounts). On 10.11+ with SIP enabled /System/Library/User Template is read-only; deliver the key with a profile there instead.
950 | for USER_TEMPLATE in "/System/Library/User Template"/*
951 | do
952 | /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/"${PREFERENCE_DOMAIN}" "${PREFERENCE_KEY}" "${PREFERENCE_ARGS[@]}"
953 | done
954 |
955 | # Set for already created users
956 | for USER_HOME in /Users/*
957 | do
958 | USER_UID=$(basename "${USER_HOME}")
959 | if [ ! "${USER_UID}" = "Shared" ]; then
960 | if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
961 | /bin/mkdir -p "${USER_HOME}"/Library/Preferences
962 | /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library
963 | /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
964 | fi
965 | /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/"${PREFERENCE_DOMAIN}" "${PREFERENCE_KEY}" "${PREFERENCE_ARGS[@]}"
966 | # defaults ran as root, so hand the plist back to the user; otherwise their own cfprefsd cannot update it later
967 | /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/"${PREFERENCE_DOMAIN%.plist}".plist
968 | fi
969 | done
970 | }
971 |
972 | # Set up args for level selection
973 | CISLEVEL=""
974 | while [[ $# -gt 1 ]]
975 | do
976 | key="$1"
977 |
978 | case $key in
979 | -l|--level)
980 | CISLEVEL="$2"
981 | shift # past argument
982 | ;;
983 | --default)
984 | DEFAULT=YES
985 | ;;
986 | *)
987 | # unknown option
988 | ;;
989 | esac
990 | shift # past argument or value
991 | done
992 |
993 | if [[ ${CISLEVEL} = "" ]]; then
994 | CISLEVEL="1" # Make sure this is a string, not an integer.
995 | fi
996 | # Run mainScript
997 | mainScript
998 |
--------------------------------------------------------------------------------
/cis-1.2-enableAutoUpdate.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.SoftwareUpdate as Preference Domain.</string>
7 | 	<key>AutomaticCheckEnabled</key>
8 | 	<true/> <!-- value inferred from the file name -->
9 | </dict>
10 | </plist>
11 | 
--------------------------------------------------------------------------------
/cis-1.3-enableAppAutoUpdate.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.commerce as Preference Domain.</string>
7 | 	<key>AutoUpdate</key>
8 | 	<true/> <!-- value inferred from the file name -->
9 | </dict>
10 | </plist>
11 | 
--------------------------------------------------------------------------------
/cis-1.4-XProtect.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.SoftwareUpdate as Preference Domain.</string>
7 | 	<key>ConfigDataInstall</key>
8 | 	<true/> <!-- value inferred from the file name -->
9 | 	<key>CriticalUpdateInstall</key>
10 | 	<true/> <!-- value inferred from the file name -->
11 | </dict>
12 | </plist>
13 | 
--------------------------------------------------------------------------------
/cis-1.5-OSUpdateInstalls.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.SoftwareUpdate as Preference Domain.</string>
7 | 	<key>ConfigDataInstall</key>
8 | 	<true/> <!-- value inferred from the file name -->
9 | 	<key>CriticalUpdateInstall</key>
10 | 	<true/> <!-- value inferred from the file name -->
11 | </dict>
12 | </plist>
13 | 
--------------------------------------------------------------------------------
/cis-2.8-disableIRReciever.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.driver.AppleIRController as Preference Domain.</string>
7 | 	<key>DeviceEnabled</key>
8 | 	<false/> <!-- value inferred from the file name -->
9 | </dict>
10 | </plist>
11 | 
--------------------------------------------------------------------------------
/cis-2.9-enableSecureKeyboardEntryTerminal.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.Terminal as Preference Domain.</string>
7 | 	<key>SecureKeyboardEntry</key>
8 | 	<true/> <!-- value inferred from the file name -->
9 | </dict>
10 | </plist>
11 | 
--------------------------------------------------------------------------------
/cis-5.9-requirePasswordScreensaver.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.screensaver as Preference Domain.</string>
7 | 	<key>askForPassword</key>
8 | 	<true/> <!-- value inferred from the file name and the script's 5.9 remediation -->
9 | </dict>
10 | </plist>
11 | 
--------------------------------------------------------------------------------
/cis-AFPGuestAccess.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.AppleFileServer as Preference Domain.</string>
7 | 	<key>guestAccess</key>
8 | 	<false/> <!-- value inferred from the script's 6.1.4 remediation -->
9 | </dict>
10 | </plist>
11 | 
--------------------------------------------------------------------------------
/cis-SMBGuestAccess.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.smb.server as Preference Domain.</string>
7 | 	<key>AllowGuestAccess</key>
8 | 	<false/> <!-- value inferred from the script's 6.1.4 remediation -->
9 | </dict>
10 | </plist>
11 | 
--------------------------------------------------------------------------------
/cis-automaticAppStore.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.commerce as Preference Domain.</string>
7 | 	<key>AutoUpdate</key>
8 | 	<true/> <!-- value inferred from the file name -->
9 | </dict>
10 | </plist>
11 | 
--------------------------------------------------------------------------------
/cis-automaticSoftwareUpdate.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>Comment</key>
6 | 	<string>For use in Custom Setting payload for profiles. Use com.apple.SoftwareUpdate as Preference Domain.</string>
7 | 	<key>AutomaticCheckEnabled</key>
8 | 	<integer>1</integer> <!-- integer type assumed -->
9 | 	<key>ConfigDataInstall</key>
10 | 	<true/> <!-- value inferred from the file name -->
11 | 	<key>CriticalUpdateInstall</key>
12 | 	<true/> <!-- value inferred from the file name -->
13 | </dict>
14 | </plist>
15 | 
--------------------------------------------------------------------------------