├── .gitignore
├── OSX
├── OSX_ElCapitan_Server
│ ├── .DS_Store
│ ├── CIS_Apple_OSX_10.11_Benchmark_v1.0.0.pdf
│ ├── CIS_MacOSX_1011_Audit-Servers.sh
│ └── CIS_MacOSX_1011_Hardening-Servers.sh
├── additionalSecurityConfigs
│ ├── instalDMGFromCLI.sh
│ ├── GetLastPasswordModificationTimeOfLocalUser.sh
│ ├── CreateMacAdmin.sh
│ ├── UseAppleScriptToTurnOffServices.sh
│ └── macAudit.sh
└── OSX_Yosemite_Server
│ ├── CIS_OSX_Yosemite_Server_Audit.sh
│ └── CIS_OSX_Yosemite_Server_Hardening.sh
├── Linux
└── additionalSecurityConfigs
│ ├── doesUserExist.sh
│ ├── ConfigureSSH.sh
│ ├── ConfigureIptables.sh
│ ├── AdditionalSecurityLogging.sh
│ └── linuxAudit.sh
├── FOR518
├── AdditionalOSXAppsIUse.csv
└── OSX_BashHistory_logging.sh
├── README.md
├── WindowAuditing
└── windowsAudit.ps1
└── LICENSE
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 |
--------------------------------------------------------------------------------
/OSX/OSX_ElCapitan_Server/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/OSHardening/master/OSX/OSX_ElCapitan_Server/.DS_Store
--------------------------------------------------------------------------------
/Linux/additionalSecurityConfigs/doesUserExist.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | if id -u localuserName >/dev/null 2>&1; then
3 | echo "user exists"
4 | else
5 | echo "user does not exist"
6 | fi
7 |
--------------------------------------------------------------------------------
/OSX/OSX_ElCapitan_Server/CIS_Apple_OSX_10.11_Benchmark_v1.0.0.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/OSHardening/master/OSX/OSX_ElCapitan_Server/CIS_Apple_OSX_10.11_Benchmark_v1.0.0.pdf
--------------------------------------------------------------------------------
/OSX/additionalSecurityConfigs/instalDMGFromCLI.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # install a DMG from CLI
3 | # Author Ryan Nolette
4 | # Date Modified 06/26/2016
5 | ######################################################################
6 | echo "hostname: "
7 | read hostname
8 | echo "DA username fo join: "
9 | read DAuser
10 |
11 | #join system to domain
12 | dsconfigad -a $hostname -u $DAuser -ou "CN=Computers,DC=network,DC=domain,DC=com" -domain domain.com -mobile enable -localhome enable -groups "Domain Admins,Enterprise Admins" -alldomains enable
13 |
14 |
15 | #mounting dmg
16 | hdid package.dmg
17 |
18 | #change directory
19 | cd /Volumes/package/
20 |
21 | #Install pkg
22 | sudo /usr/sbin/installer -verbose -pkg package.pkg -target /
23 |
24 | #unmounting dmg
25 | hdiutil detach /Volumes/package
26 |
--------------------------------------------------------------------------------
/OSX/additionalSecurityConfigs/GetLastPasswordModificationTimeOfLocalUser.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | #get the last modification time of a local user in OSX
4 | #v1.1.0 - 08-10-2016
5 | #author rnolette
6 | #date 06/06/2016
7 | #version 1.0
8 | #description: This script will query and OSX el capitan system for the last
9 | # password modification timestamp in mac epoch format
10 | #####################################################################
11 | #query local user data via Directory Service command line utility
12 | #grep result for "passwordLastSetTime" string plus the next Line
13 | #remove the "passwordLastSetTime" result line from the results
14 | #remove the "" and """ strings from the result
15 | #remaining string is the mac epoch timestamp
16 | #The difference between the Unix timestamp epoch (1970) and the Mac timestamp
17 | #epoch (1904) is 2082844800 seconds.
18 | dscl . read /Users/batman | grep -A1 'passwordLastSetTime' | grep -v 'passwordLastSetTime' | sed -e 's/\\(.*\)\<\/real\>/\1/'
19 |
--------------------------------------------------------------------------------
/FOR518/AdditionalOSXAppsIUse.csv:
--------------------------------------------------------------------------------
1 | Application,function,source
2 | AppCleaner,automates application removal for cleaner uninstalls,http://www.freemacsoft.net/appcleaner/
3 | create a dmg,create a dmg out of .app,http://blog.nngafook.com/2012/07/app-to-dmg/
4 | Cyberduck,FTP/SCP/etc GUI application,https://cyberduck.io/?l=en
5 | Flux,tunes the screen colors to be kinder to your eyes,https://justgetflux.com/news/pages/mac/
6 | Google Chrome,browser,http://www.google.com/chrome/
7 | Google Drive,mounted drive storage,https://support.google.com/a/answer/2490101?hl=en
8 | iTerm2,terminal replacement,http://www.iterm2.com/#/section/features
9 | HomeBrew,package manager for mac,http://brew.sh/
10 | Keka,"archive application. Handles 7zip, zip, rar, etc",http://www.kekaosx.com/en/
11 | login screen,how to make any picture your lockscreen,http://lifehacker.com/customize-the-login-screen-on-os-x-yosemite-1683740565#_ga=1.193139629.1055861349.1441835238
12 | Microsoft Remote Desktop,remote desktop application,https://itunes.apple.com/us/app/microsoft-remote-desktop/id715768417?mt=12
13 | Pycharm,python IDE,https://www.jetbrains.com/pycharm/download/
14 | Spectacle,allows for window snap feature similar to windows via keyboard commands,http://spectacleapp.com/
15 | Spotify,personal music streaming,https://www.spotify.com/us/download/mac/
16 | Sublime Text,"text editor for coding, notes, etc",http://www.sublimetext.com/
17 | The unarchiver,"archive application. Handles 7zip, zip, rar, etc",http://wakaba.c3.cx/s/apps/unarchiver.html
18 | Tunnelblick,openVPN client,https://code.google.com/p/tunnelblick/
19 | VLC,video player,http://www.videolan.org/vlc/download-macosx.html
20 | VMware Fusion,virtual machines application. Not as robust as vmware workstation,http://www.vmware.com/products/fusion
21 | VMware Horizon Client,virtual appliance connector,https://my.vmware.com/web/vmware/login
22 | Wireshark,capture network traffic,https://www.wireshark.org/download.html
23 | Xcode,OSX application framework,https://developer.apple.com/xcode/
24 | XtraFinder,adds more options and features to the default system explorer application,https://www.trankynam.com/xtrafinder/
--------------------------------------------------------------------------------
/Linux/additionalSecurityConfigs/ConfigureSSH.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Configuring SSH script Centos 6
3 | # Author Ryan Nolette
4 | # Date Modified 06/26/2016
5 | ######################################################################
6 | #check to see if script is being run as root
7 | if [ "$EUID" -ne 0 ]
8 | then echo "Please run as root"
9 | exit
10 | fi
11 | ######################################################################
12 | echo "--- Securing the SSH Daemon ---"
13 | #echo "Backing up previous SSHd configurations"
14 | mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
15 | /bin/cat << EOM > /etc/ssh/sshd_config
16 | ## Random SSH port
17 | Port 22
18 | ## Sets listening address on server. default=0.0.0.0
19 | #ListenAddress 192.168.0.1
20 | ## Enforcing SSH Protocol 2 only
21 | Protocol 2
22 | ## Checks users on their home directority and rhosts, that they arent world-writable
23 | StrictModes yes
24 | ## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used -i in authentication
25 | IgnoreRhosts yes
26 | ## Disable direct root login, with no you need to login with account, then "su" you into root
27 | PermitRootLogin no
28 | UsePrivilegeSeparation yes
29 | UsePAM yes
30 | PasswordAuthentication yes
31 | ChallengeResponseAuthentication no
32 | AllowTcpForwarding yes
33 | X11Forwarding no
34 | PubkeyAuthentication yes
35 | RSAAuthentication no
36 | GSSAPIAuthentication no
37 | KerberosAuthentication no
38 | HostbasedAuthentication no
39 | RhostsRSAAuthentication no
40 | LogLevel INFO
41 | PermitUserEnvironment no
42 | Ciphers aes128-ctr,aes192-ctr,aes256-ctr
43 | ClientAliveInterval 300
44 | ClientAliveCountMax 0
45 | MaxAuthTries 4
46 | PermitEmptyPasswords no
47 | ## Adds a login banner that the user can see
48 | #Banner /etc/motd
49 | PrintMotd yes
50 | ## Add users or groups that are allowed to log in
51 | #AllowUsers serveradmin
52 | AllowGroups admins users whomever
53 | #if you run a command through SSH directly without going interactive (EX: ssh root@system COMMAND), the command won’t be logged anywhere.
54 | #this line will fix that
55 | ForceCommand if [[ -z \$SSH_ORIGINAL_COMMAND ]]; then bash; else printf "\x23\`date +%s\`\n\$SSH_ORIGINAL_COMMAND\n" >> .bash_history; bash -c "\$SSH_ORIGINAL_COMMAND"; fi
56 | EOM
57 | #start ssh services
58 | #service sshd start
59 | #configure sshd to start at boot
60 | chkconfig --level 3 sshd on
61 | chkconfig --level 5 sshd on
62 | #Set Permissions on /etc/ssh/sshd_config
63 | chown root:root /etc/ssh/sshd_config
64 | chmod 600 /etc/ssh/sshd_config
65 | #commit changes to sshd config
66 | /etc/init.d/sshd restart
--------------------------------------------------------------------------------
/OSX/additionalSecurityConfigs/CreateMacAdmin.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | #Create batman
4 | #v1.1.0 - 08-08-2015
5 | #author rnoloette
6 | #date 08/08/2016
7 | #version 1.0
8 | #description:
9 | # This script will check if the local hidden user batman exists the if the
10 | # script find that batman does not exist or is unable to authenticate as
11 | # batman, it will create a local batman account.
12 | #additional information:
13 | #
14 | #
15 | #####################################################################
16 | # This function creates a new hidden user called batman
17 | function createbatman () {
18 | # prompt user for batman password to use
19 | #echo "Please enter the password for the batman user: "
20 | #read batmanpassword
21 | # Create the batman user manually
22 | dscl . -create /Users/batman #create new user object
23 | dscl . -create /Users/batman UserShell /bin/bash #set shell
24 | dscl . -create /Users/batman RealName "Bruce Wayne" #set real name of user
25 | dscl . -create /Users/batman UniqueID "499" #any user below 500 is a hidden user in osx
26 | dscl . -create /Users/batman PrimaryGroupID 20 #group 20 is (staff)
27 | dscl . -create /Users/batman NFSHomeDirectory /private/var/batman #create user directory outside of the normal location
28 | dscl . -create /Users/batman IsHidden 1 #hide user from login page and preferences
29 | #dscl . -passwd /Users/batman $batmanpassword
30 | dscl . -passwd /Users/batman B@tmanPa55wordz123! #set password
31 | dscl . -append /Groups/admin GroupMembership batman #create user group
32 | }
33 | # This function checks for the existance of the user batman
34 | # If batman is not found it will be created
35 | # If batman is found the script will exit
36 | function checkForbatman () {
37 | #if user batman has UniqueID of 499 which is a hidden user
38 | #> is for redirect
39 | # /dev/null is a black hole where any data sent, will be discarded
40 | # 2 is the file descriptor for Standard Error
41 | # > is for redirect
42 | # & is the symbol for file descriptor (without it, the following 1 would be considered a filename)
43 | # 1 is the file descriptor for Standard Out
44 | # Therefore >/dev/null 2>&1 is redirect the output of your program to /dev/null. Include both the Standard Error and Standard Out.
45 | if id -u batman = 499 >/dev/null 2>&1; then #write command output to
46 | #echo "user exists as desired"
47 | # Will exit with status of last command.
48 | exit
49 | else
50 | #echo "user does not exist"
51 | #start fresh by deleting existing batman user if it exists
52 | cleanup
53 | # create batman user
54 | createbatman
55 | fi
56 | }
57 | # This function deleting an existing batman user
58 | function cleanup () {
59 | #remove existing previous batman user and directory if it exists
60 | if [ -d "/Users/batman" >/dev/null 2>&1 ]; then #redirect the output of your program to /dev/null
61 | dscl . -delete /Users/batman #delete user and setting using native osx tool
62 | rm -rf /Users/batman #delete old batman user directory
63 | fi
64 | }
65 | #############################################
66 | #check to see if script is being run as root
67 | if [ "$EUID" -ne 0 ] #if userID does not equal 0 (aka root)
68 | then echo "Please run as root"
69 | exit
70 | fi
71 | # Does the batman user exist?
72 | checkForbatman
73 |
--------------------------------------------------------------------------------
/FOR518/OSX_BashHistory_logging.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Additional security logging features for OSX 10.10 Yosemite
3 | # Author Ryan Nolette
4 | # Date Modified 06/18/2016
5 | ################################################################################
6 | #check to see if script is being run as root
7 | if [ "$EUID" -ne 0 ]
8 | then echo "Please run as root"
9 | exit
10 | fi
11 | # - configure security logging
12 | #backup /etc/audit/audit.rules
13 | cp /etc/audit/audit.rules /etc/audit/audit.rules.bk
14 | #reconfigure /etc/audit/audit.rules
15 | echo "--- Configuring advanced auditd logging ---"
16 | #This configuration change will not work until after a reboot.
17 | #This may not work in your OSX build. YMMV. Comment it out if you are worried.
18 | #backup pam modules
19 | cp /private/etc/pam.d/login /private/etc/pam.d/login.bk
20 | cp /private/etc/pam.d/gdm /private/etc/pam.d/gdm
21 | #reconfigure pam
22 | #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
23 | echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/login
24 | echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/gdm
25 | echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/sshd
26 | ################################################################################
27 | #backup bashrc
28 | echo "--- Configuring bashrc for all users found on the system ---"
29 | echo " This configuration change will not work until after a reboot"
30 | for user in `ls /Users | grep -v .localized`; do
31 | cp /Users/$user/.bashrc /Users/$user/.bashrc.bk
32 | done
33 | #reconfigure bashrc
34 | echo "--- Enabling Real time bash history for all current users ---"
35 | for user in `ls /Users | grep -v .localized`; do
36 | echo 'export HISTCONTROL=ignoredups:erasedups # no duplicate entries' >> /Users/$user/.bashrc
37 | echo 'export HISTSIZE=100000 # big big history' >> /Users/$user/.bashrc
38 | echo 'export HISTFILESIZE=100000 # big big history' >> /Users/$user/.bashrc
39 | echo 'export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp' >> /Users/$user/.bashrc
40 | echo "shopt -s histappend # append to history, don't overwrite it" >> /Users/$user/.bashrc
41 | echo '# After each command, append to the history file and reread it' >> /Users/$user/.bashrc
42 | echo 'export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"' >> /Users/$user/.bashrc
43 | done
44 | #backup bashrc for root
45 | cp /private/etc/bashrc /private/etc/bashrc.bk
46 | #reconfigure /root/bashrc
47 | echo "--- Enabling Real time bash history for root ---"
48 | /bin/cat << EOM >> /private/etc/bashrc
49 | # .bashrc
50 | # User specific aliases and functions
51 | alias rm='rm -i' # force interactive mode
52 | alias cp='cp -i' # force interactive mode
53 | alias mv='mv -i' # force interactive mode
54 | # Source global definitions
55 | if [ -f /private/etc/bashrc ]; then
56 | . /private/etc/bashrc
57 | fi
58 | export HISTCONTROL=ignoredups:erasedups # no duplicate entries
59 | export HISTSIZE=100000 # big big history
60 | export HISTFILESIZE=100000 # big big history
61 | export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp
62 | shopt -s histappend # append to history, don't overwrite it
63 | # After each command, append to the history file and reread it
64 | export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
65 | EOM
66 | #complete
67 |
--------------------------------------------------------------------------------
/OSX/additionalSecurityConfigs/UseAppleScriptToTurnOffServices.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # install a DMG from CLI
3 | # Author Ryan Nolette
4 | # Date Modified 06/26/2016
5 | ######################################################################
6 | #Secure screen saver corners
7 | # Perform the following to implement the prescribed state:
8 | # 1. Open System Preferences
9 | # 2. Select Mission Control
10 | # 3. Select Hot Corners
11 | # 4. Remove any corners which are set to Disable Screen Saver
12 | #below is an applescript equivalent of these steps
13 | touch disableSharing.scpt
14 | /bin/cat << EOM > disableSharing.scpt
15 | property theSavedValues : {"Mission Control", "Desktop", "Dashboard", "Launchpad"} -- for example
16 | tell application "System Preferences"
17 | activate
18 | set current pane to pane id "com.apple.preference.expose"
19 | tell application "System Events"
20 | tell window "Mission Control" of process "System Preferences"
21 | click button "Hot Corners…"
22 | tell sheet 1
23 | tell group 1
24 | set theCurrentValues to value of pop up buttons
25 | if theCurrentValues is {"-", "-", "-", "-"} then
26 | --do nothing
27 | else
28 | copy theCurrentValues to theSavedValues
29 | repeat with i from 1 to 4
30 | tell pop up button i
31 | click
32 | click last menu item of menu 1
33 | end tell
34 | end repeat
35 | end if
36 | end tell
37 | click button "OK"
38 | end tell
39 | end tell
40 | end tell
41 | quit
42 | end tell
43 | EOM
44 | #Enable Access for Assistive Devices Command Line
45 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
46 | #run applescript
47 | osascript disableSharing.scpt
48 | #Disable Access for Assistive Devices Command Line
49 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
50 | #remove script after usage
51 | rm -r disableSharing.scpt
52 |
53 | #2.4.2 Disable Internet Sharing
54 | # Remediation:
55 | # Perform the following to implement the prescribed state:
56 | # 1. Open System Preferences
57 | # 2. Select Sharing
58 | # 3. Uncheck Internet Sharing
59 | #below is an applescript equivalent of these steps
60 | touch disableSharing.scpt
61 | /bin/cat << EOM > disableSharing.scpt
62 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
63 | tell application "System Events" to tell process "System Preferences"
64 | tell row 8 of table 1 of scroll area 1 of group 1 of window "Sharing"
65 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
66 | end tell
67 | end tell
68 | ignoring application responses
69 | tell application "System Preferences" to quit
70 | end ignoring
71 | EOM
72 | #Enable Access for Assistive Devices Command Line
73 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
74 | #run applescript
75 | osascript disableSharing.scpt
76 | #Disable Access for Assistive Devices Command Line
77 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
78 | #remove script after usage
79 | rm -r disableSharing.scpt
80 |
--------------------------------------------------------------------------------
/Linux/additionalSecurityConfigs/ConfigureIptables.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Configuring IPtables script Centos 6
3 | # Author Ryan Nolette
4 | # Date Modified 06/26/2016
5 | ######################################################################
6 | #check to see if script is being run as root
7 | if [ "$EUID" -ne 0 ]
8 | then echo "Please run as root"
9 | exit
10 | fi
11 | ######################################################################
12 | echo "configure firewall"
13 | #opens http, https, ftp, and ssh
14 | TCPPORTS=( 80 443 22 )
15 | UDPPORTS=( 21 )
16 | echo "--- Install and Clear IPTables Firewall ---"
17 | yum -y install -y iptables
18 | chkconfig iptables on
19 | /sbin/service iptables start
20 | /sbin/iptables -F
21 | /sbin/iptables -X
22 | /etc/init.d/iptables save
23 | echo "--- Running Firewall Configurations ---"
24 | # By default reject all traffic
25 | # /sbin/iptables -P INPUT DROP
26 | # /sbin/iptables -P OUTPUT DROP
27 | # /sbin/iptables -P FORWARD DROP
28 | # Allow localhost
29 | /sbin/iptables -A INPUT -i lo -j ACCEPT
30 | /sbin/iptables -A OUTPUT -o lo -j ACCEPT
31 | # Allow output for new, related and established connections
32 | /sbin/iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
33 | echo "--- Blocking Common Attacks ---"
34 | echo "Forcing SYN packets check"
35 | /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
36 | echo "Forcing Fragments packets check"
37 | /sbin/iptables -A INPUT -f -j DROP
38 | echo "Dropping malformed XMAS packets"
39 | /sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
40 | echo "Drop all NULL packets"
41 | /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
42 | echo "Limiting pings to 1 per second"
43 | /sbin/iptables -N PACKET
44 | /sbin/iptables -A DEFAULT_RULES -p icmp -m limit --limit 3/sec --limit-burst 25 -j ACCEPT
45 | echo "Setup Connection Tracking"
46 | /sbin/iptables -N STATE_TRACK
47 | /sbin/iptables -A STATE_TRACK -m state --state RELATED,ESTABLISHED -j ACCEPT
48 | /sbin/iptables -A STATE_TRACK -m state --state INVALID -j DROP
49 | echo "Discouraging Port Scanning"
50 | /sbin/iptables -N PORTSCAN
51 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP
52 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP
53 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP
54 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
55 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
56 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
57 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP
58 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP
59 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
60 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
61 | /sbin/iptables -A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
62 | echo "--- configuring IPTables ---"
63 | /sbin/iptables -N COMMON
64 | /sbin/iptables -A COMMON -j STATE_TRACK
65 | /sbin/iptables -A COMMON -j PORTSCAN
66 | /sbin/iptables -A COMMON -j PACKET
67 | /sbin/iptables -A INPUT -j COMMON
68 | /sbin/iptables -A OUTPUT -j COMMON
69 | /sbin/iptables -A FORWARD -j COMMON
70 | /sbin/iptables -A FORWARD -j PACKET
71 | /etc/init.d/iptables save
72 | # Open TCP Ports
73 | for port in ${TCPPORTS[@]}
74 | do
75 | echo "Opening TCP Port $port"
76 | /sbin/iptables -A INPUT -p tcp -m tcp --dport $port -j ACCEPT
77 | done
78 | # Open UDP Ports
79 | for port in ${UDPPORTS[@]}
80 | do
81 | echo "Opening UDP Port $port"
82 | /sbin/iptables -A INPUT -p udp -m udp --dport $port -j ACCEPT
83 |
84 | done
85 | #save iptables config and restart iptables
86 | /etc/init.d/iptables save
87 | service iptables restart
--------------------------------------------------------------------------------
/Linux/additionalSecurityConfigs/AdditionalSecurityLogging.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # additional security logging script Centos 6
3 | # Author Ryan Nolette
4 | # Date Modified 06/26/2016
5 | ######################################################################
6 | #check to see if script is being run as root
7 | if [ "$EUID" -ne 0 ]
8 | then echo "Please run as root"
9 | exit
10 | fi
11 | ######################################################################
12 | echo "Configuring Security Logging"
13 | #backup /etc/audit/audit.rules
14 | cp /etc/audit/audit.rules /etc/audit/audit.rules.bk
15 | #reconfigure /etc/audit/audit.rules
16 | echo "--- Configuring auditd ---"
17 | echo " This configuration change will not work until after a reboot"
18 | #backup pam modules
19 | cp /etc/pam.d/login /etc/pam.d/login.bk
20 | cp /etc/pam.d/gdm /etc/pam.d/gdm
21 | #reconfigure pam
22 | #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
23 | echo -e "session\trequired\tpam_loginuid.so" >> /etc/pam.d/login
24 | echo -e "session\trequired\tpam_loginuid.so" >> /etc/pam.d/gdm
25 | echo -e "session\trequired\tpam_loginuid.so" >> /etc/pam.d/sshd
26 | #backup bashrc
27 | for user in `ls /home`; do
28 | cp /home/$user/.bashrc /home/$user/.bashrc.bk
29 | done
30 | #reconfigure bashrc
31 | echo "--- Enabling Real time bash history for all current users ---"
32 | for user in `ls /home`; do
33 | echo 'export HISTCONTROL=ignoredups:erasedups # no duplicate entries' >> /home/$user/.bashrc
34 | echo 'export HISTSIZE=100000 # big big history' >> /home/$user/.bashrc
35 | echo 'export HISTFILESIZE=100000 # big big history' >> /home/$user/.bashrc
36 | echo 'export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp' >> /home/$user/.bashrc
37 | echo "shopt -s histappend # append to history, don't overwrite it" >> /home/$user/.bashrc
38 | echo '# After each command, append to the history file and reread it' >> /home/$user/.bashrc
39 | echo 'export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"' >> /home/$user/.bashrc
40 | done
41 | #backup bashrc for root
42 | cp /root/.bashrc /root/.bashrc.bk
43 | #reconfigure /root/bashrc
44 | echo "--- Enabling Real time bash history for root ---"
45 | /bin/cat << EOM > /root/.bashrc
46 | # .bashrc
47 | # User specific aliases and functions
48 | alias rm='rm -i`
49 | alias cp='cp -i`
50 | alias mv='mv -i`
51 | # Source global definitions
52 | if [ -f /etc/bashrc ]; then
53 | . /etc/bashrc
54 | fi
55 | export HISTCONTROL=ignoredups:erasedups # no duplicate entries
56 | export HISTSIZE=100000 # big big history
57 | export HISTFILESIZE=100000 # big big history
58 | export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp
59 | shopt -s histappend # append to history, don't overwrite it
60 | # After each command, append to the history file and reread it
61 | export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
62 | EOM
63 | #backup skel bashrc
64 | cp /etc/skel/.bashrc /etc/skel/.bashrc.bk
65 | #reconfigure /etc/skel/.bashrc
66 | echo "--- Enabling Real time bash history for all future users ---"
67 | /bin/cat << EOM > /etc/skel/.bashrc
68 | # .bashrc
69 | # User specific aliases and functions
70 | alias rm='rm -i`
71 | alias cp='cp -i`
72 | alias mv='mv -i`
73 | # Source global definitions
74 | if [ -f /etc/bashrc ]; then
75 | . /etc/bashrc
76 | fi
77 | export HISTCONTROL=ignoredups:erasedups # no duplicate entries
78 | export HISTSIZE=100000 # big big history
79 | export HISTFILESIZE=100000 # big big history
80 | export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp
81 | shopt -s histappend # append to history, don't overwrite it
82 | # After each command, append to the history file and reread it
83 | export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
84 | EOM
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # OSHardening
2 | This repo contains all of my OS hardening scripts
3 |
4 | # Cross over for mac and linux
5 | I also use CrossOver to support variou windows based binaries and applications on my osx and linux systems
6 |
7 | 
8 |
9 | ## SANS FOR518
10 | This directory contains a snippet of my larger OS hardening scripts for the SANS FOR518 class. These changes are specific to OSX bashrc additional logging configuration.
11 | - AdditionalOSXAppsIUse.csv
12 | - CSV list of the tools i install on a fresh OSX build to make my life easier
13 | - OSX_BashHistory_logging.sh
14 | - added additional logic to check if script is running with elevated privs or not. Script will now exit if it is not running with root privs.
15 |
16 | ## Linux
17 | ### Centos 6
18 | - CIS_Centos6_Audit.sh
19 | - This script will audit a centos 6 system and give you a CIS compliance score based on it's findings.
20 | - CIS_Centos6_Hardening.sh
21 | - This script will harden a fresh build Centos 6 minimal system to CIS compliance.
22 |
23 | ### Additional Security Configurations
24 | These are additional security configuration changes that i suggest be made to centos/RHEL linux systems. I have included these outside of the CIS hardening script in the event that you do not want to use CIS for compliance but want some benefits of locking down your system anyways.
25 |
26 | - AdditionalSecurityLogging.sh
27 | - modifies bashrc for additional logging configurations that i have found useful
28 | - ConfigureIptables.sh
29 | - Configures iptables to defend against common attacks
30 | - ConfigureSSH.sh
31 | - Configures the SSH server for most common hardening settings
32 | - doesUserExist.sh
33 | - simple test to see if a local user exists
34 | - linuxAudit.sh
35 | - This script was used as an example on different methods to search a linux system
36 |
37 | ## OSX
38 | ### OSX 10.10 Yosemite
39 | - CIS_OSX_Yosemite_Server_Audit.sh
40 | - This script will audit a OSX 10.10 Yosemite system and give you a CIS compliance score based on it's findings.
41 | - CIS_OSX_Yosemite_Server_Hardening.sh
42 | - This script will harden a fresh build OSX 10.10 Yosemite system to CIS compliance.
43 |
44 | ### OSX 10.11 El Capitan
45 | - CIS_MacOSX_1011_Audit-Servers.sh
46 | - This script will audit a OSX 10.11 El Capitan system and give you a CIS compliance score based on it's findings.
47 | - CIS_MacOSX_1011_Hardening-Servers.sh
48 | - This script will harden a fresh build OSX 10.11 El Capitan system to CIS compliance.
49 | - CIS_MacOSX_1011_Hardening-Desktops.sh
50 | - This script will harden a fresh build OSX 10.11 El Capitan desktop system to CIS compliance. This is based off the server script with additional sections commented out so it is more user friendly rather than server restricted.
51 |
52 | ### Additional Security Configurations
53 | These are additional scripts that i suggest be used on OSX systems. I have included these outside of the CIS hardening script in the event that you do not want to use CIS for compliance but want some benefits of locking down your system anyways.
54 | - UseAppleScriptToTurnOffServices.sh
55 | - This script give examples of how to use applescript to emulate configuration of the OSX system that cannot be done via CLI. THis basically emulates a user clicking these items.
56 | - instalDMGFromCLI.sh
57 | - This script demonstrates how to install a DMG from CLI or a bash script
58 | - CreateMacAdmin.sh
59 | - This script is used to add a hidden admin user to an OSX system
60 | - GetLastPasswordModificationTimeOfLocalUser.sh
61 | - This script is used to This script will query and OSX el capitan system for the last password modification timestamp in mac epoch format
62 | - macAudit.sh
63 | - This script was used as an example on different methods to search a OSX system
64 |
65 | ## Windows
66 | ### Windows 10
67 | ### Additional Security Configurations
68 | These are additional scripts that i suggest be used on Windows systems. I have included these outside of the CIS hardening script in the event that you do not want to use CIS for compliance but want some benefits of locking down your system anyways.
69 | - windowsAudit.ps1
70 | - This script was used as an example on different methods to search a Windows system
71 |
--------------------------------------------------------------------------------
/OSX/additionalSecurityConfigs/macAudit.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #####################################################################
3 | #get hostname
4 | host=`hostname`
5 | #get current date
6 | dateTime=`date +"%m%d%y-%H%M"`
7 | #get curent username and not root
8 | realUser=`sudo sh -c 'echo $SUDO_USER'`
9 | #####################################################################
10 | #are security services setup to start on boot in different usermodes
11 | /usr/bin/cat /etc/*-release | grep -i "release 6." &> /dev/null
12 | if [ $? == 0 ]; then
13 | chkconfig --list | grep -iE "serviceName" >> $dateTime"_"$host"_applications.txt"
14 | fi
15 | /usr/bin/cat /etc/*-release | grep -i "release 7." &> /dev/null
16 | if [ $? == 0 ]; then
17 | chkconfig --list | grep -iE "serviceName" >> $dateTime"_"$host"_applications.txt"
18 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
19 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
20 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
21 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
22 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
23 | fi
24 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
25 | #are security services currently running
26 | ps aux | grep -iE "serviceName" >> $dateTime"_"$host"_applications.txt"
27 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
28 | #is linuxusers enabled for ssh access to resecure servers? it should not be
29 | grep -i "userName" /etc/ssh/sshd_config >> $dateTime"_"$host"_applications.txt"
30 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
31 | # view ssh config file
32 | cat /etc/ssh/sshd_config >> $dateTime"_"$host"_applications.txt"
33 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
34 | # is admin user a member of the wheel group?
35 | grep -i wheel /etc/sudoers >> $dateTime"_"$host"_applications.txt"
36 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
37 | # view sudoers file
38 | cat /etc/sudoers >> $dateTime"_"$host"_applications.txt"
39 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
40 | # show me everything in /opt to make sure users arent abusing it
41 | ls -lah /opt >> $dateTime"_"$host"_applications.txt"
42 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
43 | #when was the lasttime the local user passwords where changed
44 | #loop through all local Users
45 | #For lines with UID>=500 (field 3) grab username
46 | usrInfo=$(awk -F'[/:]' '{if ($3 >= 500) print $1}' /etc/passwd)
47 | IFS=$'\n' #Use newline as delimiter for for-loop
48 | for usrLine in $usrInfo
49 | do
50 | #Do processing on each line
51 | #get last password change timestamp, remove leading whitespace, remove comma
52 | lastchangetime=$(chage -l $usrLine | grep 'Last password change' | cut -f2- -d':' | sed -e 's/^[ \t]*//' | sed 's/,//g')
53 | echo $usrLine,$lastchangetime >> $dateTime"_"$host"_applications.txt"
54 | done
55 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
56 | #view bashrc for root user
57 | cat ~/.bashrc >> $dateTime"_"$host"_applications.txt"
58 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
59 | #search for certificates on the file system
60 | #ignore splunk, docker, pki, docs, and python directories as they have a bunch of cert examples
61 | nohup find / -iname \*.pfx -o -iname \*.p12 -o -iname \*.cer -o -iname \*.csr -o -iname \*.crl -o -iname \*.crt -o -iname \*.der -o -iname \*.p7b -o -iname \*.p7r -o -iname \*.spc -o -iname \*.sst -o -iname \*.stl -o -iname \*.pem -o -iname \*.key -o -iname \*.pub | grep -v -E '/opt/splunkforwarder|/var/lib/docker|/etc/pki|/usr/share/doc|/usr/lib/python2.6|/usr/share/pki' >> $dateTime"_"$host"_findCerts.txt" &
62 | ######################################################################
63 | #search for bit9/carbonblack email addresses on the file system
64 | nohup grep -rsiEI "\@company.com|\@company2.com" /home/ >> $dateTime"_"$host"_grepEmail.txt" &
65 | disown -h
66 | #####################################################################
67 | #search for cleartext passwords in the home directory of all users
68 | nohup grep -irsEI 'pass=|pwd=|login=|pw=|passw=|passwd=|password=|pass:|password:|login:' /home/ | grep -v '.bash_history' >> $dateTime"_"$host"_grepPasswords.txt" &
69 | disown -h
70 | #####################################################################
71 | #search for all world writable files on the file system
72 | nohup df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 >> $dateTime"_"$host"_worldWritable.txt" &
73 | disown -h
74 | #####################################################################
75 | #sleep 5 seconds to allow for jobs to kick off in the background
76 | sleep 5
77 | #take ownership of all output files from script
78 | chown $realUser:$realUser *
79 | #list running jobs from background
80 | jobs -l >> $dateTime"_"$host"_applications.txt"
81 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
82 | #running this command from / has some fallout effects that need to be manually adjusted.
83 | #setfacl -R -m g:userGroup:r /var/log/
84 | #echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
85 |
--------------------------------------------------------------------------------
/Linux/additionalSecurityConfigs/linuxAudit.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #####################################################################
3 | #get hostname
4 | host=`hostname`
5 | #get current date
6 | dateTime=`date +"%m%d%y-%H%M"`
7 | #get curent username and not root
8 | realUser=`sudo sh -c 'echo $SUDO_USER'`
9 | #####################################################################
10 | #are security services setup to start on boot in different usermodes
11 | /usr/bin/cat /etc/*-release | grep -i "release 6." &> /dev/null
12 | if [ $? == 0 ]; then
13 | chkconfig --list | grep -iE "serviceName" >> $dateTime"_"$host"_applications.txt"
14 | fi
15 | /usr/bin/cat /etc/*-release | grep -i "release 7." &> /dev/null
16 | if [ $? == 0 ]; then
17 | chkconfig --list | grep -iE "serviceName" >> $dateTime"_"$host"_applications.txt"
18 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
19 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
20 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
21 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
22 | systemctl status serviceName >> $dateTime"_"$host"_applications.txt"
23 | fi
24 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
25 | #are security services currently running
26 | ps aux | grep -iE "serviceName" >> $dateTime"_"$host"_applications.txt"
27 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
28 | #is linuxusers enabled for ssh access to resecure servers? it should not be
29 | grep -i "userName" /etc/ssh/sshd_config >> $dateTime"_"$host"_applications.txt"
30 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
31 | # view ssh config file
32 | cat /etc/ssh/sshd_config >> $dateTime"_"$host"_applications.txt"
33 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
34 | # is admin user a member of the wheel group?
35 | grep -i wheel /etc/sudoers >> $dateTime"_"$host"_applications.txt"
36 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
37 | # view sudoers file
38 | cat /etc/sudoers >> $dateTime"_"$host"_applications.txt"
39 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
40 | # show me everything in /opt to make sure users arent abusing it
41 | ls -lah /opt >> $dateTime"_"$host"_applications.txt"
42 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
43 | #when was the lasttime the local user passwords where changed
44 | #loop through all local Users
45 | #For lines with UID>=500 (field 3) grab username
46 | usrInfo=$(awk -F'[/:]' '{if ($3 >= 500) print $1}' /etc/passwd)
47 | IFS=$'\n' #Use newline as delimiter for for-loop
48 | for usrLine in $usrInfo
49 | do
50 | #Do processing on each line
51 | #get last password change timestamp, remove leading whitespace, remove comma
52 | lastchangetime=$(chage -l $usrLine | grep 'Last password change' | cut -f2- -d':' | sed -e 's/^[ \t]*//' | sed 's/,//g')
53 | echo $usrLine,$lastchangetime >> $dateTime"_"$host"_applications.txt"
54 | done
55 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
56 | #view bashrc for root user
57 | cat ~/.bashrc >> $dateTime"_"$host"_applications.txt"
58 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
59 | #search for certificates on the file system
60 | #ignore splunk, docker, pki, docs, and python directories as they have a bunch of cert examples
61 | nohup find / -iname \*.pfx -o -iname \*.p12 -o -iname \*.cer -o -iname \*.csr -o -iname \*.crl -o -iname \*.crt -o -iname \*.der -o -iname \*.p7b -o -iname \*.p7r -o -iname \*.spc -o -iname \*.sst -o -iname \*.stl -o -iname \*.pem -o -iname \*.key -o -iname \*.pub | grep -v -E '/opt/splunkforwarder|/var/lib/docker|/etc/pki|/usr/share/doc|/usr/lib/python2.6|/usr/share/pki' >> $dateTime"_"$host"_findCerts.txt" &
62 | ######################################################################
63 | #search for bit9/carbonblack email addresses on the file system
64 | nohup grep -rsiEI "\@company.com|\@company2.com" /home/ >> $dateTime"_"$host"_grepEmail.txt" &
65 | disown -h
66 | #####################################################################
67 | #search for cleartext passwords in the home directory of all users
68 | nohup grep -irsEI 'pass=|pwd=|login=|pw=|passw=|passwd=|password=|pass:|password:|login:' /home/ | grep -v '.bash_history' >> $dateTime"_"$host"_grepPasswords.txt" &
69 | disown -h
70 | #####################################################################
71 | #search for all world writable files on the file system
72 | nohup df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 >> $dateTime"_"$host"_worldWritable.txt" &
73 | disown -h
74 | #####################################################################
75 | #sleep 5 seconds to allow for jobs to kick off in the background
76 | sleep 5
77 | #take ownership of all output files from script
78 | chown $realUser:$realUser *
79 | #list running jobs from background
80 | jobs -l >> $dateTime"_"$host"_applications.txt"
81 | echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
82 | #running this command from / has some fallout effects that need to be manually adjusted.
83 | #setfacl -R -m g:userGroup:r /var/log/
84 | #echo "###########################################################" >> $dateTime"_"$host"_applications.txt"
85 |
--------------------------------------------------------------------------------
/WindowAuditing/windowsAudit.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script: Windows Audit Script
3 | Author: Ryan Nolette
4 | Date: 09/18/2016
5 | Version: 1.0
6 | Description:
7 | This script will be run on systems to collect system information for auditing
8 | purposes.
9 | #>
10 | ####################################################
11 | #set powershell execution mode to allow for scripts to run
12 | #set-executionpolicy remotesigned
13 | ####################################################
14 | $hostname=$env:computername
15 | $date =Get-Date -format MMddyyyy_HHmmss
16 | $scriptPath=split-path -parent $MyInvocation.MyCommand.Definition
17 | #$UserDesktop=[Environment]::GetFolderPath("Desktop")
18 | #$outputFile="$UserDesktop\$hostname-$date.txt"
19 | $outputFile="$scriptPath\$hostname-$date.txt"
20 | ####################################################
21 | #start transcript
22 | #$ErrorActionPreference = "Continue"
23 | #Start-Transcript -path $USerDesktop\transcript.txt -append
24 | ####################################################
25 | #create file and write out hostname and date to file
26 | "hostname,$hostname" 2>&1 | out-file -Filepath $outputFile
27 | "Date,$date" 2>&1 | out-file -Filepath $outputFile -append
28 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
29 | #query all users and what groups they are in
30 | echo "Users and what groups they are in" 2>&1 | out-file -Filepath $outputFile -append
31 | $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
32 | $adsi.Children | where {$_.SchemaClassName -eq 'user'} | Foreach-Object {
33 | $groups = $_.Groups() | Foreach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
34 | $_ | Select-Object @{n='UserName';e={$_.Name}},@{n='Groups';e={$groups -join ';'}} 2>&1 | out-file -Filepath $outputFile -append
35 | }
36 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
37 | #is service running
38 | $processName="service"
39 | $ProcessActive = Get-Process $processName -ErrorAction SilentlyContinue
40 | if($ProcessActive -eq $null)
41 | {
42 | "$processName not running" 2>&1 | out-file -Filepath $outputFile -append
43 | }
44 | else
45 | {
46 | "$processName is running" 2>&1 | out-file -Filepath $outputFile -append
47 | }
48 | #is EMET running
49 | $processName="EMET_Service"
50 | $ProcessActive = Get-Process $processName -ErrorAction SilentlyContinue
51 | if($ProcessActive -eq $null)
52 | {
53 | "$processName not running" 2>&1 | out-file -Filepath $outputFile -append
54 | }
55 | else
56 | {
57 | "$processName is running" 2>&1 | out-file -Filepath $outputFile -append
58 | }
59 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
60 | #is system on domain
61 | if ((gwmi win32_computersystem).partofdomain -eq $true) {
62 | "I am domain joined!" 2>&1 | out-file -Filepath $outputFile -append
63 | } else {
64 | "I am not on the domain" 2>&1 | out-file -Filepath $outputFile -append
65 | }
66 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
67 | #list files in Directories
68 | echo "list files in directories" 2>&1 | out-file -Filepath $outputFile -append
69 | #root C
70 | Get-ChildItem -Path c:\ 2>&1 | out-file -Filepath $outputFile -append
71 | #appdata
72 | $users=Get-ChildItem -Path c:\Users\
73 | Foreach ($user IN $users)
74 | {
75 | #C:\Users\master\AppData\Local
76 | Get-ChildItem -Path "c:\Users\$user\AppData -ErrorAction SilentlyContinue" 2>&1 | out-file -Filepath $outputFile -append
77 | Get-ChildItem -Path "c:\Users\$user\AppData\Roaming -ErrorAction SilentlyContinue" 2>&1 | out-file -Filepath $outputFile -append
78 | Get-ChildItem -Path "c:\Users\$user\AppData\local -ErrorAction SilentlyContinue" 2>&1 | out-file -Filepath $outputFile -append
79 | Get-ChildItem -Path "c:\Users\$user\AppData\locallow -ErrorAction SilentlyContinue" 2>&1 | out-file -Filepath $outputFile -append
80 | Get-ChildItem -Path "c:\Users\$user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup -ErrorAction SilentlyContinue" 2>&1 | out-file -Filepath $outputFile -append
81 | }
82 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
83 | #This command uses the CodeSigningCert and Recurse parameters of the Get-ChildItem
84 | #cmdlet to get all of the certificates on the computer that have code-signing authority.
85 | #Because the full path is specified, this command can be run in any Windows PowerShell drive.
86 | echo "look for code signing cert type" 2>&1 | out-file -Filepath $outputFile -append
87 | #Get-ChildItem -path cert:\ -Recurse -ErrorAction SilentlyContinue 2>&1 | out-file -Filepath $outputFile -append
88 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
89 | #search for loose certs by extension
90 | echo "search for loose certs by extension" 2>&1 | out-file -Filepath $outputFile -append
91 | $extensions = '*.pfx', '*.p12', '*.cer', '*.csr', '*.crl', '*.crt', '*.der', '*.p7b', '*.p7r', '*.spc', '*.sst', '*.stl', '*.pem', '*.key'
92 | Get-Childitem "c:\Users" -Include $extensions -Recurse -Force -ErrorAction SilentlyContinue 2>&1 | out-file -Filepath $outputFile -append
93 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
94 | #search for emails
95 | echo "search for emails" 2>&1 | out-file -Filepath $outputFile -append
96 | $ErrorActionPreference = "SilentlyContinue"
97 | Get-ChildItem “c:\Users" -recurse | Select-String -pattern '(@company.com)|(@company2.com)' -ErrorAction SilentlyContinue | group path | select name 2>&1 | out-file -Filepath $outputFile -append
98 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
99 | #search for cleartext passwords
100 | echo "search for cleartext passwords" 2>&1 | out-file -Filepath $outputFile -append
101 | $ErrorActionPreference = "SilentlyContinue"
102 | Get-ChildItem “c:\Users" -recurse -ErrorAction SilentlyContinue | Select-String -pattern '(pass=)|(pwd=)|(login=)|(pw=)|(passw=)|(passwd=)|(password=)|(pass:)|(password:)|(login:)' | group path | select name 2>&1 | out-file -Filepath $outputFile -append
103 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
104 | echo "search for over priveleged files in user directories" 2>&1 | out-file -Filepath $outputFile -append
105 |
106 | $ErrorActionPreference = "SilentlyContinue"
107 | $rootFolder = 'C:\Users\'
108 |
109 | $directory = Get-ChildItem $rootFolder -Recurse
110 | foreach($item in $directory) {
111 | if ((get-acl $item.fullname).access.identityreference -match 'Everyone') {
112 | echo $item.fullname 2>&1 | out-file -Filepath $outputFile -append
113 | }
114 | }
115 |
116 | $rootFolder = 'C:\'
117 | echo "search for over priveleged files in root c directory" 2>&1 | out-file -Filepath $outputFile -append
118 |
119 | $directory = Get-ChildItem $rootFolder
120 | foreach($item in $directory) {
121 | if ((get-acl $item.fullname).access.identityreference -match 'Everyone') {
122 | echo $item.fullname 2>&1 | out-file -Filepath $outputFile -append
123 | }
124 | }
125 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
126 | #get system GPO settings
127 | echo "get system GPO settings" 2>&1 | out-file -Filepath $outputFile -append
128 | gpresult /Scope User /v 2>&1 | out-file -Filepath $outputFile -append
129 | gpresult /Scope Computer /v 2>&1 | out-file -Filepath $outputFile -append
130 | "####################################################" 2>&1 | out-file -Filepath $outputFile -append
131 | #set powershell execution mode back to default
132 | #Set-ExecutionPolicy restricted 2>&1 | out-file -Filepath $outputFile -append
133 | ####################################################
134 | #stop transcript
135 | #Stop-Transcript | out-null
136 | ####################################################
137 |
--------------------------------------------------------------------------------
/OSX/OSX_ElCapitan_Server/CIS_MacOSX_1011_Audit-Servers.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
#
#CIS MacOSX 10.11 audit Benchmark
#v1.1.0 - 04-02-2015
#author rnolette
#date 07/06/2016
#version 1.0
#description: This script will audit a system for compliance with the CIS V1.1.0 hardening guide for MacOSX
#####################################################################
function audit_WithOutput () {
if [[ $2 ]]; then
echo "$1,pass" >> $filename
else
echo "$1,fail" >> $filename
fi
}
function audit_WithNoOutput () {
if [[ $2 ]]; then
echo "$1,fail" >> $filename
else
echo "$1,pass" >> $filename
fi
}
function audit_Exception () {
echo "$1,exception" >> $filename
}
#####################################################################
#get hostname
host=`hostname`
#get current date
dateTime=`date +"%m%d%y-%H%M"`
#create filename
filename="CIS_MacOSX-"$host"-"$dateTime".csv"
#create new file
touch $filename
#####################################################################
#1 Install Updates, Patches and Additional Security Software
#1.1 Verify all application software is current
auditStep="1.1 Verify all application software is current (Scored)"
#auditCmd=`softwareupdate -l |grep -i "No new software available."`
authdCmd=``
audit_Exception "$auditStep" "$auditCmd"
#1.2 Enable Auto Update (Scored)
auditStep="1.2 Enable Auto Update (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled |grep 1`
audit_WithOutput "$auditStep" "$auditCmd"
#1.3 Enable app update installs (Scored)
auditStep="1.3 Enable app update installs (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.storeagent.plist |grep 1`
audit_WithOutput "$auditStep" "$auditCmd"
#1.4 Enable system data files and security update installs (Scored)
auditStep="1.4 Enable system data files and security update installs (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(ConfigDataInstall = 1 |CriticalUpdateInstall = 1)'`
#Make sure the result is: ConfigDataInstall = 1; CriticalUpdateInstall = 1
audit_WithOutput "$auditStep" "$auditCmd"
#1.5 Enable OS X update installs (scored)
auditStep="1.5 EEnable OS X update installs (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep 0`
#Make sure the result is: ConfigDataInstall = 1; CriticalUpdateInstall = 1
audit_WithOutput "$auditStep" "$auditCmd"
######################################################################
#2 System Preferences
#2.1 Bluetooth
#2.1.1 Disable Bluetooth, if no paired devices exist (Scored)
auditStep="2.1.1 Disable Bluetooth if no paired devices exist (Scored)"
#auditCmd=`defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState | grep "0"`
auditCmd=``
audit_Exception "$auditStep - Security chose not to disable" "$auditCmd"
#2.1.2 Disable Bluetooth "Discoverable" mode when not pairing devices (Scored) - Is not applicable to servers because they do not have Bluetooth.
auditStep="2.1.2 Disable Bluetooth \"Discoverable\" mode when not pairing devices (Scored)"
#auditCmd=`/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable`
auditCmd=``
audit_Exception "$auditStep - Security chose not to disable" "$auditCmd"
#2.1.3 Show Bluetooth status in menu bar (Scored)
auditStep="2.1.3 Show Bluetooth status in menu bar (Scored)" #is not applicable to servers because they do not have screen savers.
#auditCmd=`defaults read com.apple.systemuiserver menuExtras | grep Bluetooth.menu`
auditCmd=``
audit_Exception "$auditStep - Security chose not to disable" "$auditCmd"
##########################
#2.2 Date & Time
#2.2.1 Enable "Set time and date automatically" (Not Scored)
auditStep="2.2.1 Enable Set time and date automatically (Not Scored)"
auditCmd=`systemsetup -setnetworktimeserver on | grep -E "setNetworkTimeServer:\s+on"`
audit_WithOutput "$auditStep" "$auditCmd"
#2.2.2 Ensure time set is within appropriate limits (Scored)
auditStep="2.2.2 Ensure time set is within appropriate limits (Scored)"
auditCmd=`systemsetup -getnetworktimeserver | grep -E "Network\s+Time\s+Server:\s+on"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#2.3 Desktop & Screen Saver
#2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Scored)
auditStep="2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Scored)"
auditCmd=`defaults -currentHost read com.apple.screensaver |grep -E "idleTime\s+=\s+600"`
audit_WithOutput "$auditStep" "$auditCmd"
#2.3.2 Secure screen saver corners (Scored)
#exception because of servers
auditStep="2.3.2 Secure screen saver corners (Scored)"
#auditCmd=`defaults read /Library/Preferences/com.apple.dock | grep -i corner`
auditCmd=``
audit_Exception "$auditStep - casper enforced" "$auditCmd"
#2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Not Scored)
auditStep="2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Not Scored)" #is not applicable to servers because they do not have screen savers.
#auditCmd=`/usr/bin/pmset -g | grep -iE "displaysleep\s+15"`
auditCmd=``
audit_Exception "$auditStep - casper enforced" "$auditCmd"
#2.3.4 Set a screen corner to Start Screen Saver (Scored)
auditStep="2.3.4 Set a screen corner to Start Screen Saver (Scored)" #is not applicable to servers because they do not have screen savers.
#auditCmd=`defaults read /Library/Preferences/com.apple.dock | grep -i corner`
#This is trypically run for each user of the system.
auditCmd=``
audit_Exception "$auditStep - casper enforced" "$auditCmd"
##########################
#2.4 Sharing
#2.4.1 Disable Remote Apple Events (Scored)
auditStep="2.4.1 Disable Remote Apple Events (Scored)"
auditCmd=`systemsetup -getremoteappleevents |grep -E "Remote\s+Apple\s+Events:\s+Off"`
audit_WithOutput "$auditStep" "$auditCmd"
#2.4.2 Disable Internet Sharing (Scored)
auditStep="2.4.2 Disable Internet Sharing (Scored) - grep not working correctly on this commands output"
#auditCmd=`defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -E "com.apple.nat\s+does\s+not\s+exist"`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
#2.4.3 Disable Screen Sharing (Scored)
auditStep="2.4.3 Disable Screen Sharing (Scored)"
auditCmd=`launchctl list | grep com.apple.screensharing`
audit_WithNoOutput "$auditStep" "$auditCmd"
#2.4.4 Disable Printer Sharing (Scored)
auditStep="2.4.4 Disable Printer Sharing (Scored)"
auditCmd=`system_profiler SPPrintersDataType | grep "Status: The printers list is empty."`
audit_WithOutput "$auditStep" "$auditCmd"
#2.4.5 Disable Remote Login (Scored) #This is required for ssh login
auditStep="2.4.5 Disable Remote Login (Scored) - leaving enabled for ssh access to server"
auditCmd=``
audit_Exception "$auditStep - required by Security" "$auditCmd"
#2.4.6 Disable DVD or CD Sharing (Scored)
auditStep="2.4.6 Disable DVD or CD Sharing (Scored)"
auditCmd=`launchctl list | egrep ODSAgent`
audit_WithNoOutput "$auditStep" "$auditCmd"
#2.4.7 Disable Bluetooth Sharing (Scored)
auditStep="2.4.7 Disable Bluetooth Sharing (Scored)"
auditCmd=`system_profiler SPBluetoothDataType | grep -E "State: Enabled"`
audit_WithNoOutput "$auditStep" "$auditCmd"
#2.4.8 Disable File Sharing (Scored)
auditStep="2.4.8 Disable File Sharing (Scored)"
auditCmd=`launchctl list | egrep AppleFileServer`
audit_WithNoOutput "$auditStep" "$auditCmd"
#2.4.9 Disable Remote Management (Scored)
auditStep="2.4.9 Disable Remote Management (Scored)"
auditCmd=`ps -ef | egrep ARDAgent | grep -Eiv "grep ARDAgent"`
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#2.5 Energy Saver
#2.5.1 Disable "Wake for network access" (Scored)
auditStep="2.5.1 Disable Wake for network access (Scored)"
#auditCmd=`pmset -g | grep -i 'AC Power'`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
#2.5.2 Disable sleeping the computer when connected to power (Scored)
auditStep="2.5.2 Disable sleeping the computer when connected to power (Scored)"
#auditCmd=`pmset -g | grep -E 'sleep\s+0|AC Power'`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#2.6 Security & Privacy
#2.6.1 Enable FileVault (Scored)
auditStep="2.6.1 Enable FileVault (Scored)"
#auditCmd=`diskutil cs list | grep -iE "Encryption\s+Type:\s+AES-XTS"`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
#2.6.2 Enable Gatekeeper (Scored)
auditStep="2.6.2 Enable Gatekeeper (Scored)"
auditCmd=`spctl --status | grep "assessments enabled"`
audit_WithOutput "$auditStep" "$auditCmd"
#2.6.3 Enable Firewall (Scored)
auditStep="2.6.3 Enable Firewall (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.alf globalstate | grep "1"`
# is: 1 = on for specific services, 2 = on for essential services
audit_WithOutput "$auditStep" "$auditCmd"
#2.6.4 Enable Firewall Stealth Mode (Scored)
auditStep="2.6.4 Enable Firewall Stealth Mode (Scored) - cannot be turned on and allow ssh inbound"
#auditCmd=`/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode |grep -i "Stealth mode enabled."`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
#2.6.5 Review Application Firewall Rules (Scored)
auditStep="2.6.5 Review Application Firewall Rules (Scored)"
auditCmd=`/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | sed -n 'p;$='`
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#2.7 iCloud
#2.7.1 iCloud configuration (Not Scored)
auditStep="2.7.1 iCloud configuration (Not Scored)"
authdCmd=``
audit_Exception "$auditStep" "$auditCmd"
#2.7.2 iCloud keychain (Not Scored)
auditStep="2.7.2 iCloud keychain (Not Scored)"
authdCmd=``
audit_Exception "$auditStep" "$auditCmd"
#2.7.3 iCloud Drive (Scored)
auditStep="2.7.3 iCloud Drive (Scored)"
#auditCmd=`defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud |grep "0"`
authdCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#2.8 Pair the remote control infrared receiver if enabled (Scored)
auditStep="2.8 Pair the remote control infrared receiver if enabled (Scored)" #This is not applicable because servers do not utilize infrared technology.
auditCmd=`defaults read /Library/Preferences/com.apple.driver.AppleIRController | grep -E "DeviceEnabled\s+=\s+0;"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#2.9 Enable Secure Keyboard Entry in terminal.app (Scored)
auditStep="2.9 Enable Secure Keyboard Entry in terminal.app (Scored)"
auditCmd=`defaults read -app Terminal SecureKeyboardEntry | grep "1"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#2.10 Java 8 is not the default Java runtime (Scored) Java is not installed by default.
auditStep="2.10 Java 6 is not the default Java runtime (Scored)"
auditCmd=`pkgutil --packages | grep "com.oracle.*"`
#auditCmd=`java -version | grep `
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#2.11 Securely delete files as needed (Not Scored)
auditStep="2.11 Securely delete files as needed (Not Scored)"
auditCmd=`defaults read ~/Library/Preferences/com.apple.finder EmptyTrashSecurely | grep "1"`
audit_WithOutput "$auditStep" "$auditCmd"
####################################################
#3 Logging and Auditing
#3.1 Configure asl.conf
#3.1.1 Retain system.log for 90 or more days (Scored)
auditStep="3.1.1 Retain system.log for 90 or more days (Scored)"
auditCmd=`grep -i "> system.log" /etc/asl.conf | egrep "system.log|tty=90"`
audit_WithOutput "$auditStep" "$auditCmd"
#3.1.2 Retain appfirewall.log for 90 or more days (Scored)
auditStep="3.1.2 Retain appfirewall.log for 90 or more days (Scored)"
auditCmd=`grep -i "appfirewall.log" /etc/asl.conf | grep -i "ttl=90"`
audit_WithOutput "$auditStep" "$auditCmd"
#3.1.3 Retain authd.log for 90 or more days (Scored)
auditStep="3.1.3 Retain authd.log for 90 or more days (Scored)"
auditCmd=`grep -i "authd.log" /etc/asl/com.apple.authd | egrep "authd.conf|ttl=90"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#3.2 Enable security auditing (Scored)
auditStep="3.2 Enable security auditing (Scored)"
auditCmd=`/bin/launchctl list | grep -i auditd | awk '{ print $3 }'`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#3.3 Configure Security Auditing Flags (Scored)
auditStep="3.3 Configure Security Auditing Flags (Scored)"
auditCmd=`egrep "^flags:" /etc/security/audit_control | egrep "^flags:lo,ad,fd,fm,-all"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#3.4 Enable remote logging for Desktops on trusted networks (Not Scored)
auditStep="3.4 Enable remote logging for Desktops on trusted networks (Not Scored)"
#auditCmd=`grep "8089" /etc/syslog.conf |egrep "splunk.domain.local:8089"`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#3.5 Retain install.log for 365 or more days (Scored)
auditStep="3.5 Retain install.log for 365 or more days (Scored)"
auditCmd=`grep -i "ttl=365" /etc/asl/com.apple.install`
audit_WithOutput "$auditStep" "$auditCmd"
####################################################
#4 Network Configurations
#4.1 Enable "Show Wi-Fi status in menu bar" (Scored)
auditStep="4.1 Disable Bonjour advertising service (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.alf globalstate`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#4.2 Enable "Show Wi-Fi status in menu bar" (Scored)
auditStep="4.2 Enable Show Wi-Fi status in menu bar (Scored) - no wifi on servers"
#auditCmd=`defaults read com.apple.systemuiserver menuExtras | grep AirPort.menu
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#4.3 Create network specific locations (Not Scored)
auditStep="4.3 Create network specific locations (Not Scored)"
#auditCmd=``
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#4.4 Ensure http server is not running (Scored)
auditStep="4.4 Ensure http server is not running (Scored)"
auditCmd=`launchctl list |egrep httpd`
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#4.5 Ensure ftp server is not running (Scored)
auditStep="4.5 Ensure ftp server is not running (Scored)"
auditCmd=`launchctl list | egrep ftp`
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#4.6 Ensure nfs server is not running (Scored)
auditStep="4.6 Ensure nfs server is not running (Scored)"
auditCmd=`launchctl list | egrep nfsd`
audit_WithNoOutput "$auditStep" "$auditCmd"
####################################################
#5 System Access, Authentication and Authorization
#5.1 File System Permissions and Access Controls
#5.1.1 Secure Home Folders (Scored)
auditStep="5.1.1 Secure Home Folders (Scored)"
auditCmd=`ls -l /Users/ | grep "^drwx------"`
audit_WithOutput "$auditStep" "$auditCmd"
#5.1.2 Check System Wide Applications for appropriate permissions (Scored)
auditStep="5.1.2 Check System Wide Applications for appropriate permissions (Scored)"
auditCmd=`find /Applications -iname "*\.app" -type d -perm -2 -ls -fstype local`
audit_WithNoOutput "$auditStep" "$auditCmd"
#5.1.3 Check System folder for world writable files (Scored)
auditStep="5.1.3 Check System folder for world writable files (Scored)"
auditCmd=`find /System -type d -perm -2 -ls -fstype local | grep -v "Public/Drop Box"`
audit_WithNoOutput "$auditStep" "$auditCmd"
#5.1.4 Check Library folder for world writable files (Scored)
auditStep="5.1.4 Check Library folder for world writable files (Scored)"
auditCmd=`find /Library -type d -perm -2 -ls -fstype local | grep -v Caches`
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#5.2 Password Management
#5.2.1 Configure account lockout threshold (Scored)
auditStep="5.2.1 Configure account lockout threshold (Scored)"
auditCmd=`pwpolicy -getaccountpolicies | grep -A 1 'policyAttributeMaximumFailedAuthentications' | tail -1 | cut -d '>' -f2 | cut -d '<' -f1`
audit_WithOutput "$auditStep" "$auditCmd"
#5.2.2 Set a minimum password length (Scored)
auditStep="5.2.2 Set a minimum password length (Scored)"
auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "minChars=12"`
audit_WithOutput "$auditStep" "$auditCmd"
#5.2.3 Complex passwords must contain an Alphabetic Character (Scored)
auditStep="5.2.3 Complex passwords must contain an Alphabetic Character (Scored)"
auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "requiresAlpha=1"`
audit_WithOutput "$auditStep" "$auditCmd"
#5.2.4 Complex passwords must contain a Numeric Character (Scored)
auditStep="5.2.4 Complex passwords must contain a Numeric Character (Scored)"
auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "requiresNumeric=1"`
audit_WithOutput "$auditStep" "$auditCmd"
#5.2.5 Complex passwords must contain a Symbolic Character (Scored)
auditStep="5.2.5 Complex passwords must contain a Symbolic Character (Scored)"
auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "requiresSymbol=1"`
audit_WithOutput "$auditStep" "$auditCmd"
#5.2.6 Complex passwords must uppercase and lowercase letters (Scored)
auditStep="5.2.6 Complex passwords must uppercase and lowercase letters (Scored)"
auditCmd=`pwpolicy -getaccountpolicies | egrep com.apple.uppercaseAndLowercase`
audit_WithOutput "$auditStep" "$auditCmd"
#5.2.7 Password Age (Scored)
auditStep="5.2.7 Password Age (Scored)"
auditCmd=`pwpolicy -getaccountpolicies | egrep com.apple.uppercaseAndLowercase`
audit_WithOutput "$auditStep" "$auditCmd"
#5.2.8 Password History (Scored)
auditStep="5.2.8 Password History (Scored)"
auditCmd=`pwpolicy -getaccountpolicies | egrep "differ from past"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#5.3 Reduce the sudo timeout period (Scored)
auditStep="5.3 Reduce the sudo timeout period (Scored)"
auditCmd=`cat /etc/sudoers | grep -E "Defaults\s+timestamp_timeout=0"`
#Verify the value returned is: Defaults timestamp_timeout=0
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#5.4 Automatically lock the login keychain for inactivity (Scored)
auditStep="5.4 Automatically lock the login keychain for inactivity (Scored)"
#auditCmd=`security show-keychain-info | grep -i "timeout=21600s"`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#5.5 Ensure login keychain is locked when the computer sleeps (Scored)
auditStep="5.5 Ensure login keychain is locked when the computer sleeps (Scored)"
#auditCmd=`security show-keychain-info | grep -i "lock-on-sleep"`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#5.6 Enable OCSP and CRL certificate checking (Scored)
auditStep="5.6 Enable OCSP and CRL certificate checking (Scored)"
auditCmd=`defaults read com.apple.security.revocation | egrep "CRLStyle = RequireIfPresent;|OCSPStyle = RequireIfPresent;"`
#This gives both output results for OCSPStyle and CRLStyle
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#5.7 Do not enable the "root" account (Scored)
auditStep="5.7 Do not enable the "root" account (Scored)"
auditCmd=`dscl . -read /Users/root | grep -q AuthenticationAuthority`
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#5.8 Disable automatic login (Scored)
auditStep="5.8 Disable automatic login (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser`
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#5.9 Require a password to wake the computer from sleep or screen saver (Scored)
auditStep="5.9 Require a password to wake the computer from sleep or screen saver (Scored)"
auditCmd=`defaults read com.apple.screensaver askForPassword | grep "1"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#5.10 Require an administrator password to access system-wide preferences (Scored)
auditStep="5.10 Require an administrator password to access system-wide preferences (Scored)"
auditCmd=`security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(false)'`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#5.11 Disable ability to login to another user's active and locked session (Scored)
auditStep="5.11 Disable ability to login to another user's active and locked session (Scored)"
auditCmd=`grep -i "group=admin,wheel fail_safe" /Private/etc/pam.d/screensaver`
audit_WithNoOutput "$auditStep" "$auditCmd"
##########################
#5.12 Create a custom message for the Login Screen (Scored)
auditStep="5.12 Create a custom message for the Login Screen (Scored)"
#auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#5.13 Create a Login window banner (Scored)
auditStep="5.13 Create a Login window banner (Scored)"
#auditCmd=`grep -i Authorized /Library/Security/PolicyBanner.txt`
authdCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#5.14 Do not enter a password-related hint (Not Scored)
auditStep="5.14 Do not enter a password-related hint (Not Scored)"
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#5.15 Disable Fast User Switching (Not Scored)
auditStep="5.15 Disable Fast User Switching (Not Scored)"
auditCmd=`defaults read /Library/Preferences/.GlobalPreferences MultipleSessionEnabled | grep "0"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#5.16 Secure individual keychain items (Not Scored)
auditStep="5.16 Secure individual keychain items (Not Scored)"
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#5.17 Create specialized keychains for different purposes (Not Scored)
auditStep="5.17 Create specialized keychains for different purposes (Not Scored)"
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
##########################
#5.18 System Integrity Protection status (Scored)
auditStep="5.18 System Integrity Protection status (Scored)"
auditCmd=`/usr/bin/csrutil status | grep -i enabled`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#5.19 Install an approved tokend for smartcard authentication (Not Scored)
auditStep="5.19 Install an approved tokend for smartcard authentication (Not Scored)"
#auditCmd=` ls -l /Library/Security/tokend/ | egrep -i "*.tokend"`
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
####################################################
#6 User Accounts and Environment
#6.1 Accounts Preferences Action Items
#6.1.1 Display login window as name and password (Scored)
auditStep="6.1.1 Display login window as name and password (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME |grep -i "1"`
audit_WithOutput "$auditStep" "$auditCmd"
#6.1.2 Disable Show password hints (Scored)
auditStep="6.1.2 Disable Show password hints (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint | grep -i "0"`
audit_WithOutput "$auditStep" "$auditCmd"
#6.1.3 Disable guest account login (Scored)
auditStep="6.1.3 Disable guest account login (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled | grep "0"`
audit_WithOutput "$auditStep" "$auditCmd"
#6.1.4 Disable Allow guests to connect to shared folders (Scored)
auditStep="6.1.4 Disable Allow guests to connect to shared folders (Scored)"
auditCmd=`defaults read /Library/Preferences/com.apple.AppleFileServer | grep -E "guestAccess\s+=\s+0"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#6.2 Turn on filename extensions (Scored)
auditStep="6.2 Turn on filename extensions (Scored)"
auditCmd=`defaults read NSGlobalDomain AppleShowAllExtensions | grep "1"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#6.3 Disable the automatic run of safe files in Safari (Scored)
auditStep="6.3 Disable the automatic run of safe files in Safari (Scored)"
auditCmd=`defaults read com.apple.Safari AutoOpenSafeDownloads | grep "0"`
audit_WithOutput "$auditStep" "$auditCmd"
##########################
#6.4 Use parental controls for systems that are not centrally managed (Not Scored)
auditStep="6.4 Use parental controls for systems that are not centrally managed (Not Scored)"
auditCmd=``
audit_Exception "$auditStep" "$auditCmd"
########################################## For Future Desktop / Laptop audits #################################################
#7 Appendix: Additional Considerations
#7.1 Wireless Adapters on Mobile Clients (Not Scored)
#7.2 iSight Camera Privacy and Confidentiality Concerns (Not Scored)
#7.3 Computer Name Considerations (Not Scored)
#7.4 Software Inventory Considerations (Not Scored)
#7.5 Firewall Consideration (Not Scored)
#7.6 Automatic Actions for Optical Media (Not Scored)
#7.7 App Store Automatically download apps purchased on other Macs Considerations (Not Scored)
#7.8 Extensible Firmware Interface (EFI) password (Not Scored)
#7.9 Apple ID password reset (Not Scored)
#7.10 Repairing permissions is no longer needed with 10.11 (Not Scored)
#7.11 App Store Password Settings (Not Scored)
############################################
#8 Artifacts
#8.1 Password Policy Plist generated through OS X Server (Not Scored)
#8.2 Password Policy Plist from man page (Not Scored)
############################################ From CentOS 6 #############################################
#Security 1.1 - join system to domain
auditStep="Security.1.1 system joined to domain"
#auditCmd=`dsconfigad -show | grep "domain.local"`
auditCmd=`/usr/local/bin/adinfo | grep -i "domain.local"`
audit_WithOutput "$auditStep" "$auditCmd"
#Security 1.2 - modify hosts.allow
auditStep="Security.1.2 modify hosts.allow"
auditCmd=`grep -iE "ALL: 10.0.0.0/255.0.0.0|ALL: 172.16.0.0/255.240.0.0|ALL: 192.168.0.0/255.255.0.0" /etc/hosts.allow`
audit_WithOutput "$auditStep" "$auditCmd"
#Security 1.3 - modify hosts.deny
auditStep="Security.1.3 modify hosts.deny"
auditCmd=`grep -i "ALL: ALL" /etc/hosts.deny`
audit_WithOutput "$auditStep" "$auditCmd"
#Security 1.4 - configure ssh
auditStep="Security.1.4 ssh config issue"
auditCmd=`grep -iE "PermitRootLogin no|AllowGroups admin macadmins|Protocol 2|PermitEmptyPasswords no" /etc/sshd_config`
audit_WithOutput "$auditStep" "$auditCmd"
#this will find any passwordless sudo settings
auditStep="Security.1.5 No passwordless sudo"
auditCmd=`grep "NOPASSWD" /etc/sudoers | grep -v '#'`
audit_WithNoOutput "$auditStep" "$auditCmd"
# #####################################################################
# # Security.2 llow auditd to get the calling user's uid correctly when calling sudo or su
# #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
# auditStep="Security.2.1 pam_loginuid.so in /Private/etc/pam.d/login"
# auditCmd=`grep -E "session\s+required\s+pam_loginuid.so" /Private/Private/etc/pam.d/login`
# audit_WithOutput "$auditStep" "$auditCmd"
# #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
# auditStep="Security.2.2 pam_loginuid.so in /Private/etc/pam.d/gdm"
# auditCmd=`grep -E "session\s+required\s+pam_loginuid.so" /Private/etc/pam.d/gdm`
# audit_WithOutput "$auditStep" "$auditCmd"
# #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
# auditStep="Security.2.3 pam_loginuid.so in /Private/etc/pam.d/sshd"
# auditCmd=`grep -E "session\s+required\s+pam_loginuid.so" /Private/etc/pam.d/sshd`
# audit_WithOutput "$auditStep" "$auditCmd"
# #####################################################################
# # Security.3 bashrc configuration
# userCounter=1
# for user in `ls /Users`; do
# if [[ "$user" != ".localized" ]]; then
# #This will check if each user's bashrc is configured correctly
# auditStep="Security.3.$userCounter reconfigure bashrc for $user"
# auditCmd=`egrep "export HISTCONTROL=ignoredups:erasedups|export HISTSIZE=100000|export HISTFILESIZE=100000|export HISTTIMEFORMAT=\"%m/%d/%y %T \"|shopt -s histappend|export PROMPT_COMMAND=" /Users/$user/.bashrc`
# audit_WithOutput "$auditStep" "$auditCmd"
# fi
# #increment Counter
# userCounter=$((userCounter+1))
# done
# #reconfigure /root/bashrc
# userCounter=$((userCounter+1))
# auditStep="Security.3.$userCounter reconfigure bashrc for Root"
# auditCmd=`egrep "export HISTCONTROL=ignoredups:erasedups|export HISTSIZE=100000|export HISTFILESIZE=100000|export HISTTIMEFORMAT=\"%m/%d/%y %T \"|shopt -s histappend|export PROMPT_COMMAND=" /Users/$user/.bashrc`
# audit_WithOutput "$auditStep" "$auditCmd"
# #reconfigure /etc/skel/.bashrc
# userCounter=$((userCounter+1))
# auditStep="Security.3.$userCounter reconfigure bashrc for skel"
# auditCmd=`egrep "export HISTCONTROL=ignoredups:erasedups|export HISTSIZE=100000|export HISTFILESIZE=100000|export HISTTIMEFORMAT=\"%m/%d/%y %T \"|shopt -s histappend|export PROMPT_COMMAND=" /Users/$user/.bashrc`
# audit_WithOutput "$auditStep" "$auditCmd"
#####################################################################
echo "-------------------complete---------------"
--------------------------------------------------------------------------------
/OSX/OSX_Yosemite_Server/CIS_OSX_Yosemite_Server_Audit.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # install a DMG from CLI
3 | # Author Ryan Nolette
4 | # Date Modified 06/26/2016
5 | ######################################################################
6 | function audit_WithOutput () {
7 |
8 | if [[ $2 ]]; then
9 | echo "$1,pass" >> $filename
10 | else
11 | echo "$1,fail" >> $filename
12 | fi
13 | }
14 | function audit_WithNoOutput () {
15 |
16 | if [[ $2 ]]; then
17 | echo "$1,fail" >> $filename
18 | else
19 | echo "$1,pass" >> $filename
20 | fi
21 | }
22 | function audit_Exception () {
23 | echo "$1,exception" >> $filename
24 | }
25 | #####################################################################
26 | #get hostname
27 | host=`hostname`
28 | #get current date
29 | dateTime=`date +"%m%d%y-%H%M"`
30 | #create filename
31 | filename="CIS_MacOSX-"$host"-"$dateTime".csv"
32 | #create new file
33 | touch $filename
34 | #####################################################################
35 | #1 Install Updates, Patches and Additional Security Software
36 | #1.1 Verify all application software is current
37 | auditStep="1.1 Verify all application software is current (Scored)"
38 | #auditCmd=`softwareupdate -l |grep -i "No new software available."`
39 | authdCmd=``
40 | audit_Exception "$auditStep" "$auditCmd"
41 | #1.2 Enable Auto Update (Scored)
42 | auditStep="1.2 Enable Auto Update (Scored)"
43 | auditCmd=`defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled |grep 1`
44 | audit_WithOutput "$auditStep" "$auditCmd"
45 | #1.3 Enable app update installs (Scored)
46 | auditStep="1.3 Enable app update installs (Scored)"
47 | auditCmd=`defaults read /Library/Preferences/com.apple.storeagent.plist |grep 1`
48 | audit_WithOutput "$auditStep" "$auditCmd"
49 | #1.4 Enable system data files and security update installs (Scored)
50 | auditStep="1.4 Enable system data files and security update installs (Scored)"
51 | auditCmd=`defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(ConfigDataInstall = 1 |CriticalUpdateInstall = 1)'`
52 | #Make sure the result is: ConfigDataInstall = 1; CriticalUpdateInstall = 1
53 | audit_WithOutput "$auditStep" "$auditCmd"
54 | ######################################################################
55 | #2 System Preferences
56 | #2.1 Bluetooth
57 | #2.1.1 Disable Bluetooth, if no paired devices exist (Scored)
58 | auditStep="2.1.1 Disable Bluetooth if no paired devices exist (Scored)"
59 | #auditCmd=`defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState | grep "0"`
60 | auditCmd=``
61 | audit_Exception "$auditStep - Security chose not to disable" "$auditCmd"
62 | #2.1.2 Disable Bluetooth "Discoverable" mode when not pairing devices (Scored) - Is not applicable to servers because they do not have Bluetooth.
63 | auditStep="2.1.2 Disable Bluetooth \"Discoverable\" mode when not pairing devices (Scored)"
64 | #auditCmd=`/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable`
65 | auditCmd=``
66 | audit_Exception "$auditStep - Security chose not to disable" "$auditCmd"
67 | #2.1.3 Show Bluetooth status in menu bar (Scored)
68 | auditStep="2.1.3 Show Bluetooth status in menu bar (Scored)" #is not applicable to servers because they do not have screen savers.
69 | #auditCmd=`defaults read com.apple.systemuiserver menuExtras | grep Bluetooth.menu`
70 | auditCmd=``
71 | audit_Exception "$auditStep - Security chose not to disable" "$auditCmd"
72 | #2.2 Date & Time
73 | #2.2.1 Enable "Set time and date automatically" (Not Scored)
74 | auditStep="2.2.1 Enable Set time and date automatically (Not Scored)"
75 | auditCmd=`systemsetup -setnetworktimeserver on | grep -E "setNetworkTimeServer:\s+on"`
76 | audit_WithOutput "$auditStep" "$auditCmd"
77 | #2.2.2 Ensure time set is within appropriate limits (Scored)
78 | ##########################
79 | auditStep="2.2.2 Ensure time set is within appropriate limits (Scored)"
80 | auditCmd=`systemsetup -getnetworktimeserver | grep -E "Network\s+Time\s+Server:\s+on"`
81 | audit_WithOutput "$auditStep" "$auditCmd"
82 | ##########################
83 | #2.3 Desktop & Screen Saver
84 | #2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Scored)
85 | auditStep="2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Scored)"
86 | auditCmd=`defaults -currentHost read com.apple.screensaver |grep -E "idleTime\s+=\s+600"`
87 | audit_WithOutput "$auditStep" "$auditCmd"
88 | #2.3.2 Secure screen saver corners (Scored)
89 | #exception because of servers
90 | auditStep="2.3.2 Secure screen saver corners (Scored)"
91 | #auditCmd=`defaults read /Library/Preferences/com.apple.dock | grep -i corner`
92 | auditCmd=``
93 | audit_Exception "$auditStep - casper enforced" "$auditCmd"
94 | #2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Not Scored)
95 | auditStep="2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver (Not Scored)" #is not applicable to servers because they do not have screen savers.
96 | #auditCmd=`/usr/bin/pmset -g | grep -iE "displaysleep\s+15"`
97 | auditCmd=``
98 | audit_Exception "$auditStep - casper enforced" "$auditCmd"
99 | #2.3.4 Set a screen corner to Start Screen Saver (Scored)
100 | auditStep="2.3.4 Set a screen corner to Start Screen Saver (Scored)" #is not applicable to servers because they do not have screen savers.
101 | #auditCmd=`defaults read /Library/Preferences/com.apple.dock | grep -i corner`
102 | #This is trypically run for each user of the system. The only user for this system is Build
103 | auditCmd=``
104 | audit_Exception "$auditStep - casper enforced" "$auditCmd"
105 | ##########################
106 | #2.4 Sharing
107 | #2.4.1 Disable Remote Apple Events (Scored)
108 | auditStep="2.4.1 Disable Remote Apple Events (Scored)"
109 | auditCmd=`systemsetup -getremoteappleevents |grep -E "Remote\s+Apple\s+Events:\s+Off"`
110 | audit_WithOutput "$auditStep" "$auditCmd"
111 | #2.4.2 Disable Internet Sharing (Scored)
112 | auditStep="2.4.2 Disable Internet Sharing (Scored) - grep not working correctly on this commands output"
113 | #auditCmd=`defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -E "com.apple.nat\s+does\s+not\s+exist"`
114 | auditCmd=``
115 | audit_Exception "$auditStep" "$auditCmd"
116 | #2.4.3 Disable Screen Sharing (Scored)
117 | auditStep="2.4.3 Disable Screen Sharing (Scored)"
118 | auditCmd=`launchctl list | grep com.apple.screensharing`
119 | audit_WithNoOutput "$auditStep" "$auditCmd"
120 | #2.4.4 Disable Printer Sharing (Scored)
121 | auditStep="2.4.4 Disable Printer Sharing (Scored)"
122 | auditCmd=`system_profiler SPPrintersDataType | grep "Status: The printers list is empty."`
123 | audit_WithOutput "$auditStep" "$auditCmd"
124 | #2.4.5 Disable Remote Login (Scored) #This is required for ssh login
125 | auditStep="2.4.5 Disable Remote Login (Scored) - leaving enabled for ssh access to server"
126 | auditCmd=``
127 | audit_Exception "$auditStep - required by Security" "$auditCmd"
128 | #2.4.6 Disable DVD or CD Sharing (Scored)
129 | auditStep="2.4.6 Disable DVD or CD Sharing (Scored)"
130 | auditCmd=`launchctl list | egrep ODSAgent`
131 | audit_WithNoOutput "$auditStep" "$auditCmd"
132 | #2.4.7 Disable Bluetooth Sharing (Scored)
133 | auditStep="2.4.7 Disable Bluetooth Sharing (Scored)"
134 | auditCmd=`system_profiler SPBluetoothDataType | grep -E "State: Enabled"`
135 | audit_WithNoOutput "$auditStep" "$auditCmd"
136 | #2.4.8 Disable File Sharing (Scored)
137 | auditStep="2.4.8 Disable File Sharing (Scored)"
138 | auditCmd=`launchctl list | egrep AppleFileServer`
139 | audit_WithNoOutput "$auditStep" "$auditCmd"
140 | #2.4.9 Disable Remote Management (Scored)
141 | auditStep="2.4.9 Disable Remote Management (Scored)"
142 | auditCmd=`ps -ef | egrep ARDAgent | grep -Eiv "grep ARDAgent"`
143 | audit_WithNoOutput "$auditStep" "$auditCmd"
144 | ##########################
145 | #2.5 Energy Saver
146 | #2.5.1 Disable "Wake for network access" (Scored)
147 | auditStep="2.5.1 Disable Wake for network access (Scored)" #This is not applicable because network connectivity does not goto sleep.
148 | #auditCmd=`pmset -g | grep -i 'AC Power'`
149 | auditCmd=``
150 | audit_Exception "$auditStep" "$auditCmd"
151 | #2.5.2 Disable sleeping the computer when connected to power (Scored)
152 | auditStep="2.5.2 Disable sleeping the computer when connected to power (Scored)"
153 | #auditCmd=`pmset -g | grep -E 'sleep\s+0|AC Power'`
154 | auditCmd=``
155 | audit_Exception "$auditStep" "$auditCmd"
156 | ##########################
157 | #2.6 Security & Privacy
158 | #2.6.1 Enable FileVault (Scored)
159 | auditStep="2.6.1 Enable FileVault (Scored)"
160 | #auditCmd=`diskutil cs list | grep -iE "Encryption\s+Type:\s+AES-XTS"`
161 | auditCmd=``
162 | audit_Exception "$auditStep" "$auditCmd"
163 | #2.6.2 Enable Gatekeeper (Scored)
164 | auditStep="2.6.2 Enable Gatekeeper (Scored)"
165 | auditCmd=`spctl --status | grep "assessments enabled"`
166 | audit_WithOutput "$auditStep" "$auditCmd"
167 | #2.6.3 Enable Firewall (Scored)
168 | auditStep="2.6.3 Enable Firewall (Scored)"
169 | auditCmd=`defaults read /Library/Preferences/com.apple.alf globalstate | grep "1"`
170 | # is: 1 = on for specific services, 2 = on for essential services
171 | audit_WithOutput "$auditStep" "$auditCmd"
172 | #2.6.4 Enable Firewall Stealth Mode (Scored)
173 | auditStep="2.6.4 Enable Firewall Stealth Mode (Scored) - cannot be turned on and allow ssh inbound"
174 | #auditCmd=`/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode |grep -i "Stealth mode enabled."`
175 | auditCmd=``
176 | audit_Exception "$auditStep" "$auditCmd"
177 | #2.6.5 Review Application Firewall Rules (Scored)
178 | auditStep="2.6.5 Review Application Firewall Rules (Scored)"
179 | auditCmd=`/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | sed -n 'p;$='`
180 | audit_WithNoOutput "$auditStep" "$auditCmd"
181 | ##########################
182 | #2.7 iCloud
183 | #2.7.1 iCloud configuration (Not Scored)
184 | auditStep="2.7.1 iCloud configuration (Not Scored)"
185 | authdCmd=``
186 | audit_Exception "$auditStep" "$auditCmd"
187 | #2.7.2 iCloud keychain (Not Scored)
188 | auditStep="2.7.2 iCloud keychain (Not Scored)"
189 | authdCmd=``
190 | audit_Exception "$auditStep" "$auditCmd"
191 | #2.7.3 iCloud Drive (Scored)
192 | auditStep="2.7.3 iCloud Drive (Scored)"
193 | #auditCmd=`defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud |grep "0"`
194 | authdCmd=``
195 | audit_Exception "$auditStep" "$auditCmd"
196 | ##########################
197 | #2.8 Pair the remote control infrared receiver if enabled (Scored)
198 | auditStep="2.8 Pair the remote control infrared receiver if enabled (Scored)" #This is not applicable because servers do not utilize infrared technology.
199 | auditCmd=`defaults read /Library/Preferences/com.apple.driver.AppleIRController | grep -E "DeviceEnabled\s+=\s+0;"`
200 | audit_WithOutput "$auditStep" "$auditCmd"
201 | ##########################
202 | #2.9 Enable Secure Keyboard Entry in terminal.app (Scored)
203 | auditStep="2.9 Enable Secure Keyboard Entry in terminal.app (Scored)"
204 | auditCmd=`defaults read -app Terminal SecureKeyboardEntry | grep "1"`
205 | audit_WithOutput "$auditStep" "$auditCmd"
206 | ##########################
207 | #2.10 Java 8 is not the default Java runtime (Scored) Java is not installed by default.
208 | auditStep="2.10 Java 6 is not the default Java runtime (Scored)"
209 | auditCmd=`pkgutil --packages | grep "com.oracle.*"`
210 | #auditCmd=`java -version | grep `
211 | audit_WithNoOutput "$auditStep" "$auditCmd"
212 | ##########################
213 | #2.11 Configure Secure Empty Trash (Scored)
214 | auditStep="2.11 Configure Secure Empty Trash (Scored)" #This does not apply because this would indicate a gui is used for login accounts. This is not the case on servers.
215 | auditCmd=`defaults read ~/Library/Preferences/com.apple.finder EmptyTrashSecurely | grep "1"`
216 | audit_WithOutput "$auditStep" "$auditCmd"
217 | ####################################################
218 | #3 Logging and Auditing
219 | #3.1 Configure asl.conf
220 | #3.1.1 Retain system.log for 90 or more days (Scored)
221 | auditStep="3.1.1 Retain system.log for 90 or more days (Scored)"
222 | auditCmd=`grep -i "> system.log" /etc/asl.conf | egrep "system.log|tty=90"`
223 | audit_WithOutput "$auditStep" "$auditCmd"
224 | #3.1.2 Retain appfirewall.log for 90 or more days (Scored)
225 | auditStep="3.1.2 Retain appfirewall.log for 90 or more days (Scored)"
226 | auditCmd=`grep -i "appfirewall.log" /etc/asl.conf | grep -i "ttl=90"`
227 | audit_WithOutput "$auditStep" "$auditCmd"
228 | #3.1.3 Retain authd.log for 90 or more days (Scored)
229 | auditStep="3.1.3 Retain authd.log for 90 or more days (Scored)"
230 | auditCmd=`grep -i "authd.log" /etc/asl/com.apple.authd | egrep "authd.conf|ttl=90"`
231 | audit_WithOutput "$auditStep" "$auditCmd"
232 | ##########################
233 | #3.2 Enable security auditing (Scored)
234 | auditStep="3.2 Enable security auditing (Scored)"
235 | auditCmd=`/bin/launchctl list | grep -i auditd | awk '{ print $3 }'`
236 | audit_WithOutput "$auditStep" "$auditCmd"
237 | ##########################
238 | #3.3 Configure Security Auditing Flags (Scored)
239 | auditStep="3.3 Configure Security Auditing Flags (Scored)"
240 | auditCmd=`egrep "^flags:" /etc/security/audit_control | egrep "^flags:lo,ad,fd,fm,-all"`
241 | audit_WithOutput "$auditStep" "$auditCmd"
242 | ##########################
243 | #3.4 Enable remote logging for Desktops on trusted networks (Not Scored)
244 | auditStep="3.4 Enable remote logging for Desktops on trusted networks (Not Scored) - using log forwarder for this"
245 | auditCmd=``
246 | audit_Exception "$auditStep" "$auditCmd"
247 | ##########################
248 | #3.5 Retain install.log for 365 or more days (Scored)
249 | auditStep="3.5 Retain install.log for 365 or more days (Scored)"
250 | auditCmd=`grep -i "ttl=365" /etc/asl/com.apple.install`
251 | audit_WithOutput "$auditStep" "$auditCmd"
252 | ####################################################
253 | #4 Network Configurations
254 | #4.1 Enable "Show Wi-Fi status in menu bar" (Scored)
255 | auditStep="4.1 Enable Show Wi-Fi status in menu bar (Scored) - no wifi on servers"
256 | #auditCmd=`defaults read com.apple.systemuiserver menuExtras | grep AirPort.menu
257 | auditCmd=``
258 | audit_Exception "$auditStep" "$auditCmd"
259 | ##########################
260 | #4.2 Create network specific locations (Not Scored)
261 | auditStep="4.2 Create network specific locations (Not Scored)" #This is not applicable in a server environment where vCenter controls network segment access
262 | auditCmd=``
263 | audit_Exception "$auditStep" "$auditCmd"
264 | ##########################
265 | #4.3 Ensure http server is not running (Scored)
266 | auditStep="4.3 Ensure http server is not running (Scored)"
267 | auditCmd=`launchctl list |egrep httpd`
268 | audit_WithNoOutput "$auditStep" "$auditCmd"
269 | ##########################
270 | #4.4 Ensure ftp server is not running (Scored)
271 | auditStep="4.4 Ensure ftp server is not running (Scored)"
272 | auditCmd=`launchctl list | egrep ftp`
273 | audit_WithNoOutput "$auditStep" "$auditCmd"
274 | ##########################
275 | #4.5 Ensure nfs server is not running (Scored)
276 | auditStep="4.5 Ensure nfs server is not running (Scored)"
277 | auditCmd=`launchctl list | egrep nfsd`
278 | audit_WithNoOutput "$auditStep" "$auditCmd"
279 | ####################################################
280 | #5 System Access, Authentication and Authorization
281 | #5.1 File System Permissions and Access Controls
282 | #5.1.1 Secure Home Folders (Scored)
283 | auditStep="5.1.1 Secure Home Folders (Scored)"
284 | auditCmd=`ls -l /Users/ | grep "^drwx------"`
285 | audit_WithOutput "$auditStep" "$auditCmd"
286 | #5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions (Not Scored)
287 | auditStep="5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions (Not Scored) - not required on fresh install"
288 | #auditCmd=`cat /var/log/system.log* | grep RepairPermissions`
289 | auditCmd=``
290 | audit_Exception "$auditStep" "$auditCmd"
291 | #5.1.3 Check System Wide Applications for appropriate permissions (Scored)
292 | auditStep="5.1.3 Check System Wide Applications for appropriate permissions (Scored)"
293 | auditCmd=`find /Applications -iname "*\.app" -type d -perm -2 -ls -fstype local`
294 | audit_WithNoOutput "$auditStep" "$auditCmd"
295 | #5.1.4 Check System folder for world writable files (Scored)
296 | auditStep="5.1.4 Check System folder for world writable files (Scored)"
297 | auditCmd=`find /System -type d -perm -2 -ls -fstype local | grep -v "Public/Drop Box"`
298 | audit_WithNoOutput "$auditStep" "$auditCmd"
299 | #5.1.5 Check Library folder for world writable files (Scored)
300 | auditStep="5.1.5 Check Library folder for world writable files (Scored)"
301 | auditCmd=`find /Library -type d -perm -2 -ls -fstype local | grep -v Caches`
302 | audit_WithNoOutput "$auditStep" "$auditCmd"
303 | ##########################
304 | #5.2 Reduce the sudo timeout period (Scored)
305 | auditStep="5.2 Reduce the sudo timeout period (Scored)"
306 | auditCmd=`cat /etc/sudoers | grep -E "Defaults\s+timestamp_timeout=0"`
307 | #Verify the value returned is: Defaults timestamp_timeout=0
308 | audit_WithOutput "$auditStep" "$auditCmd"
309 | ##########################
310 | #5.3 Automatically lock the login keychain for inactivity (Scored)
311 | auditStep="5.3 Automatically lock the login keychain for inactivity (Scored)"
312 | #auditCmd=`security show-keychain-info | grep -i "timeout=21600s"`
313 | auditCmd=``
314 | audit_Exception "$auditStep" "$auditCmd"
315 | ##########################
316 | #5.4 Ensure login keychain is locked when the computer sleeps (Scored)
317 | auditStep="5.4 Ensure login keychain is locked when the computer sleeps (Scored)"
318 | #auditCmd=`security show-keychain-info | grep -i "lock-on-sleep"`
319 | auditCmd=``
320 | audit_Exception "$auditStep" "$auditCmd"
321 | ##########################
322 | #5.5 Enable OCSP and CRL certificate checking (Scored)
323 | auditStep="5.5 Enable OCSP and CRL certificate checking (Scored)"
324 | auditCmd=`defaults read com.apple.security.revocation | egrep "CRLStyle = RequireIfPresent;|OCSPStyle = RequireIfPresent;"`
325 | #This gives both output results for OCSPStyle and CRLStyle
326 | audit_WithOutput "$auditStep" "$auditCmd"
327 | ##########################
328 | #5.6 Do not enable the "root" account (Scored)
329 | auditStep="5.6 Do not enable the "root" account (Scored)"
330 | auditCmd=`dscl . -read /Users/root | grep -q AuthenticationAuthority`
331 | audit_WithNoOutput "$auditStep" "$auditCmd"
332 | ##########################
333 | #5.7 Disable automatic login (Scored)
334 | auditStep="5.7 Disable automatic login (Scored)" #This is not applicable to server environments
335 | auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser`
336 | audit_WithNoOutput "$auditStep" "$auditCmd"
337 | ##########################
338 | #5.8 Require a password to wake the computer from sleep or screen saver (Scored)
339 | auditStep="5.8 Require a password to wake the computer from sleep or screen saver (Scored)" #The is not applicable to server instances as they do not goto sleep
340 | auditCmd=`defaults read com.apple.screensaver askForPassword | grep "1"`
341 | audit_WithOutput "$auditStep" "$auditCmd"
342 | ##########################
343 | #5.9 Require an administrator password to access system-wide preferences (Scored)
344 | auditStep="5.9 Require an administrator password to access system-wide preferences (Scored)"
345 | auditCmd=`security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(false)'`
346 | audit_WithOutput "$auditStep" "$auditCmd"
347 | ##########################
348 | #5.10 Disable ability to login to another user's active and locked session (Scored)
349 | auditStep="5.10 Disable ability to login to another user's active and locked session (Scored)"
350 | auditCmd=`grep -i "group=admin,wheel fail_safe" /Private/etc/pam.d/screensaver`
351 | audit_WithNoOutput "$auditStep" "$auditCmd"
352 | ##########################
353 | #5.11 Complex passwords must contain an Alphabetic Character (Scored)
354 | auditStep="5.11 Complex passwords must contain an Alphabetic Character (Scored)"
355 | auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "requiresAlpha=1"`
356 | audit_WithOutput "$auditStep" "$auditCmd"
357 | ##########################
358 | #5.12 Complex passwords must contain a Numeric Character (Scored)
359 | auditStep="5.12 Complex passwords must contain a Numeric Character (Scored)"
360 | auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "requiresNumeric=1"`
361 | audit_WithOutput "$auditStep" "$auditCmd"
362 | ##########################
363 | #5.13 Complex passwords must contain a Symbolic Character (Scored)
364 | auditStep="5.13 Complex passwords must contain a Symbolic Character (Scored)"
365 | auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "requiresSymbol=1"`
366 | audit_WithOutput "$auditStep" "$auditCmd"
367 | ##########################
368 | #5.14 Set a minimum password length (Scored)
369 | auditStep="5.14 Set a minimum password length (Scored)"
370 | auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "minChars=12"`
371 | audit_WithOutput "$auditStep" "$auditCmd"
372 | ##########################
373 | #5.15 Configure account lockout threshold (Scored)
374 | auditStep="5.15 Configure account lockout threshold (Scored)"
375 | auditCmd=`pwpolicy -getglobalpolicy | tr " " "\n" | grep -i "maxFailedLoginAttempts=5"`
376 | audit_WithOutput "$auditStep" "$auditCmd"
377 | ##########################
378 | #5.16 Create a custom message for the Login Screen (Scored)
379 | auditStep="5.16 Create a custom message for the Login Screen (Scored)"
380 | #auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText`
381 | auditCmd=``
382 | audit_Exception "$auditStep" "$auditCmd"
383 | ##########################
384 | #5.17 Create a Login window banner (Scored)
385 | auditStep="5.17 Create a Login window banner (Scored)"
386 | #auditCmd=`grep -i Authorized /Library/Security/PolicyBanner.txt`
387 | authdCmd=``
388 | audit_Exception "$auditStep" "$auditCmd"
389 | ##########################
390 | #5.18 Do not enter a password-related hint (Not Scored)
391 | auditStep="5.18 Do not enter a password-related hint (Not Scored) - controlled by AD"
392 | auditCmd=``
393 | audit_Exception "$auditStep" "$auditCmd"
394 | ##########################
395 | #5.19 Disable Fast User Switching (Not Scored)
396 | auditStep="5.19 Disable Fast User Switching (Not Scored)"
397 | auditCmd=`defaults read /Library/Preferences/.GlobalPreferences MultipleSessionEnabled | grep "0"`
398 | audit_WithOutput "$auditStep" "$auditCmd"
399 | ##########################
400 | #5.20 Secure individual keychain items (Not Scored)
401 | auditStep="5.20 Secure individual keychain items (Not Scored)"
402 | auditCmd=``
403 | audit_Exception "$auditStep" "$auditCmd"
404 | ##########################
405 | #5.21 Create specialized keychains for different purposes (Not Scored)
406 | auditStep="5.21 Create specialized keychains for different purposes (Not Scored)"
407 | auditCmd=``
408 | audit_Exception "$auditStep" "$auditCmd"
409 | ####################################################
410 | #6 User Accounts and Environment
411 | #6.1 Accounts Preferences Action Items
412 | #6.1.1 Display login window as name and password (Scored)
413 | auditStep="6.1.1 Display login window as name and password (Scored)"
414 | auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME |grep -i "1"`
415 | audit_WithOutput "$auditStep" "$auditCmd"
416 | #6.1.2 Disable Show password hints (Scored)
417 | auditStep="6.1.2 Disable Show password hints (Scored)"
418 | auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint | grep -i "0"`
419 | audit_WithOutput "$auditStep" "$auditCmd"
420 | #6.1.3 Disable guest account login (Scored)
421 | auditStep="6.1.3 Disable guest account login (Scored)"
422 | auditCmd=`defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled | grep "0"`
423 | audit_WithOutput "$auditStep" "$auditCmd"
424 | #6.1.4 Disable Allow guests to connect to shared folders (Scored)
425 | auditStep="6.1.4 Disable Allow guests to connect to shared folders (Scored)"
426 | auditCmd=`defaults read /Library/Preferences/com.apple.AppleFileServer | grep -E "guestAccess\s+=\s+0"`
427 | audit_WithOutput "$auditStep" "$auditCmd"
428 | ##########################
429 | #6.2 Turn on filename extensions (Scored)
430 | auditStep="6.2 Turn on filename extensions (Scored)"
431 | auditCmd=`defaults read NSGlobalDomain AppleShowAllExtensions | grep "1"`
432 | audit_WithOutput "$auditStep" "$auditCmd"
433 | ##########################
434 | #6.3 Disable the automatic run of safe files in Safari (Scored)
435 | auditStep="6.3 Disable the automatic run of safe files in Safari (Scored)"
436 | auditCmd=`defaults read com.apple.Safari AutoOpenSafeDownloads | grep "0"`
437 | audit_WithOutput "$auditStep" "$auditCmd"
438 | ##########################
439 | #6.4 Use parental controls for systems that are not centrally managed (Not Scored)
440 | auditStep="6.4 Use parental controls for systems that are not centrally managed (Not Scored)"
441 | auditCmd=``
442 | audit_Exception "$auditStep" "$auditCmd"
443 |
444 | ########################################## For Future Desktop / Laptop audits #################################################
445 |
446 | #7 Appendix: Additional Considerations
447 | #7.1 Wireless Adapters on Mobile Clients (Not Scored)
448 | #auditStep="7.1 Wireless Adapters on Mobile Clients (Not Scored)"
449 | #auditCmd=`echo test`
450 | #audit_Exception "$auditStep" "$auditCmd"
451 | #7.2 iSight Camera Privacy and Confidentiality Concerns (Not Scored)
452 | #auditStep="7.2 iSight Camera Privacy and Confidentiality Concerns (Not Scored)"
453 | #auditCmd=`echo test`
454 | #audit_Exception "$auditStep" "$auditCmd"
455 | #7.3 Computer Name Considerations (Not Scored)
456 | #auditStep="7.3 Computer Name Considerations (Not Scored)"
457 | #auditCmd=`echo test`
458 | #audit_Exception "$auditStep" "$auditCmd"
459 | #7.4 Software Inventory Considerations (Not Scored)
460 | #auditStep="7.4 Software Inventory Considerations (Not Scored)"
461 | #auditCmd=`echo test`
462 | #audit_Exception "$auditStep" "$auditCmd"
463 | #7.5 Firewall Consideration (Not Scored)
464 | #auditStep="7.5 Firewall Consideration (Not Scored)"
465 | #auditCmd=`echo test`
466 | #audit_Exception "$auditStep" "$auditCmd"
467 | #7.6 Automatic Actions for Optical Media (Not Scored)
468 | #auditStep="7.6 Automatic Actions for Optical Media (Not Scored)"
469 | #auditCmd=`echo test`
470 | #audit_Exception "$auditStep" "$auditCmd"
471 | #7.7 App Store Automatically download apps purchased on other Macs Considerations (Not Scored)
472 | #auditStep="7.7 App Store Automatically download apps purchased on other Macs Considerations (Not Scored)"
473 | #auditCmd=`echo test`
474 | #audit_Exception "$auditStep" "$auditCmd"
475 | #7.8 Extensible Firmware Interface (EFI) password (Not Scored)
476 | #auditStep="7.8 Extensible Firmware Interface (EFI) password (Not Scored)"
477 | #auditCmd=`echo test`
478 | #audit_Exception "$auditStep" "$auditCmd"
479 | #7.9 Apple ID password reset (Not Scored)
480 | #auditStep="7.9 Apple ID password reset (Not Scored)"
481 | #auditCmd=`echo test`
482 | #audit_Exception "$auditStep" "$auditCmd"
483 |
484 | ############################################ From CentOS 6 #############################################
485 | #Security 1.1 - join system to domain
486 | auditStep="Security.1.1 system joined to domain"
487 | #auditCmd=`dsconfigad -show | grep "domain.local"`
488 | auditCmd=` | grep -i "domain.local"`
489 | audit_WithOutput "$auditStep" "$auditCmd"
490 | #Security 1.2 - install Casper
491 | auditStep="Security.1.2 Casper installed"
492 | auditCmd=`ls "/Applications/Self Service.app/Contents/MacOS/Self Service"`
493 | audit_WithOutput "$auditStep" "$auditCmd"
494 | #Security 1.3 - modify hosts.allow
495 | auditStep="Security.1.3 modify hosts.allow"
496 | auditCmd=`grep -iE "ALL: 10.0.0.0/255.0.0.0|ALL: 172.16.0.0/255.240.0.0|ALL: 192.168.0.0/255.255.0.0" /etc/hosts.allow`
497 | audit_WithOutput "$auditStep" "$auditCmd"
498 | #Security 1.4 - modify hosts.deny
499 | auditStep="Security.1.4 modify hosts.deny"
500 | auditCmd=`grep -i "ALL: ALL" /etc/hosts.deny`
501 | audit_WithOutput "$auditStep" "$auditCmd"
502 | #Security 1.5 - configure ssh
503 | auditStep="Security.1.5 ssh config issue"
504 | auditCmd=`grep -iE "PermitRootLogin no|AllowGroups admin osxadmins|Protocol 2|PermitEmptyPasswords no" /etc/sshd_config`
505 | audit_WithOutput "$auditStep" "$auditCmd"
506 | #this will find any passwordless sudo settings
507 | auditStep="Security.1.6 No passwordless sudo"
508 | auditCmd=`grep "NOPASSWD" /etc/sudoers | grep -v '#'`
509 | audit_WithNoOutput "$auditStep" "$auditCmd"
510 | # #####################################################################
511 | # # Security.2 llow auditd to get the calling user's uid correctly when calling sudo or su
512 | # #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
513 | # auditStep="Security.2.1 pam_loginuid.so in /Private/etc/pam.d/login"
514 | # auditCmd=`grep -E "session\s+required\s+pam_loginuid.so" /Private/Private/etc/pam.d/login`
515 | # audit_WithOutput "$auditStep" "$auditCmd"
516 | # #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
517 | # auditStep="Security.2.2 pam_loginuid.so in /Private/etc/pam.d/gdm"
518 | # auditCmd=`grep -E "session\s+required\s+pam_loginuid.so" /Private/etc/pam.d/gdm`
519 | # audit_WithOutput "$auditStep" "$auditCmd"
520 | # #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
521 | # auditStep="Security.2.3 pam_loginuid.so in /Private/etc/pam.d/sshd"
522 | # auditCmd=`grep -E "session\s+required\s+pam_loginuid.so" /Private/etc/pam.d/sshd`
523 | # audit_WithOutput "$auditStep" "$auditCmd"
524 | # #####################################################################
525 | # # Security.3 bashrc configuration
526 | # userCounter=1
527 | # for user in `ls /Users`; do
528 | # if [[ "$user" != ".localized" ]]; then
529 | # #This will check if each user's bashrc is configured correctly
530 | # auditStep="Security.3.$userCounter reconfigure bashrc for $user"
531 | # auditCmd=`egrep "export HISTCONTROL=ignoredups:erasedups|export HISTSIZE=100000|export HISTFILESIZE=100000|export HISTTIMEFORMAT=\"%m/%d/%y %T \"|shopt -s histappend|export PROMPT_COMMAND=" /Users/$user/.bashrc`
532 | # audit_WithOutput "$auditStep" "$auditCmd"
533 | # fi
534 | # #increment Counter
535 | # userCounter=$((userCounter+1))
536 | # done
537 | # #reconfigure /root/bashrc
538 | # userCounter=$((userCounter+1))
539 | # auditStep="Security.3.$userCounter reconfigure bashrc for Root"
540 | # auditCmd=`egrep "export HISTCONTROL=ignoredups:erasedups|export HISTSIZE=100000|export HISTFILESIZE=100000|export HISTTIMEFORMAT=\"%m/%d/%y %T \"|shopt -s histappend|export PROMPT_COMMAND=" /Users/$user/.bashrc`
541 | # audit_WithOutput "$auditStep" "$auditCmd"
542 | # #reconfigure /etc/skel/.bashrc
543 | # userCounter=$((userCounter+1))
544 | # auditStep="Security.3.$userCounter reconfigure bashrc for skel"
545 | # auditCmd=`egrep "export HISTCONTROL=ignoredups:erasedups|export HISTSIZE=100000|export HISTFILESIZE=100000|export HISTTIMEFORMAT=\"%m/%d/%y %T \"|shopt -s histappend|export PROMPT_COMMAND=" /Users/$user/.bashrc`
546 | # audit_WithOutput "$auditStep" "$auditCmd"
547 | #####################################################################
548 | echo "-------------------complete---------------"
549 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 | {one line to give the program's name and a brief idea of what it does.}
635 | Copyright (C) {year} {name of author}
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | {project} Copyright (C) {year} {fullname}
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/OSX/OSX_Yosemite_Server/CIS_OSX_Yosemite_Server_Hardening.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # install a DMG from CLI
3 | # Author Ryan Nolette
4 | # Date Modified 06/26/2016
5 | ######################################################################
6 | #check to see if script is being run as root
7 | if [ "$EUID" -ne 0 ]
8 | then echo "Please run as root"
9 | exit
10 | fi
11 | # this is required for enablement of filevault
12 | # echo "Please enter the password for the localadmin user: "
13 | # read localadminpassword
14 | ######################################################################
15 | #1 Install Updates, Patches and Additional Security Software#################################################
16 |
17 | echo "1 Install Updates, Patches and Additional Security Software"
18 | echo "1.1 Verify all application software is current"
19 | softwareupdate --install --all
20 |
21 | echo "1.2 Enable Auto Update"
22 | defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1
23 |
24 | echo "1.3 Enable app update installs - requires a reboot to take effect"
25 | defaults write /Library/Preferences/com.apple.storeagent AutoUpdate -int 1
26 |
27 | echo "1.4 Enable system data files and security update installs"
28 | defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
29 | #####################################################################
30 | #2 System Preferences#################################################
31 | #no bluetooth on servers
32 | #
33 | # echo "2 System Preferences"
34 | # echo "2.1 Bluetooth"
35 | # echo "2.1.1 Disable Bluetooth, if no paired devices exist"
36 | # defaults write /Library/Preferences/com.apple.Bluetooth \ ControllerPowerState -int 0
37 | # killall -HUP blued
38 | # echo "2.1.2 Disable Bluetooth \"Discoverable\" mode when not pairing devices"
39 | # /usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable
40 | # echo "If query returns \"Discoverable: On\" you need to turn discoverable off."
41 | # echo "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open."
42 | # echo "2.1.3 Show Bluetooth status in menu bar"
43 | # defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"###############################
44 | ###############################
45 | # echo "2.2 Date & Time"
46 | systemsetup -f -setnetworktimeserver ntpServer.domain.local
47 |
48 | #echo "2.2.2 Ensure time set is within appropriate limits"
49 | #already completed in step 2.2
50 | #systemsetup -f -getnetworktimeserver
51 | ###############################
52 | echo "2.3 Desktop & Screen Saver"
53 | echo "2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver"
54 | #set to 10 minutes
55 | defaults -currentHost write com.apple.screensaver idleTime -int 600
56 |
57 | #echo "2.3.2 Secure screen saver corners"
58 | # Perform the following to implement the prescribed state:
59 | # 1. Open System Preferences
60 | # 2. Select Mission Control
61 | # 3. Select Hot Corners
62 | # 4. Remove any corners which are set to Disable Screen Saver
63 | #below is an applescript equivalent of these steps
64 | touch disableSharing.scpt
65 | /bin/cat << EOM > disableSharing.scpt
66 | property theSavedValues : {"Mission Control", "Desktop", "Dashboard", "Launchpad"} -- for example
67 | tell application "System Preferences"
68 | activate
69 | set current pane to pane id "com.apple.preference.expose"
70 | tell application "System Events"
71 | tell window "Mission Control" of process "System Preferences"
72 | click button "Hot Corners…"
73 | tell sheet 1
74 | tell group 1
75 | set theCurrentValues to value of pop up buttons
76 | if theCurrentValues is {"-", "-", "-", "-"} then
77 | --do nothing
78 | else
79 | copy theCurrentValues to theSavedValues
80 | repeat with i from 1 to 4
81 | tell pop up button i
82 | click
83 | click last menu item of menu 1
84 | end tell
85 | end repeat
86 | end if
87 | end tell
88 | click button "OK"
89 | end tell
90 | end tell
91 | end tell
92 | quit
93 | end tell
94 | EOM
95 | #Enable Access for Assistive Devices Command Line
96 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
97 | #run applescript
98 | osascript disableSharing.scpt
99 | #Disable Access for Assistive Devices Command Line
100 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
101 | #remove script after usage
102 | rm -r disableSharing.scpt
103 |
104 | #echo "2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver"
105 | # In System Preferences: Energy Saver, drag the slider for "Put the display(s) to sleep..." to a reasonable number, but longer than the screen saver setting. The Mac will display a warning if the number is too short.
106 | # Alternatively, use the following command: pmset -c displaysleep 0
107 | # Note: The -c flag means "wall power." Different settings must be used for other power sources.
108 | #pmset -c displaysleep 0
109 |
110 | #echo "2.3.4 Set a screen corner to Start Screen Saver"
111 | # In System Preferences: Desktop & Screen Saver: Screen Saver: Hot Corners, make sure at least one Active Screen Corner is set to Start Screen Saver. Make sure the user knows about this feature.
112 | # The screen corners can be set using the defaults command, but the permutations of combinations are many. The plist file to check is ~/Library/Preferences/com.apple.dock and the keys are wvous-bl-corner wvous-br-corner wvous-tl-corner wvous-tr-corner
113 | # There are also modifier keys to check and various values for each of these keys. A value of 5 means the corner will start the screen saver. The corresponding wvous-xx-modifier key should be set to 0.
114 |
115 | ###############################
116 | echo "2.4 Sharing"
117 | echo "2.4.1 Disable Remote Apple Events"
118 | systemsetup -f setremoteappleevents off
119 |
120 | echo "2.4.2 Disable Internet Sharing"
121 | echo "The file should not exist or Enabled = 0 for all network interfaces."
122 | # Remediation:
123 | # Perform the following to implement the prescribed state:
124 | # 1. Open System Preferences
125 | # 2. Select Sharing
126 | # 3. Uncheck Internet Sharing
127 | #below is an applescript equivalent of these steps
128 | touch disableSharing.scpt
129 | /bin/cat << EOM > disableSharing.scpt
130 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
131 | tell application "System Events" to tell process "System Preferences"
132 | tell row 8 of table 1 of scroll area 1 of group 1 of window "Sharing"
133 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
134 | end tell
135 | end tell
136 | ignoring application responses
137 | tell application "System Preferences" to quit
138 | end ignoring
139 | EOM
140 | #Enable Access for Assistive Devices Command Line
141 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
142 | #run applescript
143 | osascript disableSharing.scpt
144 | #Disable Access for Assistive Devices Command Line
145 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
146 | #remove script after usage
147 | rm -r disableSharing.scpt
148 |
149 |
150 | echo "2.4.3 Disable Screen Sharing"
151 | echo "Verify the value returned is nothing found to load"
152 | # Perform the following to implement the prescribed state:
153 | # 1. Open System Preferences
154 | # 2. Select Sharing
155 | # 3. Uncheck Screen Sharing
156 | #below is an applescript equivalent of these steps
157 | touch disableSharing.scpt
158 | /bin/cat << EOM > disableSharing.scpt
159 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
160 | tell application "System Events" to tell process "System Preferences"
161 | tell row 2 of table 1 of scroll area 1 of group 1 of window "Sharing"
162 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
163 | end tell
164 | end tell
165 | ignoring application responses
166 | tell application "System Preferences" to quit
167 | end ignoring
168 | EOM
169 | #Enable Access for Assistive Devices Command Line
170 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
171 | #run applescript
172 | osascript disableSharing.scpt
173 | #Disable Access for Assistive Devices Command Line
174 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
175 | #remove script after usage
176 | rm -r disableSharing.scpt
177 |
178 |
179 |
180 | echo "2.4.4 Disable Printer Sharing"
181 | echo "The output should show \"Shared: No\" for all printers. If no printers are present, the above command will yield \"Status: The printers list is empty.\""
182 | #Perform the following to implement the prescribed state:
183 | #1. Open System Preferences
184 | #2. Select Sharing
185 | #3. Uncheck Printer Sharing
186 | #below is an applescript equivalent of these steps
187 | touch disableSharing.scpt
188 | /bin/cat << EOM > disableSharing.scpt
189 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
190 | tell application "System Events" to tell process "System Preferences"
191 | tell row 4 of table 1 of scroll area 1 of group 1 of window "Sharing"
192 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
193 | end tell
194 | end tell
195 | ignoring application responses
196 | tell application "System Preferences" to quit
197 | end ignoring
198 | EOM
199 | #Enable Access for Assistive Devices Command Line
200 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
201 | #run applescript
202 | osascript disableSharing.scpt
203 | #Disable Access for Assistive Devices Command Line
204 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
205 | #remove script after usage
206 | rm -r disableSharing.scpt
207 |
208 |
209 | #echo "2.4.5 Disable Remote Login"
210 | #systemsetup -f -setremotelogin off
211 |
212 | echo "2.4.6 Disable DVD or CD Sharing"
213 | echo "There should be no results"
214 | # Perform the following to implement the prescribed state:
215 | # 1. Open System Preferences
216 | # 2. Select Sharing
217 | # 3. Uncheck DVD or CD Sharing
218 | #below is an applescript equivalent of these steps
219 | touch disableSharing.scpt
220 | /bin/cat << EOM > disableSharing.scpt
221 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
222 | tell application "System Events" to tell process "System Preferences"
223 | tell row 1 of table 1 of scroll area 1 of group 1 of window "Sharing"
224 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
225 | end tell
226 | end tell
227 | ignoring application responses
228 | tell application "System Preferences" to quit
229 | end ignoring
230 | EOM
231 | #Enable Access for Assistive Devices Command Line
232 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
233 | #run applescript
234 | osascript disableSharing.scpt
235 | #Disable Access for Assistive Devices Command Line
236 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
237 | #remove script after usage
238 | rm -r disableSharing.scpt
239 |
240 |
241 | echo "2.4.7 Disable Bluetooth Sharing"
242 | echo "Verify that all values are Disabled"
243 | system_profiler SPBluetoothDataType | grep State
244 | # Perform the following to implement the prescribed state:
245 | # 1. Open System Preferences
246 | # 2. Select Sharing
247 | # 3. Uncheck Bluetooth Sharing
248 | #below is an applescript equivalent of these steps
249 | touch disableSharing.scpt
250 | /bin/cat << EOM > disableSharing.scpt
251 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
252 | tell application "System Events" to tell process "System Preferences"
253 | tell row 9 of table 1 of scroll area 1 of group 1 of window "Sharing"
254 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
255 | end tell
256 | end tell
257 | ignoring application responses
258 | tell application "System Preferences" to quit
259 | end ignoring
260 | EOM
261 | #Enable Access for Assistive Devices Command Line
262 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
263 | #run applescript
264 | osascript disableSharing.scpt
265 | #Disable Access for Assistive Devices Command Line
266 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
267 | #remove script after usage
268 | rm -r disableSharing.scpt
269 |
270 | echo "2.4.8 Disable File Sharing"
271 | #Run the following command in Terminal to turn off AFP from the command line:
272 | launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
273 | #Run the following command in Terminal to turn off SMB sharing from the CLI:
274 | launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
275 |
276 | echo "2.4.9 Disable Remote Management"
277 | # In System Preferences: Sharing, turn off Remote Management.
278 | #below is an applescript equivalent of these steps
279 | touch disableSharing.scpt
280 | /bin/cat << EOM > disableSharing.scpt
281 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
282 | tell application "System Events" to tell process "System Preferences"
283 | tell row 6 of table 1 of scroll area 1 of group 1 of window "Sharing"
284 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
285 | end tell
286 | end tell
287 | ignoring application responses
288 | tell application "System Preferences" to quit
289 | end ignoring
290 | EOM
291 | #Enable Access for Assistive Devices Command Line
292 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
293 | #run applescript
294 | osascript disableSharing.scpt
295 | #Disable Access for Assistive Devices Command Line
296 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
297 | #remove script after usage
298 | rm -r disableSharing.scpt
299 | ###############################
300 | # echo "2.5 Energy Saver"
301 | # echo "2.5.1 Disable \"Wake for network access\""
302 | # pmset -a womp 0
303 |
304 | echo "2.5.2 Disable sleeping the computer when connected to power"
305 | pmset -c sleep 0
306 | ###############################
307 | echo "2.6 Security & Privacy"
308 | # echo "2.6.1 Enable FileVault"
309 | # echo "On a booted system the Logical Volume should show as both Encrypted and unlocked"
310 | # echo "Encryption Status: Unlocked"
311 | # echo "Encryption Type: AES-XTS"
312 | # diskutil cs list | grep -i encryption
313 | # # Perform the following to implement the prescribed state:
314 | # # 1. Open System Preferences
315 | # # 2. Select Security & Privacy
316 | # # 3. Select FileVault
317 | # # 4. Select Turn on FileVault
318 | # #scripted out for the above steps
319 | # touch fdesetup.plist
320 | # /bin/cat << EOM > fdesetup.plist
321 | #
322 | #
323 | #
324 | #
325 | # Username
326 | # localadmin
327 | # Password
328 | # $localadminpassword
329 | #
330 | #
331 | # EOM
332 | # fdesetup enable -inputplist < fdesetup.plist &> fdekey.txt
333 | # rm -f fdesetup.plist
334 | # #disabled filevault
335 | # #fdesetup disable
336 |
337 | echo "2.6.2 Enable Gatekeeper"
338 | spctl --master-enable
339 |
340 | echo "2.6.3 Enable Firewall"
341 | #Where is:
342 | # 1 = on for specific services
343 | # 2 = on for essential services
344 | defaults write /Library/Preferences/com.apple.alf globalstate -int 1
345 |
346 | #echo "2.6.4 Enable Firewall Stealth Mode"
347 | #/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
348 |
349 | # echo "2.6.5 Review Application Firewall Rules"
350 | # echo "List all firewall exceptions"
351 | # /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
352 | # Edit and run the following command in Terminal to remove specific applications: /usr/libexec/ApplicationFirewall/socketfilterfw --remove
353 | # Where is the one to be removed
354 | ###############################
355 | # echo "2.7 iCloud"
356 | # echo "2.7.1 iCloud configuration"
357 | # echo "2.7.2 iCloud keychain"
358 | # echo "2.7.3 iCloud Drive"
359 | # defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
360 | ###############################
361 | echo "2.8 Pair the remote control infrared receiver if enabled"
362 | #are there IR recievers
363 | #system_profiler 2>/dev/null | egrep "IR Receiver"
364 | # echo "Verify the value returned for DeviceEnabled = 0; If the value returned is DeviceEnabled = 1, then verify the value returned for the UIDFilter does not equal none"
365 | # defaults read /Library/Preferences/com.apple.driver.AppleIRController
366 | #Disable the remote control infrared receiver:
367 | # 1. Open System Preferences
368 | # 2. Select Security & Privacy
369 | # 3. Select the General tab
370 | # 4. Select Advanced
371 | # 5. Check Disable remote control infrared receiver
372 | defaults write /Library/Preferences/com.apple.driver.AppleIRController.plist DeviceEnabled -bool NO
373 | ###############################
374 | echo "2.9 Enable Secure Keyboard Entry in terminal.app"
375 | echo "verify the value returned is 1"
376 | /usr/bin/defaults write -app Terminal SecureKeyboardEntry 1
377 | #1. Open Terminal
378 | # 2. Select Terminal
379 | # 3. Select Secure Keyboard Entry
380 | ###############################
381 | # echo "2.10 Java 6 is not the default Java runtime"
382 | # echo "The output of the above command should not return a result with Java 6:"
383 | # #echo "Java version 1.6.0_x"
384 | # #echo "Java(TM) SE Runtime Environment (build 1.6.0_x)"
385 | # java -version
386 | ###############################
387 | echo "2.11 Configure Secure Empty Trash"
388 | echo "Make sure the value returned for each user is 1"
389 | #1. Select Finder
390 | # 2. Select Preferences
391 | # 3. Select Advanced
392 | # 4. Check Empty Trash Securely
393 | #3 Logging and Auditing
394 | defaults write com.apple.finder EmptyTrashSecurely -bool true
395 | #################################################
396 |
397 | echo "3 Logging and Auditing"
398 | echo "3.1 Configure asl.conf"
399 | echo "3.1.1 Retain system.log for 90 or more days"
400 | /usr/bin/sed -i.bak 's/^>\ system\.log.*/>\ system\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl.conf
401 |
402 | echo "3.1.2 Retain appfirewall.log for 90 or more days"
403 | /usr/bin/sed -i.bak 's/^\?\ \[=\ Facility\ com.apple.alf.logging\]\ .*/\?\ \[=\ Facility\ com.apple.alf.logging\]\ file\ appfirewall.log\ rotate=seq\ ttl=90/' /etc/asl.conf
404 |
405 | echo "3.1.3 Retain authd.log for 90 or more days "
406 | /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/authd\.log.*/\*\ file\ \/var\/log\/authd\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl/com.apple.authd
407 | ###############################
408 | echo "3.2 Enable security auditing"
409 | if [[ "$(/bin/launchctl list | grep -i auditd | awk '{ print $3 }')" = "com.apple.auditd" ]]; then
410 | ScriptLogging " Security Auditing enabled."
411 | else
412 | /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
413 | fi
414 | ###############################
415 | echo "3.3 Configure Security Auditing Flags"
416 | # echo "Ensure at least the following flags are present:"
417 | # echo "lo - audit successful/failed login/logout events"
418 | # echo "ad - audit successful/failed administrative events"
419 | # echo "fd - audit successful/failed file deletion events"
420 | # echo "fm - audit successful/failed file attribute modification events"
421 | # echo "-all - audit all failed events across all audit classes"
422 | #Perform the following to implement the prescribed state:
423 | # 1. Open a terminal session and edit the /etc/security/audit_control file
424 | # 2. Find the line beginning with "flags"
425 | # 3. Add the following flags: lo, ad, fd, fm, -all.
426 | # 4. Save the file.
427 | /usr/bin/sed -i '' 's/^flags:.*/flags:lo,ad,fd,fm,-all/' /etc/security/audit_control
428 | /usr/bin/sed -i '' 's/^expire-after:.*/expire-after:90d\ AND\ 1G/' /etc/security/audit_control
429 |
430 | ###############################
431 | #echo "3.4 Enable remote logging for Desktops on trusted networks"
432 | ###############################
433 | echo "3.5 Retain install.log for 365 or more days"
434 | /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/install\.log.*/\*\ file\ \/var\/log\/install\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=365/' /etc/asl/com.apple.install
435 | ##############################################################
436 | #4 Network Configurations
437 |
438 | echo "4 Network Configurations"
439 | #echo "4.1 Enable \"Show Wi-Fi status in menu bar\""
440 | # echo "Verify the value returned is: /System/Library/CoreServices/Menu Extras/AirPort.menu"
441 | # defaults read com.apple.systemuiserver menuExtras | grep AirPort.menu
442 | #Perform the following to implement the prescribed state:
443 | # 1. Open System Preferences
444 | # 2. Select Network
445 | # 3. Check Show Wi-Fi status in menu bar
446 | ###############################
447 | #echo "4.2 Create network specific locations"
448 | ###############################
449 | echo "4.3 Ensure http server is not running"
450 | #stop web server
451 | apachectl stop
452 | #stop web server from auto start at boot
453 | defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true
454 | ###############################
455 | echo "4.4 Ensure ftp server is not running"
456 | -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
457 | ###############################
458 | echo "4.5 Ensure nfs server is not running"
459 | nfsd disable
460 | rm /etc/export
461 | ##############################################################
462 | #5 System Access, Authentication and Authorization
463 | echo "5 System Access, Authentication and Authorization"
464 | echo "5.1 File System Permissions and Access Controls"
465 | echo "5.1.1 Secure Home Folders"
466 | #Perform the following to implement the prescribed state:
467 | # 1. Run one of the following commands in Terminal:
468 | # chmod -R og-rwx /Users/
469 | # 2. chmod -R og-rw /Users/
470 | # 3. Substitute user name in .
471 | # 4. This command has to be run for each user account with a local home folder.
472 | for users in `ls /Users/`; do
473 | #echo $users
474 | sudo chmod -R og-rwx /Users/$users
475 | done
476 | ###############################
477 | #echo "5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions "
478 | #diskutil repairPermissions /
479 | ###############################
480 | echo "5.1.3 Check System Wide Applications for appropriate permissions"
481 | #Change permissions so that "Others" can only execute
482 | #chmod -R o-w /Applications/Bad\ Permissions.app/
483 | for files in `sudo find /Applications -iname "*\.app" -type d -perm -2 -ls`; do
484 | sudo chmod -R o-w $files
485 | done
486 | ###############################
487 | echo "5.1.4 Check System folder for world writable files"
488 | #Change permissions so that "Others" can only execute
489 | #chmod -R o-w /Bad/Directory
490 | for files in `sudo find /System -type d -perm -2 -ls | grep -v "Public/Drop Box"`; do
491 | sudo chmod -R o-w $files
492 | done
493 | ###############################
494 | echo "5.1.5 Check Library folder for world writable files"
495 | #Change permissions so that "Others" can only execute
496 | #chmod -R o-w /Bad/Directory
497 | for files in `sudo find /Library -type d -perm -2 -ls | grep -v Caches`; do
498 | sudo chmod -R o-w $files
499 | done
500 | ###############################
501 | echo "5.2 Reduce the timeout period - requires reboot"
502 | /bin/cat << EOM > /etc/sudoers
503 | ## sudoers file.
504 | ##
505 | ## This file MUST be edited with the 'visudo' command as root.
506 | ## Failure to use 'visudo' may result in syntax or file permission errors
507 | ## that prevent sudo from running.
508 | ##
509 | ## See the sudoers man page for the details on how to write a sudoers file.
510 | ##
511 |
512 | ##
513 | ## Host alias specification
514 | ##
515 | ## Groups of machines. These may include host names (optionally with wildcards),
516 | ## IP addresses, network numbers or netgroups.
517 | # Host_Alias WEBSERVERS = www1, www2, www3
518 |
519 | ##
520 | ## User alias specification
521 | ##
522 | ## Groups of users. These may consist of user names, uids, Unix groups,
523 | ## or netgroups.
524 | # User_Alias ADMINS = millert, dowdy, mikef
525 |
526 | ##
527 | ## Cmnd alias specification
528 | ##
529 | ## Groups of commands. Often used to group related commands together.
530 | # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
531 | # /usr/bin/pkill, /usr/bin/top
532 |
533 | ##
534 | ## Defaults specification
535 | ##
536 |
537 | Defaults env_reset
538 | Defaults env_keep += "BLOCKSIZE"
539 | Defaults env_keep += "COLORFGBG COLORTERM"
540 | Defaults env_keep += "__CF_USER_TEXT_ENCODING"
541 | Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
542 | Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
543 | Defaults env_keep += "LINES COLUMNS"
544 | Defaults env_keep += "LSCOLORS"
545 | Defaults env_keep += "SSH_AUTH_SOCK"
546 | Defaults env_keep += "TZ"
547 | Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
548 | Defaults env_keep += "EDITOR VISUAL"
549 | Defaults env_keep += "HOME MAIL"
550 | Defaults timestamp_timeout=0
551 |
552 | Defaults lecture_file = "/etc/sudo_lecture"
553 |
554 | ##
555 | ## Runas alias specification
556 | ##
557 |
558 | ##
559 | ## User privilege specification
560 | ##
561 | root ALL=(ALL) ALL
562 | %admin ALL=(ALL) ALL
563 | %localadmin ALL=(ALL) ALL
564 |
565 | ## Uncomment to allow members of group wheel to execute any command
566 | # %wheel ALL=(ALL) ALL
567 |
568 | ## Same thing without a password
569 | # %wheel ALL=(ALL) NOPASSWD: ALL
570 |
571 | ## Uncomment to allow members of group sudo to execute any command
572 | # %sudo ALL=(ALL) ALL
573 |
574 | ## Uncomment to allow any user to run sudo if they know the password
575 | ## of the user they are running the command as (root by default).
576 | # Defaults targetpw # Ask for the password of the target user
577 | # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
578 |
579 | ## Read drop-in files from /private/etc/sudoers.d
580 | ## (the '#' here does not indicate a comment)
581 | #includedir /private/etc/sudoers.d
582 | EOM
583 | ###############################
584 | #echo "5.3 Automatically lock the login keychain for inactivity"
585 | #echo "Verify that a value is returned below 6 hours: Keychain \"\" timeout=21600s"
586 | #security show-keychain-info
587 | #Perform the following to implement the prescribed state:
588 | # 1. Open Utilities
589 | # 2. Select Keychain Access
590 | # 3. Select a keychain
591 | # 4. Select Edit
592 | # 5. Select Change Settings for keychain
593 | # 6. Authenticate, if requested.
594 | # 7. Change the Lock after # minutes of inactivity setting for the Login Keychain to an
595 | # approved value that should be longer than 6 hours or 3600 minutes or based on the access frequency of the security credentials included in the keychain for other keychains.
596 | ###############################
597 | #echo "5.4 Ensure login keychain is locked when the computer sleeps"
598 | #echo "Verify that the value returned contains: Keychain \"\" lock-on-sleep"
599 | #security show-keychain-info
600 | # Perform the following to implement the prescribed state:
601 | # 1. Open Utilities
602 | # 2. Select Keychain Access
603 | # 3. Select a keychain
604 | # 4. Select Edit
605 | # 5. Select Change Settings for keychain
606 | # 6. Authenticate, if requested.
607 | # 7. Select Lock when sleeping setting
608 | ###############################
609 | echo "5.5 Enable OCSP and CRL certificate checking"
610 | defaults write com.apple.security.revocation CRLStyle -string RequireIfPresent
611 | defaults write com.apple.security.revocation OCSPStyle -string RequireIfPresent
612 | ###############################
613 | echo "5.6 Do not enable the \"root\" account"
614 | #Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User.
615 | #correctly configured by default on installs. no hardening step required.
616 | ###############################
617 | echo "5.7 Disable automatic login"
618 | sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
619 | ###############################
620 | echo "5.8 Require a password to wake the computer from sleep or screen saver - requires reboot"
621 | defaults write com.apple.screensaver askForPassword -int 1
622 | ###############################
623 | echo "5.9 Require an administrator password to access system-wide preferences"
624 | #security authorizationdb write system.preferences allow
625 | #security authorizationdb read system.preferences > /tmp/system.preferences.plist
626 | #defaults write /tmp/system.preferences.plist shared -bool false
627 | #security authorizationdb write system.preferences < /tmp/system.preferences.plist
628 | #echo Set Preferences...
629 | security authorizationdb read system.preferences > /tmp/system.preferences.plist
630 | sleep 1
631 | defaults write /tmp/system.preferences.plist shared -bool false
632 | sleep 1
633 | sudo security authorizationdb write system.preferences < /tmp/system.preferences.plist
634 | sleep 1
635 | #echo Done.
636 | ###############################
637 | echo "5.10 Disable ability to login to another user's active and locked session"
638 | echo "No results will be returned if the system is configured as recommended."
639 | #Perform the following to implement the prescribed state:
640 | # 1. vi /etc/pam.d/screensaver
641 | # 2. Locate account required pam_group.so no_warn group=admin,wheel fail_safe
642 | # 3. Remove "admin,"
643 | # 4. Save
644 | sed -ie "s/group=admin,wheel/group=wheel/" /etc/pam.d/screensaver
645 |
646 | ###############################
647 | echo "5.11 Complex passwords must contain an Alphabetic Character"
648 | echo "5.12 Complex passwords must contain a Numeric Character"
649 | echo "5.13 Complex passwords must contain a Symbolic Character"
650 | echo "5.14 Set a minimum password length"
651 | echo "5.15 Configure account lockout threshold"
652 | pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=12 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
653 |
654 | #echo "5.16 Create a custom message for the Login Screen"
655 | # since the systems will be on the domain, we are not doing this step
656 | # Perform the following to implement the prescribed state:
657 | # 1. To add text with elevated privileges:
658 | # defaults write /Library/Preferences/com.apple.loginwindow \LoginwindowText "your text here"
659 | # To remove the text with elevated privileges:
660 | # defaults delete /Library/Preferences/com.apple.loginwindow \LoginwindowText
661 | ###############################
662 |
663 | #echo "5.17 Create a Login window banner"
664 | # since the systems will be on the domain, we are not doing this step
665 | # Run the following command to see the login window text:
666 | # cat /Library/Security/PolicyBanner.txt
667 | # Remediation:
668 | # Place a file named PolicyBanner.txt in/Library/Security/
669 | ###############################
670 | #echo "5.18 Do not enter a password-related hint"
671 | # since the systems will be on the domain, we are not doing this step
672 | # Remediation:
673 | # 1. Open System Preferences
674 | # 2. Select Users & Groups
675 | # 3. Highlight the user
676 | # 4. Select Change Password
677 | # 5. Verify that no text is entered in the Password hint box
678 | ###############################
679 |
680 | echo "5.19 Disable Fast User Switching"
681 | # since the systems will be on the domain, we are not doing this step
682 | #In System Preferences: Accounts, Login Options, make sure the "Enable fast user switching" checkbox is off.
683 | defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool 'NO'
684 |
685 | ###############################
686 | #echo "5.20 Secure individual keychain items"
687 | #small value add in security for large user inconvience.
688 | # Remediation:
689 | # 1. Open Utilities
690 | # 2. Select Keychain Access
691 | # 3. Double-click keychain
692 | # 4. Select Access Control
693 | # 5. Check box next to "Ask for Keychain Password"
694 | ###############################
695 |
696 | #echo "5.21 Create specialized keychains for different purposes"
697 | #small value add in security for large user inconvience.
698 | # Remediation:
699 | # 1. Open Utilities
700 | # 2. Select Keychain Access
701 | # 3. Select File
702 | # 4. Select New Keychain
703 | # 5. Input name of new keychain next to Save As
704 | # 6. Select Create
705 | # 7. Drag and drop desired keychain items into new keychain from login keychain
706 | ##############################################################
707 | #6 User Accounts and Environment#################################################
708 | echo "6 User Accounts and Environment"
709 | echo "6.1 Accounts Preferences Action Items"
710 | echo "6.1.1 Display login window as name and password"
711 | defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes
712 |
713 | echo "6.1.2 Disable \"Show password hints\""
714 | defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
715 |
716 | echo "6.1.3 Disable guest account login"
717 | defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
718 |
719 | echo "6.1.4 Disable \"Allow guests to connect to shared folders\""
720 | #For AFP sharing:
721 | defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no
722 | #For SMB sharing:
723 | defaults write \ /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no
724 | ###############################
725 | echo "6.2 Turn on filename extensions"
726 | defaults write NSGlobalDomain AppleShowAllExtensions -bool true
727 | ###############################
728 | echo "6.3 Disable the automatic run of safe files in Safari"
729 | defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no
730 | ###############################
731 | #echo "6.4 Use parental controls for systems that are not centrally managed"
732 | #Remediation:
733 | # 1. Open System Preferences
734 | # 2. Select Users & Groups
735 | # 3. Highlight managed user
736 | # 4. Check box next to Enable parental controls
737 | # 5. Select Open Parental Controls
738 | # 6. Select items within the Parental Controls feature that should be restricted.
739 | ##############################################################
740 | #7 Appendix: Additional Considerations#################################################
741 |
742 | # echo "7 Appendix: Additional Considerations"
743 | # echo "7.1 Wireless Adapters on Mobile Clients"
744 | # echo "7.2 iSight Camera Privacy and Confidentiality Concerns"
745 | # echo "7.3 Computer Name Considerations"
746 | # echo "7.4 Software Inventory Considerations"
747 | # echo "7.5 Firewall Consideration"
748 | # echo "7.6 Automatic Actions for Optical Media"
749 | # echo "7.7 App Store Automatically download apps purchased on other Macs Considerations"
750 | # echo "7.8 Extensible Firmware Interface (EFI) password"
751 | # echo "7.9 Apple ID password reset"
752 | ##############################################################
753 | ############Security applications
754 | #Security 1.1 - join system to domain
755 | #Security 1.3 - modify hosts.allow
756 | touch /etc/hosts.allow
757 | echo "ALL: 10.0.0.0/255.0.0.0" >/etc/hosts.allow
758 | echo "ALL: 172.16.0.0/255.240.0.0" >>/etc/hosts.allow
759 | echo "ALL: 192.168.0.0/255.255.0.0" >>/etc/hosts.allow
760 | /bin/chmod 644 /etc/hosts.allow
761 | #Security 1.4 - modify hosts.deny
762 | touch /etc/hosts.deny
763 | echo "ALL: ALL" >> /etc/hosts.deny
764 | /bin/chmod 644 /etc/hosts.deny
765 | #Security 1.5 - configure ssh
766 | mv /etc/sshd_config /etc/sshd_config.bak
767 | /bin/cat << EOM > /etc/sshd_config
768 | SyslogFacility AUTHPRIV
769 | AuthorizedKeysFile .ssh/authorized_keys
770 | UsePrivilegeSeparation sandbox # Default for new installations.
771 | AcceptEnv LANG LC_*
772 | # override default of no subsystems
773 | Subsystem sftp /usr/libexec/sftp-server
774 | ## Random SSH port
775 | Port 22
776 | ## Sets listening address on server. default=0.0.0.0
777 | #ListenAddress 192.168.0.1
778 | ## Enforcing SSH Protocol 2 only
779 | Protocol 2
780 | ## Checks users on their home directority and rhosts, that they arent world-writable
781 | StrictModes yes
782 | ## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used -i in authentication
783 | IgnoreRhosts yes
784 | ## Disable direct root login, with no you need to login with account, then "su" you into root
785 | PermitRootLogin no
786 | UsePrivilegeSeparation yes
787 | UsePAM yes
788 | PasswordAuthentication yes
789 | ChallengeResponseAuthentication no
790 | AllowTcpForwarding yes
791 | X11Forwarding no
792 | #PubkeyAuthentication yes
793 | RSAAuthentication no
794 | GSSAPIAuthentication no
795 | KerberosAuthentication no
796 | HostbasedAuthentication no
797 | RhostsRSAAuthentication no
798 | LogLevel INFO
799 | PermitUserEnvironment no
800 | Ciphers aes128-ctr,aes192-ctr,aes256-ctr
801 | ClientAliveInterval 300
802 | ClientAliveCountMax 0
803 | MaxAuthTries 4
804 | PermitEmptyPasswords no
805 | ## Adds a login banner that the user can see
806 | #Banner /etc/motd
807 | PrintMotd yes
808 | ## Add users or groups that are allowed to log in
809 | #AllowUsers serveradmin
810 | AllowGroups admin localadmin
811 | #if you run a command through SSH directly without going interactive (EX: ssh root@system COMMAND), the command won’t be logged anywhere.
812 | #this line will fix that
813 | ForceCommand if [[ -z \$SSH_ORIGINAL_COMMAND ]]; then bash; else printf "\x23\`date +%s\`\n\$SSH_ORIGINAL_COMMAND\n" >> .bash_history; bash -c "\$SSH_ORIGINAL_COMMAND"; fi
814 | EOM
815 | ##############################################################
816 | #Security 3.1 - configure security logging
817 | # echo "Configuring Security Logging"
818 | # #backup /etc/audit/audit.rules
819 | # cp /etc/audit/audit.rules /etc/audit/audit.rules.bk
820 | # #reconfigure /etc/audit/audit.rules
821 | # echo "--- Configuring auditd ---"
822 | # echo " This configuration change will not work until after a reboot"
823 | # #backup pam modules
824 | # cp /private/etc/pam.d/login /private/etc/pam.d/login.bk
825 | # cp /private/etc/pam.d/gdm /private/etc/pam.d/gdm
826 | # #reconfigure pam
827 | # #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
828 | # echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/login
829 | # echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/gdm
830 | # echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/sshd
831 | # #backup bashrc
832 | # for user in `ls /Users | grep -v .localized`; do
833 | # cp /Users/$user/.bashrc /Users/$user/.bashrc.bk
834 | # done
835 | # #reconfigure bashrc
836 | # echo "--- Enabling Real time bash history for all current users ---"
837 | # for user in `ls /Users | grep -v .localized`; do
838 | # echo 'export HISTCONTROL=ignoredups:erasedups # no duplicate entries' >> /Users/$user/.bashrc
839 | # echo 'export HISTSIZE=100000 # big big history' >> /Users/$user/.bashrc
840 | # echo 'export HISTFILESIZE=100000 # big big history' >> /Users/$user/.bashrc
841 | # echo 'export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp' >> /Users/$user/.bashrc
842 | # echo "shopt -s histappend # append to history, don't overwrite it" >> /Users/$user/.bashrc
843 | # echo '# After each command, append to the history file and reread it' >> /Users/$user/.bashrc
844 | # echo 'export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"' >> /Users/$user/.bashrc
845 | # done
846 | # #backup bashrc for root
847 | # cp /private/etc/bashrc /private/etc/bashrc.bk
848 | # #reconfigure /root/bashrc
849 | # echo "--- Enabling Real time bash history for root ---"
850 | # /bin/cat << EOM > /private/etc/bashrc
851 | # # .bashrc
852 | # # User specific aliases and functions
853 | # alias rm='rm -i'
854 | # alias cp='cp -i'
855 | # alias mv='mv -i'
856 | # # Source global definitions
857 | # if [ -f /private/etc/bashrc ]; then
858 | # . /private/etc/bashrc
859 | # fi
860 | # export HISTCONTROL=ignoredups:erasedups # no duplicate entries
861 | # export HISTSIZE=100000 # big big history
862 | # export HISTFILESIZE=100000 # big big history
863 | # export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp
864 | # shopt -s histappend # append to history, don't overwrite it
865 | # # After each command, append to the history file and reread it
866 | # export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
867 | # EOM
868 | #complete
869 | echo "-------------------complete---------------"
870 |
--------------------------------------------------------------------------------
/OSX/OSX_ElCapitan_Server/CIS_MacOSX_1011_Hardening-Servers.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | #CIS MacOSX 10.11 hardening script
4 | #v1.1.0 - 04-02-2015
5 | #author rnolette
6 | #date 06/06/2016
7 | #version 1.0
8 | #description: This script will harden a system for compliance with the CIS V1.1.0 hardening guide for MacOSX
9 | #####################################################################
10 | #check to see if script is being run as root
11 | if [ "$EUID" -ne 0 ]
12 | then echo "Please run as root"
13 | exit
14 | fi
15 | #disabled since filevault is not required for servers
16 | # echo "Please enter the password for the macadmin user: "
17 | # read macadminpassword
18 | ######################################################################
19 | #1 Install Updates, Patches and Additional Security Software#################################################
20 |
21 | echo "1 Install Updates, Patches and Additional Security Software"
22 | echo "1.1 Verify all application software is current"
23 | softwareupdate --install --all
24 |
25 | echo "1.2 Enable Auto Update"
26 | defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1
27 |
28 | echo "1.3 Enable app update installs - requires a reboot to take effect"
29 | defaults write /Library/Preferences/com.apple.storeagent AutoUpdate -int 1
30 |
31 | echo "1.4 Enable system data files and security update installs"
32 | defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
33 |
34 | echo "1.5 Enable OS X update installs"
35 | defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE
36 |
37 | #####################################################################
38 | #2 System Preferences#################################################
39 | #no bluetooth on servers
40 | #
41 | # echo "2 System Preferences"
42 | # echo "2.1 Bluetooth"
43 | # echo "2.1.1 Disable Bluetooth, if no paired devices exist"
44 | # defaults write /Library/Preferences/com.apple.Bluetooth \ ControllerPowerState -int 0
45 | # killall -HUP blued
46 | # echo "2.1.2 Disable Bluetooth \"Discoverable\" mode when not pairing devices"
47 | # /usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable
48 | # echo "If query returns \"Discoverable: On\" you need to turn discoverable off."
49 | # echo "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open."
50 | # echo "2.1.3 Show Bluetooth status in menu bar"
51 | # defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"###############################
52 | ###############################
53 | # echo "2.2 Date & Time"
54 | systemsetup -f -setnetworktimeserver NTP.domain.local
55 |
56 | #echo "2.2.2 Ensure time set is within appropriate limits"
57 | #already completed in step 2.2
58 | #systemsetup -f -getnetworktimeserver
59 | ###############################
60 | echo "2.3 Desktop & Screen Saver"
61 | echo "2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver"
62 | #set to 10 minutes
63 | defaults -currentHost write com.apple.screensaver idleTime -int 600
64 |
65 | #echo "2.3.2 Secure screen saver corners"
66 | # Perform the following to implement the prescribed state:
67 | # 1. Open System Preferences
68 | # 2. Select Mission Control
69 | # 3. Select Hot Corners
70 | # 4. Remove any corners which are set to Disable Screen Saver
71 | #below is an applescript equivalent of these steps
72 | touch disableSharing.scpt
73 | /bin/cat << EOM > disableSharing.scpt
74 | property theSavedValues : {"Mission Control", "Desktop", "Dashboard", "Launchpad"} -- for example
75 | tell application "System Preferences"
76 | activate
77 | set current pane to pane id "com.apple.preference.expose"
78 | tell application "System Events"
79 | tell window "Mission Control" of process "System Preferences"
80 | click button "Hot Corners…"
81 | tell sheet 1
82 | tell group 1
83 | set theCurrentValues to value of pop up buttons
84 | if theCurrentValues is {"-", "-", "-", "-"} then
85 | --do nothing
86 | else
87 | copy theCurrentValues to theSavedValues
88 | repeat with i from 1 to 4
89 | tell pop up button i
90 | click
91 | click last menu item of menu 1
92 | end tell
93 | end repeat
94 | end if
95 | end tell
96 | click button "OK"
97 | end tell
98 | end tell
99 | end tell
100 | quit
101 | end tell
102 | EOM
103 | #Enable Access for Assistive Devices Command Line
104 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
105 | #run applescript
106 | osascript disableSharing.scpt
107 | #Disable Access for Assistive Devices Command Line
108 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
109 | #remove script after usage
110 | rm -r disableSharing.scpt
111 |
112 | #echo "2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver"
113 | # In System Preferences: Energy Saver, drag the slider for "Put the display(s) to sleep..." to a reasonable number, but longer than the screen saver setting. The Mac will display a warning if the number is too short.
114 | # Alternatively, use the following command: pmset -c displaysleep 0
115 | # Note: The -c flag means "wall power." Different settings must be used for other power sources.
116 | #pmset -c displaysleep 0
117 |
118 | #echo "2.3.4 Set a screen corner to Start Screen Saver"
119 | # In System Preferences: Desktop & Screen Saver: Screen Saver: Hot Corners, make sure at least one Active Screen Corner is set to Start Screen Saver. Make sure the user knows about this feature.
120 | # The screen corners can be set using the defaults command, but the permutations of combinations are many. The plist file to check is ~/Library/Preferences/com.apple.dock and the keys are wvous-bl-corner wvous-br-corner wvous-tl-corner wvous-tr-corner
121 | # There are also modifier keys to check and various values for each of these keys. A value of 5 means the corner will start the screen saver. The corresponding wvous-xx-modifier key should be set to 0.
122 |
123 | ###############################
124 | echo "2.4 Sharing"
125 | echo "2.4.1 Disable Remote Apple Events"
126 | systemsetup -f setremoteappleevents off
127 |
128 | echo "2.4.2 Disable Internet Sharing"
129 | echo "The file should not exist or Enabled = 0 for all network interfaces."
130 | # Remediation:
131 | # Perform the following to implement the prescribed state:
132 | # 1. Open System Preferences
133 | # 2. Select Sharing
134 | # 3. Uncheck Internet Sharing
135 | #below is an applescript equivalent of these steps
136 | touch disableSharing.scpt
137 | /bin/cat << EOM > disableSharing.scpt
138 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
139 | tell application "System Events" to tell process "System Preferences"
140 | tell row 8 of table 1 of scroll area 1 of group 1 of window "Sharing"
141 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
142 | end tell
143 | end tell
144 | ignoring application responses
145 | tell application "System Preferences" to quit
146 | end ignoring
147 | EOM
148 | #Enable Access for Assistive Devices Command Line
149 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
150 | #run applescript
151 | osascript disableSharing.scpt
152 | #Disable Access for Assistive Devices Command Line
153 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
154 | #remove script after usage
155 | rm -r disableSharing.scpt
156 |
157 |
158 | echo "2.4.3 Disable Screen Sharing"
159 | echo "Verify the value returned is nothing found to load"
160 | # Perform the following to implement the prescribed state:
161 | # 1. Open System Preferences
162 | # 2. Select Sharing
163 | # 3. Uncheck Screen Sharing
164 | #below is an applescript equivalent of these steps
165 | touch disableSharing.scpt
166 | /bin/cat << EOM > disableSharing.scpt
167 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
168 | tell application "System Events" to tell process "System Preferences"
169 | tell row 2 of table 1 of scroll area 1 of group 1 of window "Sharing"
170 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
171 | end tell
172 | end tell
173 | ignoring application responses
174 | tell application "System Preferences" to quit
175 | end ignoring
176 | EOM
177 | #Enable Access for Assistive Devices Command Line
178 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
179 | #run applescript
180 | osascript disableSharing.scpt
181 | #Disable Access for Assistive Devices Command Line
182 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
183 | #remove script after usage
184 | rm -r disableSharing.scpt
185 |
186 |
187 |
188 | echo "2.4.4 Disable Printer Sharing"
189 | echo "The output should show \"Shared: No\" for all printers. If no printers are present, the above command will yield \"Status: The printers list is empty.\""
190 | #Perform the following to implement the prescribed state:
191 | #1. Open System Preferences
192 | #2. Select Sharing
193 | #3. Uncheck Printer Sharing
194 | #below is an applescript equivalent of these steps
195 | touch disableSharing.scpt
196 | /bin/cat << EOM > disableSharing.scpt
197 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
198 | tell application "System Events" to tell process "System Preferences"
199 | tell row 4 of table 1 of scroll area 1 of group 1 of window "Sharing"
200 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
201 | end tell
202 | end tell
203 | ignoring application responses
204 | tell application "System Preferences" to quit
205 | end ignoring
206 | EOM
207 | #Enable Access for Assistive Devices Command Line
208 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
209 | #run applescript
210 | osascript disableSharing.scpt
211 | #Disable Access for Assistive Devices Command Line
212 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
213 | #remove script after usage
214 | rm -r disableSharing.scpt
215 |
216 |
217 | #echo "2.4.5 Disable Remote Login"
218 | #systemsetup -f -setremotelogin off
219 |
220 | echo "2.4.6 Disable DVD or CD Sharing"
221 | echo "There should be no results"
222 | # Perform the following to implement the prescribed state:
223 | # 1. Open System Preferences
224 | # 2. Select Sharing
225 | # 3. Uncheck DVD or CD Sharing
226 | #below is an applescript equivalent of these steps
227 | touch disableSharing.scpt
228 | /bin/cat << EOM > disableSharing.scpt
229 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
230 | tell application "System Events" to tell process "System Preferences"
231 | tell row 1 of table 1 of scroll area 1 of group 1 of window "Sharing"
232 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
233 | end tell
234 | end tell
235 | ignoring application responses
236 | tell application "System Preferences" to quit
237 | end ignoring
238 | EOM
239 | #Enable Access for Assistive Devices Command Line
240 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
241 | #run applescript
242 | osascript disableSharing.scpt
243 | #Disable Access for Assistive Devices Command Line
244 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
245 | #remove script after usage
246 | rm -r disableSharing.scpt
247 |
248 |
249 | echo "2.4.7 Disable Bluetooth Sharing"
250 | echo "Verify that all values are Disabled"
251 | system_profiler SPBluetoothDataType | grep State
252 | # Perform the following to implement the prescribed state:
253 | # 1. Open System Preferences
254 | # 2. Select Sharing
255 | # 3. Uncheck Bluetooth Sharing
256 | #below is an applescript equivalent of these steps
257 | touch disableSharing.scpt
258 | /bin/cat << EOM > disableSharing.scpt
259 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
260 | tell application "System Events" to tell process "System Preferences"
261 | tell row 9 of table 1 of scroll area 1 of group 1 of window "Sharing"
262 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
263 | end tell
264 | end tell
265 | ignoring application responses
266 | tell application "System Preferences" to quit
267 | end ignoring
268 | EOM
269 | #Enable Access for Assistive Devices Command Line
270 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
271 | #run applescript
272 | osascript disableSharing.scpt
273 | #Disable Access for Assistive Devices Command Line
274 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
275 | #remove script after usage
276 | rm -r disableSharing.scpt
277 |
278 | echo "2.4.8 Disable File Sharing"
279 | #Run the following command in Terminal to turn off AFP from the command line:
280 | launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
281 | #Run the following command in Terminal to turn off SMB sharing from the CLI:
282 | launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
283 |
284 | echo "2.4.9 Disable Remote Management"
285 | # In System Preferences: Sharing, turn off Remote Management.
286 | #below is an applescript equivalent of these steps
287 | touch disableSharing.scpt
288 | /bin/cat << EOM > disableSharing.scpt
289 | tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
290 | tell application "System Events" to tell process "System Preferences"
291 | tell row 6 of table 1 of scroll area 1 of group 1 of window "Sharing"
292 | tell checkbox 1 to if value is 1 then click -- checkbox was not checked.
293 | end tell
294 | end tell
295 | ignoring application responses
296 | tell application "System Preferences" to quit
297 | end ignoring
298 | EOM
299 | #Enable Access for Assistive Devices Command Line
300 | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL);"
301 | #run applescript
302 | osascript disableSharing.scpt
303 | #Disable Access for Assistive Devices Command Line
304 | sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='com.apple.Terminal';"
305 | #remove script after usage
306 | rm -r disableSharing.scpt
307 | ###############################
308 | # echo "2.5 Energy Saver"
309 | # echo "2.5.1 Disable \"Wake for network access\""
310 | # pmset -a womp 0
311 |
312 | echo "2.5.2 Disable sleeping the computer when connected to power"
313 | pmset -c sleep 0
314 | ###############################
315 | echo "2.6 Security & Privacy"
316 | # echo "2.6.1 Enable FileVault"
317 | # echo "On a booted system the Logical Volume should show as both Encrypted and unlocked"
318 | # echo "Encryption Status: Unlocked"
319 | # echo "Encryption Type: AES-XTS"
320 | # diskutil cs list | grep -i encryption
321 | # # Perform the following to implement the prescribed state:
322 | # # 1. Open System Preferences
323 | # # 2. Select Security & Privacy
324 | # # 3. Select FileVault
325 | # # 4. Select Turn on FileVault
326 | # #scripted out for the above steps
327 | # touch fdesetup.plist
328 | # /bin/cat << EOM > fdesetup.plist
329 | #
330 | #
331 | #
332 | #
333 | # Username
334 | # macadmin
335 | # Password
336 | # $macadminpassword
337 | #
338 | #
339 | # EOM
340 | # fdesetup enable -inputplist < fdesetup.plist &> fdekey.txt
341 | # rm -f fdesetup.plist
342 | # #disabled filevault
343 | # #fdesetup disable
344 |
345 | echo "2.6.2 Enable Gatekeeper"
346 | spctl --master-enable
347 |
348 | echo "2.6.3 Enable Firewall"
349 | #Where is:
350 | # 1 = on for specific services
351 | # 2 = on for essential services
352 | defaults write /Library/Preferences/com.apple.alf globalstate -int 1
353 |
354 | #echo "2.6.4 Enable Firewall Stealth Mode"
355 | #/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
356 |
357 | # echo "2.6.5 Review Application Firewall Rules"
358 | # echo "List all firewall exceptions"
359 | # /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
360 | # Edit and run the following command in Terminal to remove specific applications: /usr/libexec/ApplicationFirewall/socketfilterfw --remove
361 | # Where is the one to be removed
362 | ###############################
363 | # echo "2.7 iCloud"
364 | # echo "2.7.1 iCloud configuration"
365 | # echo "2.7.2 iCloud keychain"
366 | # echo "2.7.3 iCloud Drive"
367 | # defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
368 | ###############################
369 | echo "2.8 Pair the remote control infrared receiver if enabled"
370 | #are there IR recievers
371 | #system_profiler 2>/dev/null | egrep "IR Receiver"
372 | # echo "Verify the value returned for DeviceEnabled = 0; If the value returned is DeviceEnabled = 1, then verify the value returned for the UIDFilter does not equal none"
373 | # defaults read /Library/Preferences/com.apple.driver.AppleIRController
374 | #Disable the remote control infrared receiver:
375 | # 1. Open System Preferences
376 | # 2. Select Security & Privacy
377 | # 3. Select the General tab
378 | # 4. Select Advanced
379 | # 5. Check Disable remote control infrared receiver
380 | defaults write /Library/Preferences/com.apple.driver.AppleIRController.plist DeviceEnabled -bool NO
381 | ###############################
382 | echo "2.9 Enable Secure Keyboard Entry in terminal.app"
383 | echo "verify the value returned is 1"
384 | /usr/bin/defaults write -app Terminal SecureKeyboardEntry 1
385 | #1. Open Terminal
386 | # 2. Select Terminal
387 | # 3. Select Secure Keyboard Entry
388 | ###############################
389 | # echo "2.10 Java 6 is not the default Java runtime"
390 | # echo "The output of the above command should not return a result with Java 6:"
391 | # #echo "Java version 1.6.0_x"
392 | # #echo "Java(TM) SE Runtime Environment (build 1.6.0_x)"
393 | # java -version
394 | ###############################
395 | echo "2.11 Securely delete files as needed"
396 | echo "Make sure the value returned for each user is 1"
397 | #1. Select Finder
398 | # 2. Select Preferences
399 | # 3. Select Advanced
400 | # 4. Check Empty Trash Securely
401 | #3 Logging and Auditing
402 | defaults write com.apple.finder EmptyTrashSecurely -bool true
403 | #################################################
404 |
405 | echo "3 Logging and Auditing"
406 | echo "3.1 Configure asl.conf"
407 | echo "3.1.1 Retain system.log for 90 or more days"
408 | /usr/bin/sed -i.bak 's/^>\ system\.log.*/>\ system\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl.conf
409 |
410 | echo "3.1.2 Retain appfirewall.log for 90 or more days"
411 | /usr/bin/sed -i.bak 's/^\?\ \[=\ Facility\ com.apple.alf.logging\]\ .*/\?\ \[=\ Facility\ com.apple.alf.logging\]\ file\ appfirewall.log\ rotate=seq\ ttl=90/' /etc/asl.conf
412 |
413 | echo "3.1.3 Retain authd.log for 90 or more days "
414 | /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/authd\.log.*/\*\ file\ \/var\/log\/authd\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=90/' /etc/asl/com.apple.authd
415 | ###############################
416 | echo "3.2 Enable security auditing"
417 | if [[ "$(/bin/launchctl list | grep -i auditd | awk '{ print $3 }')" = "com.apple.auditd" ]]; then
418 | ScriptLogging " Security Auditing enabled."
419 | else
420 | /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
421 | fi
422 | ###############################
423 | echo "3.3 Configure Security Auditing Flags"
424 | # echo "Ensure at least the following flags are present:"
425 | # echo "lo - audit successful/failed login/logout events"
426 | # echo "ad - audit successful/failed administrative events"
427 | # echo "fd - audit successful/failed file deletion events"
428 | # echo "fm - audit successful/failed file attribute modification events"
429 | # echo "-all - audit all failed events across all audit classes"
430 | #Perform the following to implement the prescribed state:
431 | # 1. Open a terminal session and edit the /etc/security/audit_control file
432 | # 2. Find the line beginning with "flags"
433 | # 3. Add the following flags: lo, ad, fd, fm, -all.
434 | # 4. Save the file.
435 | /usr/bin/sed -i '' 's/^flags:.*/flags:lo,ad,fd,fm,-all/' /etc/security/audit_control
436 | /usr/bin/sed -i '' 's/^expire-after:.*/expire-after:90d\ AND\ 1G/' /etc/security/audit_control
437 |
438 | ###############################
439 | #echo "3.4 Enable remote logging for Desktops on trusted networks"
440 | ###############################
441 | echo "3.5 Retain install.log for 365 or more days"
442 | /usr/bin/sed -i.bak 's/^\*\ file\ \/var\/log\/install\.log.*/\*\ file\ \/var\/log\/install\.log\ mode=640\ format=bsd\ rotate=seq\ ttl=365/' /etc/asl/com.apple.install
443 | ##############################################################
444 | #4 Network Configurations
445 | echo "4 Network Configurations"
446 | echo "4.1 Disable Bonjour advertising service (Scored)"
447 | launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
448 | defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguments -array-add "-NoMulticastAdvertisements"
449 | launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
450 | ###############################
451 | #echo "4.2 Enable Show Wi-Fi status in menu bar (Scored)"
452 | ###############################
453 | #echo "4.3 Create network specific locations"
454 | ###############################
455 | echo "4.4 Ensure http server is not running"
456 | #stop web server
457 | apachectl stop
458 | #stop web server from auto start at boot
459 | defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true
460 | ###############################
461 | echo "4.4 Ensure ftp server is not running"
462 | -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
463 | ###############################
464 | echo "4.5 Ensure nfs server is not running"
465 | nfsd disable
466 | rm /etc/export
467 | ##############################################################
468 | #5 System Access, Authentication and Authorization
469 | echo "5 System Access, Authentication and Authorization"
470 | echo "5.1 File System Permissions and Access Controls"
471 | echo "5.1.1 Secure Home Folders"
472 | #Perform the following to implement the prescribed state:
473 | # 1. Run one of the following commands in Terminal:
474 | # chmod -R og-rwx /Users/
475 | # 2. chmod -R og-rw /Users/
476 | # 3. Substitute user name in .
477 | # 4. This command has to be run for each user account with a local home folder.
478 | for users in `ls /Users/`; do
479 | #echo $users
480 | sudo chmod -R og-rwx /Users/$users
481 | done
482 | ###############################
483 | echo "5.1.2 Check System Wide Applications for appropriate permissions"
484 | #Change permissions so that "Others" can only execute
485 | #chmod -R o-w /Applications/Bad\ Permissions.app/
486 | for files in `sudo find /Applications -iname "*\.app" -type d -perm -2 -ls`; do
487 | sudo chmod -R o-w $files
488 | done
489 | ###############################
490 | echo "5.1.3 Check System folder for world writable files"
491 | #Change permissions so that "Others" can only execute
492 | #chmod -R o-w /Bad/Directory
493 | for files in `sudo find /System -type d -perm -2 -ls | grep -v "Public/Drop Box"`; do
494 | sudo chmod -R o-w $files
495 | done
496 | ###############################
497 | echo "5.1.4 Check Library folder for world writable files"
498 | #Change permissions so that "Others" can only execute
499 | #chmod -R o-w /Bad/Directory
500 | for files in `sudo find /Library -type d -perm -2 -ls | grep -v Caches`; do
501 | sudo chmod -R o-w $files
502 | done
503 | ###############################
504 | echo "5.2 Password Management"
505 | #5.2.2 Set a minimum password length (Scored)
506 | #5.2.3 Complex passwords must contain an Alphabetic Character (Scored)
507 | #5.2.4 Complex passwords must contain a Numeric Character (Scored)
508 | #5.2.5 Complex passwords must contain a Special Character (Scored)
509 | #5.2.6 Complex passwords must uppercase and lowercase letters (Scored)
510 | #5.2.7 Password Age (Scored)
511 | #5.2.8 Password History (Scored)
512 | #
513 | pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=12 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
514 |
515 | ###############################
516 | echo "5.3 Reduce the sudo timeout period (Scored)"
517 | /bin/cat << EOM > /etc/sudoers
518 | ## sudoers file.
519 | ##
520 | ## This file MUST be edited with the 'visudo' command as root.
521 | ## Failure to use 'visudo' may result in syntax or file permission errors
522 | ## that prevent sudo from running.
523 | ##
524 | ## See the sudoers man page for the details on how to write a sudoers file.
525 | ##
526 |
527 | ##
528 | ## Host alias specification
529 | ##
530 | ## Groups of machines. These may include host names (optionally with wildcards),
531 | ## IP addresses, network numbers or netgroups.
532 | # Host_Alias WEBSERVERS = www1, www2, www3
533 |
534 | ##
535 | ## User alias specification
536 | ##
537 | ## Groups of users. These may consist of user names, uids, Unix groups,
538 | ## or netgroups.
539 | # User_Alias ADMINS = millert, dowdy, mikef
540 |
541 | ##
542 | ## Cmnd alias specification
543 | ##
544 | ## Groups of commands. Often used to group related commands together.
545 | # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
546 | # /usr/bin/pkill, /usr/bin/top
547 |
548 | ##
549 | ## Defaults specification
550 | ##
551 |
552 | Defaults env_reset
553 | Defaults env_keep += "BLOCKSIZE"
554 | Defaults env_keep += "COLORFGBG COLORTERM"
555 | Defaults env_keep += "__CF_USER_TEXT_ENCODING"
556 | Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
557 | Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
558 | Defaults env_keep += "LINES COLUMNS"
559 | Defaults env_keep += "LSCOLORS"
560 | Defaults env_keep += "SSH_AUTH_SOCK"
561 | Defaults env_keep += "TZ"
562 | Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
563 | Defaults env_keep += "EDITOR VISUAL"
564 | Defaults env_keep += "HOME MAIL"
565 | Defaults timestamp_timeout=0
566 |
567 | Defaults lecture_file = "/etc/sudo_lecture"
568 |
569 | ##
570 | ## Runas alias specification
571 | ##
572 |
573 | ##
574 | ## User privilege specification
575 | ##
576 | root ALL=(ALL) ALL
577 | %admin ALL=(ALL) ALL
578 | %macadmins ALL=(ALL) ALL
579 |
580 | ## Uncomment to allow members of group wheel to execute any command
581 | # %wheel ALL=(ALL) ALL
582 |
583 | ## Same thing without a password
584 | # %wheel ALL=(ALL) NOPASSWD: ALL
585 |
586 | ## Uncomment to allow members of group sudo to execute any command
587 | # %sudo ALL=(ALL) ALL
588 |
589 | ## Uncomment to allow any user to run sudo if they know the password
590 | ## of the user they are running the command as (root by default).
591 | # Defaults targetpw # Ask for the password of the target user
592 | # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
593 |
594 | ## Read drop-in files from /private/etc/sudoers.d
595 | ## (the '#' here does not indicate a comment)
596 | #includedir /private/etc/sudoers.d
597 | EOM
598 | ###############################
599 | #echo "5.4 Automatically lock the login keychain for inactivity"
600 | #echo "Verify that a value is returned below 6 hours: Keychain \"\" timeout=21600s"
601 | #security show-keychain-info
602 | #Perform the following to implement the prescribed state:
603 | # 1. Open Utilities
604 | # 2. Select Keychain Access
605 | # 3. Select a keychain
606 | # 4. Select Edit
607 | # 5. Select Change Settings for keychain
608 | # 6. Authenticate, if requested.
609 | # 7. Change the Lock after # minutes of inactivity setting for the Login Keychain to an
610 | # approved value that should be longer than 6 hours or 3600 minutes or based on the access frequency of the security credentials included in the keychain for other keychains.
611 | ###############################
612 | #echo "5.5 Ensure login keychain is locked when the computer sleeps"
613 | #echo "Verify that the value returned contains: Keychain \"\" lock-on-sleep"
614 | #security show-keychain-info
615 | # Perform the following to implement the prescribed state:
616 | # 1. Open Utilities
617 | # 2. Select Keychain Access
618 | # 3. Select a keychain
619 | # 4. Select Edit
620 | # 5. Select Change Settings for keychain
621 | # 6. Authenticate, if requested.
622 | # 7. Select Lock when sleeping setting
623 | ###############################
624 | echo "5.6 Enable OCSP and CRL certificate checking"
625 | defaults write com.apple.security.revocation CRLStyle -string RequireIfPresent
626 | defaults write com.apple.security.revocation OCSPStyle -string RequireIfPresent
627 | ###############################
628 | #echo "5.7 Do not enable the \"root\" account"
629 | #Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User.
630 | #correctly configured by default on installs. no hardening step required.
631 | ###############################
632 | echo "5.8 Disable automatic login"
633 | sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
634 | ###############################
635 | echo "5.9 Require a password to wake the computer from sleep or screen saver - requires reboot"
636 | defaults write com.apple.screensaver askForPassword -int 1
637 | ###############################
638 | echo "5.10 Require an administrator password to access system-wide preferences"
639 | #security authorizationdb write system.preferences allow
640 | #security authorizationdb read system.preferences > /tmp/system.preferences.plist
641 | #defaults write /tmp/system.preferences.plist shared -bool false
642 | #security authorizationdb write system.preferences < /tmp/system.preferences.plist
643 | #echo Set Preferences...
644 | security authorizationdb read system.preferences > /tmp/system.preferences.plist
645 | sleep 1
646 | defaults write /tmp/system.preferences.plist shared -bool false
647 | sleep 1
648 | sudo security authorizationdb write system.preferences < /tmp/system.preferences.plist
649 | sleep 1
650 | #echo Done.
651 | ###############################
652 | echo "5.11 Disable ability to login to another user's active and locked session"
653 | echo "No results will be returned if the system is configured as recommended."
654 | #Perform the following to implement the prescribed state:
655 | # 1. vi /etc/pam.d/screensaver
656 | # 2. Locate account required pam_group.so no_warn group=admin,wheel fail_safe
657 | # 3. Remove "admin,"
658 | # 4. Save
659 | sed -ie "s/group=admin,wheel/group=wheel/" /etc/pam.d/screensaver
660 |
661 | ###############################
662 |
663 | #echo "5.12 Create a custom message for the Login Screen"
664 | # since the systems will be on the domain, we are not doing this step
665 | # Perform the following to implement the prescribed state:
666 | # 1. To add text with elevated privileges:
667 | # defaults write /Library/Preferences/com.apple.loginwindow \LoginwindowText "your text here"
668 | # To remove the text with elevated privileges:
669 | # defaults delete /Library/Preferences/com.apple.loginwindow \LoginwindowText
670 | ###############################
671 |
672 | #echo "5.13 Create a Login window banner"
673 | # since the systems will be on the domain, we are not doing this step
674 | # Run the following command to see the login window text:
675 | # cat /Library/Security/PolicyBanner.txt
676 | # Remediation:
677 | # Place a file named PolicyBanner.txt in/Library/Security/
678 | ###############################
679 | #echo "5.14 Do not enter a password-related hint"
680 | # since the systems will be on the domain, we are not doing this step
681 | # Remediation:
682 | # 1. Open System Preferences
683 | # 2. Select Users & Groups
684 | # 3. Highlight the user
685 | # 4. Select Change Password
686 | # 5. Verify that no text is entered in the Password hint box
687 | ###############################
688 |
689 | echo "5.15 Disable Fast User Switching"
690 | # since the systems will be on the domain, we are not doing this step
691 | #In System Preferences: Accounts, Login Options, make sure the "Enable fast user switching" checkbox is off.
692 | defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool 'NO'
693 |
694 | ###############################
695 | #echo "5.16 Secure individual keychain items"
696 | #small value add in security for large user inconvience.
697 | # Remediation:
698 | # 1. Open Utilities
699 | # 2. Select Keychain Access
700 | # 3. Double-click keychain
701 | # 4. Select Access Control
702 | # 5. Check box next to "Ask for Keychain Password"
703 | ###############################
704 |
705 | #echo "5.17 Create specialized keychains for different purposes"
706 | #small value add in security for large user inconvience.
707 | # Remediation:
708 | # 1. Open Utilities
709 | # 2. Select Keychain Access
710 | # 3. Select File
711 | # 4. Select New Keychain
712 | # 5. Input name of new keychain next to Save As
713 | # 6. Select Create
714 | # 7. Drag and drop desired keychain items into new keychain from login keychain
715 | ###############################
716 | #5.18 System Integrity Protection status (Scored)
717 | #Perform the following while booted in OS X Recovery Partition.
718 | #1. Select Terminal from the Utilities menu
719 | #2. Run the following command in Terminal:
720 | /usr/bin/csrutil enable
721 | #3. The output should be:
722 | #Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.
723 | #4. Reboot.
724 | #If a change is to the status is attempted from the booted Operating System rather than the recovery partition an error will be generated.
725 | ###############################
726 | #5.19 Install an approved tokend for smartcard authentication (Not Scored)
727 | #Install the appropriate tokend middleware installer for MacOS Forge or third party vendor.
728 | #https://smartcardservices.macosforge.org/
729 | ##############################################################
730 | #6 User Accounts and Environment#################################################
731 | echo "6 User Accounts and Environment"
732 | echo "6.1 Accounts Preferences Action Items"
733 | echo "6.1.1 Display login window as name and password"
734 | defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes
735 |
736 | echo "6.1.2 Disable \"Show password hints\""
737 | defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
738 |
739 | echo "6.1.3 Disable guest account login"
740 | defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
741 |
742 | echo "6.1.4 Disable \"Allow guests to connect to shared folders\""
743 | #For AFP sharing:
744 | defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no
745 | #For SMB sharing:
746 | defaults write \ /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no
747 | ###############################
748 | echo "6.2 Turn on filename extensions"
749 | defaults write NSGlobalDomain AppleShowAllExtensions -bool true
750 | ###############################
751 | echo "6.3 Disable the automatic run of safe files in Safari"
752 | defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no
753 | ###############################
754 | #echo "6.4 Use parental controls for systems that are not centrally managed"
755 | #Remediation:
756 | # 1. Open System Preferences
757 | # 2. Select Users & Groups
758 | # 3. Highlight managed user
759 | # 4. Check box next to Enable parental controls
760 | # 5. Select Open Parental Controls
761 | # 6. Select items within the Parental Controls feature that should be restricted.
762 | ##############################################################
763 | #7 Appendix: Additional Considerations#################################################
764 |
765 | # echo "7 Appendix: Additional Considerations"
766 | # echo "7.1 Wireless Adapters on Mobile Clients"
767 | # echo "7.2 iSight Camera Privacy and Confidentiality Concerns"
768 | # echo "7.3 Computer Name Considerations"
769 | # echo "7.4 Software Inventory Considerations"
770 | # echo "7.5 Firewall Consideration"
771 | # echo "7.6 Automatic Actions for Optical Media"
772 | # echo "7.7 App Store Automatically download apps purchased on other Macs Considerations"
773 | # echo "7.8 Extensible Firmware Interface (EFI) password"
774 | # echo "7.9 Apple ID password reset"
775 | ##############################################################
776 | ############secops applications
777 | #secops 1.1 - join system to domain
778 | #secops 1.2 - modify hosts.allow
779 | touch /etc/hosts.allow
780 | echo "ALL: 10.0.0.0/255.0.0.0" >/etc/hosts.allow
781 | echo "ALL: 172.16.0.0/255.240.0.0" >>/etc/hosts.allow
782 | echo "ALL: 192.168.0.0/255.255.0.0" >>/etc/hosts.allow
783 | /bin/chmod 644 /etc/hosts.allow
784 | #secops 1.3 - modify hosts.deny
785 | touch /etc/hosts.deny
786 | echo "ALL: ALL" >> /etc/hosts.deny
787 | /bin/chmod 644 /etc/hosts.deny
788 | #secops 1.4 - configure ssh
789 | mv /etc/sshd_config /etc/sshd_config.bak
790 | /bin/cat << EOM > /etc/sshd_config
791 | SyslogFacility AUTHPRIV
792 | AuthorizedKeysFile .ssh/authorized_keys
793 | UsePrivilegeSeparation sandbox # Default for new installations.
794 | AcceptEnv LANG LC_*
795 | # override default of no subsystems
796 | Subsystem sftp /usr/libexec/sftp-server
797 | ## Random SSH port
798 | Port 22
799 | ## Sets listening address on server. default=0.0.0.0
800 | #ListenAddress 192.168.0.1
801 | ## Enforcing SSH Protocol 2 only
802 | Protocol 2
803 | ## Checks users on their home directority and rhosts, that they arent world-writable
804 | StrictModes yes
805 | ## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used -i in authentication
806 | IgnoreRhosts yes
807 | ## Disable direct root login, with no you need to login with account, then "su" you into root
808 | PermitRootLogin no
809 | UsePrivilegeSeparation yes
810 | UsePAM yes
811 | PasswordAuthentication yes
812 | ChallengeResponseAuthentication no
813 | AllowTcpForwarding yes
814 | X11Forwarding no
815 | #PubkeyAuthentication yes
816 | RSAAuthentication no
817 | GSSAPIAuthentication no
818 | KerberosAuthentication no
819 | HostbasedAuthentication no
820 | RhostsRSAAuthentication no
821 | LogLevel INFO
822 | PermitUserEnvironment no
823 | Ciphers aes128-ctr,aes192-ctr,aes256-ctr
824 | ClientAliveInterval 300
825 | ClientAliveCountMax 0
826 | MaxAuthTries 4
827 | PermitEmptyPasswords no
828 | ## Adds a login banner that the user can see
829 | #Banner /etc/motd
830 | PrintMotd yes
831 | ## Add users or groups that are allowed to log in
832 | AllowGroups admin macadmins
833 | #if you run a command through SSH directly without going interactive (EX: ssh root@system COMMAND), the command won’t be logged anywhere.
834 | #this line will fix that
835 | ForceCommand if [[ -z \$SSH_ORIGINAL_COMMAND ]]; then bash; else printf "\x23\`date +%s\`\n\$SSH_ORIGINAL_COMMAND\n" >> .bash_history; bash -c "\$SSH_ORIGINAL_COMMAND"; fi
836 | EOM
837 | ##############################################################
838 | #secops 1.9 - configure security logging
839 | # echo "Configuring Security Logging"
840 | # #backup /etc/audit/audit.rules
841 | # cp /etc/audit/audit.rules /etc/audit/audit.rules.bk
842 | # #reconfigure /etc/audit/audit.rules
843 | # echo "--- Configuring auditd ---"
844 | # echo " This configuration change will not work until after a reboot"
845 | # #backup pam modules
846 | # cp /private/etc/pam.d/login /private/etc/pam.d/login.bk
847 | # cp /private/etc/pam.d/gdm /private/etc/pam.d/gdm
848 | # #reconfigure pam
849 | # #This will allow auditd to get the calling user's uid correctly when calling sudo or su.
850 | # echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/login
851 | # echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/gdm
852 | # echo -e "session\trequired\tpam_loginuid.so" >> /private/etc/pam.d/sshd
853 | # #backup bashrc
854 | # for user in `ls /Users | grep -v .localized`; do
855 | # cp /Users/$user/.bashrc /Users/$user/.bashrc.bk
856 | # done
857 | # #reconfigure bashrc
858 | # echo "--- Enabling Real time bash history for all current users ---"
859 | # for user in `ls /Users | grep -v .localized`; do
860 | # echo 'export HISTCONTROL=ignoredups:erasedups # no duplicate entries' >> /Users/$user/.bashrc
861 | # echo 'export HISTSIZE=100000 # big big history' >> /Users/$user/.bashrc
862 | # echo 'export HISTFILESIZE=100000 # big big history' >> /Users/$user/.bashrc
863 | # echo 'export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp' >> /Users/$user/.bashrc
864 | # echo "shopt -s histappend # append to history, don't overwrite it" >> /Users/$user/.bashrc
865 | # echo '# After each command, append to the history file and reread it' >> /Users/$user/.bashrc
866 | # echo 'export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"' >> /Users/$user/.bashrc
867 | # done
868 | # #backup bashrc for root
869 | # cp /private/etc/bashrc /private/etc/bashrc.bk
870 | # #reconfigure /root/bashrc
871 | # echo "--- Enabling Real time bash history for root ---"
872 | # /bin/cat << EOM > /private/etc/bashrc
873 | # # .bashrc
874 | # # User specific aliases and functions
875 | # alias rm='rm -i'
876 | # alias cp='cp -i'
877 | # alias mv='mv -i'
878 | # # Source global definitions
879 | # if [ -f /private/etc/bashrc ]; then
880 | # . /private/etc/bashrc
881 | # fi
882 | # export HISTCONTROL=ignoredups:erasedups # no duplicate entries
883 | # export HISTSIZE=100000 # big big history
884 | # export HISTFILESIZE=100000 # big big history
885 | # export HISTTIMEFORMAT="%m/%d/%y %T " # Add timestamp
886 | # shopt -s histappend # append to history, don't overwrite it
887 | # # After each command, append to the history file and reread it
888 | # export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
889 | # EOM
890 | #complete
891 | echo "-------------------complete---------------"
892 |
--------------------------------------------------------------------------------