
This CIS Script is built to report and remediate based on your organisation's score.

While working with CIS Benchmarks (Remediation Scripts and/or Configuration Profiles) I felt this could be done better, faster and easier. The guys from the macOS Security Compliance Project did an amazing job automating the guidance and configuration profiles.

I created a custom rule set for the CIS Benchmark to integrate with the macOS Security Compliance Project and published it as CIS-macOS-Security.

While working with the CIS Benchmark, the script and the Configuration Profile, I felt an overview with complete reporting was missing, and therefore built a read-only CIS-Reporting script, which you can find here.

I ended up with separate tools for creating the documentation, the Configuration Profiles and the reporting. However, I still needed an extra script for remediation.

To resolve this I combined the reporting script with remediation, with an option to enable remediation or leave it off.

We also need to keep in mind that every year brings a new macOS release and, like macOS, security is a moving target. Things change, and we don't want to edit and maintain a single 3000-line script; that becomes hard to maintain once a new macOS is released.

For that reason, and for easier maintenance, the CIS-Script is assembled out of a bunch of fragments.

Here is the structure of the CIS-Script folder. In the root of the folder there is a symbolic link to the assemble script; the original is in the Utils folder, together with some other scripts you can use. All scripts you assemble/create are stored in the Build folder. For implementation on the Jamf Pro server there are some resources in the Jamf folder.

The Fragments folder holds the Header.sh, Footer.sh and Version.sh files with all the logic and functions that are assembled into the script. The OrgScore folder holds all the separate CIS Benchmark OrgScore*.sh fragments. Every CIS Benchmark OrgScore can be tested separately if you need to troubleshoot it or extend it for a new macOS.

CIS Benchmark OrgScore

Let's have a look at what a CIS Benchmark OrgScore looks like.

#!/bin/zsh

script_dir=$(dirname ${0:A})
projectfolder=$(dirname $script_dir)

source ${projectfolder}/Header.sh

CISLevel="1"
audit="2.1.1 Turn off Bluetooth, if no paired devices exist (Automated)"
orgScore="OrgScore2_1_1"
emptyVariables

# Verify organizational score
runAudit
# If organizational score is 1 or true, check status of client
if [[ "${auditResult}" == "1" ]]; then
    method="Script"
    remediate="Script - defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false"

    connectable=$(system_profiler SPBluetoothDataType 2>&1 | grep -c "Paired: Yes")
    bluetoothEnabled=$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool)
    comment="Paired Devices: ${connectable}"
    # Pass when Bluetooth is on and devices are paired, or Bluetooth is off and
    # nothing is paired. The two cases must be grouped explicitly: a shell list
    # A && B || C && D is parsed left to right as ((A && B) || C) && D.
    if [[ ( "$connectable" -gt 0 && "$bluetoothEnabled" == 1 ) || ( "$connectable" == 0 && "$bluetoothEnabled" == 0 ) ]]; then
        result="Passed"
    else
        result="Failed"
        comment="No Paired Devices"

        # Remediation
        if [[ "${remediateResult}" == "enabled" ]]; then
            defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false
            killall -HUP bluetoothd

            # re-check
            connectable=$(system_profiler SPBluetoothDataType 2>&1 | grep -c "Paired: Yes")
            bluetoothEnabled=$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool)
            if [[ "$connectable" == 0 ]] && [[ "$bluetoothEnabled" == 0 ]]; then
                result="Passed After Remediation"
            else
                result="Failed After Remediation"
            fi
        fi
    fi
fi
printReport

We call runAudit to verify the organizational score. If the item is scored, we perform an audit to check the state of the client. Then we check whether remediateResult is enabled; if it is, we remediate, audit again to check whether the remediation succeeded, and report back so the outcome can be read from the report.

To sum up, an OrgScore does three things: audit, remediate and report.

For adjustments or testing, you can run every OrgScore separately.

$ cd /Git/CIS-Script/Fragments/OrgScores
$ sudo ./OrgScore*.sh
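To show the audit / remediate / re-check flow of an OrgScore in a form you can run offline, here is an added example (not code from the CIS-Script project): the two system probes and the pass condition of 2.1.1 are factored into functions, PAIRED and POWER are a constructed stand-in for what system_profiler and defaults read would return on a Mac, and remediate_bluetooth only flips that simulated state.

```shell
#!/bin/bash
# Added example, not part of CIS-Script: the OrgScore audit / remediate / re-check
# flow with the two system probes factored into functions so it runs offline.
# On a real Mac, paired_count would wrap
#   system_profiler SPBluetoothDataType | grep -c "Paired: Yes"
# and power_state would wrap
#   defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState

# Constructed device state standing in for the real probe output.
PAIRED=0   # number of paired devices
POWER=1    # 1 = Bluetooth controller on, 0 = off

paired_count() { printf '%s\n' "$PAIRED"; }
power_state()  { printf '%s\n' "$POWER"; }

# The fragment's remediation turns the controller off; here it only updates the
# simulated state instead of calling defaults write / killall -HUP bluetoothd.
remediate_bluetooth() { POWER=0; }

# CIS 2.1.1 pass condition: Bluetooth on with paired devices, or off with none.
# The two cases are grouped explicitly because a shell list A && B || C && D is
# parsed left to right as ((A && B) || C) && D, which is not the intended check.
bluetooth_compliant() {
    { [ "$1" -gt 0 ] && [ "$2" -eq 1 ]; } || { [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; }
}

# Audit, remediate when $1 is "enabled", then re-check. Leaves the outcome in
# $result using the same strings the fragment hands to printReport.
run_orgscore() {
    remediate_result=${1:-disabled}
    if bluetooth_compliant "$(paired_count)" "$(power_state)"; then
        result="Passed"
        return 0
    fi
    result="Failed"
    [ "$remediate_result" = "enabled" ] || return 0
    remediate_bluetooth
    if bluetooth_compliant "$(paired_count)" "$(power_state)"; then
        result="Passed After Remediation"
    else
        result="Failed After Remediation"
    fi
}

run_orgscore "${1:-disabled}"
echo "2.1.1 Turn off Bluetooth, if no paired devices exist: $result"
```

Run it with `enabled` as the first argument to see the simulated remediation change the outcome from Failed to Passed After Remediation.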

Custom CIS Benchmark OrgScore

You can make your own custom OrgScore, which you can include into the CIS-Script. Make sure that the name of the file is the same as the OrgScore within the script.

Place your custom OrgScore in the Framework/OrgScore folder.

Assemble Remediation Script

To assemble all the fragments into one full script, CISBenchmarkScript.sh, which you can use standalone or via an MDM server (like Jamf Pro), use the Assemble.sh script.

By default, Assemble.sh builds the full remediation script CISBenchmarkScript.sh.

$ ./Assemble.sh

You can create separate scripts by running it with the -s [--separate] option.

$ ./Assemble.sh -s

With the following command ./Assemble.sh -h you can read about the options.

The following options are available:

  -j  --json      Builds Jamf Pro Custom Schema.json file
  -s  --separate  Builds separate CIS Benchmark Script from the fragements
  -h  --help      Displays this message or details on a specific verb

EXAMPLES
  ./Assemble.sh
      Builds CIS Benchmark Script from the fragements

  ./Assemble.sh -j
      Builds Jamf Pro Custom Schema.json file

  ./Assemble.sh -s
      Builds separate CIS Benchmark Script from the fragements

The Assemble.sh script builds the full script in ./Build/ and the separate scripts in the ./Build/Scripts/ folder.

CIS Benchmark Script

The CISBenchmarkScript.sh script can be run as a local standalone script, and performs a read-only audit which creates a full report. The report is written to /Library/Security/Reports/.

$ sudo ./CISBenchmarkScript.sh

You can create a full report by running the script with the -f [--fullreport] option.

$ sudo ./CISBenchmarkScript.sh -f

You can enable remediation by running the script with the -r [--remediate] option.

$ sudo ./CISBenchmarkScript.sh -r

With the following command ./Build/CISBenchmarkScript.sh -h you can read about the options.

The following options are available:

	-f	--fullreport	Print Full Report
	-h	--help			Displays this message or details on a specific verb
	-r	--remediate		Enable Remediation

EXAMPLES
    ./CISBenchmarkScript.sh -f
            Run script to print Full Report

    ./CISBenchmarkScript.sh -r
            Run script with Remediation enabled

    ./CISBenchmarkScript.sh -rf
            Run script with Remediation enabled and print Full Report

Implementation Jamf Pro Server

Upload the assembled CISBenchmarkScript.sh Script into the Jamf Pro Server.

Upload the Extension Attributes into your Jamf Pro Server. Location: Extension Attributes

CIS Benchmark Settings Configuration Profile

If you use the script via Jamf Pro you can set the script to create a short or full report, and enable or disable remediation. By using a mobileconfig we can control and set the organisation scoring and the CIS script settings.

For easy creation of the CIS script configuration profile, you can use the Assemble.sh script with the -j [--json] option to generate a JSON Schema manifest from all the fragments in the OrgScores folder (including custom OrgScores).

$ ./Assemble.sh -j

Create a new computer configuration profile, give the profile a name and add it to a category. Within the Application & Custom Settings payload, upload the just-generated Custom Schema.json file (make sure you upload the freshly created file) and fill in the preference domain.

Now you can configure what you need the CIS script to do: full or short report, remediation enabled or not, and go through the list to enable/disable the OrgScores you need to score on.

After uploading the CIS script, the configuration profile and the Extension Attributes to the Jamf Pro Server, the last thing to do is create a policy. Create a new policy, choose the preferred trigger, set the preferred frequency, add the CIS script and don't forget to scope it.

Once you have scoped the CIS script configuration profile and the policy with the script to the target devices, you are ready to get compliant and know the state of your devices.

Resources

github.com/mvdbent/CIS-Script