As of Oct 2017, I am attempting to migrate all of these settings to Config Profiles, rather than Bash or Python. These settings should be configurable via MDM and not set once and forget it. Setting via Bash is inevitably insecure, as anyone with Google can figure out how to change the settings back to whatever they want. Config profiles via MDM at least require considerable effort to remove.
This is an attempt at checking off the list for auditing and remediating CIS Level 1 settings on an OS X installation. Some Level 2 sections are implemented as well, as they make sense in the two environments this has been used in. All Level 2 Scored coming soon. For now, the script defaults to Level 1.
There are some elements of Level 2 that I consider to be important. These elements have been deemed Level 1.5 by me. You can now select [-l|--level] [1, 1.5, 2] when running the script. Defaults to Level 1.
- Level 1 attempts to include all Scored recommendations from the benchmark
- Level 1.5 includes all from Level 1, plus additional considerations from Level 2.
- Level 2 includes all from Level 1, plus attempts to include all Scored Level 2 recommendations.
Use at your own risk, please. There may be dragons. Certain aspects of this script can completely hose a perfectly good system. Test in your own environment on non-production equipment!
- 10.9 Mavericks file is mostly here just for posterity. Based off 1.0 benchmarks. Please don't use.
- 10.10 Yosemite is based off 1.2.0 benchmarks.
- 10.11 El Capitan is based off 1.1.0 benchmarks.
The benchmarks are available at the [Center for Internet Security] (https://benchmarks.cisecurity.org/)
To use this script on an already online and available system, download the appropriate benchmark.sh file and then chmod +x then run it ./benchmark.sh [-l|--level] [1, 1.5, 2]
The prefered method of running this is during a first boot after imaging. This has been tested with Casper v9+.