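#!/bin/bash
##########################################################################
# Shellscript : Security Remediation
# Autor       : Andreas Vogel, NEXT Enterprise gmbh, 2021
#
# Reads the organisational score plist written by the scoring script and,
# for every item whose OrgScore<item> key is 1, applies the matching
# remediation. Runs as root (e.g. from a management agent); the items that
# act on a user (2.1.3, 5.5/5.6, 6.2) target the current console user and
# are skipped when nobody is logged in.
#
# Globals : plistlocation, logFile (read-only), currentUser
# Outputs : progress lines on stdout, appended to $logFile as well
# Exit    : 0 always, also when no scoring file is present
##########################################################################

readonly plistlocation="/Library/Application Support/SecurityScoring/org_security_score.plist"
readonly logFile="/Library/Application Support/SecurityScoring/remediation.log"

# Console user via SystemConfiguration; empty at the login window or when
# nobody is logged in. scutil replaces the former python one-liner because
# the system python interpreter is no longer shipped on current macOS.
currentUser="$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" \
  | awk '/Name :/ && ! /loginwindow/ { print $3 }')"

#######################################
# Append a timestamped line to the log and echo it to stdout.
# Arguments: $* - message
#######################################
log() {
  printf '%s %s\n' "$(date -u)" "$*" | tee -a "$logFile"
}

#######################################
# Read an OrgScore<item> value from the scoring plist.
# Arguments: $1 - item id in plist spelling, e.g. 2_1_1
# Outputs:   the stored value; empty when the key is absent (defaults
#            reports a missing key as an error, which we treat as "not scored")
#######################################
org_score() {
  defaults read "$plistlocation" "OrgScore$1" 2>/dev/null
}

#######################################
# True when remediation for an item is requested (OrgScore<item> == 1).
# Arguments: $1 - item id, e.g. 2_1_1
#######################################
wanted() {
  [[ "$(org_score "$1")" == "1" ]]
}

#######################################
# True when a console user is known; otherwise logs that the item is skipped.
# Without a user the per-user paths would degenerate to /Users//… and
# sudo -u "" would fail.
# Arguments: $1 - item label for the log line
#######################################
have_user() {
  if [[ -n "$currentUser" ]]; then
    return 0
  fi
  log "No console user - skipping $1"
  return 1
}

#######################################
# Rewrite a system file through sed, keeping a copy as <file>.old and
# restoring root:wheel 644 on the result (the mv + sed + chmod/chown
# sequence the original repeated per item).
# Arguments: $1 - sed expression, $2 - target file
#######################################
rewrite_file() {
  local expr=$1 file=$2
  cp -- "$file" "$file.old"
  sed "$expr" "$file.old" > "$file"
  chmod 644 "$file"
  chown root:wheel "$file"
}

#######################################
# chmod every path read from stdin, one per line. Replaces the
# IFS=$'\n' for-loops of the original without touching the global IFS.
# Arguments: chmod arguments (mode and options), applied before each path
#######################################
chmod_each() {
  local path
  while IFS= read -r path; do
    [[ -n "$path" ]] || continue
    chmod "$@" "$path"
  done
}

printf '%s %s\n' "$(date -u)" "Beginning remediation" >> "$logFile"

if [[ ! -e "$plistlocation" ]]; then
  echo "No scoring file present"
  exit 0
fi

# Trace every command to stderr from here on (kept from the original).
set -x

###################### 2.1.1 Turn off Bluetooth, if no paired devices exist ########
if wanted 2_1_1; then
  log "Checking 2.1.1"
  # Relies on the "Paired: Yes" wording of system_profiler - confirm per OS release.
  paired="$(system_profiler SPBluetoothDataType | grep -c "Paired: Yes")"
  if [[ "$paired" -gt 0 ]]; then
    log "2.1.1 passed"
  else
    defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false
    killall -HUP bluetoothd
    log "2.1.1 remediated"
  fi
fi

###################### 2.1.3 Show Bluetooth status in menu bar ######################
# The original header named this 2.2.1 (time and date), but the body sets the
# Control Center Bluetooth visibility for the console user (18 = show,
# 24 = hide). "~" must not be used here: it expands to root's home before
# sudo -u switches user, and the ByHost file carries the hardware UUID in its
# name, so the domain is written with -currentHost instead of a literal path.
if wanted 2_1_3 && have_user 2.1.3; then
  sudo -u "$currentUser" defaults -currentHost write com.apple.controlcenter Bluetooth -int 18
  log "2.1.3 remediated"
fi

###################### 2.2.2 Ensure time set is within appropriate limits ###########
if wanted 2_2_2; then
  # Toggling network time forces a fresh sync; explicit ntpdate against the
  # configured server was left out by the author.
  systemsetup -setusingnetworktime off 2>&1
  systemsetup -setusingnetworktime on 2>&1
  log "2.2.2 enforced"
fi

###################### 2.4.5 Disable Remote Login ###################################
# Requires full disk access
if wanted 2_4_5; then
  /usr/sbin/systemsetup -f -setremotelogin off
  log "2.4.5 remediated"
fi

###################### 2.4.10 Disable Content Caching ###############################
if wanted 2_4_10; then
  /usr/bin/AssetCacheManagerUtil deactivate
  log "2.4.10 remediated"
fi

###################### 2.5.8 Disable sending diagnostic and usage data to Apple ######
if wanted 2_5_8; then
  diagPlist="/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist"
  autoSubmit="$(defaults read "$diagPlist" AutoSubmit 2>/dev/null)"
  # Quoted comparison: the original [ $AppleDiagn == 1 ] broke when the key was absent.
  if [[ "$autoSubmit" == "1" ]]; then
    defaults write "$diagPlist" AutoSubmit -int 0
    log "2.5.8 remediated"
  fi
fi

###################### 2.12 Disable "Wake for network access" #######################
if wanted 2_12; then
  pmset -a womp 0
  pmset -a powernap 0
  log "2.12 remediated"
fi

###################### 3.2 Configure Security Auditing Flags ########################
if wanted 3_2; then
  # Replace the whole flags: line rather than only the stock "lo,aa" value, so a
  # file that was already customised is still brought to the required set.
  rewrite_file 's/^flags:.*/flags:lo,ad,fd,fm,-all/' /etc/security/audit_control
  log "3.2 remediated"
fi

###################### 3.5 Retain install.log for 365 or more days ##################
if wanted 3_5; then
  aslInstall="/etc/asl/com.apple.install"
  # First token after "ttl=" only; the original took the rest of the line and
  # the numeric comparison failed when further options followed.
  ttl="$(grep -i ttl "$aslInstall" | awk -F'ttl=' '{print $2}' | awk '{print $1}')"
  if [[ -z "$ttl" ]]; then
    rewrite_file '$s/$/ ttl=365/' "$aslInstall"
    log "3.5 remediated"
  elif [[ ! "$ttl" =~ ^[0-9]+$ ]]; then
    log "3.5 skipped: unrecognised ttl value '$ttl' in $aslInstall"
  elif (( ttl < 365 )); then
    rewrite_file "s/ttl=$ttl/ttl=365/g" "$aslInstall"
    log "3.5 remediated"
  fi
fi

###################### 3.6 Ensure firewall is configured to log #####################
if wanted 3_6; then
  /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
  log "3.6 remediated"
fi

###################### 4.2 Enable "Show Wi-Fi status in menu bar" ###################
if wanted 4_2; then
  # NOTE(review): runs in root's session when started by an agent - confirm it
  # reaches the console user's menu bar.
  open "/System/Library/CoreServices/Menu Extras/AirPort.menu"
  log "4.2 remediated"
fi

###################### 4.4 Ensure http server is not running ########################
if wanted 4_4; then
  apachectl stop
  defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true
  log "4.4 remediated"
fi

###################### 4.5 Ensure nfs server is not running #########################
if wanted 4_5; then
  nfsd disable
  rm -f -- /etc/exports
  log "4.5 remediated"
fi

###################### 5.1.1 Secure Home Folders ####################################
if wanted 5_1_1; then
  find /Users -mindepth 1 -maxdepth 1 -type d -perm -1 \
    | grep -v "Shared" | grep -v "Guest" \
    | chmod_each og-rwx
  log "5.1.1 enforced"
fi

###################### 5.1.2 Check System Wide Applications for appropriate permissions
if wanted 5_1_2; then
  find /Applications -iname '*.app' -type d -perm -2 | chmod_each -R o-w
  log "5.1.2 enforced"
fi

###################### 5.1.3 Check System folder for world writable files ###########
if wanted 5_1_3; then
  find /System -type d -perm -2 | grep -v "Public/Drop Box" | chmod_each -R o-w
  log "5.1.3 enforced"
fi

###################### 5.1.4 Check Library folder for world writable files ##########
if wanted 5_1_4; then
  # Exempts Caches, Adobe and VMware directories by default!
  find /Library -type d -perm -2 \
    | grep -v Caches | grep -v Adobe | grep -v VMware \
    | chmod_each -R o-w
  log "5.1.4 enforced"
fi

###################### 5.3 Reduce the sudo timeout period ###########################
if wanted 5_3; then
  # Append only once; the original added a duplicate line on every run.
  if ! grep -qF 'Defaults timestamp_timeout=0' /etc/sudoers; then
    printf 'Defaults timestamp_timeout=0\n' >> /etc/sudoers
  fi
  # A syntax error in sudoers locks everyone out of sudo, so validate the edit.
  if /usr/sbin/visudo -c >/dev/null 2>&1; then
    log "5.3 remediated"
  else
    log "5.3 WARNING: /etc/sudoers failed visudo -c after edit - review it"
  fi
fi

###################### 5.4 Use a separate timestamp for each user/tty combo #########
if wanted 5_4; then
  # sudoers spells the directive "Defaults !tty_tickets"; the original pattern
  # ("Default !tty_tickets") never matched it. sudoers must stay 0440 - sudo
  # refuses a file more permissive than that - so the original chmod 644 is
  # corrected as well.
  sed -i ".old" '/^Defaults[[:space:]]*!tty_tickets/d' /etc/sudoers
  chmod 0440 /etc/sudoers
  chown root:wheel /etc/sudoers
  log "5.4 remediated"
fi

###################### 5.5 / 5.6 Login keychain: lock after inactivity / on sleep ###
# Both settings go through one security call, since set-keychain-settings
# replaces the whole settings block each time it is run.
score5_5="$(org_score 5_5)"
score5_6="$(org_score 5_6)"
if [[ "$score5_5" == "1" || "$score5_6" == "1" ]] && have_user "5.5/5.6"; then
  # macOS 10.12+ names the file login.keychain-db; fall back to the original name.
  keychain="/Users/$currentUser/Library/Keychains/login.keychain-db"
  [[ -e "$keychain" ]] || keychain="${keychain%-db}"
  if [[ "$score5_5" == "1" && "$score5_6" == "1" ]]; then
    label="5.5 and 5.6"
    flags=(-l -u -t 21600s)
  elif [[ "$score5_5" == "1" ]]; then
    label="5.5"
    flags=(-u -t 21600s)
  else
    label="5.6"
    flags=(-l)
  fi
  log "Checking $label"
  security set-keychain-settings "${flags[@]}" "$keychain"
  log "$label remediated"
fi

###################### 5.7 Do not enable the "root" account #########################
if wanted 5_7; then
  dscl . -create /Users/root UserShell /usr/bin/false
  log "5.7 remediated"
fi

###################### 5.10 Ensure system is set to hibernate #######################
if wanted 5_10; then
  pmset -a standbydelayhigh 600
  pmset -a standbydelaylow 600
  pmset -a highstandbythreshold 90
  pmset -a destroyfvkeyonstandby 1
  log "5.10 remediated"
fi

###################### 5.11 Require an administrator password for system-wide prefs ##
if wanted 5_11; then
  # Unique temp file instead of the fixed /tmp/system.preferences.plist: that
  # name could be pre-created or replaced by a local user between root's read
  # and the authorizationdb write, injecting a foreign rule into the database.
  if tmpPlist="$(mktemp /tmp/system.preferences.XXXXXX)"; then
    security authorizationdb read system.preferences > "$tmpPlist"
    /usr/libexec/PlistBuddy -c "Set :shared false" "$tmpPlist"
    security authorizationdb write system.preferences < "$tmpPlist"
    rm -f -- "$tmpPlist"
    log "5.11 remediated"
  else
    log "5.11 skipped: mktemp failed"
  fi
fi

###################### 5.12 Disable login to another user's active and locked session
if wanted 5_12; then
  /usr/bin/security authorizationdb write system.login.screensaver "use-login-window-ui"
  log "5.12 remediated"
fi

###################### 6.2 Turn on filename extensions ##############################
if wanted 6_2 && have_user 6.2; then
  sudo -u "$currentUser" defaults write NSGlobalDomain AppleShowAllExtensions -bool true
  pkill -u "$currentUser" Finder
  log "6.2 remediated"
fi

log "Remediation complete"
echo "continue"
exit 0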