gitea_admin/Alte_Skripte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8425008f5b9baac4dd81cf7de52df6ed137256ce
Alte_Skripte/3_CIS.sh
Andreas Vogel ccc473650e Aktuelle Sammlung
2026-02-16 15:05:15 +01:00

310 lines
14 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
##########################################################################
# Shellscript : Security Remediation
# Autor : Andreas Vogel, NEXT Enterprise gmbh, 2021
##########################################################################
plistlocation="/Library/Application Support/SecurityScoring/org_security_score.plist"
currentUser="$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')"
currentUserID="$(/usr/bin/id -u $currentUser)"
hardwareUUID="$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | awk -F ": " '{print $2}' | xargs)"
logFile="/Library/Application Support/SecurityScoring/remediation.log"
echo "$(date -u)" "Beginning remediation" >> "$logFile"
if [[ ! -e $plistlocation ]]; then
echo "No scoring file present"
exit 0
fi
set -x
###################### 2.1.1 Turn off Bluetooth, if no paired devices exist ###############################################################
Audit2_1_1="$(defaults read "$plistlocation" OrgScore2_1_1)"
if [ "$Audit2_1_1" = "1" ]; then
echo "$(date -u)" "Checking 2.1.1" | tee -a "$logFile"
connectable="$( system_profiler SPBluetoothDataType | grep -c "Paired: Yes" )"
if [ "$connectable" -gt 0 ]; then
echo "$(date -u)" "2.1.1 passed" | tee -a "$logFile"
else
defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false
killall -HUP bluetoothd
echo "$(date -u)" "2.1.1 remediated" | tee -a "$logFile"
fi
fi
###################### 2.2.1 Enable "Set time and date automatically" #####################################################################
Audit2_1_3="$(defaults read "$plistlocation" OrgScore2_1_3)"
if [ "$Audit2_1_3" = "1" ]; then
sudo -u "$currentUser" defaults write ~/Library/Preferences/ByHost/com.apple.controlcenter.plist Bluetooth -int 18
# sudo -u "$currentUser" defaults write ~/Library/Preferences/ByHost/com.apple.controlcenter.plist Bluetooth -int 24 # to disable
echo "$(date -u)" "2.1.3 remediated" | tee -a "$logFile"
fi
###################### 2.2.2 Ensure time set is within appropriate limits #################################################################
Audit2_2_2="$(defaults read "$plistlocation" OrgScore2_2_2)"
if [ "$Audit2_2_2" = "1" ]; then
systemsetup -setusingnetworktime off 2>&1
systemsetup -setusingnetworktime on 2>&1
# timeServer="$(systemsetup -getnetworktimeserver | awk '{print $4}')"
# ntpdate -sv "$timeServer"
echo "$(date -u)" "2.2.2 enforced" | tee -a "$logFile"
fi
###################### 2.4.5 Disable Remote Login ##########################################################################################
# 2.4.5 Disable Remote Login
# Requires full disk access
# Verify organizational score
Audit2_4_5="$(defaults read "$plistlocation" OrgScore2_4_5)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit2_4_5" = "1" ]; then
/usr/sbin/systemsetup -f -setremotelogin off
echo "$(date -u)" "2.4.5 remediated" | tee -a "$logFile"
fi
###################### 2.4.10 Disable Content Caching ######################################################################################
#2.4.10 Disable Content Caching
# Verify organizational score
Audit2_4_10="$(defaults read "$plistlocation" OrgScore2_4_10)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit2_4_10" = "1" ]; then
/usr/bin/AssetCacheManagerUtil deactivate
echo "$(date -u)" "2.4.10 remediated" | tee -a "$logFile"
fi
###################### 2.5.8 Disable sending diagnostic and usage data to App ##############################################################
# 2.5.8 Disable sending diagnostic and usage data to Apple
# Verify Organizational score
Audit2_5_8="$(defaults read "$plistlocation" OrgScore2_5_8)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit2_5_8" = "1" ]; then
AppleDiagn=$(defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit)
if [ $AppleDiagn == 1 ]; then
defaults write /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -int 0
echo "$(date -u)" "2.5.8 remediated" | tee -a "$logFile"
fi
fi
###################### 2.12 Disable "Wake for network access" #############################################################################
Audit2_12="$(defaults read "$plistlocation" OrgScore2_12)"
if [ "$Audit2_12" = "1" ]; then
pmset -a womp 0
pmset -a powernap 0
echo "$(date -u)" "2.12 remediated" | tee -a "$logFile"
fi
###################### 3.2 Configure Security Auditing Flags ##############################################################################
Audit3_2="$(defaults read "$plistlocation" OrgScore3_2)"
if [ "$Audit3_2" = "1" ]; then
cp /etc/security/audit_control /etc/security/audit_control_old
sed "s/"flags:lo,aa"/"flags:lo,ad,fd,fm,-all"/g" /etc/security/audit_control_old > /etc/security/audit_control
chmod 644 /etc/security/audit_control
chown root:wheel /etc/security/audit_control
echo "$(date -u)" "3.2 remediated" | tee -a "$logFile"
fi
###################### 3.5 Retain install.log for 365 or more days ########################################################################
Audit3_5="$(defaults read "$plistlocation" OrgScore3_5)"
if [ "$Audit3_5" = "1" ]; then
installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')"
if [[ "$installRetention" = "" ]]; then
mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
sed '$s/$/ ttl=365/' /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
chmod 644 /etc/asl/com.apple.install
chown root:wheel /etc/asl/com.apple.install
echo "$(date -u)" "3.5 remediated" | tee -a "$logfile"
else
if [[ "$installRetention" -lt "365" ]]; then
mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
chmod 644 /etc/asl/com.apple.install
chown root:wheel /etc/asl/com.apple.install
echo "$(date -u)" "3.5 remediated" | tee -a "$logfile"
fi
fi
fi
###################### 3.6 Ensure firewall is configured to log ###########################################################################
Audit3_6="$(defaults read "$plistlocation" OrgScore3_6)"
if [ "$Audit3_6" = "1" ]; then
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
echo "$(date -u)" "3.6 remediated" | tee -a "$logFile"
fi
###################### 4.2 Enable "Show Wi-Fi status in menu bar" #########################################################################
Audit4_2="$(defaults read "$plistlocation" OrgScore4_2)"
if [ "$Audit4_2" = "1" ]; then
open "/System/Library/CoreServices/Menu Extras/AirPort.menu"
echo "$(date -u)" "4.2 remediated" | tee -a "$logFile"
fi
###################### 4.4 Ensure http server is not running ##############################################################################
Audit4_4="$(defaults read "$plistlocation" OrgScore4_4)"
if [ "$Audit4_4" = "1" ]; then
apachectl stop
defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true
echo "$(date -u)" "4.4 remediated" | tee -a "$logFile"
fi
###################### 4.5 Ensure nfs server is not running ###############################################################################
Audit4_5="$(defaults read "$plistlocation" OrgScore4_5)"
if [ "$Audit4_5" = "1" ]; then
nfsd disable
rm -rf /etc/exports
echo "$(date -u)" "4.5 remediated" | tee -a "$logFile"
fi
###################### 5.1.1 Secure Home Folders ##########################################################################################
Audit5_1_1="$(defaults read "$plistlocation" OrgScore5_1_1)"
if [ "$Audit5_1_1" = "1" ]; then
IFS=$'\n'
for userDirs in $( find /Users -mindepth 1 -maxdepth 1 -type d -perm -1 | grep -v "Shared" | grep -v "Guest" ); do
chmod og-rwx "$userDirs"
done
echo "$(date -u)" "5.1.1 enforced" | tee -a "$logFile"
unset IFS
fi
###################### 5.1.2 Check System Wide Applications for appropriate permissions ###################################################
Audit5_1_2="$(defaults read "$plistlocation" OrgScore5_1_2)"
if [ "$Audit5_1_2" = "1" ]; then
IFS=$'\n'
for apps in $( find /Applications -iname "*\.app" -type d -perm -2 ); do
chmod -R o-w "$apps"
done
echo "$(date -u)" "5.1.2 enforced" | tee -a "$logFile"
unset IFS
fi
###################### 5.1.3 Check System folder for world writable files #################################################################
Audit5_1_3="$(defaults read "$plistlocation" OrgScore5_1_3)"
if [ "$Audit5_1_3" = "1" ]; then
IFS=$'\n'
for sysPermissions in $( find /System -type d -perm -2 | grep -v "Public/Drop Box" ); do
chmod -R o-w "$sysPermissions"
done
echo "$(date -u)" "5.1.3 enforced" | tee -a "$logFile"
unset IFS
fi
###################### 5.1.4 Check Library folder for world writable files ################################################################
Audit5_1_4="$(defaults read "$plistlocation" OrgScore5_1_4)"
if [ "$Audit5_1_4" = "1" ]; then
# Exempts Adobe files by default!
# for libPermissions in $( find /Library -type d -perm -2 -ls | grep -v Caches ); do
IFS=$'\n'
for libPermissions in $( find /Library -type d -perm -2 | grep -v Caches | grep -v Adobe | grep -v VMware); do
chmod -R o-w "$libPermissions"
done
echo "$(date -u)" "5.1.4 enforced" | tee -a "$logFile"
unset IFS
fi
###################### 5.3 Reduce the sudo timeout period #################################################################################
Audit5_3="$(defaults read "$plistlocation" OrgScore5_3)"
if [ "$Audit5_3" = "1" ]; then
echo "Defaults timestamp_timeout=0" >> /etc/sudoers
echo "$(date -u)" "5.3 remediated" | tee -a "$logFile"
fi
###################### 5.4 Use a separate timestamp for each user/tty combo ###############################################################
Audit5_4="$(defaults read "$plistlocation" OrgScore5_4)"
if [ "$Audit5_4" = "1" ]; then
sed -i ".old" '/Default !tty_tickets/d' /etc/sudoers
chmod 644 /etc/sudoers
chown root:wheel /etc/sudoers
echo "$(date -u)" "5.4 remediated" | tee -a "$logFile"
fi
###################### 5.6 Ensure login keychain is locked when the computer sleeps #######################################################
# If both 5.5 and 5.6 need to be set, both commands must be run at the same time
Audit5_5="$(defaults read "$plistlocation" OrgScore5_5)"
Audit5_6="$(defaults read "$plistlocation" OrgScore5_6)"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_5" = "1" ] && [ "$Audit5_6" = 1 ]; then
echo "$(date -u)" "Checking 5.5 and 5.6" | tee -a "$logFile"
security set-keychain-settings -l -u -t 21600s /Users/"$currentUser"/Library/Keychains/login.keychain
echo "$(date -u)" "5.5 and 5.6 remediated" | tee -a "$logFile"
elif [ "$Audit5_5" = "1" ] && [ "$Audit5_6" = 0 ]; then
echo "$(date -u)" "Checking 5.5" | tee -a "$logFile"
security set-keychain-settings -u -t 21600s /Users/"$currentUser"/Library/Keychains/login.keychain
echo "$(date -u)" "5.5 remediated" | tee -a "$logFile"
elif [ "$Audit5_5" = "0" ] && [ "$Audit5_6" = 1 ]; then
echo "$(date -u)" "Checking 5.6" | tee -a "$logFile"
security set-keychain-settings -l /Users/"$currentUser"/Library/Keychains/login.keychain
echo "$(date -u)" "5.6 remediated" | tee -a "$logFile"
fi
###################### 5.7 Do not enable the "root" account ###############################################################################
Audit5_7="$(defaults read "$plistlocation" OrgScore5_7)"
if [ "$Audit5_7" = "1" ]; then
dscl . -create /Users/root UserShell /usr/bin/false
echo "$(date -u)" "5.7 remediated" | tee -a "$logFile"
fi
###################### 5.10 Ensure system is set to hibernate #############################################################################
Audit5_10="$(defaults read "$plistlocation" OrgScore5_10)"
if [ "$Audit5_10" = "1" ]; then
pmset -a standbydelayhigh 600
pmset -a standbydelaylow 600
pmset -a highstandbythreshold 90
pmset -a destroyfvkeyonstandby 1
echo "$(date -u)" "5.10 remediated" | tee -a "$logFile"
fi
###################### 5.11 Require an administrator password to access system-wide preferences ###########################################
Audit5_11="$(defaults read "$plistlocation" OrgScore5_11)"
if [ "$Audit5_11" = "1" ]; then
security authorizationdb read system.preferences > /tmp/system.preferences.plist
/usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist
security authorizationdb write system.preferences < /tmp/system.preferences.plist
echo "$(date -u)" "5.11 remediated" | tee -a "$logFile"
fi
###################### 5.12 Disable ability to login to another user's active and locked session ##########################################
Audit5_12="$(defaults read "$plistlocation" OrgScore5_12)"
if [ "$Audit5_12" = "1" ]; then
/usr/bin/security authorizationdb write system.login.screensaver "use-login-window-ui"
echo "$(date -u)" "5.12 remediated" | tee -a "$logFile"
fi
###################### 6.2 Turn on filename extensions ####################################################################################
Audit6_2="$(defaults read "$plistlocation" OrgScore6_2)"
if [ "$Audit6_2" = "1" ]; then
sudo -u "$currentUser" defaults write NSGlobalDomain AppleShowAllExtensions -bool true
pkill -u "$currentUser" Finder
echo "$(date -u)" "6.2 remediated" | tee -a "$logFile"
# defaults write /Users/"$currentUser"/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true
fi
echo "$(date -u)" "Remediation complete" | tee -a "$logFile"
echo "continue"
exit 0
Reference in New Issue View Git Blame Copy Permalink