This repository has been archived by the owner on Sep 17, 2024. It is now read-only.

Benchmark Mismatch #10

Open
cainehorr-okta opened this issue Mar 9, 2021 · 4 comments

Comments

cainehorr-okta commented Mar 9, 2021

I have noticed that the Jamf scripts have the wrong benchmarks in some cases.

EXAMPLE:
Within the 1_Set_Organization_Priorities.sh script, the following is stated:

## 2.5.6 Enable Location Services (Not Scored)
## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
## It is considered user opt in.

## 2.5.7 Monitor Location Services Access (Not Scored)
## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
## It is considered user opt in.

This does not align with the CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf from CIS Workbench.

According to the CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document,

  • 2.5.6 is as follows: 2.5.6 Limit Ad tracking and personalized Ads (Automated)
  • 2.5.7 is as follows: 2.5.7 Camera Privacy and Confidentiality Concerns (Manual)

According to the CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document, Location services are 2.5.3 and 2.5.4

The 1_Set_Organization_Priorities.sh script shows 2.5.3 and 2.5.4 as follows:

# 2.5.3 Enable Firewall 
# Configuration Profile - Security and Privacy payload > Firewall > Enable Firewall (checked)
OrgScore2_5_3="true"
# OrgScore2_5_3="false"

# 2.5.4 Enable Firewall Stealth Mode 
# Configuration Profile - Security and Privacy payload > Firewall > Enable stealth mode (checked)
OrgScore2_5_4="true"
# OrgScore2_5_4="false"

The CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document shows firewall as follows:

  • 2.5.2.2 Enable Firewall (Automated), p. 97
  • 2.5.2.3 Enable Firewall Stealth Mode (Automated), p. 102

To date, these are the only discrepancies I have found. There may be others.

As of the current CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf document, the Jamf Scripts for CIS do not align.
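
A consistency check of the kind this report calls for, added here as an example and not the repository's own code: it parses the script's "# N.N.N Title" header comments and OrgScore variables and compares them with a table of benchmark control titles. The SCRIPT excerpt and the BENCHMARK table are constructed from the entries quoted in this issue, not the full files.

```python
import re
# Constructed excerpt shaped like the 1_Set_Organization_Priorities.sh lines quoted in
# this issue (not the project's file); the '# OrgScore' and '## As of' lines are not controls.
SCRIPT = """\
# 2.5.3 Enable Firewall
OrgScore2_5_3="true"
# OrgScore2_5_3="false"

# 2.5.4 Enable Firewall Stealth Mode
OrgScore2_5_4="true"

## 2.5.6 Enable Location Services (Not Scored)
## As of macOS 10.12.2, Location Services cannot be enabled/monitored programmatically.
"""
# Constructed reference (control -> title), limited to the entries the issue
# cites from CIS_Apple_macOS_10.15_Benchmark_v1.2.0.pdf.
BENCHMARK = {
    "2.5.2.2": "Enable Firewall",
    "2.5.2.3": "Enable Firewall Stealth Mode",
    "2.5.6": "Limit Ad tracking and personalized Ads",
    "2.5.7": "Camera Privacy and Confidentiality Concerns",
}
# '# 2.5.3 Title' or '## 2.5.6 Title (Not Scored)'; the scoring tag is dropped.
HEADER = re.compile(r"^#{1,2} +(\d+(?:\.\d+)+) +(.*?) *(?:\((?:Not )?Scored\)|\((?:Automated|Manual)\))? *$", re.M)
ORGSCORE = re.compile(r"^OrgScore(\d+(?:_\d+)+)=", re.M)

def norm(title):  # case- and punctuation-insensitive key for comparing titles
    return " ".join(re.findall(r"[a-z0-9]+", title.lower()))

def find_mismatches(text, benchmark):
    """List (control, title, finding) for each script control that does not line up."""
    by_title = {norm(t): n for n, t in benchmark.items()}
    headers = dict(HEADER.findall(text))  # {control: title} from the header comments
    scored = {n.replace("_", ".") for n in ORGSCORE.findall(text)}  # controls with an OrgScore var
    findings = []
    for num, title in headers.items():
        expected = benchmark.get(num)
        if expected is not None and norm(expected) == norm(title):
            continue  # number and title agree with the benchmark
        elsewhere = by_title.get(norm(title))
        if elsewhere:
            msg = f"benchmark numbers this control {elsewhere}"
        else:
            msg = f"benchmark {num} is '{expected}'" if expected else "not a control in the benchmark"
        findings.append((num, title, msg))
    for num in sorted(scored - set(headers)):
        findings.append((num, "", "OrgScore variable has no header comment"))
    return findings
```

Running find_mismatches(SCRIPT, BENCHMARK) flags 2.5.3 and 2.5.4 as renumbered (2.5.2.2 and 2.5.2.3 in the benchmark) and 2.5.6 as carrying a title that belongs to a different control.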

espaay commented May 18, 2022

Hi, what we are showing below: the PDF file doesn't have OCSP data, yet the 2.5 extension attribute shows "5.9 enable OCSP". We are showing that the OCSP is coming from the Security_audit_Compliance script, which does not match the true control # from the PDF.


espaay commented May 18, 2022

JAMF reporting: again, the 2.5 audit_list_Extension Attribute is not aligned with the PDF and the Security_audit_compliance scripts.

espaay commented May 18, 2022

The Security_Audit_Compliance script contains the "controls off alignment" from the Org*_Priorities script, aligned with the PDF.
2.5.1 Disable "Wake for network access" is really 2.8 in the PDF and in Org*_Priorities.
2.6.4 Enable Firewall stealth mode is really 2.5.4 in the PDF and in Org*_Priorities.
