1_Set_Organization_Priorities.sh
#!/bin/bash
####################################################################################################
#
# Copyright (c) 2016, Jamf, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
# written by Katie English, Jamf October 2016
# github.com/jamfprofessionalservices
# USAGE
# Admins set organizational compliance for each listed item, which gets written to plist.
# Values default to "true"; to disregard an item as an organizational priority, comment out its "true" line and uncomment its "false" line.
# Writes to /Library/Application Support/SecurityScoring/org_security_score.plist by default.
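# Create the Scoring file destination directory if it does not already exist.
# The plist written below records which items the organization scores, so a
# failure here must stop the script instead of surfacing later as a failed
# redirect with no plist on disk.
dir="/Library/Application Support/SecurityScoring"
if [[ ! -d "$dir" ]]; then
  # -d (not -e): a regular file sitting at this path must not be mistaken for
  # the directory; mkdir then fails and the error is reported here.
  if ! mkdir -p "$dir"; then
    echo "ERROR: could not create directory: $dir" >&2
    exit 1
  fi
  # Only tightens a directory this script just created: drop group/other
  # write access so the priorities file cannot be replaced by other accounts.
  chmod go-w "$dir"
fi
plistlocation="$dir/org_security_score.plist"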
##################################################################
############### ADMINS DESIGNATE ORG VALUES BELOW ################
##################################################################
# Each item below is a pair of lines: the active assignment and its commented
# alternative. To change an item, comment the active line and uncomment the
# other. Values must be exactly true or false; they are written verbatim into
# the plist as <true/> or <false/>.

# ---- 1.x  Software updates -------------------------------------

# 1.1 Verify all Apple provided software is current (set to false in this copy)
OrgScore1_1=false
# OrgScore1_1=true

# 1.2 Enable Auto Update
OrgScore1_2=true
# OrgScore1_2=false

# 1.3 Enable app update installs
OrgScore1_3=true
# OrgScore1_3=false

# 1.4 Enable system data files and security update installs
OrgScore1_4=true
# OrgScore1_4=false

# 1.5 Enable OS X update installs
OrgScore1_5=true
# OrgScore1_5=false

# ---- 2.x  System settings, sharing and firewall ----------------

# 2.1.1 Turn off Bluetooth, if no paired devices exist
OrgScore2_1_1=true
# OrgScore2_1_1=false

# 2.1.3 Show Bluetooth status in menu bar
OrgScore2_1_3=true
# OrgScore2_1_3=false

# 2.2.2 Ensure time set is within appropriate limits
OrgScore2_2_2=true
# OrgScore2_2_2=false

# 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver
OrgScore2_3_1=true
# OrgScore2_3_1=false

# 2.3.2 Secure screen saver corners
OrgScore2_3_2=true
# OrgScore2_3_2=false

# 2.3.4 Set a screen corner to Start Screen Saver
OrgScore2_3_4=true
# OrgScore2_3_4=false

# 2.4.1 Disable Remote Apple Events
OrgScore2_4_1=true
# OrgScore2_4_1=false

# 2.4.2 Disable Internet Sharing
OrgScore2_4_2=true
# OrgScore2_4_2=false

# 2.4.3 Disable Screen Sharing
OrgScore2_4_3=true
# OrgScore2_4_3=false

# 2.4.5 Disable Remote Login
OrgScore2_4_5=true
# OrgScore2_4_5=false

# 2.4.7 Disable Bluetooth Sharing
OrgScore2_4_7=true
# OrgScore2_4_7=false

# 2.4.8 Disable File Sharing
OrgScore2_4_8=true
# OrgScore2_4_8=false

# 2.4.9 Disable Remote Management
OrgScore2_4_9=true
# OrgScore2_4_9=false

# 2.5.1 Disable "Wake for network access"
OrgScore2_5_1=true
# OrgScore2_5_1=false

# 2.5.2 Disable sleeping the computer when connected to power
OrgScore2_5_2=true
# OrgScore2_5_2=false

# 2.6.3 Enable Firewall
OrgScore2_6_3=true
# OrgScore2_6_3=false

# 2.6.4 Enable Firewall Stealth Mode
OrgScore2_6_4=true
# OrgScore2_6_4=false

# 2.6.5 Review Application Firewall Rules
OrgScore2_6_5=true
# OrgScore2_6_5=false

# 2.8 Pair the remote control infrared receiver if enabled
OrgScore2_8=true
# OrgScore2_8=false

# 2.9 Enable Secure Keyboard Entry in terminal.app
OrgScore2_9=true
# OrgScore2_9=false

# 2.10 Java 6 is not the default Java runtime
OrgScore2_10=true
# OrgScore2_10=false

# ---- 3.x  Log retention ----------------------------------------

# 3.1.1 Retain system.log for 90 or more days
OrgScore3_1_1=true
# OrgScore3_1_1=false

# 3.1.3 Retain authd.log for 90 or more days
OrgScore3_1_3=true
# OrgScore3_1_3=false

# 3.5 Retain install.log for 365 or more days
OrgScore3_5=true
# OrgScore3_5=false

# ---- 4.x  Network services -------------------------------------

# 4.1 Disable Bonjour advertising service
OrgScore4_1=true
# OrgScore4_1=false

# 4.2 Enable "Show Wi-Fi status in menu bar"
OrgScore4_2=true
# OrgScore4_2=false

# 4.4 Ensure http server is not running
OrgScore4_4=true
# OrgScore4_4=false

# 4.5 Ensure ftp server is not running
OrgScore4_5=true
# OrgScore4_5=false

# 4.6 Ensure nfs server is not running
OrgScore4_6=true
# OrgScore4_6=false

# ---- 5.x  Permissions, authentication and access ---------------

# 5.1.1 Secure Home Folders
OrgScore5_1_1=true
# OrgScore5_1_1=false

# 5.1.2 Check System Wide Applications for appropriate permissions
OrgScore5_1_2=true
# OrgScore5_1_2=false

# 5.1.3 Check System folder for world writable files
OrgScore5_1_3=true
# OrgScore5_1_3=false

# 5.1.4 Check Library folder for world writable files
OrgScore5_1_4=true
# OrgScore5_1_4=false

# 5.3 Reduce the sudo timeout period
OrgScore5_3=true
# OrgScore5_3=false

# 5.4 Automatically lock the login keychain for inactivity
OrgScore5_4=true
# OrgScore5_4=false

# 5.7 Do not enable the "root" account
OrgScore5_7=true
# OrgScore5_7=false

# 5.8 Disable automatic login
OrgScore5_8=true
# OrgScore5_8=false

# 5.9 Require a password to wake the computer from sleep or screen saver
OrgScore5_9=true
# OrgScore5_9=false

# 5.10 Require an administrator password to access system-wide preferences
OrgScore5_10=true
# OrgScore5_10=false

# 5.18 System Integrity Protection status
OrgScore5_18=true
# OrgScore5_18=false

# ---- 6.x  Guest access, Finder and Safari ----------------------

# 6.1.4 Disable "Allow guests to connect to shared folders"
OrgScore6_1_4=true
# OrgScore6_1_4=false

# 6.2 Turn on filename extensions
OrgScore6_2=true
# OrgScore6_2=false

# 6.3 Disable the automatic run of safe files in Safari
OrgScore6_3=true
# OrgScore6_3=false
##################################################################
############# DO NOT MODIFY ANYTHING BELOW THIS LINE #############
##################################################################
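# Write org_security_score values to local plist.
#
# Every OrgScore value is emitted as an XML element name (<true/> or <false/>),
# so a typo in the admin section above (for example "True", "yes" or an empty
# value) would produce a malformed plist. All values are validated first and
# nothing is written unless each one is exactly "true" or "false"; an existing
# plist is left untouched when validation fails.

# Keys in the order they are written; each entry is also the name of the shell
# variable that holds its value.
org_score_keys=(
  OrgScore1_1 OrgScore1_2 OrgScore1_3 OrgScore1_4 OrgScore1_5
  OrgScore2_1_1 OrgScore2_1_3
  OrgScore2_2_2
  OrgScore2_3_1 OrgScore2_3_2 OrgScore2_3_4
  OrgScore2_4_1 OrgScore2_4_2 OrgScore2_4_3 OrgScore2_4_5
  OrgScore2_4_7 OrgScore2_4_8 OrgScore2_4_9
  OrgScore2_5_1 OrgScore2_5_2
  OrgScore2_6_3 OrgScore2_6_4 OrgScore2_6_5
  OrgScore2_8 OrgScore2_9 OrgScore2_10
  OrgScore3_1_1 OrgScore3_1_3 OrgScore3_5
  OrgScore4_1 OrgScore4_2 OrgScore4_4 OrgScore4_5 OrgScore4_6
  OrgScore5_1_1 OrgScore5_1_2 OrgScore5_1_3 OrgScore5_1_4
  OrgScore5_3 OrgScore5_4 OrgScore5_7 OrgScore5_8 OrgScore5_9
  OrgScore5_10 OrgScore5_18
  OrgScore6_1_4 OrgScore6_2 OrgScore6_3
)

# Report every invalid value in one pass so the admin can fix them together.
org_score_invalid=0
for org_score_key in "${org_score_keys[@]}"; do
  case "${!org_score_key}" in
    true | false) ;;
    *)
      printf 'ERROR: %s must be "true" or "false" (found "%s")\n' \
        "$org_score_key" "${!org_score_key}" >&2
      org_score_invalid=1
      ;;
  esac
done

if [[ "$org_score_invalid" -ne 0 ]]; then
  echo "ERROR: $plistlocation was not written" >&2
  exit 1
fi

# Emit the same document the original single echo produced: XML header,
# one <key>/<value> pair per item, closing tags.
if ! {
  printf '%s\n' \
    '<?xml version="1.0" encoding="UTF-8"?>' \
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
    '<plist version="1.0">' \
    '<dict>'
  for org_score_key in "${org_score_keys[@]}"; do
    # The value was checked above, so it is safe to use as an element name.
    printf '<key>%s</key>\n<%s/>\n' "$org_score_key" "${!org_score_key}"
  done
  printf '%s\n' '</dict>' '</plist>'
} > "$plistlocation"; then
  echo "ERROR: could not write $plistlocation" >&2
  exit 1
fi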