CIS-for-macOS-Catalina-CP | jss-filevault-reissue
---|---
1 | 2
120 | 184
0.0% | -
0.0 | 2.9
almost 3 years ago | 11 months ago
Shell | Shell
MIT License | Apache License 2.0
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
CIS-for-macOS-Catalina-CP
- Hardening macOS
You can get most of the way to hardening to CIS level 1 by picking a more up-to-date fork of these: https://github.com/jamf/CIS-for-macOS-Catalina-CP.
FWIW, CIS level 1 will mean people get locked out of their machines very frequently. Complex 15-character passwords with 3 retries, from memory. So you need a half-decent MDM to unlock quickly. There is no half-decent MDM out there. Only shit ones but workable like Jamf.
Also, the username doesn't get auto-populated on login, so the typo can be in the username and the user assumes it is in the password. Very fast way to get lockouts.
To pass a full security review you might want to play with Google Santa. But that is intense.
jss-filevault-reissue
- Personal Recovery Key Invalid - How to fix this?
Which MDM? There are some scripts out there for reissuing a FileVault key with Jamf.
- Enable Secure Token for Admin
Look at the reissue_filevault_recovery_key.sh in the jss-filevault-reissue repo. Requires user interaction, but it explains to the user what is happening and then asks them for their password. You can add your company's branding to it.
What are some alternatives?
macos_security - macOS Security Compliance Project
Jamf_things - A collection of macOS and Jamf related support information and scripts
santa - A binary authorization and monitoring system for macOS
quickpkg - wrapper for pkgbuild to quickly build simple packages from an installed app, a dmg or zip archive.
debian-cis - PCI-DSS compliant Debian 10/11/12 hardening
homebrew.sh - Install homebrew via Jamf without giving users admin rights
super - S.U.P.E.R.M.A.N. optimizes the macOS software update experience.
prowler - Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 240 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks. [Moved to: https://github.com/prowler-cloud/prowler]