CIS Apple macOS 10.13 Benchmark for 2.3.2 and 2.3.3

cainehorr
Contributor III

DOCUMENT LAST UPDATED
2019-08-07

DOCUMENT PURPOSE

CIS Apple macOS 10.13 Benchmark
2.3 Desktop & Screen Saver
2.3.2 Secure screen saver corners (Scored) - Level 2
2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (Not Scored) - Level 1

TEST CONDITIONS
2019-08-07 - TESTED ON macOS 10.13 and 10.14

OVERVIEW
According to CIS Apple macOS 10.13 Benchmark v1.0.0 for 2.3.2 and 2.3.3...

This sounds fairly straightforward until you read up on the remediation sections for those benchmarks.

2.3.2 Secure screen saver corners (Scored) - Level 2
CIS recommends the following methodology...

Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Mission Control
3. Select Hot Corners
4. Remove any corners which are set to Disable Screen Saver

Well, that's not exactly an automated approach. Hmmm...

NOTE: In 2.3.3 they "allude" to the method.

2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (Not Scored) - Level 1
CIS quickly moves onto this secondary benchmark that suggests we need to Familiarize users with screen lock tools or corner to Start Screen Saver.

They don't really go into any detail on how to familiarize users.

NOTE: There are many methods to invoke the screen saver functionality. Many methods are beyond the knowledge of the typical user. This (CIS) method is one of the more direct methods.

Additionally - let's say you do manage to automate this using the CIS suggestion that's "hinted" at... You're most likely going to piss off your users if they use their hot corners like mine do. You don't want to keep wiping their corners out.

With that... I give you my solution to this wonky benchmark.

I wrote a simple script that performs the following...

  • Allows the user to have 3 of the 4 hot corners for their own personal needs
  • Tests to see if the user's com.apple.dock.plist actually exists
  • Tests to see if the user has jamfHelper - not a deal breaker if they don't
  • Runs certain sudo commands AS the user - this is important so as not to jack up their dock
  • Applies the hot corner settings immediately without logging out or rebooting - CIS benchmark 2.3.2
  • Ignores users who are compliant! No alerts!
  • Takes into account hot corners that have never been set (plist is mysteriously missing those attributes for new devices)
  • Informs the user what's happening and even has an unattended mode
  • Alerts the user at the end and "trains" them on how to use the hot corner, thereby meeting CIS Benchmark 2.3.3
  • Tests for "Disable Screen Saver", alerts the user, and remediates

That being said, I've tested this on macOS 10.13 and 10.14...

Without further ado... Here is the script...

SCRIPT

#!/bin/bash

#
# FILENAME:
#   CIS_Apple_macOS_10_13_Benchmark_2_3_2_and_2_3_3.sh
#
# PURPOSE/DESCRIPTION:
#   Enforce the following CIS benchmarks only if the user doesn't already have these CIS benchmarks applied.
#
#   CIS Apple macOS 10.13 Benchmark v1.0.0
#       2.3 Desktop & Screen Saver
#           2.3.2 Secure screen saver corners (Scored) - Level 2
#           2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (Not Scored) - Level 1
#
# TESTING:
#   Tested against macOS 10.13 and 10.14
#
# CHANGE CONTROL LOG:
#   Version 2.31 - 2019-08-07
#       Updated by Caine Hörr
#           Cleaned up log/display output
#           Added check_hot_corners_for_disable_screen_saver function to adhere to 2.3.2 Secure screen saver corners (Scored) audit requirements
#           Created check_hot_corners_for_proper_modifier_settings function
#           Created cornerNames function
#           created jamfHelper_Disabled_Screen_Saver function
#           Removed modifier adjustments from check_hot_corners_for_screen_saver function
#           Moved call to jamfHelper_PostFlight out of quit function - pop-up was appearing even on compliant systems
#           Moved call to jamfHelper_PostFlight into evaluate_hot_corner_settings function
#           Moved call to jamfHelper_PostFlight into check_hot_corners_for_screen_saver function 
#   Version 2.1 - 2019-08-06
#       Updated by Caine Hörr
#           Added jamfHelper Functionality to "train" the user how to use the hot corner
#           Added jamfHelper Functionality
#           Added file checks for existence of plist
#           Added sudo -u ${currentUser} to account for a bug where sudo destroys the com.apple.dock.plist file
#           Reorganized all the functions with greater granularity and compartmentalization
#           Added additional checks for corner modifier values
#   Version 1.2 - 2019-08-05
#       Updated by Caine Hörr
#           Broke out into additional functions
#           Added additional verbosity
#           Added checks for plist without wvous-XX-corner data
#           Added checks for plist without wvous-XX-modifier data
#   Version 1.0 - 2019-08-02
#       Created by Caine Hörr
#           Initial script creation
#

main(){
    run_as_root
    get_current_user
    cornerNames
    jamfHelper_Settings
    check_plist
    hot_corner_settings
    evaluate_hot_corner_settings
    quit
}

run_as_root(){
    # Check for admin/root permissions
    if [ "$(/usr/bin/id -u)" != "0" ]; then
        /bin/echo "Script must be run as root, or have root privileges (ie. sudo)."
        exit 1
    fi
}

get_current_user(){
    currentUser=$(/usr/bin/stat -f "%Su" "/dev/console")
    echo "[INFO] CURRENTLY LOGGED IN USER: ${currentUser}"
}

cornerNames(){
    bl="BOTTOM LEFT"
    br="BOTTOM RIGHT"
    tl="TOP LEFT"
    tr="TOP RIGHT"
}

jamfHelper_Settings(){
    echo # Line break for log/output clarity
    jamfHelperBinary="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

    if [ -f "${jamfHelperBinary}" ]; then
        echo "[INFO] ${jamfHelperBinary} INSTALLED"
    else
        echo "[WARNING] ${jamfHelperBinary} NOT INSTALLED"
    fi
}

jamfHelper_PreFlight(){
    if [ -f "${jamfHelperBinary}" ]; then
        # Configure jamfHelper 
        jhWindowType="utility"
        jhTitle="SYSTEM SECURITY UPDATE"
        jhHeading="Screen Saver Hot Corner Configuration"
        jhAlignHeading="left"
        jhDescription="In an effort to ensure a robust security posture, COMPANY IT is configuring a hot corner on your device that will provide you with the ability to initiate the screen saver at will. This configuration takes less than 5 seconds to complete. Your system will not reboot. Please contact EMAIL@COMPANY.COM if you have questions or concerns."
        jhAlignDescription="justified"
        jhIconPath="/Library/CorporateResources/COMPANY_branded_OS_user_icon.png"
        jhButton1Label="CONTINUE"
        jhTimeoutValueInSeconds="30" # 30 seconds
        jhCountdownPromptLabel="AUTO-RUN IN: "
        jhAlignCountdown="center"

        # Alert the user
        jamfHelper_PreFlight_Results=$(sudo -u "${currentUser}" "${jamfHelperBinary}" -windowType ${jhWindowType} -title "${jhTitle}" -heading "${jhHeading}" -alignHeading ${jhAlignHeading} -description "${jhDescription}" -alignDescription ${jhAlignDescription} -icon "${jhIconPath}" -button1 "${jhButton1Label}" -timeout ${jhTimeoutValueInSeconds} -countdown -countdownPrompt "${jhCountdownPromptLabel}" -alignCountdown ${jhAlignCountdown})
    fi
}

jamfHelper_Disabled_Screen_Saver(){
    if [ -f "${jamfHelperBinary}" ]; then
        # Configure jamfHelper 
        jhWindowType="utility"
        jhTitle="SYSTEM SECURITY UPDATE"
        jhHeading="${cornerValue} Hot Corner To Disable Screen Saver Has Been Detected"
        jhAlignHeading="left"
        jhDescription="Setting a hot corner to disable the screen saver is a violation of COMPANY's security posture. This hot corner has been removed. Please contact EMAIL@COMPANY.COM if you have questions or concerns."
        jhAlignDescription="justified"
        jhIconPath="/Library/CorporateResources/COMPANY_branded_OS_user_icon.png"
        jhButton1Label="CONTINUE"
        jhTimeoutValueInSeconds="30" # 30 seconds
        jhCountdownPromptLabel="AUTO-RUN IN: "
        jhAlignCountdown="center"

        # Get the user's selection
        jamfHelper_Disabled_Screen_Saver_Results=$(sudo -u "${currentUser}" "${jamfHelperBinary}" -windowType ${jhWindowType} -title "${jhTitle}" -heading "${jhHeading}" -alignHeading ${jhAlignHeading} -description "${jhDescription}" -alignDescription ${jhAlignDescription} -icon "${jhIconPath}" -button1 "${jhButton1Label}" -timeout ${jhTimeoutValueInSeconds} -countdown -countdownPrompt "${jhCountdownPromptLabel}" -alignCountdown ${jhAlignCountdown})
    fi
}

jamfHelper_PostFlight(){
    if [ -f "${jamfHelperBinary}" ]; then
        # Configure jamfHelper 
        jhWindowType="utility"
        jhTitle="SYSTEM SECURITY UPDATE"
        jhHeading="Screen Saver Hot Corner Configuration Has Been Set"
        jhAlignHeading="left"
        jhDescription="The ${cornerValue} corner of your display has been set as your screen saver hot corner. Dragging your mouse to the ${cornerValue} corner will turn on your screen saver and lock your device. Please contact EMAIL@COMPANY.COM if you have questions or concerns."
        jhAlignDescription="justified"
        jhIconPath="/Library/CorporateResources/COMPANY_branded_OS_user_icon.png"
        jhButton1Label="CONTINUE"
        jhTimeoutValueInSeconds="30" # 30 seconds
        jhCountdownPromptLabel="AUTO-RUN IN: "
        jhAlignCountdown="center"

        # Get the user's selection
        jamfHelper_PostFlight_Results=$(sudo -u "${currentUser}" "${jamfHelperBinary}" -windowType ${jhWindowType} -title "${jhTitle}" -heading "${jhHeading}" -alignHeading ${jhAlignHeading} -description "${jhDescription}" -alignDescription ${jhAlignDescription} -icon "${jhIconPath}" -button1 "${jhButton1Label}" -timeout ${jhTimeoutValueInSeconds} -countdown -countdownPrompt "${jhCountdownPromptLabel}" -alignCountdown ${jhAlignCountdown})
    fi
}

check_plist(){
    echo # Line break for log/output clarity
    plist="/Users/${currentUser}/Library/Preferences/com.apple.dock.plist"
    if [ -f "${plist}" ]; then
        echo "[INFO] ${plist} EXISTS"
        plist_defaults="/Users/${currentUser}/Library/Preferences/com.apple.dock"
    else
        echo "[ERROR] ${plist} DOES NOT EXIST"
        exit 1
    fi
}

hot_corner_settings(){
    echo # Line break for log/output clarity
    hot_corner_check=$(defaults read ${plist_defaults} | grep -i "wvous")
    echo "[INFO] ***** HOT CORNER SETTINGS AS READ FROM DEFAULTS *****"
    echo "${hot_corner_check}"
}

evaluate_hot_corner_settings(){
    echo # Line break for log/output clarity
    if [[ ${hot_corner_check} != "" ]]; then
        echo "[INFO] HOT CORNER SETTINGS EXIST"
        hot_corner_breakout
        check_hot_corners_for_proper_modifier_settings
        check_hot_corners_for_disabled_screen_saver
        check_hot_corners_for_screen_saver
    else
        echo "[WARNING] HOT CORNERS SETTINGS DO NOT EXIST"
        jamfHelper_PreFlight
        hot_corners_first_run
        restart_supporting_services
        hot_corner_settings
        jamfHelper_PostFlight
        evaluate_hot_corner_settings
    fi
}

hot_corner_breakout(){
    # "defaults read" prints each key as:   "wvous-bl-corner" = 5;
    # awk keeps the third field (5;) and sed strips the trailing semicolon,
    # leaving a bare integer (or an empty string if the key is absent)

    # Bottom Left Corner
    wvous_bl_corner=$(defaults read ${plist_defaults} | grep -i "wvous-bl-corner" | awk '{ print $3 }' | sed 's/;$//')
    wvous_bl_modifier=$(defaults read ${plist_defaults} | grep -i "wvous-bl-modifier" | awk '{ print $3 }' | sed 's/;$//')

    # Bottom Right Corner
    wvous_br_corner=$(defaults read ${plist_defaults} | grep -i "wvous-br-corner" | awk '{ print $3 }' | sed 's/;$//')
    wvous_br_modifier=$(defaults read ${plist_defaults} | grep -i "wvous-br-modifier" | awk '{ print $3 }' | sed 's/;$//')

    # Top Left Corner
    wvous_tl_corner=$(defaults read ${plist_defaults} | grep -i "wvous-tl-corner" | awk '{ print $3 }' | sed 's/;$//')
    wvous_tl_modifier=$(defaults read ${plist_defaults} | grep -i "wvous-tl-modifier" | awk '{ print $3 }' | sed 's/;$//')

    # Top Right Corner
    wvous_tr_corner=$(defaults read ${plist_defaults} | grep -i "wvous-tr-corner" | awk '{ print $3 }' | sed 's/;$//')
    wvous_tr_modifier=$(defaults read ${plist_defaults} | grep -i "wvous-tr-modifier" | awk '{ print $3 }' | sed 's/;$//')
}

check_hot_corners_for_screen_saver(){
    # Looking for a hot corner with a value of 5
    echo # Line break for log/output clarity
    echo "[INFO] ***** LOOKING FOR SCREEN SAVER ASSIGNED TO HOT CORNER *****"

    if [[ ${wvous_bl_corner} -ne "5" ]]; then
        echo "[INFO] ${bl} CORNER NOT SET TO SCREEN SAVER"
        if [[ ${wvous_br_corner} -ne "5" ]]; then
            echo "[INFO] ${br} CORNER NOT SET TO SCREEN SAVER"
            if [[ ${wvous_tl_corner} -ne "5" ]]; then 
                echo "[INFO] ${tl} CORNER NOT SET TO SCREEN SAVER"
                if [[ ${wvous_tr_corner} -ne "5" ]]; then
                    echo "[INFO] ${tr} CORNER NOT SET TO SCREEN SAVER"
                    echo "[WARNING] SCREEN SAVER HOT CORNER NOT SET"
                    jamfHelper_PreFlight
                    set_default_hot_corner
                    restart_supporting_services
                    cornerValue="${bl}"
                    jamfHelper_PostFlight
                else
                    echo "[INFO] ${tr} CORNER SET TO SCREEN SAVER"
                fi
            else
                echo "[INFO] ${tl} CORNER SET TO SCREEN SAVER"
            fi
        else
            echo "[INFO] ${br} CORNER SET TO SCREEN SAVER"
        fi
    else
        echo "[INFO] ${bl} CORNER SET TO SCREEN SAVER"
    fi
}

check_hot_corners_for_proper_modifier_settings(){
    # Looking for a hot corner modifier with a value other than 0
    echo # Line break for log/output clarity
    echo "[INFO] ***** LOOKING FOR INCORRECT HOT CORNER MODIFIERS *****"

    if [[ ${wvous_bl_modifier} -eq "0" ]]; then
        echo "[INFO] ${bl} CORNER MODIFIER IS CORRECT"
    else
        echo "[WARNING] ${bl} CORNER MODIFIER IS INCORRECT"
        echo "[INFO] CORRECTING ${bl} CORNER MODIFIER"
        sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-modifier -int 0
    fi

    if [[ ${wvous_br_modifier} -eq "0" ]]; then
        echo "[INFO] ${br} CORNER MODIFIER IS CORRECT"
    else
        echo "[WARNING] ${br} CORNER MODIFIER IS INCORRECT"
        echo "[INFO] CORRECTING ${br} CORNER MODIFIER"
        sudo -u ${currentUser} defaults write ${plist_defaults} wvous-br-modifier -int 0
    fi

    if [[ ${wvous_tl_modifier} -eq "0" ]]; then
        echo "[INFO] ${tl} CORNER MODIFIER IS CORRECT"
    else
        echo "[WARNING] ${tl} CORNER MODIFIER IS INCORRECT"
        echo "[INFO] CORRECTING ${tl} CORNER MODIFIER"
        sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tl-modifier -int 0
    fi

    if [[ ${wvous_tr_modifier} -eq "0" ]]; then
        echo "[INFO] ${tr} CORNER MODIFIER IS CORRECT"
    else
        echo "[WARNING] ${tr} CORNER MODIFIER IS INCORRECT"
        echo "[INFO] CORRECTING ${tr} CORNER MODIFIER"
        sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tr-modifier -int 0
    fi
}

check_hot_corners_for_disabled_screen_saver(){
    # Looking for a hot corner with a value of 6
    echo # Line break for log/output clarity
    echo "[INFO] ***** LOOKING FOR DISABLED SCREEN SAVER ASSIGNED TO HOT CORNER *****"

    if [[ ${wvous_bl_corner} -eq "6" ]]; then
        echo "[WARNING] ${bl} CORNER SET TO DISABLE SCREEN SAVER"
        echo "[INFO] SETTING ${bl} CORNER TO NULL"
        sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-corner -int 1
        cornerValue="${bl}"
        jamfHelper_Disabled_Screen_Saver
        restart_supporting_services
    else
        echo "[INFO] ${bl} CORNER NOT CONFIGURED TO DISABLE SCREENSAVER"
    fi

    if [[ ${wvous_br_corner} -eq "6" ]]; then
        echo "[WARNING] ${br} CORNER SET TO DISABLE SCREEN SAVER"
        echo "[INFO] SETTING ${br} CORNER TO NULL"
        sudo -u ${currentUser} defaults write ${plist_defaults} wvous-br-corner -int 1
        cornerValue="${br}"
        jamfHelper_Disabled_Screen_Saver
        restart_supporting_services
    else
        echo "[INFO] ${br} CORNER NOT CONFIGURED TO DISABLE SCREENSAVER"
    fi

    if [[ ${wvous_tl_corner} -eq "6" ]]; then
        echo "[WARNING] ${tl} CORNER SET TO DISABLE SCREEN SAVER"
        echo "[INFO] SETTING ${tl} CORNER TO NULL"
        sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tl-corner -int 1
        cornerValue="${tl}"
        jamfHelper_Disabled_Screen_Saver
        restart_supporting_services
    else
        echo "[INFO] ${tl} CORNER NOT CONFIGURED TO DISABLE SCREENSAVER"
    fi

    if [[ ${wvous_tr_corner} -eq "6" ]]; then
        echo "[WARNING] ${tr} CORNER SET TO DISABLE SCREEN SAVER"
        echo "[INFO] SETTING ${tr} CORNER TO NULL"
        sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tr-corner -int 1
        cornerValue="${tr}"
        jamfHelper_Disabled_Screen_Saver
        restart_supporting_services
    else
        echo "[INFO] ${tr} CORNER NOT CONFIGURED TO DISABLE SCREENSAVER"
    fi
}

set_default_hot_corner(){
    echo "[INFO] ASSIGNING SCREEN SAVER TO ${bl} CORNER"
    echo "[INFO] WRITING CONFIGURATION TO ${plist}"

    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-corner -int 5
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-modifier -int 0
}

hot_corners_first_run(){
    # Initializes hot corners if not previously configured
    echo "[INFO] CONFIGURING HOT CORNERS"
    echo "[INFO] WRITING CONFIGURATION TO ${plist}"

    # Bottom Left Corner
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-corner -int 5
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-bl-modifier -int 0

    # Bottom Right Corner
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-br-corner -int 1
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-br-modifier -int 0

    # Top Left Corner
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tl-corner -int 1
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tl-modifier -int 0

    # Top Right Corner
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tr-corner -int 1
    sudo -u ${currentUser} defaults write ${plist_defaults} wvous-tr-modifier -int 0
}

restart_supporting_services(){
    echo # Line break for log/output clarity
    echo "[INFO] QUITTING SYSTEM PREFERENCES"
    sudo -u ${currentUser} pkill -1 'System Preferences'

    echo "[INFO] RESTARTING THE DOCK"
    sudo -u ${currentUser} killall Dock
}

quit(){
    echo # Line break for log/output clarity
    echo "[INFO] SYSTEM ADHERES TO CIS BENCHMARKS 2.3.2 AND 2.3.3"
}

main

exit

ERRATA
You can run this manually from command line OR from within a Jamf policy.

If you do run this within a Jamf policy, you can set an ongoing policy to run once a day, once a week, whatever.

If you have any questions or comments, I'm all ears!

Cheers!

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!


cainehorr
Contributor III

@kenglish - You might find this useful...

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

cainehorr
Contributor III

Here's some sample Jamf logs from the script output against live devices in my environment...

Here's a user who was already compliant. As you can see, no changes were made to this user's system.

Executing Policy CIS Benchmark for 2.3.2 and 2.3.3 - Screen Saver Hot Corner
Running script CIS_Apple_macOS_10_13_Benchmark_2_3_2_and_2_3_3.sh...
Script exit code: 0
Script result: [INFO] CURRENTLY LOGGED IN USER: username_changed_to_protect_the_innocent
[INFO] /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper INSTALLED
[INFO] /Users/username_changed_to_protect_the_innocent/Library/Preferences/com.apple.dock.plist EXISTS
[INFO] HOT CORNER SETTINGS AS READ FROM DEFAULTS:
    "wvous-bl-corner" = 4;
    "wvous-bl-modifier" = 0;
    "wvous-br-corner" = 5;
    "wvous-br-modifier" = 0;
    "wvous-tl-corner" = 4;
    "wvous-tl-modifier" = 0;
    "wvous-tr-corner" = 2;
    "wvous-tr-modifier" = 0;
[INFO] HOT CORNER SETTINGS EXIST
[INFO] LOOKING FOR SCREEN SAVER ASSIGNED TO HOT CORNER
[INFO] BOTTOM LEFT CORNER NOT SET TO SCREEN SAVER
[INFO] BOTTOM RIGHT CORNER SET TO SCREEN SAVER
[INFO] SYSTEM ADHERES TO CIS BENCHMARKS 2.3.2 AND 2.3.3
Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

cainehorr
Contributor III

Here's a user (me) who had never set a hot corner before...

As you can tell, I did not have any hot corners set - now I do!

Executing Policy CIS Benchmark for 2.3.2 and 2.3.3 - Screen Saver Hot Corner
Running script CIS_Apple_macOS_10_13_Benchmark_2_3_2_and_2_3_3.sh...
Script exit code: 0
Script result: [INFO] CURRENTLY LOGGED IN USER: cainehorr
[INFO] /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper INSTALLED
[INFO] /Users/cainehorr/Library/Preferences/com.apple.dock.plist EXISTS
[INFO] HOT CORNER SETTINGS AS READ FROM DEFAULTS:

[WARNING] HOT CORNERS SETTINGS DO NOT EXIST
[INFO] CONFIGURING HOT CORNERS
[INFO] WRITING CONFIGURATION TO /Users/cainehorr/Library/Preferences/com.apple.dock.plist
[INFO] QUITTING SYSTEM PREFERENCES
[INFO] RESTARTING THE DOCK
[INFO] HOT CORNER SETTINGS AS READ FROM DEFAULTS:
    "wvous-bl-corner" = 5;
    "wvous-bl-modifier" = 0;
    "wvous-br-corner" = 1;
    "wvous-br-modifier" = 0;
    "wvous-tl-corner" = 1;
    "wvous-tl-modifier" = 0;
    "wvous-tr-corner" = 1;
    "wvous-tr-modifier" = 0;
[INFO] HOT CORNER SETTINGS EXIST
[INFO] LOOKING FOR SCREEN SAVER ASSIGNED TO HOT CORNER
[INFO] BOTTOM LEFT CORNER SET TO SCREEN SAVER
[INFO] SYSTEM ADHERES TO CIS BENCHMARKS 2.3.2 AND 2.3.3
Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

cainehorr
Contributor III

Here's a user who had a corner set, but did not have a screen saver setting hot corner configured.

The script left his hot corner (bottom right) alone and applied the CIS benchmarks to the bottom left.

Executing Policy CIS Benchmark for 2.3.2 and 2.3.3 - Screen Saver Hot Corner
Running script CIS_Apple_macOS_10_13_Benchmark_2_3_2_and_2_3_3.sh...
Script exit code: 0
Script result: [INFO] CURRENTLY LOGGED IN USER: username_changed_to_protect_the_guilty
[INFO] /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper INSTALLED
[INFO] /Users/username_changed_to_protect_the_guilty/Library/Preferences/com.apple.dock.plist EXISTS
[INFO] HOT CORNER SETTINGS AS READ FROM DEFAULTS:
    "wvous-br-corner" = 1;
    "wvous-br-modifier" = 1048576;
[INFO] HOT CORNER SETTINGS EXIST
[INFO] LOOKING FOR SCREEN SAVER ASSIGNED TO HOT CORNER
[INFO] BOTTOM LEFT CORNER NOT SET TO SCREEN SAVER
[INFO] BOTTOM RIGHT CORNER NOT SET TO SCREEN SAVER
[INFO] TOP LEFT CORNER NOT SET TO SCREEN SAVER
[INFO] TOP RIGHT CORNER NOT SET TO SCREEN SAVER
[WARNING] SCREEN SAVER HOT CORNER NOT SET
[INFO] ASSIGNING SCREEN SAVER TO BOTTOM LEFT CORNER
[INFO] WRITING CONFIGURATION TO /Users/seanvail/Library/Preferences/com.apple.dock.plist
[INFO] QUITTING SYSTEM PREFERENCES
[INFO] RESTARTING THE DOCK
[INFO] SYSTEM ADHERES TO CIS BENCHMARKS 2.3.2 AND 2.3.3
Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

cainehorr
Contributor III

One thing I may shoot for in a "Version 3" of this script is to have it test the 4 corners for screen saver.

If the user has a bottom left value set that's not screen saver, but other corners are available, I'll see if I can't have the script use an available corner before overwriting the bottom left.

Wish list item... ;-)

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

jwojda
Valued Contributor II

this is awesome! thank you!

cainehorr
Contributor III

EDGE CASE BUG
This morning, I was reviewing Jamf logs for people in my org who received this script.

I had one user in particular who had the following log...

Executing Policy CIS Benchmark for 2.3.2 and 2.3.3 - Screen Saver Hot Corner
Running script CIS_Apple_macOS_10_13_Benchmark_2_3_2_and_2_3_3.sh...
Script exit code: 0
Script result: [INFO] CURRENTLY LOGGED IN USER: username_changed_to_protect_the_innocent
[INFO] /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper INSTALLED
[INFO] /Users/username_changed_to_protect_the_innocent/Library/Preferences/com.apple.dock.plist EXISTS
[INFO] HOT CORNER SETTINGS AS READ FROM DEFAULTS:
    "wvous-bl-corner" = 5;
[INFO] HOT CORNER SETTINGS EXIST
[INFO] LOOKING FOR SCREEN SAVER ASSIGNED TO HOT CORNER
[INFO] BOTTOM LEFT CORNER SET TO SCREEN SAVER
[INFO] SYSTEM ADHERES TO CIS BENCHMARKS 2.3.2 AND 2.3.3

So far, this looks perfect...

However, upon closer examination of this user's system, her System Preferences > Mission Control > Hot Corners didn't actually update.

However...

I took a deep dive into their com.apple.dock.plist file...

Here's what I found...

"wvous-bl-corner" = 5;

That was the ONLY setting. They were missing the following line...

"wvous-bl-modifier" = 0;

I manually ran the following commands on her system:

defaults write ~/Library/Preferences/com.apple.dock wvous-bl-modifier -int 0
pkill -1 "System Preferences"
killall Dock

This added the missing value and reset the system with the updated com.apple.dock.plist file as expected.

However, this didn't actually work!

So I ran the following commands on their system:

defaults delete ~/Library/Preferences/com.apple.dock wvous-bl-corner
defaults delete ~/Library/Preferences/com.apple.dock wvous-bl-modifier
pkill -1 "System Preferences"
killall Dock
defaults write ~/Library/Preferences/com.apple.dock wvous-bl-corner -int 5
defaults write ~/Library/Preferences/com.apple.dock wvous-bl-modifier -int 0
pkill -1 "System Preferences"
killall Dock

THAT ACTUALLY WORKED!

Unfortunately, that doesn't provide me with the proper details for a Root Cause Analysis (RCA).

Yes, I could write those aforementioned commands into the code and have the script reset everyone's hot corner regardless of a proper attribute - just to be certain, but that's the "blunt object vs a scalpel" approach. This of course will annoy users based on the Jamf Policy cadence. They would have their dock restart daily. My users are hyperaware and that will flood our helpdesk staff and I really don't want to do that.

So for now, I'm diffing the plist outputs from before and after to see if there's a smoking gun. I may not find it in Patient 0, but perhaps I might identify a few others in my org with the same or similar symptoms. Once I find the RCA, I'll post my findings - unless someone else beats me to it!

With all that being said - CIS controls are nice and all, but when it comes to scripting these settings, the old adage of "trust but verify" certainly comes into play.

My logs didn't lie to me, but this user's system was in a strange state that gave me a false positive.

NOTE: Lucky for me and my org, this particular bug has only reared its ugly head once to date.

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!
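As an added example (this is not cainehorr's script and not code from the thread), here is an audit-first approach that covers both the checks described in the original post (a corner value of 5 with modifier 0 satisfies 2.3.2/2.3.3, a value of 6 is "Disable Screen Saver") and the edge case in this post (a wvous-XX-corner = 5 key with no wvous-XX-modifier key). It parses the same `defaults read` lines the script greps for, reports a state a Jamf Extension Attribute could record, and emits the delete / restart / re-write / restart sequence found above only for the corners that show the edge case, which keeps the "scalpel" rather than resetting everyone. The function names, the DRY_RUN switch and the SAMPLE_* inputs are this example's own; the samples are constructed to mirror the logs posted in the thread.

```bash
#!/bin/bash
# Added example, not part of cainehorr's script. Audits the wvous-* keys,
# flags the edge case from the thread (corner = 5 with no modifier key), and
# emits the per-corner reset sequence for those corners only. Function names,
# DRY_RUN and the SAMPLE_* strings are this example's own (constructed data).

# Print the value of one key from `defaults read` style output; empty if absent.
corner_value() {  # $1 = defaults output, $2 = key, e.g. wvous-bl-corner
    printf '%s\n' "$1" | awk -v key="\"$2\"" '$1 == key { sub(/;$/, "", $3); print $3 }'
}

# Classify the hot-corner state. Prints exactly one of:
#   DISABLE_SCREEN_SAVER:<corners>  a corner is set to 6, which fails 2.3.2
#   INCONSISTENT:<corners>          corner = 5 but its modifier key is missing
#   COMPLIANT:<corner>              a corner with value 5 and modifier 0 exists
#   NO_SCREEN_SAVER_CORNER          no modifier-free corner starts the screen saver
evaluate_hot_corners() {  # $1 = defaults output
    local out="$1" c corner mod disable="" bad="" ss=""
    for c in bl br tl tr; do
        corner=$(corner_value "$out" "wvous-$c-corner")
        mod=$(corner_value "$out" "wvous-$c-modifier")
        if [ "$corner" = "6" ]; then
            disable="$disable$c,"
        elif [ "$corner" = "5" ]; then
            if [ -z "$mod" ]; then
                bad="$bad$c,"
            elif [ "$mod" = "0" ] && [ -z "$ss" ]; then
                ss="$c"   # a non-zero modifier needs a key held down, so it does not count
            fi
        fi
    done
    if [ -n "$disable" ]; then printf 'DISABLE_SCREEN_SAVER:%s\n' "${disable%,}"
    elif [ -n "$bad" ]; then printf 'INCONSISTENT:%s\n' "${bad%,}"
    elif [ -n "$ss" ]; then printf 'COMPLIANT:%s\n' "$ss"
    else printf 'NO_SCREEN_SAVER_CORNER\n'
    fi
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Per-corner reset from the thread: delete both keys, restart the Dock, write
# both keys, restart the Dock again. Touches only the corners listed in $2.
reset_screen_saver_corners() {  # $1 = defaults domain, $2 = corners, e.g. "bl,tl"
    local domain="$1" c
    for c in $(printf '%s' "$2" | tr ',' ' '); do
        run defaults delete "$domain" "wvous-$c-corner"
        run defaults delete "$domain" "wvous-$c-modifier"
        run pkill -1 "System Preferences"
        run killall Dock
        run defaults write "$domain" "wvous-$c-corner" -int 5
        run defaults write "$domain" "wvous-$c-modifier" -int 0
        run pkill -1 "System Preferences"
        run killall Dock
    done
}

# Audit first; only the INCONSISTENT case gets the reset. Prints the state last.
audit_and_remediate() {  # $1 = defaults output, $2 = defaults domain
    local state
    state=$(evaluate_hot_corners "$1")
    case "$state" in
        INCONSISTENT:*) reset_screen_saver_corners "$2" "${state#INCONSISTENT:}" ;;
    esac
    printf '%s\n' "$state"
}

# Constructed samples mirroring the cases logged in the thread.
SAMPLE_COMPLIANT='    "wvous-bl-corner" = 4;
    "wvous-bl-modifier" = 0;
    "wvous-br-corner" = 5;
    "wvous-br-modifier" = 0;'
SAMPLE_DISABLE='    "wvous-tr-corner" = 6;
    "wvous-tr-modifier" = 0;'
SAMPLE_MODIFIER_ONLY='    "wvous-br-corner" = 1;
    "wvous-br-modifier" = 1048576;'
SAMPLE_EDGE_CASE='    "wvous-bl-corner" = 5;'

# Stand-alone run: dry-run unless DRY_RUN=0. On macOS it audits the live plist
# of the invoking user (under Jamf, run it via sudo -u <console user>);
# elsewhere it walks the constructed samples.
: "${DRY_RUN:=1}"
if [ "$(uname)" = "Darwin" ]; then
    audit_and_remediate "$(defaults read ~/Library/Preferences/com.apple.dock 2>/dev/null | grep -i wvous)" \
        ~/Library/Preferences/com.apple.dock
else
    for s in "$SAMPLE_COMPLIANT" "$SAMPLE_DISABLE" "$SAMPLE_MODIFIER_ONLY" "$SAMPLE_EDGE_CASE"; do
        audit_and_remediate "$s" com.apple.dock
    done
fi
```

Run it as-is to see what it would do (every command is printed, nothing is changed); run it with `DRY_RUN=0` to apply the reset, and only the corners reported as INCONSISTENT are touched. The state line is what you would return from an Extension Attribute so the Jamf inventory, not just the policy log, shows which machines carry the edge case.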

cainehorr
Contributor III

@jwojda - I've made a few updates since your last visit. If you're checking the script out, you might be interested in the latest version.

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!