There have been various security benchmarks and recommendations for securing Macs, of which one of the most widely used now comes from the Center for Internet Security. This article explains which of the items listed in CIS Apple macOS 10.15 Benchmark v1.0.0 – 04-06-2020 can be tackled and monitored using my free apps SilentKnight, LockRattler, and the command tool silnite.
System and security updates
Chapter 1 lists a series of scored benchmarks for macOS updates, security updates, etc. These rely largely on softwareupdate settings, and don't actually verify that the updates installed are the latest Apple has released. As Apple neither announces those updates nor documents which versions are current, there's no official source for that information.
I maintain lists of current versions on several pages here, for:
- Catalina on this page
- Mojave on this page
- High Sierra on this page
- Sierra on this page
- El Capitan on this page.
I also store an XML Property List containing this information on GitHub, which you are welcome to access for non-commercial purposes.
My free app SilentKnight accesses the last of those and checks whether that Mac's versions are current, and more. If you want a command tool version of it, silnite should be ideal. You can also check versions installed and other security settings using LockRattler. These three are available from their Product Page.
SilentKnight and silnite report the following key security indicators:
- Firmware, for all Mac models including those with T2 chips.
- SIP status.
- XProtect checks.
- FileVault use.
- Version numbers of XProtect, Gatekeeper, MRT, TCC and KEXT blocker data installed.
- Availability of software updates.
These cover benchmarks 1.1, 1.2, 1.5, 2.5.1.1, 2.5.2 and 5.19 (SIP status).
Firmware
Firmware is covered in benchmark 2.11, which relies on the macOS command tool eficheck. That tool isn't adequate for ascertaining whether the firmware installed is current, for two reasons.
First, eficheck can't check whether the firmware of Macs with T2 chips is up-to-date at all, so the benchmark assumes that this isn't necessary. I've now encountered several Macs with T2 chips whose firmware hasn't been up-to-date, so that is a dangerous assumption.
Second, even on Macs without T2 chips, eficheck only checks whether the firmware is within the loose limits that Apple prescribes, not whether it's current. In many cases, firmware can be months out of date and still be accepted by eficheck.
Neither does Apple publish any list of current firmware versions for different Mac models. The only such listing that I’m aware of is that which I maintain on GitHub, which is used by both SilentKnight and silnite to determine whether firmware is really current. I also provide a full listing in this article.
If you want to check properly whether a Mac's firmware is up to date, no matter whether it has a T2 chip or not, then as far as I'm aware there's no better way than using SilentKnight or silnite, not eficheck.
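To make concrete what SilentKnight and silnite check, and why a "within limits" firmware test is weaker than a "is it the latest" test, here is an added example in Python. It is not the author's code nor part of SilentKnight or silnite. It assumes the Catalina locations of the XProtect, Gatekeeper, MRT, TCC and KEXT-blocker bundles given in BUNDLE_PLISTS, and it models eficheck's acceptance policy as a simple version floor (an assumption, since that policy isn't published). The "current" version values, the firmware version for MacBookPro15,1, and the sample tool outputs are all constructed placeholders, not real data from Apple or from the author's GitHub list.

```python
"""Added example: currency checks of the kind SilentKnight/silnite perform.
Not the author's code. Sample outputs are constructed, not captured from a real Mac."""
import plistlib
import re
import subprocess
import sys

# Catalina locations of the bundles whose CFBundleShortVersionString carries the data version
# (assumed paths; confirm them on your own Mac before relying on them).
BUNDLE_PLISTS = {
    "XProtect": "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist",
    "Gatekeeper": "/private/var/db/gkopaque.bundle/Contents/Info.plist",
    "MRT": "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist",
    "TCC": "/Library/Apple/Library/Bundles/TCC_Compatibility.bundle/Contents/Info.plist",
    "KEXT blocker": "/Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist",
}

# Constructed stand-ins for the "latest known versions" list and for live tool output (placeholders, not real releases).
CURRENT_VERSIONS = {"XProtect": "2099", "Gatekeeper": "181", "MRT": "1.50", "TCC": "17.0", "KEXT blocker": "17.4.1"}
LATEST_FIRMWARE = {"MacBookPro15,1": "1037.147.4.0.0"}
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleShortVersionString</key><string>2099</string>
</dict></plist>"""
SAMPLE_HARDWARE_T2 = "      Model Identifier: MacBookPro15,1\n      Boot ROM Version: 1037.100.1.0.0 (iBridge: 17.16.14000.0.0,0)\n"
SAMPLE_HARDWARE_NO_T2 = "      Model Identifier: MacBookPro11,1\n      Boot ROM Version: 256.0.0.0.0\n"


def parse_version(text):
    """'1037.147.4.0.0' -> (1037, 147, 4, 0, 0). Tuples compare numerically; as strings '256' would sort after '1037'."""
    return tuple(int(p) for p in text.strip().split("."))


def bundle_version(plist_bytes):
    """Data version of XProtect, MRT, etc., read from the bundle's Info.plist."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


def firmware_versions(hardware_text):
    """Model identifier, Boot ROM (EFI) version and, on T2 Macs, the iBridge version from
    `system_profiler SPHardwareDataType` output. iBridge is None on Macs without a T2."""
    model = re.search(r"Model Identifier:\s*(\S+)", hardware_text)
    rom = re.search(r"Boot ROM Version:\s*([\d.]+)(?:\s*\(iBridge:\s*([\d.]+))?", hardware_text)
    if not (model and rom):
        raise ValueError("unexpected system_profiler output")
    return model.group(1), rom.group(1), rom.group(2)


def sip_enabled(csrutil_text):
    """`csrutil status` prints 'System Integrity Protection status: enabled.' (benchmark 5.19)."""
    return "status: enabled" in csrutil_text


def filevault_on(fdesetup_text):
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.' (benchmark 2.5.1.1)."""
    return fdesetup_text.strip().startswith("FileVault is On")


def firmware_is_current(installed, latest):
    """The question SilentKnight and silnite ask: is the installed firmware exactly the latest known for this model?"""
    return parse_version(installed) == parse_version(latest)


def firmware_within_floor(installed, floor):
    """Simplified model of an eficheck-style test (assumption: the real acceptance policy isn't published).
    Anything at or above a floor passes, so firmware months behind the latest release still passes."""
    return parse_version(installed) >= parse_version(floor)


def assess(installed, current):
    """Compare each installed data version with the latest known one."""
    status = {}
    for name, have in installed.items():
        want = current.get(name)
        if want is None:
            status[name] = "unknown"
        else:
            have_v, want_v = parse_version(have), parse_version(want)
            status[name] = "current" if have_v == want_v else ("newer than list" if have_v > want_v else "outdated")
    return status


def collect_live():
    """Gather the real values on a Mac. The parsers above take text so they can be tested offline."""
    if sys.platform != "darwin":
        raise RuntimeError("only meaningful on macOS")

    def run(*argv):
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

    installed = {}
    for name, path in BUNDLE_PLISTS.items():
        with open(path, "rb") as f:
            installed[name] = bundle_version(f.read())
    model, rom, ibridge = firmware_versions(run("system_profiler", "SPHardwareDataType"))
    return {"data": assess(installed, CURRENT_VERSIONS), "model": model, "boot_rom": rom, "ibridge": ibridge,
            "firmware_current": firmware_is_current(rom, LATEST_FIRMWARE.get(model, rom)),
            "sip": sip_enabled(run("csrutil", "status")), "filevault": filevault_on(run("fdesetup", "status"))}


if __name__ == "__main__":
    print(collect_live())
```

The two firmware functions make the article's point: the constructed Boot ROM 1037.100.1.0.0 passes firmware_within_floor against a floor of 1037.0.0.0.0 but fails firmware_is_current against the placeholder latest 1037.147.4.0.0. A check that only asks "is it acceptable" will never tell you that a newer release exists; only a comparison against a maintained list of current versions does.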
If you’re working to attain or maintain CIS benchmarks and need any other tools to help, please don’t hesitate to let me know.