The architecture starts with the compartment design for the tenancy along with groups and policies for segregation of duties. In Landing Zone V2 provisioning of Landing Zone compartments within a designated
Each of the Landing Zone compartments is assigned a group with the appropriate permissions for managing resources in the compartment and for accessing required resources in other compartments. Landing Zone V2 brings in the ability to provision multiple VCNs, either in standalone mode or as constituent parts of a hub-and-spoke architecture. The VCNs can either follow a general-purpose standard three-tier network topology or be oriented towards specific topologies, like supporting Oracle Exadata Database
They are configured out of the box with the necessary routing, with their inbound and outbound interfaces properly secured. The Landing Zone includes various preconfigured security services that can be deployed in tandem with the overall architecture for a strong security posture. The services are Oracle Cloud Guard, Flow Logs, Oracle Cloud Infrastructure Vulnerability Scanning Service, Oracle Cloud Infrastructure Service Connector Hub, Vault with customer-managed keys, Oracle Cloud Infrastructure Bastion, and Oracle Security Zones. Notifications are set using Topics and Events for alerting administrators about changes in the deployed resources.

The following diagram illustrates this reference architecture.
[Description of the illustration oci-cis-landingzone.png]

The architecture has the following components: A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization.

Quite some time ago I wrote an article about hardening Windows devices; now it's time for a similar approach for macOS devices. I won't repeat much on the whys and will rather go straight to the practical part. I really want to emphasise that this is based on great and awesome community content, which I'll reference here. Most of the legwork I repurposed was done by Mischa van der Bent and his version of the CIS script, which you can find here. One missing piece was the custom scoring of the CIS Benchmarks, which is based on a plist file generated by another script and consumed during reporting and remediation. But I didn't have to reinvent the wheel here either: I was able to stitch the pieces together using a version made for macOS Catalina and published on JAMF's GitHub repo here. In this script an admin can configure the custom scoring for the benchmark by simply editing each OrgScore and setting it to true or false as desired.

When executed, this script generates the custom org_security_list, which is then consumed by the actual reporting-and-remediation script. Therefore, we have the following ingredients:

JumpCloud Command (which is a script as well):

    Hash=$(shasum -a 256 /tmp/Set_SecurityScoring.sh | awk '{print $1}')
    # compare $Hash with the known-good value before running the scoring script
    /tmp/Set_SecurityScoring.sh                   # creates the custom scoring file in /tmp
    /tmp/CISBenchmarkScript-custom.sh -f          # assess and write the report
    CISBenchmarkReport=".../CISBenchmarkReport.csv"   # report path as configured in the CIS script
    if grep -q Failed "$CISBenchmarkReport"; then
        echo 'Device needs remediation - executing'
        /tmp/CISBenchmarkScript-custom.sh -r      # Remediating
    fi

First, I'm making a simple hash validation of the attached script which determines the scoring (certainly you can verify the actual remediation script as well). Second, the custom scoring file gets created in the tmp folder (customisable). Third, the CISBenchmarkScript creates a report (parameter -f). Fourth, if any OrgScore has failed during the scoring/assessment, the remediation will be executed (parameter -r). From my experience during testing, the execution never exceeded 3 minutes, but to play it safe I'm setting a timeout of 5 minutes here. Assembled in a JumpCloud Command it looks like this: You can find the two payloads and the JumpCloud Command itself here.

One recommendation: all settings which you can manage on a macOS-based device via MDM policies (like patching, screen lock, password policies etc.) should be done this way, as they are much more tamper-proof in that case. The report indicates which settings are managed via MDM/profile and which aren't. Disclaimer (as usual): handle with caution and iterate your way through each setting. You might need to dig in deep and test a lot before you apply this to your whole fleet. A good starting point is here: macOS Security Compliance Project. Hardening procedures can be fairly disruptive for users and their daily experience and might even be counterproductive, potentially leading to circumvention attempts and even increased Shadow IT. When you pivot to the latest guidance for macOS Ventura, you can find highly detailed PDFs on every single configuration item.