• "Verify all application software is current"
• "Enable Auto Update"
• "Disable Bluetooth"
• "Disable infrared receiver"
• "Disable AirDrop"
• "Disable automatic setting of time and date"
• "Set an inactivity interval of 10 minutes or less for the screen saver"
• "Enable secure screen saver corners"
• "Require a password to wake the computer from sleep or screen saver"
• "Ensure screen locks immediately when requested"
• "Disable Remote Apple Events"
• "Disable Remote Login"
• "Disable Internet Sharing"
• "Disable Screen Sharing"
• "Disable Printer Sharing"
• "Disable Wake on Network Access"
• "Disable File Sharing"
• "Disable Remote Management"
• "Enable FileVault"
• "Destroy File Vault Key when going to standby"
• "Enable hibernation mode (no memory power on sleep)"
• "Enable Gatekeeper"
• "Enable Firewall"
• "Enable Firewall Stealth Mode"
• "Disable signed apps from being auto-permitted to listen through firewall"
• "Disable iCloud drive"
• "Require an administrator password to access system-wide preferences"
• "Disable IPv6"
• "Disable Previews"
• "Secure Safari by crippling it"
• "Disable automatic loading of remote content by Mail.app"
• "Disable Captive Portal"
• "Enable logging"
• "Verify no HTTP update URLs for Sparkle Updater"

This must be very easy for the average OSX user to run. There are a few enhancements that can help

• Reduce number of non-standard imports to as few as possible, preferably zero
  • HJson can be turned into a JSON file as a build step, and the pre-built JSON can be included in the repo. This requires a user who only wants to use the default config file to only import the standard json module.
  • We can code a substitute for Enum so that non-standard enum34 is not required.
• Turn into a neat Python package
• Turn into a Mac .app package
• Alleviate the need for user to be in sudoers by executing app with OSX Administrator privileges?

https://github.com/drduh/OS-X-Security-and-Privacy-Guide

This could, for example, spare non-developer users from checks related to dev tools such as homebrew and git. Another example: Lock down browsers less for QA engineers and developers who do not use VMs. H/T @KMHouk

cause unknown currently; first step is to try to find steps to reproduce dependably.

This requires passing some information between the results of the check command and the fix command, or to create really long fix commands that check first before fixing.

• Basics
• Preparing and Installing OS X
• First boot
• Full disk encryption
• Firmware password
• Firewall
  • Application layer firewall
  • Third party firewalls
  • Kernel level packet filtering
• Services
• Spotlight Suggestions
• Homebrew
• DNS
  • Hosts file
  • dnsmasq
    • Test DNSSEC validation
  • dnscrypt
• Captive portal
• Certificate authorities
• OpenSSL
• Curl
• HTTP
• Web browsing
• Plugins
• PGP/GPG
• OTR
• Tor
• VPN
• Viruses and malware
• System Integrity Protection
• Gatekeeper and XProtect
• Passwords
• Backup
• Wi-Fi
• SSH
• Physical access
• System monitoring
  • OpenBSM audit
  • DTrace
  • Execution
  • Network
• Miscellaneous
• Related software
• Additional resources

• AlwaysShowFavoritesBarInFullScreen
• AlwaysShowTabBar
• AlwaysShowTabBarInFullScreen
• AutoFillCreditCardData
• AutoFillFromAddressBook
• AutoFillMiscellaneousForms
• AutoFillPasswords
• AutoOpenSafeDownloads
• AutoShowToolbarInFullScreen
• BlockStoragePolicy
• CachedBookmarksFileDate
• CachedBookmarksFileSize
• DefaultBrowserPromptingState2
• DidDisableIndividualExtensionsAfterRemovingOnOffSwitchIfNecessary
• DidMigrateNewBookmarkSheetToReadingListDefault
• DidMigrateTabsToLinksForReaderKey
• DidMigrateToMoreRestrictiveFileURLPolicy
• DidMigrateWebKit1Preferences
• DidReportHistorySettings
• DidUnsubscribeFromRSSFeeds
• ExtensionsEnabled
• GEOUsageSessionID
• GEOUsageSessionIDGenerationTime
• LastApplicationCacheMessageTraceTime
• LastExtensionMessageTraceTime
• LastInstalledPlugInsMessageTraceTime
• LastOSVersionSafariWasLaunchedOn
• LastSafariVersionWithWelcomePage
• LastSharedLinksMessageTraceTime
• LocalFileRestrictionsEnabled
• NSNavLastRootDirectory
• NSNavPanelExpandedSizeForOpenMode
• NSPreferencesContentSize
• NSPreferencesSelectedIndex
• "NSTableView Columns Passwords Preferences"
• "NSTableView Hidden Columns Passwords Preferences"
• "NSTableView Sort Ordering Passwords Preferences"
• "NSToolbar Configuration BrowserToolbarIdentifier-v2"
• "NSToolbar Configuration NSPreferences"
• "NSWindow Frame BrowserWindowFrame"
• "NSWindow Frame Preferences"
• NewestLaunchedSafariVersion
• OpenWindows
• PreloadTopHit
• RecentWebSearches
• RemoteConfigurationLastUpdateFailed
• RemoteConfigurationLastUpdateTime
• SearchProviderIdentifierMigratedToSystemPreference
• SearchProvidersNotAllowedToPromptToBeMadeDefault
• SendDoNotTrackHTTPHeader
• "ShowFavoritesBar-v2"
• ShowFullURLInSmartSearchField
• SidebarViewModeIdentifier
• SkipLoadingExtensionsAtLaunch
• StartPageViewControllerMode
• Storefront
• SuccessfulLaunchTimestamp
• SuppressSearchSuggestions
• TestDriveOriginBrowser
• TestDriveStartDate
• TestDriveState
• TreatSHA1CertificatesAsInsecure
• UserStyleSheetEnabled
• WebKitJavaEnabled
• WebKitJavaScriptEnabled
• WebKitPluginsEnabled
• WebKitRespectStandardStyleKeyEquivalents
• WebKitStorageBlockingPolicy
• WebsiteSpecificSearchEnabled
• "com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled"
• "com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled"
• "com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled"
• "com.apple.Safari.ContentPageGroupIdentifier.WebKit2StorageBlockingPolicy"
• "com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled"

• app checks this directory for configs
• add directory to .gitignore

Currently, if a config has a command version and a sudo_command version and the output of the command version does not meet the desired output, the sudo_command version will be tried. However, in some cases it's clear from the output of the non-sudo version that the config has failed, and running with sudo is unnecessary.

This would make the tool more friendly to automation, if that's a use case people are interested in.

Need to decide how to handle both Enigmail (PGP) and non-PGP users.

TODO: checklist of configurations.

https://github.com/SummitRoute/osxlockdown

E.g. you still have to follow best practices, and there's lots of stuff that you should do that can't be checked such as online activities, how you handle passwords, etc. Maybe refer peeps to this guide: https://github.com/drduh/OS-X-Security-and-Privacy-Guide

need to consider potential side effects first

https://github.com/drduh/OS-X-Security-and-Privacy-Guide

https://github.com/drduh/OS-X-Security-and-Privacy-Guide#third-party-firewalls

Need to handle both PGP users and non-PGP users.

• General
  • Add invitations to Calendar: Never (recommended)
• Accounts
  • for each account: SSL enabled (required)
  • for each account: Allow insecure authentication disabled (required)
  • Junk Mail
  • Enable junk filtering
  • When junk mail arrives, move it to the Junk mailbox (recommended) -- this will kill some phishing attacks
  • Disable exempting junk when message is addressed using my full name (recommended)
• Viewing
  • Disable load remote content in messages (Required)
• GPGMail
  • Encrypt drafts (required)
  • Encrypt new messages by default (recommended)
  • Sign new messages by default (recommened)
  • Automatically check for updates (required)
  • Download updates automatically -- this is debatable of course, but best option for majority of users I think

for example, if no command-line fix is available, that can be expressed in this string rather than a do-nothing fix that may or may not catch the user's attention.

also, config checks should be allowed to have no fix as long as they have a string as described above.

It's probably a good practice to mostly use a non-admin account, but the non-admin won't be able to change configurations unless at least added to the sudoers list. Need to decide how to resolve this catch-22.

CIS_Apple_OSX_10.10_Benchmark_v1.0.0.pdf

https://isc.sans.edu/forums/diary/The+Ultimate+OS+X+Hardening+Guide+Collection/12616/

Don't have a command for this yet, but iCloud is just generally evil and should be disabled altogether as a "recommended" config.

Printer sharing should be disabled -- computers can connect to their own damn printer.

osxlockdown checks with this command: if [ -n "$(system_profiler SPPrintersDataType | grep Shared | grep Yes)" ]; then exit 1; fi; exit 0

This will tell you if one of your printers is currently being shared, but not whether printer sharing has been enabled as a service.

Here's the output from system_profiler if you have no printers currently added but have enabled printer sharing as a service:

$ system_profiler SPPrintersDataType
Printers:

      Status: The printers list is empty. To add printers, choose Apple menu > System Preferences…, click Printers & Scanners, and then click Add (+).
      CUPS Version: x.x.x (cups-xxxx.xxxx)

No useful info there.

Here's what it looks like if you have printer sharing enabled, but have not shared the single printer you've added to your system's list:

$ system_profiler SPPrintersDataType
Printers:

    My Fancy Printer X9001:

      Status: Idle
      Print Server: Local
      ...
      System Printer Sharing: Yes
      Shared: No

The fix for both is the same, borrowed from osxlockdown: cupsctl --no-share-printers

So the only thing I'm doing differently here is checking both for the service being active and whether printers are being shared, rather than just the latter. This will be condensed into one command.

https://github.com/drduh/OS-X-Security-and-Privacy-Guide#third-party-firewalls

add field to HJson specification that states whether the command should be tried again with sudo if the first configuration attempt fails due to lack of sudo.

then, attempt all fixes up to 2 times -- once without sudo, and once with if specified in the HJson.

This will eliminate unnecessary use of sudo.

Ideally I would encourage the user to disable Safari from being opened altogether.

Safari should still be updated normally in case the user enables it in the future.

It should come with an "undo" command to reverse the effect.

Previously I tried chmoding the .app folder, but no dice.

confidence level: recommended, not required.

The grep command can be used to replace the regex match type in the config HJson.

https://github.com/SummitRoute/osxlockdown/blob/master/commands.yaml does it this way, and it would probably make the HJson simpler.

As described here:
https://github.com/drduh/OS-X-Security-and-Privacy-Guide#http

At a glance, this seems to be of limited use. This might lead to unnecessary logging of sensitive info in HTTP requests/responses.

Example output:

The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo softwareupdate --schedule | grep 'Automatic check is on''
Password:
CHECK #11: Automatic check for software updates is enabled.... FAILED!
    Apply the following  fix? This will execute this command:
        'softwareupdate --schedule on' [Y/n] 
The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo softwareupdate --schedule | grep 'Automatic check is on''
    Attempting configuration fix with elevated privileges; you may be prompted for your OS X login password...
The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo softwareupdate --schedule | grep 'Automatic check is on''
CHECK #11: Automatic check for software updates is enabled.... PASSED!

Just need to add a state variable to check whether the command is being executed for the first time or not -- just clutters the screen to have this printed multiple times.

https://github.com/herrbischoff/awesome-osx-command-line

Some linked here:
https://github.com/drduh/OS-X-Security-and-Privacy-Guide#dns

However, glancing at these -- they are very long. Unless we can establish a high degree of trust in their integrity, I'm not sure how you can avoid getting hosed by one of them. :-/

https://techwiki.uwm.edu/display/SecOfficeStandGuide/Mac+Hardening+Guidelines

Adapt from the script here:
https://raw.githubusercontent.com/macmule/JSS-Extension-Attributes/master/Sparkle-MITM-Vuln-Apps.py

I'd like to eliminate the dependency on CoreFoundation, however.

http://forums.macrumors.com/threads/can-a-mac-be-hacked-how-do-i-know-if-it-happens-security-advise-welcome.1087922/page-3#post-11835313

I think #29 broke some config fixes; By not running as sudo by default, we temporarily change the defaults value but it doesn't persist.

I've noticed this with the application firewall and stealth mode.

• perform checks for each Chrome profile
• Chrome is the default browser (recommended)
• Chrome is installed (recommended) fix via homebrew? (recommended)
• For all Chrome checks, test passes if Chrome not installed
• Default search engine set to DuckDuckGo (recommended)
• Guest browsing not enabled (or ought it be?) (recommended)
• Disable "Let anyone add a person to Chrome" (required)
• Disable "use a web service to resolve errors" (required)
• Disable "use a prediction service to help complete..." (required)
• Disable "use a prediction service to load pages more quickly" (required)
• Disable "Automatically report issues..." (required)
• Enable "Protect you and your device from dangerous sites" -- recommended level since likely privacy tradeoff
• Disable "Use a web service to help resolve..." (required)
• Disable "Automatically send usage statistics" (Required)
• Enable Do-Not-Track (recommended)
• Disable auto-fill forms (recommended)
• Disable offer to save your web passwords (recommended)
• Disable Google CloudPrint (Recommended)
• Content Settings
  • Key generation: disable (recommended)
  • Do not allow any protocol handlers (recommended)
  • Plugins: Let me choose when to run plugin content (required)
  • Do not allow popups (required)
  • Do not allow any site to track physical location (required)
  • Do not allow unsandboxed plugins (recommended)
  • Plugins
    • Disable flash (recommended)
    • Disable native client (recommended)
    • Disable widevine DRM thingy (Recommended)
• Extensions
  • Check for uBlock Origin (recommended)
  • Check for Ghostery (Recommended)
  • ScriptSafe (experimental)

https://objective-see.com/products/dhs.html