#!/usr/bin/env bash
#
# macOS hardening:
#
# - Ensure FileVault is enabled
# - Ensure a firmware password is set (non-Apple-silicon Macs)
# - Enforce firewall settings
# - Consolidate /etc/hosts
# - Manage network locations:
#   * Automatic: follow DHCP instructions
#   * Public Network: local DNS resolver + Tor
#   * Office: local DNS resolver
#   * Home: follow DHCP instructions
#
# Most steps go through sudo; the hosts step needs network access.
#
# https://github.com/drduh/macOS-Security-and-Privacy-Guide
#
set -euo pipefail

# The brand string decides whether the firmware-password checks apply.
CPU_BRAND="$(sysctl -n machdep.cpu.brand_string)"
# Remembered so the exit trap can switch back after the locations are rebuilt.
CURRENT_NETWORK_LOCATION="$(networksetup -getcurrentlocation)"
export CPU_BRAND CURRENT_NETWORK_LOCATION

printf '%s\n' "--> Detected CPU Brand: ${CPU_BRAND}"
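#######################################
# Restore the network state on exit (installed via `trap _clean INT TERM EXIT`):
# switch back to the location that was active at start, power Wi-Fi back on
# and drop the scratch 'tmp' location.
# Globals:   CURRENT_NETWORK_LOCATION (read)
# Returns:   0 always. Each step is best-effort: the script runs with errexit,
#            and a failed location switch would otherwise end the handler before
#            Wi-Fi is turned back on.
#######################################
_clean() {
  sudo networksetup -switchtolocation "$CURRENT_NETWORK_LOCATION" || true
  # NOTE(review): the radio is powered off elsewhere using the hardware-port
  # name 'airport' but restored here via the device name 'en0' — confirm both
  # resolve to the same interface on this machine.
  sudo networksetup -setairportpower en0 on || true
  sudo networksetup -deletelocation 'tmp' || true
  return 0
}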
# Keep the sudo timestamp fresh in the background so the long run below never
# stalls on a password prompt. `-n` never prompts, so an expired ticket simply
# fails quietly; the loop stops on its own once this script (PID $$) is gone.
(
  while :; do
    sudo -n true
    sleep 60
    kill -0 "$$" || exit
  done
) 2>/dev/null &
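# --- Pre-flight checks: refuse to continue when disk encryption, firmware or
# SIP protections are off, since the rest of the hardening assumes them. --------

# FileVault must already be on. Turning it on is deliberately left to the user:
# `fdesetup enable` prints the recovery key, which belongs off this disk (not in
# a plaintext file under $HOME on the very volume it protects).
if ! fdesetup status | grep -q 'FileVault is On.'; then
  # shellcheck disable=SC1003
  echo 1>&2 '/!\ FileVault is not enabled /!\'
  exit 1
  # sudo fdesetup enable -user $USER > $HOME/FileVault_recovery_key.txt
fi

# Firmware password / EFI checks do not apply to Apple silicon. Its brand string
# starts with 'Apple' ('Apple M1', 'Apple M1 Pro', 'Apple M2', ...), so match the
# prefix instead of one exact model name, which would wrongly run these checks
# on every other Apple-silicon model.
if [[ $CPU_BRAND != Apple* ]]; then
  # Check firmware password
  if ! sudo firmwarepasswd -check | grep -q 'Password Enabled: Yes'; then
    # shellcheck disable=SC1003
    echo 1>&2 '/!\ firmware password is not set /!\'
    echo 1>&2 'Hint: "sudo firmwarepasswd -setpasswd"'
    exit 1
  fi
  # The password must be required on every startup, not only for boot-device changes
  if ! sudo firmwarepasswd -mode | grep -q 'Mode: full'; then
    # shellcheck disable=SC1003
    echo 1>&2 '/!\ firmware password is not required on all startups /!\'
    echo 1>&2 'Hint: "sudo firmwarepasswd -setmode full"'
    exit 1
  fi
  # Check EFI firmware integrity; a non-zero status aborts the run (errexit).
  /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
fi

# Check System Integrity Protection
if ! csrutil status | grep -q 'System Integrity Protection status: enabled.'; then
  # shellcheck disable=SC1003
  echo 1>&2 '/!\ System Integrity protection is disabled /!\'
  echo 1>&2 'Hint: "sudo csrutil enable"'
  exit 1
fi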
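# Enable Gatekeeper
sudo spctl --master-enable

# Require an administrator password to access system-wide preferences
sudo /usr/bin/security authorizationdb write system.preferences deny

# --- Application firewall ---------------------------------------------------
# The --set* switches change system state and need root, like the HUP below
# (the guide linked in the header runs them through sudo as well).
readonly SOCKETFILTERFW='/usr/libexec/ApplicationFirewall/socketfilterfw'
# Enable the firewall
sudo "$SOCKETFILTERFW" --setglobalstate on
# Enable logging
sudo "$SOCKETFILTERFW" --setloggingmode on
# Enable stealth mode (do not respond to probing requests)
sudo "$SOCKETFILTERFW" --setstealthmode on
# Prevent built-in software as well as code-signed, downloaded software from
# being whitelisted automatically (the former duplicate --setallowsignedapp
# call was dropped; the setting is applied once here).
sudo "$SOCKETFILTERFW" --setallowsigned off
sudo "$SOCKETFILTERFW" --setallowsignedapp off
# Block all incoming connections
sudo "$SOCKETFILTERFW" --setblockall on
# Reload the firewall daemon so the new settings take effect
sudo pkill -HUP socketfilterfw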
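# --- Screen lock, Finder and application defaults --------------------------------

# Lock the screen as soon as the screensaver starts
defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0

# Expose hidden files and the Library folder in Finder
defaults write com.apple.finder AppleShowAllFiles -bool true
chflags nohidden ~/Library

# Show all filename extensions (so that "Evil.jpg.app" cannot masquerade easily).
defaults write NSGlobalDomain AppleShowAllExtensions -bool true

# Don't default to saving documents to iCloud
defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

# Disable Bonjour multicast advertisements
sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

# Set AirDrop discoverability to 'Contacts Only' and reload sharingd.
# killall exits non-zero when no sharingd process exists (eg: a headless/SSH
# session), which under errexit would abort the whole run — keep the reload
# best-effort; the preference itself is already written.
defaults write com.apple.sharingd DiscoverableMode -string 'Contacts Only'
sudo killall -HUP sharingd || true

# Set App Store update check to every one (1) day
defaults write com.apple.SoftwareUpdate ScheduleFrequency -int 1

# Captive portal: disable the automatic probe/pop-up on new networks
sudo defaults write \
  /Library/Preferences/SystemConfiguration/com.apple.captive.control Active \
  -bool false

# Disable automatic loading of remote content by Mail.app (remote images are a
# common tracking vector)
defaults write -app mail DisableURLLoading -bool true

# Disable Remote Login (sshd)
sudo systemsetup -f -setremotelogin off

# Disable Safari auto-open of 'safe' downloads
defaults write -app safari AutoOpenSafeDownloads -bool false

# --- Sleep: hibernate and evict FileVault keys from memory instead of plain
# sleep-to-RAM. hibernatemode 25 writes memory to disk and powers off, and
# destroyfvkeyonstandby drops the FileVault key so it is not resident while the
# machine is closed.
sudo pmset -a destroyfvkeyonstandby 1
sudo pmset -a hibernatemode 25
# With the key evicted the machine must not wake by itself in standby, or it
# would wake and then power off for lack of the FileVault key: turn off power
# nap and the standby/autopoweroff timers.
sudo pmset -a powernap 0
sudo pmset -a standby 0
sudo pmset -a standbydelay 0
sudo pmset -a autopoweroff 0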
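# Consolidate /etc/hosts too, just in case the local resolver is not in use
# (eg: the 'Automatic' location). The upstream list is fetched into a temp file
# and only installed once the transfer succeeded and the content looks like a
# hosts file, so a failed/truncated download or an HTML error page can never
# replace /etc/hosts (the old `curl | sudo tee` wrote whatever arrived).
# Note: like before, any custom local entries are replaced wholesale; merge
# them here if you rely on them.
readonly HOSTS_URL='https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts'
hosts_tmp="$(mktemp)"
if curl -fsS --proto '=https' --tlsv1.2 -o "$hosts_tmp" "$HOSTS_URL" \
  && [[ -s "$hosts_tmp" ]] \
  && grep -Eq '^127\.0\.0\.1[[:space:]]+localhost' "$hosts_tmp"; then
  # install(1) sets root ownership and the usual 0644 mode in one step
  sudo install -m 0644 -o root -g wheel "$hosts_tmp" /etc/hosts
  rm -f -- "$hosts_tmp"
else
  rm -f -- "$hosts_tmp"
  # shellcheck disable=SC1003
  echo 1>&2 '/!\ could not fetch a valid hosts file; /etc/hosts left untouched /!\'
  exit 1
fi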
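# --- Network locations -------------------------------------------------------

# Shutdown Wi-Fi while the locations are rebuilt; _clean turns it back on.
sudo networksetup -setairportpower airport off
trap _clean INT TERM EXIT

# Destinations that go direct instead of through the SOCKS proxy. Anything listed
# here bypasses Tor in 'Public Network', so keep the list as short as possible.
proxy_bypass=('localhost' '127.0.0.0/8' '172.16.0.0/12' '192.168.0.0/16' '169.254/16' '*.local' '*.home' '*.netflix.com' '*.youtube.com')

#######################################
# Drop and re-create a network location with default services, then switch to
# it so the following networksetup calls configure that location.
# Arguments: $1 - location name
# Returns:   0, or non-zero (aborting via errexit) if create/switch fails.
#            Deletion is best-effort because the location may not exist yet.
#######################################
_recreate_location() {
  local name=$1
  sudo networksetup -deletelocation "$name" || true
  sudo networksetup -createlocation "$name" populate
  sudo networksetup -switchtolocation "$name"
}

# Park on a scratch 'tmp' location before rebuilding the real ones. The old
# `createlocation || switchtolocation` only switched when creation FAILED, so on
# a fresh run the current location was never left and the rebuild below broke;
# create best-effort (it may already exist) and always switch explicitly.
sudo networksetup -createlocation 'tmp' populate || true
sudo networksetup -switchtolocation 'tmp'

# Automatic: follow DHCP instructions
_recreate_location 'Automatic'

# Public Network: local DNS resolver + Tor (SOCKS on 127.0.0.1:9050). Both
# assume a resolver and a Tor client are listening locally; without them name
# resolution and proxied connections in this location simply fail rather than
# falling back to the DHCP-provided resolver.
_recreate_location 'Public Network'
sudo networksetup -setdnsservers Wi-Fi 127.0.0.1
sudo networksetup -setproxybypassdomains Wi-Fi "${proxy_bypass[@]}" '*.airbnb.fr'
sudo networksetup -setsocksfirewallproxy Wi-Fi 127.0.0.1 9050
sudo networksetup -setsocksfirewallproxystate Wi-Fi on
sudo networksetup -setsearchdomains Wi-Fi Empty

# Office: local DNS resolver, no proxy
_recreate_location 'Office'
sudo networksetup -setdnsservers Wi-Fi 127.0.0.1
sudo networksetup -setproxybypassdomains Wi-Fi "${proxy_bypass[@]}"
sudo networksetup -setsocksfirewallproxystate Wi-Fi off
sudo networksetup -setsearchdomains Wi-Fi Empty

# Home: follow DHCP instructions, proxy cleared and off
_recreate_location 'Home'
sudo networksetup -setdnsservers Wi-Fi Empty
sudo networksetup -setproxybypassdomains Wi-Fi "${proxy_bypass[@]}"
sudo networksetup -setsocksfirewallproxy Wi-Fi Empty
sudo networksetup -setsocksfirewallproxystate Wi-Fi off
sudo networksetup -setsearchdomains Wi-Fi Empty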