summitroute / osxlockdown Goto Github PK

Hello,

Thanks for your work on this great tool. I like all the options it selects, however, I really want to lengthen the time for locking out my account. I am starting to tire of having to login with my password so frequently after being away from my computer for short amounts of time. I have turned off all options that appear to be related to screen saver, or locking the screen immediately, but I am just not experienced enough to figure out where to look to adjust this, or if I can adjust this option.

Also, I am wondering if there is a way to uninstall this program to turn all the options it changed back to normal?

Thank you for your time.

Hello,

Though in the Finder, AD appears or not in the GO menu. (Quit Finder and Relaunch each time)
The read command returns 1 or 0 if I try to change it manually.

No matter what I do, it is always FAILED.

Thanks

As per the latest JSON, remediation is done via

"fix_command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist",

this command appears to be bogus with a standard user or sudo, yielding

YES (0)
Unrecognized Command

and failing subsequent checks.

Hello,

Diagnostics & Usage Data sends a bunch of datas about your computer to Apple, it should be disabled.

Warning: If someone is using a beta version of OS X, SubmitDiagInfo will be reactivated each time an update is made so you should block internet access of this process with Little Snitch or similar too.

See: https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data

"Complex password required" check command is pwpolicy -getglobalpolicy | tr \" \" \"\\n\" | grep requiresSymbol but tr says:

In order to allow people to copy/paste commands, we need a format that doesn't require quotes to be escaped. TOML should allow that.

"osxlockdown was built to audit, and remediate, security configuration settings on OS X"

As per commands.json, "I 'secure' safari by removing javascript and PDF support. Advanced users won't use Safari anyway and novices will be persuaded to use Chrome or Firefox"

What is insecure about Safari? I'd note that, unlike third-party browsers, updates to it are applied along with general system updates, which are automatically enabled by osxlockdown itself. If I'm using Firefox or Chrome, the app needs to run to update, meaning there's a necessary out-of-date window.

Your project, your rules. I do consider myself an "advanced" user, though, and I use Safari :P

I verified on my El Capitan machine that the following fix in the YAML works:
defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false

However, the check command seems broken. I allowed internet sharing on one of my networking interfaces, and the /Library/Preferences/SystemConfiguration/com.apple.nat file doesn't exist. (Maybe it would if I re-logged or rebooted.)

I recommend just performing the defaults read portion of the check.

The check command for this produces a false negative. I tested this by enabling screen sharing in System Preferences and running the following:

$ launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist
/System/Library/LaunchDaemons/com.apple.screensharing.plist: Service is disabled

unloading this with launchctl appears to successfully stop the service, but only works for me when run with sudo privs.

Hey there, I made a pack to use osquery when performing the checks instead of all of the defaults reads. Wondering if it would be something you're interested in hosting, I could give it another once-over and send a PR.
(Nice work on Downclimb, btw.)

Samba stopped working to connect to Windows machines on my Local Network, May I re-enable it somehow in the script but leave other options off? Or rather, how may I?

Apple still has not updated SSH, so check the version and additionally check for "No Roaming". On failure add the following to the /etc/ssh/ssh_config under the Host * section:

# Fixing CVE-2016-0777
UseRoaming no

Title says everything, auditing and fixing it fails.

Hey,

I'm not sure how this is helpful. It's just another data point for Apple, since your computer will be periodically talking to them. It sounds the opposite of reducing attack surface. What am I missing here?

(Love osxlockdown, though. Thanks a bunch!)

To prevent Java, Silverlight or other shit from being injected into Safari/Firefox/Chrome/whatever browser, it would be nice to simply wipe and lock read/write access the /Library/Internet Plug-Ins/ directory

Hello,

I'm surprised it has not been done before, both of them send your search queries to Apple and Microsoft respectively.

See https://fix-macosx.com

I am not sure why I am unable to "fix" this vulnerability on my system. Everything else is clean!

:)

Add the ability to do checks and remediations for only specific rules.

Can you tag a release with a version? Something like '0.1' or whatever version scheme you want to start with.

As per #6 , is tr even necessary?

Mostly, though, writing to express doubt about the checks. As per the pwpolicy man page, "maxFailedLoginAttempts" intructs that "user's account is disabled if the failed login count exceeds this number." Is this safe on single-user systems? Not inspired to test.

Further, things like numbers, caps, and symbols don't do much to move the needle on entropy, but sure make things harder to remember and type. https://xkcd.com/936/ is a famous pop example of this, and https://en.wikipedia.org/wiki/Diceware is a nice implementation.

When I enable screen sharing in my system preferences, I still get this:

$ launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist
/System/Library/LaunchDaemons/com.apple.screensharing.plist: Service is disabled

System details: OS X El Capitan 10.11.5

Hello,

Everything is in the title, I think it could be easy to detect the programs but harder to remove them via --remediate

"Install system data files and security updates" may be a threat to privacy according to https://medium.com/@sabrihaddouche/automatic-updates-of-kernel-extensions-in-os-x-9b75b3e45c97

Recommendation: Disable it.

See http://apple.stackexchange.com/questions/92214/how-to-disable-apple-push-notification-service-apsd-on-os-x-10-8 as noted by Sabri here: https://twitter.com/pwnsdx/status/683837201822674944

What about an implementation to flick the switch for individual checks instead of all at once? Something like:

./osxlockdown --remediate 12

To switch the 12th check?

launchctl load -w /System/Library/LaunchAgents/com.apple.gamed.plist

feel free to add more services of this kind!

Sparkle is used by many third-party apps. It should never use HTTP. Check for that. Should be possible using:

for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done

I've added a check and fix to disable automatically loading of remote content by Mail.app when an email is opened by the user: defaults write com.apple.mail-shared DisableURLLoading -bool true

This should prevent Mail from automatically loading possibly malicious content from (hidden) URLs in e-mails.
I have forked and did a pull request, but since this is my first time, not sure whether I did it right...

I can't update applications like malwarebytes or other 3rd party apps that have internal updates. Which setting needs to be reversed to make that possible again?

Source: https://stackoverflow.com/questions/32418438/how-can-i-disable-bash-sessions-in-os-x-el-capitan

Fix: touch $HOME/.bash_sessions_disable

https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install

Is there a Undo / Uninstall Option?

Thanks

https://github.com/SummitRoute/osxlockdown/blob/master/commands.json#L176

    "check_command": "defaults read /Library/Preferences/com.apple.finder.plist | grep ShowIconThumbnails | grep 0",

the file to check should be perhaps ~/Library/Preferences/com.apple.finder.plist ?

Hello,

This feature could improve privacy as an attacker will have to guess the username too on the login window.

Hello,

I run OLD and it reports
[FAILED] Verify all application software is current

but if I run softwareupdate --list
it reports "No new software available."

The grep reports this
LastSuccessfulDate = "2016-01-27 10:50:35 +0000";

I am using El Capitan OS X French, all updates applied.

Thank you.

Hello,

Apple commonly use your computer model and session name (like "Macbook's of Thea" or "iMac's of Oliver") to propagate itself in the network and this is bad for privacy.

To remediate this, you could make a regexp to detect this common name and replace it with randomized alphanumeric characters from /dev/random.

to give more people with a plain system access to this script

please +1

On 10.11.5 DisableAirDrop fails:

$ sudo defaults read com.apple.NetworkBrowser DisableAirDrop | grep 1
Password:
2016-05-18 09:28:12.188 defaults[4266:54118] 
The domain/default pair of (com.apple.NetworkBrowser, DisableAirDrop) does not exist

Any thoughts?

To reduce attack surface, Netbios support should be disabled.

launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist

See: https://en.wikipedia.org/wiki/NetBIOS
https://jamfnation.jamfsoftware.com/discussion.html?id=15357

As noted by sabri here, perhaps we should disable ntpd instead of enabling it, due to issues it has had in the past (see here)

Hi,

As your script seems to be more "aggressive" than conservative (not saying this as a negative, quite the opposite), would you consider verifying hibernation modes and FileVault key destruction on sleep with pmset and configuring the following?

Hibernatemode to 25
Destroyfvkeysonstandby to 1

Thanks!

Hello, the state of a vanilla 10.11.5 image is that, in /Library/Preferences/com.apple.alf (which I think the description should say is for the firewall and not y'know asl and all logging on the system) loggingenabled is already is integer 1... not sure why you're checking for it besides general hygiene checkup I guess?

iCloud Drive is disabled on my Mac, but your program says what it's enabled

Or how I should disable it?

IPv6 should not be disabled. I'm not sure what this adds security-wise.

just for discussion.. does it make sense to enable/disable such unknown logs?

In this case your download log?
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'

The check for File Sharing fails if a WINS server is defined by a DHCP server. Disabling network interfaces then running osxlockdown returns a success.

grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
    <array>
    </array>

A copy of the com.apple.smb.server.plist is below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DOSCodePage</key>
    <string>437</string>
    <key>LocalKerberosRealm</key>
    <string>snipped</string>
    <key>NetBIOSName</key>
    <string>MACBOOKPRO</string>
    <key>ServerDescription</key>
    <string>MacBook Pro</string>
    <key>WINSServerAddressList</key>
    <array>
        <string>10.20.0.1</string>
    </array>
</dict>
</plist>

For those of us that like to keep in sync with the mothership, setting enabled to true or false within the commands.json (soon to be commands.toml?) file will require a local merge every time a pull is executed. If this were done in a separate file, one could keep that independent and pull at will.

On my machine, some (all?) settings written with or without sudo to /Library/Preferences/com.apple.* are overwritten when I logout and log back in.

Consequently this fix doesn't stick for me:
defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false

The solution is to write it only for the current user:
defaults write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false

not working on mine OSX, replace in commands.json line
"check_command": "defaults read com.apple.screensaver askForPassword | grep "1",
by
"check_command": "defaults read com.apple.screensaver askForPassword | grep 1",

in all cases, Thanks for this script.
Rgds