summitroute / osxlockdown
[No longer maintained] Apple OS X tool to audit for, and remediate, security configuration settings.
License: MIT License
Hello,
Thanks for your work on this great tool. I like all the options it selects; however, I really want to lengthen the time for locking out my account. I am starting to tire of having to log in with my password so frequently after being away from my computer for short amounts of time. I have turned off all options that appear to be related to the screen saver, or locking the screen immediately, but I am just not experienced enough to figure out where to look to adjust this, or if I can adjust this option.
Also, I am wondering if there is a way to uninstall this program to turn all the options it changed back to normal?
Thank you for your time.
Hello,
Though in the Finder, AD appears or not in the GO menu. (Quit Finder and Relaunch each time)
The read command returns 1 or 0 if I try to change it manually.
No matter what I do, it is always FAILED.
Thanks
As per the latest JSON, remediation is done via
"fix_command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist",
this command appears to be bogus with a standard user or sudo, yielding
YES (0)
Unrecognized Command
and failing subsequent checks.
Hello,
Diagnostics & Usage Data sends a bunch of data about your computer to Apple; it should be disabled.
Warning: If someone is using a beta version of OS X, SubmitDiagInfo will be reactivated each time an update is made so you should block internet access of this process with Little Snitch or similar too.
See: https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data
In order to allow people to copy/paste commands, we need a format that doesn't require quotes to be escaped. TOML should allow that.
"osxlockdown was built to audit, and remediate, security configuration settings on OS X"
As per commands.json, "I 'secure' safari by removing javascript and PDF support. Advanced users won't use Safari anyway and novices will be persuaded to use Chrome or Firefox"
What is insecure about Safari? I'd note that, unlike third-party browsers, updates to it are applied along with general system updates, which are automatically enabled by osxlockdown itself. If I'm using Firefox or Chrome, the app needs to run to update, meaning there's a necessary out-of-date window.
Your project, your rules. I do consider myself an "advanced" user, though, and I use Safari :P
I verified on my El Capitan machine that the following fix in the YAML works:
defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false
However, the check command seems broken. I allowed internet sharing on one of my networking interfaces, and the /Library/Preferences/SystemConfiguration/com.apple.nat file doesn't exist. (Maybe it would if I re-logged or rebooted.)
I recommend just performing the defaults read portion of the check.
The check command for this produces a false negative. I tested this by enabling screen sharing in System Preferences and running the following:
$ launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist
/System/Library/LaunchDaemons/com.apple.screensharing.plist: Service is disabled
Unloading this with launchctl appears to successfully stop the service, but it only works for me when run with sudo privs.
Samba stopped working for connecting to Windows machines on my local network. May I re-enable it somehow in the script but leave other options off? Or rather, how may I?
Apple still has not updated SSH, so check the version and additionally check for "No Roaming". On failure add the following to /etc/ssh/ssh_config under the Host * section:
# Fixing CVE-2016-0777
UseRoaming no
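An audit-and-fix pair for the ssh_config change described in this issue, written here as an added example (not code from osxlockdown or from the issue author). It works on the file's text, using a constructed sample config, so it runs offline; the check only counts a `UseRoaming no` that applies to every host (before any Host/Match line or under `Host *`), and the fix is idempotent.

```python
import re

# Constructed sample ssh_config, not a file from the issue above.
SAMPLE_SSH_CONFIG = """# Site-wide OpenSSH client config
Host *
    SendEnv LANG LC_*
Host bastion
    HostName bastion.example.com
"""

FIX_LINES = ["# Fixing CVE-2016-0777", "UseRoaming no"]


def roaming_disabled(config_text: str) -> bool:
    """Check: True only when 'UseRoaming no' is in effect for every host, i.e. it
    appears before any Host/Match block or inside a 'Host *' block."""
    applies_to_all = True          # directives before the first Host/Match line are global
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"^(Host|Match)\b", line, re.I):
            applies_to_all = re.match(r"^Host\s+\*\s*$", line, re.I) is not None
            continue
        m = re.match(r"^UseRoaming[\s=]+(\S+)", line, re.I)
        if applies_to_all and m:
            return m.group(1).lower() == "no"   # first value found wins, as in ssh(1)
    return False


def remediate(config_text: str) -> str:
    """Fix: insert the two lines right after the first 'Host *' header, or append
    a new 'Host *' block when the file has none. Returns the new file text."""
    if roaming_disabled(config_text):
        return config_text                      # already compliant: leave untouched
    lines = config_text.splitlines()
    indented = ["    " + fix for fix in FIX_LINES]
    for i, raw in enumerate(lines):
        if re.match(r"^\s*Host\s+\*\s*$", raw, re.I):
            return "\n".join(lines[: i + 1] + indented + lines[i + 1 :]) + "\n"
    return config_text.rstrip("\n") + "\n\nHost *\n" + "\n".join(indented) + "\n"
```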
Title says everything, auditing and fixing it fails.
Hey,
I'm not sure how this is helpful. It's just another data point for Apple, since your computer will be periodically talking to them. It sounds the opposite of reducing attack surface. What am I missing here?
(Love osxlockdown, though. Thanks a bunch!)
To prevent Java, Silverlight or other shit from being injected into Safari/Firefox/Chrome/whatever browser, it would be nice to simply wipe and lock read/write access to the /Library/Internet Plug-Ins/ directory.
Hello,
I'm surprised it has not been done before, both of them send your search queries to Apple and Microsoft respectively.
I am not sure why I am unable to "fix" this vulnerability on my system. Everything else is clean!
:)
Add the ability to do checks and remediations for only specific rules.
Can you tag a release with a version? Something like '0.1' or whatever version scheme you want to start with.
As per #6, is tr even necessary?
Mostly, though, writing to express doubt about the checks. As per the pwpolicy man page, "maxFailedLoginAttempts" instructs that "user's account is disabled if the failed login count exceeds this number." Is this safe on single-user systems? Not inspired to test.
Further, things like numbers, caps, and symbols don't do much to move the needle on entropy, but sure make things harder to remember and type. https://xkcd.com/936/ is a famous pop example of this, and https://en.wikipedia.org/wiki/Diceware is a nice implementation.
When I enable screen sharing in my system preferences, I still get this:
$ launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist
/System/Library/LaunchDaemons/com.apple.screensharing.plist: Service is disabled
System details: OS X El Capitan 10.11.5
Hello,
Everything is in the title, I think it could be easy to detect the programs but harder to remove them via --remediate
"Install system data files and security updates" may be a threat to privacy according to https://medium.com/@sabrihaddouche/automatic-updates-of-kernel-extensions-in-os-x-9b75b3e45c97
Recommendation: Disable it.
What about an implementation to flick the switch for individual checks instead of all at once? Something like:
./osxlockdown --remediate 12
To switch the 12th check?
launchctl load -w /System/Library/LaunchAgents/com.apple.gamed.plist
Feel free to add more services of this kind!
Sparkle is used by many third-party apps. It should never use HTTP. Check for that. Should be possible using:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
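The Sparkle feed check proposed above, as an added example that is not part of osxlockdown or the issue: it reads each bundle's Info.plist with the standard-library plistlib and flags any SUFeedURL whose scheme is not https. The three Info.plist documents are constructed inline so the check runs offline; the `load_installed_bundles` helper reads the same glob the shell loop does on a real Mac.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Constructed Info.plist contents for three hypothetical apps; not real bundles.
SAMPLE_BUNDLES = {
    "/Applications/GoodApp.app/Contents/Info.plist": plistlib.dumps(
        {"CFBundleName": "GoodApp", "SUFeedURL": "https://updates.example.com/goodapp.xml"}),
    "/Applications/OldApp.app/Contents/Info.plist": plistlib.dumps(
        {"CFBundleName": "OldApp", "SUFeedURL": "http://updates.example.com/oldapp.xml"}),
    "/Applications/NoSparkle.app/Contents/Info.plist": plistlib.dumps(
        {"CFBundleName": "NoSparkle"}),
}


def insecure_feeds(bundles: dict) -> dict:
    """Return {plist_path: feed_url} for every bundle whose Sparkle appcast (SUFeedURL)
    is fetched over anything other than HTTPS. Bundles without SUFeedURL don't use Sparkle."""
    findings = {}
    for path, data in bundles.items():
        try:
            info = plistlib.loads(data)
        except Exception:            # unreadable or non-plist file: nothing to report
            continue
        feed = info.get("SUFeedURL")
        if isinstance(feed, str) and urlsplit(feed).scheme.lower() != "https":
            findings[path] = feed
    return findings


def load_installed_bundles(apps_dir: str = "/Applications") -> dict:
    """Read the same files the issue's shell loop does: /Applications/*/Contents/Info.plist."""
    return {str(p): p.read_bytes() for p in Path(apps_dir).glob("*/Contents/Info.plist")}


if __name__ == "__main__":
    for path, url in insecure_feeds(load_installed_bundles()).items():
        print(f"[FAILED] {path}: SUFeedURL not served over HTTPS: {url}")
```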
I've added a check and fix to disable automatic loading of remote content by Mail.app when an email is opened by the user: defaults write com.apple.mail-shared DisableURLLoading -bool true
This should prevent Mail from automatically loading possibly malicious content from (hidden) URLs in e-mails.
I have forked and made a pull request, but since this is my first time, I'm not sure whether I did it right...
I can't update applications like malwarebytes or other 3rd party apps that have internal updates. Which setting needs to be reversed to make that possible again?
Source: https://stackoverflow.com/questions/32418438/how-can-i-disable-bash-sessions-in-os-x-el-capitan
Fix: touch $HOME/.bash_sessions_disable
Is there a Undo / Uninstall Option?
Thanks
https://github.com/SummitRoute/osxlockdown/blob/master/commands.json#L176
"check_command": "defaults read /Library/Preferences/com.apple.finder.plist | grep ShowIconThumbnails | grep 0",
The file to check should perhaps be ~/Library/Preferences/com.apple.finder.plist?
Hello,
I run OLD and it reports
[FAILED] Verify all application software is current
but if I run softwareupdate --list it reports "No new software available."
The grep reports this
LastSuccessfulDate = "2016-01-27 10:50:35 +0000";
I am using El Capitan OS X French, all updates applied.
Thank you.
Hello,
Apple commonly uses your computer model and session name (like "Macbook's of Thea" or "iMac's of Oliver") to propagate itself on the network, and this is bad for privacy.
To remediate this, you could make a regexp to detect this common name and replace it with randomized alphanumeric characters from /dev/random.
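One way to implement the detect-and-rename idea above, as an added example rather than osxlockdown code: a regexp that matches the default owner-plus-model names (including the issue's "Macbook's of Thea" spelling), a random alphanumeric name drawn from the OS CSPRNG (Python's secrets module, which reads the kernel's random source), and the scutil commands that would apply it. The model list and name patterns are assumptions.

```python
import re
import secrets
import string

MODELS = r"(?:MacBook(?: Pro| Air)?|iMac|Mac mini|Mac Pro)"
# Matches "Thea's MacBook Pro", "iMac de Oliver" and the issue's "Macbook's of Thea".
OWNER_NAME = re.compile(
    rf"^(?:.+['’]s\s+{MODELS}|{MODELS}(?:['’]s)?\s+(?:of|de|von|di)\s+.+)$", re.I)


def reveals_owner(name: str) -> bool:
    """Check: does the computer name follow the default owner-plus-model pattern?"""
    return OWNER_NAME.match(name.strip()) is not None


def random_hostname(length: int = 12) -> str:
    """Random alphanumeric name, letter first so it is also a valid LocalHostName."""
    alphabet = string.ascii_lowercase + string.digits
    return secrets.choice(string.ascii_lowercase) + "".join(
        secrets.choice(alphabet) for _ in range(length - 1))


def remediation_commands(current_name: str) -> list:
    """Fix: scutil commands that set all three macOS name fields to one random value.
    Returns [] when the current name already reveals nothing."""
    if not reveals_owner(current_name):
        return []
    new = random_hostname()
    return [f"sudo scutil --set {field} {new}"
            for field in ("ComputerName", "LocalHostName", "HostName")]
```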
To give more people with a plain system access to this script, please +1.
On 10.11.5 DisableAirDrop fails:
$ sudo defaults read com.apple.NetworkBrowser DisableAirDrop | grep 1
Password:
2016-05-18 09:28:12.188 defaults[4266:54118] The domain/default pair of (com.apple.NetworkBrowser, DisableAirDrop) does not exist
Any thoughts?
To reduce attack surface, Netbios support should be disabled.
launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist
See: https://en.wikipedia.org/wiki/NetBIOS
https://jamfnation.jamfsoftware.com/discussion.html?id=15357
Hi,
As your script seems to be more "aggressive" than conservative (not saying this as a negative, quite the opposite), would you consider verifying hibernation modes and FileVault key destruction on sleep with pmset and configuring the following?
Hibernatemode to 25
Destroyfvkeysonstandby to 1
Thanks!
Hello, the state of a vanilla 10.11.5 image is that, in /Library/Preferences/com.apple.alf (which I think the description should say is for the firewall and not y'know asl and all logging on the system) loggingenabled is already integer 1... not sure why you're checking for it besides general hygiene checkup I guess?
IPv6 should not be disabled. I'm not sure what this adds security-wise.
Just for discussion: does it make sense to enable/disable such unknown logs?
In this case, your download log?
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
The check for File Sharing fails if a WINS server is defined by a DHCP server. Disabling network interfaces then running osxlockdown returns a success.
grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
<array>
</array>
A copy of the com.apple.smb.server.plist is below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DOSCodePage</key>
<string>437</string>
<key>LocalKerberosRealm</key>
<string>snipped</string>
<key>NetBIOSName</key>
<string>MACBOOKPRO</string>
<key>ServerDescription</key>
<string>MacBook Pro</string>
<key>WINSServerAddressList</key>
<array>
<string>10.20.0.1</string>
</array>
</dict>
</plist>
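The false positive above comes from the check matching any `<array>` in the file rather than the key that records sharing. As an added example (not osxlockdown's code), the naive test is shown beside a replacement that parses the plist with plistlib and looks only at `EnabledServices`, the array macOS fills when File Sharing is on (that key name is assumed here; it does not appear in the issue). The first plist is rebuilt from the one quoted above with the realm removed; the second is constructed.

```python
import plistlib

# Rebuilt from the plist quoted in the issue (LocalKerberosRealm removed); not the original file.
SMB_PLIST_WITH_WINS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NetBIOSName</key><string>MACBOOKPRO</string>
  <key>ServerDescription</key><string>MacBook Pro</string>
  <key>WINSServerAddressList</key><array><string>10.20.0.1</string></array>
</dict>
</plist>
"""

# Constructed plist for a Mac with File Sharing turned on: EnabledServices lists "disk".
SMB_PLIST_SHARING_ON = plistlib.dumps({"NetBIOSName": "MACBOOKPRO", "EnabledServices": ["disk"]})


def naive_check(plist_bytes: bytes) -> bool:
    """What 'grep -i array' effectively tests: is there any <array> element in the file?"""
    return b"<array>" in plist_bytes.lower()


def file_sharing_enabled(plist_bytes: bytes) -> bool:
    """Replacement check: parse the plist and look only at EnabledServices, so a
    DHCP-supplied WINS server list (or any other array) cannot trip it."""
    if not plist_bytes:
        return False                       # file absent or empty: sharing never configured
    cfg = plistlib.loads(plist_bytes)
    services = cfg.get("EnabledServices", [])
    return isinstance(services, list) and len(services) > 0
```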
For those of us that like to keep in sync with the mothership, setting enabled to true or false within the commands.json (soon to be commands.toml?) file will require a local merge every time a pull is executed. If this were done in a separate file, one could keep that independent and pull at will.
On my machine, some (all?) settings written with or without sudo to /Library/Preferences/com.apple.* are overwritten when I log out and log back in.
Consequently this fix doesn't stick for me:
defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
The solution is to write it only for the current user:
defaults write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false
Not working on my OS X; replace in commands.json the line
"check_command": "defaults read com.apple.screensaver askForPassword | grep "1",
by
"check_command": "defaults read com.apple.screensaver askForPassword | grep 1",
In all cases, thanks for this script.
Rgds