This repository has been archived by the owner on Apr 11, 2018. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 50
/
Copy pathcommands.yaml
276 lines (210 loc) · 12.5 KB
/
commands.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
- title: "Verify all application software is current"
check_command: |
LASTUPDATE=$(sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* "\([0-9\\-]*\) .*$@\1@'); if [ "$LASTUPDATE" = "$(date +%Y-%m-%d)" ];then exit 0; fi; exit 1
fix_command: |
sudo softwareupdate -i -a
enabled: true
- title: "Enable Auto Update"
check_command: |
sudo softwareupdate --schedule | grep 'Automatic check is on'
fix_command: |
sudo softwareupdate --schedule on
enabled: true
- title: "Disable Bluetooth"
check_command: |
defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState | grep 0
fix_command: |
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0; sudo killall -HUP blued
enabled: true
- title: "Disable infrared receiver"
check_command: |
defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled | grep 0
fix_command: |
sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -int 0
enabled: true
- title: "Disable AirDrop"
check_command: |
sudo defaults read com.apple.NetworkBrowser DisableAirDrop | grep 1
fix_command: |
defaults write com.apple.NetworkBrowser DisableAirDrop -bool YES
enabled: true
- title: "Disable automatic setting of time and date"
check_command: |
sudo systemsetup getusingnetworktime | grep 'Network Time: Off'
fix_command: |
sudo systemsetup setusingnetworktime off
enabled: true
- title: "Set an inactivity interval of 10 minutes or less for the screen saver"
check_command: |
UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then exit 1; fi; fi; done; exit 0
comment: "This checks the screensaver setting for each user"
fix_command: |
UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done
enabled: true
- title: "Enable secure screen saver corners"
check_command: |
for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/com.apple.dock.plist; if [ -e $PREF ]; then CORNER=$(defaults read $PREF | grep corner | grep 6) && if [ -n "$CORNER" ]; then exit 1; fi; fi; done; exit 0
fix_command: |
for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/com.apple.dock.plist; if [ -e $PREF ]; then CORNER=$(defaults read $PREF | grep corner | grep 6) && if [ -n "$CORNER" ]; then defaults write $PREF wvous-tr-corner 5; fi; fi; done;
enabled: true
- title: "Require a password to wake the computer from sleep or screen saver"
check_command: |
defaults read com.apple.screensaver askForPassword | grep 1
fix_command: |
defaults write com.apple.screensaver askForPassword -int 1
enabled: true
- title: "Ensure screen locks immediately when requested"
check_command: |
defaults read com.apple.screensaver askForPasswordDelay | grep "0"
fix_command: |
defaults write com.apple.screensaver askForPasswordDelay -int 0
enabled: true
- title: "Disable Remote Apple Events"
check_command: |
sudo systemsetup -getremoteappleevents | grep "Remote Apple Events: Off"
fix_command: |
sudo systemsetup -setremoteappleevents off
enabled: true
- title: "Disable Remote Login"
check_command: |
sudo systemsetup -getremotelogin | grep "Remote Login: Off"
fix_command: |
sudo systemsetup -f -setremotelogin off",
enabled: true
- title: "Disable Internet Sharing"
check_command: |
if [ -e /Library/Preferences/SystemConfiguration/com.apple.nat ]; then NAT=$(defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -i "Enabled = 0") && if [ -n "$NAT" ]; then exit 1; fi; fi; exit 0
fix_command: |
defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -int 0
comment: "TODO: I'm not sure if this fix actually works since I don't have Internet Sharing enabled anywhere to test"
enabled: true
- title: "Disable Screen Sharing"
check_command: |
if [ -e /System/Library/LaunchDaemons/com.apple.screensharing.plist ]; then STATUS=$(launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist | grep -v "Service is disabled") && if [ -n "$STATUS" ]; then exit 1; fi; fi; exit 0
fix_command: |
launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
enabled: true
- title: "Disable Printer Sharing"
check_command: |
if [ -n "$(system_profiler SPPrintersDataType | grep Shared | grep Yes)" ]; then exit 1; fi; exit 0
fix_command: |
cupsctl --no-share-printers
enabled: true
- title: "Disable Wake on Network Access"
check_command: |
sudo systemsetup getwakeonnetworkaccess | grep "Wake On Network Access: Off"
fix_command: |
sudo systemsetup -setwakeonnetworkaccess off
enabled: true
- title: "Disable File Sharing"
check_command: |
if [ -n "$(launchctl list | egrep AppleFileServer)" ]; then exit 1; fi; if [ -n "$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)" ]; then exit 1; fi; exit 0;
fix_command: |
launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
enabled: true
- title: "Disable Remote Management"
check_command: |
if [ -n "$(ps -ef | egrep "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent")" ]; then exit 1; fi; exit 0
fix_command: |
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
enabled: true
- title: "Enable FileVault"
check_command: |
diskutil cs list | grep -i "Encryption Status: Unlocked"
comment: "TODO: FileVault can be enabled with `fdesetup enable`, but you need to enter user creds and write down the recovery key. How to do this programmatically, or at least tell the user the steps? See https://derflounder.wordpress.com/2013/10/22/managing-mavericks-filevault-2-with-fdesetup/"
enabled: true
- title: "Destroy File Vault Key when going to standby"
check_command: |
pmset -g | grep DestroyFVKeyOnStandby | grep 1
fix_command: |
sudo pmset -a destroyfvkeyonstandby 1
enabled: true
- title: "Enable hibernation mode (no memory power on sleep)"
check_command: |
pmset -g | grep hibernatemode | grep 25
fix_command: |
sudo pmset -a hibernatemode 25
enabled: true
- title: "Enable Gatekeeper"
check_command: |
spctl --status | grep "assessments enabled"
fix_command: |
sudo spctl --master-enable
enabled: true
- title: "Enable Firewall"
check_command: |
test $(defaults read /Library/Preferences/com.apple.alf globalstate) -ge 1
fix_command: |
defaults write /Library/Preferences/com.apple.alf globalstate -int 1
enabled: true
- title: "Enable Firewall Stealth Mode"
check_command: |
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep "Stealth mode enabled"
fix_command: |
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
enabled: true
- title: "Disable signed apps from being auto-permitted to listen through firewall"
check_command: |
defaults read /Library/Preferences/com.apple.alf allowsignedenabled | grep 0
fix_command: |
defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
enabled: true
- title: "Disable iCloud drive"
check_command: |
if [ -n "$(defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud | grep "0")" ]; then exit 0; fi; exit 1;
fix_command: |
defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
comment: "TODO: Disable icloud entirely. This checks if a value is not set or set to 0"
enabled: true
- title: "Require an administrator password to access system-wide preferences"
check_command: |
if [ -n "$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')" ]; then exit 0; fi; exit 1
fix_command: |
security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist
enabled: true
- title: "Disable IPv6"
check_command: |
networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo "$i" | grep "IPv6: Automatic") && if [ -n "$SUPPORT" ]; then exit 1; fi; done; exit 0
fix_command: |
networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo "$i" | grep "IPv6: Automatic") && if [ -n "$SUPPORT" ]; then networksetup -setv6off "$i"; fi; done;
enabled: true
- title: "Disable Previews"
check_command: |
defaults read /Library/Preferences/com.apple.finder.plist | grep ShowIconThumbnails | grep 0
fix_command: |
/usr/libexec/PlistBuddy -c "Add StandardViewOptions:ColumnViewOptions:ShowIconThumbnails bool NO" "/Library/Preferences/com.apple.finder.plist" && /usr/libexec/PlistBuddy -c "Add StandardViewSettings:ListViewSettings:showIconPreview bool NO" "/Library/Preferences/com.apple.finder.plist" && /usr/libexec/PlistBuddy -c "Add StandardViewSettings:IconViewSettings:showIconPreview bool NO" "/Library/Preferences/com.apple.finder.plist" && /usr/libexec/PlistBuddy -c "Add StandardViewSettings:ExtendedListViewSettings:showIconPreview bool NO" "/Library/Preferences/com.apple.finder.plist" && /usr/libexec/PlistBuddy -c "Add StandardViewOptions:ColumnViewOptions:ShowPreview bool NO" "/Library/Preferences/com.apple.finder.plist" && /usr/libexec/PlistBuddy -c "Add StandardViewSettings:ListViewSettings:showPreview bool NO" "/Library/Preferences/com.apple.finder.plist" && /usr/libexec/PlistBuddy -c "Add StandardViewSettings:IconViewSettings:showPreview bool NO" "/Library/Preferences/com.apple.finder.plist" && /usr/libexec/PlistBuddy -c "Add StandardViewSettings:ExtendedListViewSettings:showPreview bool NO" "/Library/Preferences/com.apple.finder.plist"
comment: "TODO: I'm only checking one item, check all"
enabled: true
- title: "Secure Safari by crippling it"
check_command: |
defaults read com.apple.Safari WebKitOmitPDFSupport | grep 1
fix_command: |
defaults write com.apple.Safari WebKitOmitPDFSupport -bool YES && defaults write com.apple.Safari WebKitJavaScriptEnabled -bool FALSE && defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool FALSE
comment: "I 'secure' safari by removing javascript and PDF support. Advanced users won't use Safari anyway and novices will be persuaded to use Chrome or Firefox. TODO: This needs to be done per user."
enabled: true
- title: "Disable automatic loading of remote content by Mail.app"
check_command: |
defaults read com.apple.mail-shared DisableURLLoading | grep 1
fix_command: |
defaults write com.apple.mail-shared DisableURLLoading -bool true
comment: "I improve security of OSX's Mail app by disabling automatic loading of remote content in opened emails. TODO: This needs to be done per user."
enabled: true
- title: "Disable Captive Portal"
check_command: |
defaults read /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist | grep "Active = 0"
fix_command: |
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false
comment: "For more details see https://github.com/drduh/OS-X-Security-and-Privacy-Guide#captive-portal"
enabled: true
- title: "Enable logging"
check_command: |
defaults read /Library/Preferences/com.apple.alf loggingenabled | grep 1
fix_command: |
sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true
comment: "In case of post-pwnege investigation or host-based log management systems"
enabled: true
- title: "Verify no HTTP update URLs for Sparkle Updater"
check_command: |
for i in /Applications/*/Contents/Info.plist; do URL=$(defaults read "$i" SUFeedURL 2>/dev/null | grep "http://"); if [ -n "$URL" ]; then exit 1; fi; done; exit 0
comment: "For more details see https://vulnsec.com/2016/osx-apps-vulnerabilities/"
enabled: true