Home

Awesome

Welcome to the macOS Hardening project

Work in progress label CI

This project was inspired by

(Thanks for your good work !)

Also, project structure is based on HardeningKitty work and, because Windows and macOS are like cats and dogs, this project is called HardeningPuppy.

HardeningPuppy

HardeningPuppy supports hardening of a macOS system. The configuration of the system is retrieved and assessed using a finding list. In addition, the system can be hardened according to predefined values. HardeningPuppy reads settings from the registry (defaults command) and uses other modules to read configurations outside the registry.

How to run

  1. Clone or download this repository
  2. Go to macos_hardening
cd macos_hardening
  1. Run this command :
./puppy.sh
username@hostname ~/macos_hardening % ./puppy.sh


                             ^. .^                                   
                             (=°=)                                   
                             (n  n )/  HardeningPuppy                


################################################################################
User name               : username
Mode to apply           : AUDIT
Hostname                : hostname
CSV File configuration  : list.csv
################################################################################

################################################################################
Verify all Apple provided software is current...
Your software is up to date !
################################################################################

    ID      Name                                                  Actual Recommended
--------------------------------------------------------------------------------
[*] 07/26/21 16:14:07 Starting Category Updates
------------Software Update
[-] 1001    Automatically check new software updates               1           1
[-] 1002    Automatically download new software updates            1           1
.
.
.

--------------------------------------------------------------------------------
[*] 07/26/21 16:14:07 Starting Category Login/Logout
------------Sleep
[/] 2000    AC display sleep timer                                 0           5
[/] 2001    Battery display sleep timer                            0           2
------------Screen Saver
[X] 2100    Enable prompt for a password on screen saver           0           1
[X] 2101    Set password delay                                     0          
.
.
.

--------------------------------------------------------------------------------
[*] 07/26/21 16:14:08 Starting Category Cache
------------Disable Content Caching
[-] 7000    Disable Content Caching                                deactivate  deactivate

#################################### SCORE #####################################

total points : 216
points archived : 140
Score : 4.24 / 6

Usages

  1. Status Mode : To just read a configuration.
./puppy.sh -s
  1. Audit Mode : It will read and audit a configuration with colors.
./puppy.sh -a

You can skip Software Update verification with -skipu.

  1. Hardening Mode : This function will apply all policies with Automatically assessment status.
./puppy.sh -H

Hardening Mode will ask your confirmation.

  1. Backup option : You can save your configuration in csv file before the Hardening Mode.
./puppy.sh -b

Documentation

Apple Documentation

For setting preferences throught plist files (Registry method with defaults command), I use this Apple documentation.

CIS Apple macOS Benchmark

This project is mainly based on CIS Apple macOS 11.0 Benchmark v1.2.0

Profile Definitions

  1. Level 1 : Items in this profile intend to:

    • be practical and prudent;
    • provide a clear security benefit; and
    • not inhibit the utility of the technology beyond acceptable means.
  2. Level 2 : This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:

    • are intended for environments or use cases where security is paramount
    • acts as defense in depth measure
    • may negatively inhibit the utility or performance of the technology.

List of policies

Before, you have to login to your iCloud account

This Hardening depends on a list :

Details of policies

For more details about policies read POLICIES.md