Welcome to the macOS Hardening project
This project was inspired by
- beerisgood/macOS_Hardening
- ayethatsright/MacOS-Hardening-Script
- herrbischoff/awesome-macos-command-line
- MoeClub/Note
- alichtman/stronghold
- wazuh/cis_apple_macOS_10.13.yml
- mathiasbynens/dotfiles
- pathikrit/mac-setup-script
(Thanks for your good work!)
The project structure is also based on HardeningKitty, and because Windows and macOS are like cats and dogs, this project is called HardeningPuppy.
HardeningPuppy
HardeningPuppy supports hardening of a macOS system. The configuration of the system is retrieved and assessed against a finding list. In addition, the system can be hardened according to predefined values. HardeningPuppy reads settings from the macOS preference system (plist files, the closest thing macOS has to a registry, read with the `defaults` command) and uses other modules to read configurations that are not stored in preferences (for example System Integrity Protection, Gatekeeper, FileVault and the firewall, which each have their own tool).
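How the read-and-compare step works in practice, as an added example that is not HardeningPuppy's own code: a finding list of preference keys is audited against what `defaults read` returns, and the result is scored by severity. The CSV layout, the severity weights and the recommended values are assumptions made for this example (the project's `list.csv` format is not shown on this page); the domain/key pairs are the preference keys CIS names for these settings, and mapping them to the project's ids 1001, 1002, 1004, 2100 and 2101 is my guess. The rows are constructed.

```shell
#!/bin/bash
# Added example, not HardeningPuppy's own code: audit a finding list of
# plist keys against what `defaults read` returns, and score the result.
#
# Assumptions (mine): CSV columns are id,name,domain,key,recommended,severity
# and a matching policy earns High=3, Medium=2, Low=1 points. The
# domain/key pairs are the preference keys CIS names for these settings;
# mapping them to HardeningPuppy's ids is my guess. The rows are constructed.
FINDING_LIST='1001,Automatically check new software updates,com.apple.SoftwareUpdate,AutomaticCheckEnabled,1,High
1002,Automatically download new software updates,com.apple.SoftwareUpdate,AutomaticDownload,1,Medium
1004,Enable security updates install,com.apple.SoftwareUpdate,CriticalUpdateInstall,1,High
2100,Enable prompt for a password on screen saver,com.apple.screensaver,askForPassword,1,High
2101,Set password delay,com.apple.screensaver,askForPasswordDelay,0,Low'

# Read one key. `defaults` exits non-zero and prints nothing to stdout when
# the domain or key does not exist; that is reported as "unset" rather than
# being treated as either a match or a mismatch.
read_setting() {
    local value
    value=$(defaults read "$1" "$2" 2>/dev/null) || { echo unset; return 0; }
    echo "$value"
}

severity_points() {
    case "$1" in
        High)   echo 3 ;;
        Medium) echo 2 ;;
        Low)    echo 1 ;;
        *)      echo 0 ;;
    esac
}

# Classify one policy as OK, FAIL or UNSET. `defaults read` prints booleans
# as 1/0, so comparing the raw string against "1"/"0" covers both boolean
# and integer keys.
check_policy() {
    local actual
    actual=$(read_setting "$1" "$2")
    if [ "$actual" = unset ]; then
        echo UNSET
    elif [ "$actual" = "$3" ]; then
        echo OK
    else
        echo FAIL
    fi
}

# Audit every row, printing one line per policy in puppy.sh's [-]/[X]
# style and a final "score <achieved>/<total>" line. The loop reads from a
# here-document rather than a pipe, so the counters survive the loop.
audit_list() {
    local total=0 achieved=0 id name domain key rec sev status pts
    while IFS=, read -r id name domain key rec sev; do
        [ -n "$id" ] || continue
        pts=$(severity_points "$sev")
        total=$((total + pts))
        status=$(check_policy "$domain" "$key" "$rec")
        if [ "$status" = OK ]; then
            achieved=$((achieved + pts))
            printf '[-] %s %s %s %s\n' "$id" "$name" "$rec" "$rec"
        else
            printf '[X] %s %s %s (%s, recommended %s)\n' "$id" "$name" "$status" "$sev" "$rec"
        fi
    done <<EOF
$FINDING_LIST
EOF
    printf 'score %s/%s\n' "$achieved" "$total"
}

# "<achieved> <total>" only, for callers that want the numbers.
audit_score() {
    audit_list | sed -n 's|^score \([0-9]*\)/\([0-9]*\)$|\1 \2|p'
}

# Only run against the live system when `defaults` exists, i.e. on macOS.
if command -v defaults >/dev/null 2>&1; then
    audit_list
fi
```

An absent key is deliberately its own outcome: for many of these settings the default when the key is missing is the insecure one, but the script should say "not set" rather than guess, and let the hardening step write an explicit value.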
How to run
- Clone or download this repository.
- Go to the `macos_hardening` directory: `cd macos_hardening`
- Run the script: `./puppy.sh`
Example run:
```
username@hostname ~/macos_hardening % ./puppy.sh
 ^. .^
 (=°=)
(n n )/ HardeningPuppy
################################################################################
User name : username
Mode to apply : AUDIT
Hostname : hostname
CSV File configuration : list.csv
################################################################################
################################################################################
Verify all Apple provided software is current...
Your software is up to date !
################################################################################
ID    Name                                              Actual   Recommended
--------------------------------------------------------------------------------
[*] 07/26/21 16:14:07 Starting Category Updates
------------Software Update
[-] 1001 Automatically check new software updates          1        1
[-] 1002 Automatically download new software updates       1        1
...
--------------------------------------------------------------------------------
[*] 07/26/21 16:14:07 Starting Category Login/Logout
------------Sleep
[/] 2000 AC display sleep timer                            0        5
[/] 2001 Battery display sleep timer                       0        2
------------Screen Saver
[X] 2100 Enable prompt for a password on screen saver      0        1
[X] 2101 Set password delay                                0
...
--------------------------------------------------------------------------------
[*] 07/26/21 16:14:08 Starting Category Cache
------------Disable Content Caching
[-] 7000 Disable Content Caching                    deactivate  deactivate
#################################### SCORE #####################################
total points : 216
points archived : 140
Score : 4.24 / 6
```
Usage
- Status Mode: only reads the configuration.
  `./puppy.sh -s`
- Audit Mode: reads and audits the configuration, with colors.
  `./puppy.sh -a`
  - Color code:
    - Purple: a policy with High severity is not set to the recommended value.
    - Red: a policy with Medium severity is not set to the recommended value.
    - Yellow: a policy with Low severity is not set to the recommended value. It can be ignored.
  - You can skip the Software Update verification with `-skipu`.
- Hardening Mode: applies all policies whose assessment status is "Automatically".
  `./puppy.sh -H`
  Hardening Mode asks for your confirmation before applying anything.
- Backup option: saves your current configuration to a CSV file before Hardening Mode runs.
  `./puppy.sh -b`
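The backup-then-confirm-then-apply sequence that Hardening Mode with the backup option describes, as an added example that is not puppy.sh's own code. It assumes a policy list of `domain,key,recommended` rows, a backup CSV of `domain,key,current` rows, values written with `-int` so that `defaults read` prints exactly the recommended string back, and a confirmation answer read from standard input; the policy rows are constructed. The `backup_settings`, `apply_policies`, `restore_backup` and `harden` function names are mine.

```shell
#!/bin/bash
# Added example, not puppy.sh's own code: the backup -> confirm -> apply
# sequence of Hardening Mode (-H) with the backup option (-b).
#
# Assumptions (mine): policies are "domain,key,recommended" rows; every
# value is written with -int so `defaults read` returns the same string;
# the backup is a "domain,key,current" CSV; the answer comes from stdin.
# `defaults read <domain>` searches the user's and the machine-wide
# preference files, but `defaults write <domain>` only touches
# ~/Library/Preferences. Machine-wide domains such as
# /Library/Preferences/com.apple.SoftwareUpdate need sudo and the full path.
POLICIES='com.apple.SoftwareUpdate,AutomaticCheckEnabled,1
com.apple.SoftwareUpdate,AutomaticDownload,1
com.apple.screensaver,askForPassword,1
com.apple.screensaver,askForPasswordDelay,0'

policy_count() { printf '%s\n' "$POLICIES" | grep -c .; }

# Current value of a key, or "unset" when the domain/key does not exist.
current_value() {
    defaults read "$1" "$2" 2>/dev/null || echo unset
}

# Record the current value of every policy key in the CSV at $1. Missing
# keys are saved as "unset" so restore_backup deletes them again instead
# of writing a made-up value.
backup_settings() {
    local out=$1 domain key rec
    : > "$out"
    while IFS=, read -r domain key rec; do
        [ -n "$domain" ] || continue
        printf '%s,%s,%s\n' "$domain" "$key" "$(current_value "$domain" "$key")" >> "$out"
    done <<EOF
$POLICIES
EOF
}

# Write the recommended value for every key whose current value differs
# and print how many keys were changed (0 on an already-hardened system).
apply_policies() {
    local changed=0 domain key rec cur
    while IFS=, read -r domain key rec; do
        [ -n "$domain" ] || continue
        cur=$(current_value "$domain" "$key")
        if [ "$cur" != "$rec" ]; then
            defaults write "$domain" "$key" -int "$rec"
            changed=$((changed + 1))
        fi
    done <<EOF
$POLICIES
EOF
    echo "$changed"
}

# Put every key back to what the backup at $1 recorded.
restore_backup() {
    local domain key cur
    while IFS=, read -r domain key cur; do
        if [ "$cur" = unset ]; then
            defaults delete "$domain" "$key" 2>/dev/null || true
        else
            defaults write "$domain" "$key" -int "$cur"
        fi
    done < "$1"
}

# Hardening Mode: back up first, then refuse to write anything unless the
# answer is y/Y. Prints the number of changed keys, or "aborted".
harden() {
    local backup=$1 answer=
    backup_settings "$backup"
    printf 'Backup written to %s. Apply %s policies? [y/N] ' "$backup" "$(policy_count)" >&2
    read -r answer || true
    case "$answer" in
        y|Y) apply_policies ;;
        *)   echo aborted ;;
    esac
}

# Interactive run, only when asked for explicitly and only where `defaults`
# exists (macOS): ./harden.sh --run
if [ "${1:-}" = --run ] && command -v defaults >/dev/null 2>&1; then
    harden "$HOME/hardening-backup-$(date +%Y%m%d%H%M%S).csv"
fi
```

The backup is taken before the prompt, not after, so that an aborted run still leaves a record of the state the tool saw; the restore path treats "unset" as "delete the key", which is the only way to get back to the pre-hardening default rather than an explicit value.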
Documentation
Apple Documentation
For setting preferences through plist files (the registry-like method using the `defaults` command), I use this Apple documentation.
CIS Apple macOS Benchmark
This project is mainly based on the CIS Apple macOS 11.0 Benchmark v1.2.0.
Profile Definitions
- Level 1: Items in this profile intend to:
  - be practical and prudent;
  - provide a clear security benefit; and
  - not inhibit the utility of the technology beyond acceptable means.
- Level 2: This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
  - are intended for environments or use cases where security is paramount;
  - act as a defense-in-depth measure;
  - may negatively inhibit the utility or performance of the technology.
List of policies
Before running, you have to log in to your iCloud account.
This hardening depends on the following list of policies:
- Updates
  - [1000] Verify all Apple provided software is current
  - Software Update
    - [1001] Automatically check new software updates
    - [1002] Automatically download new software updates
    - [1003] Enable system data files update install
    - [1004] Enable security updates install
    - [1005] Automatically install macOS updates
  - App Store
    - [1100] Automatically keep apps up to date from the App Store
- Login
  - Sleep
    - [2000] AC display sleep timer
    - [2001] Battery display sleep timer
  - Screen saver
    - [2100] Enable prompt for a password on screen saver
    - [2101] Set password delay
    - [2102] Set inactivity interval for the screen saver
    - Secure screen saver corners
      - [2103:1] Secure screen saver corners (top-left)
      - [2103:2] Secure screen saver corners (bottom-left)
      - [2103:3] Secure screen saver corners (top-right)
      - [2103:4] Secure screen saver corners (bottom-right)
  - Policy banner
    - [2200] Enable policy banner
  - Logout
    - [2300] Set logout delay
  - Login window text
    - [2400] Set login window text
  - Automatic login
    - [2500] Disable automatic login
  - Console
    - [2600] Disable console logon from the logon screen
  - Remote Login
    - [2700] Disable Remote Login
- User Preferences
  - iCloud
    - [3000] Disable the iCloud password for local accounts
    - [3001] Enable Find My Mac
  - Bluetooth
    - [3100] Disable Bluetooth
    - [3101] Show Bluetooth status in menu bar
  - Finder
    - [3200] Show hidden files in Finder
    - [3201] Display all file extensions
    - [3202] Show status bar
  - Safari
    - [3300] Disable the automatic run of safe files in Safari
    - [3301] Don't send search queries to Apple
    - [3302] Suppress search suggestions
  - Date and Time
    - [3400] Set time and date automatically
  - Sharing
    - [3500] Remote Apple Events
    - [3501] Internet Sharing
    - [3502] Screen Sharing
    - [3503] File Sharing
- Protections
  - System Integrity Protection
    - [4000] Enable System Integrity Protection
  - Gatekeeper
    - [4100] Enable Gatekeeper
- Encryption
  - FileVault
    - [5000] Enable FileVault
- Network
  - Firewall
    - [6000] Enable Firewall
    - [6001] Enable logging
    - [6002] Enable Stealth Mode
    - [6003] Disable automatic software whitelisting
    - [6004] Disable automatic signed software whitelisting
    - [6005] Disable captive portal
  - Remote Management
    - [6100] Disable remote management
    - [6101] Disable "Wake for network access"
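The Protections, Encryption and Network policies above (and Remote Login under Login) are not preference keys, so they cannot be read with `defaults`; each comes from a different Apple tool with its own output format. The following is an added example, not HardeningPuppy's own code, of normalizing those outputs to a single enabled/disabled/unknown state and comparing it with the CIS recommendation. The commands and the phrases they print are real; the `SAMPLE_*` strings are constructed copies of that output so the parsers can be exercised without a Mac, and mapping ids 4000, 4100, 5000, 6000 and 2700 to these particular tools is my assumption about which check the project performs.

```shell
#!/bin/bash
# Added example, not HardeningPuppy's own code: read the policies that live
# outside the preference system and normalize each tool's output.
# Commands and output phrases are real; SAMPLE_* strings are constructed.

# csrutil status -> "System Integrity Protection status: enabled."
parse_sip() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# spctl --status -> "assessments enabled" / "assessments disabled"
parse_gatekeeper() {
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# fdesetup status -> "FileVault is On." / "FileVault is Off."
parse_filevault() {
    case "$1" in
        *"FileVault is On"*)  echo enabled ;;
        *"FileVault is Off"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# socketfilterfw --getglobalstate -> "Firewall is enabled. (State = 1)".
# State = 2 is "block all incoming connections", also an enabled firewall.
parse_firewall() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) echo enabled ;;
        *"State = 0"*)               echo disabled ;;
        *)                           echo unknown ;;
    esac
}

# systemsetup -getremotelogin -> "Remote Login: On" / "Remote Login: Off"
# (needs root; without it the output is empty and the state is unknown).
parse_remote_login() {
    case "$1" in
        *"Remote Login: On"*)  echo enabled ;;
        *"Remote Login: Off"*) echo disabled ;;
        *)                     echo unknown ;;
    esac
}

# CIS Level 1 recommendation per policy id (id mapping is my assumption).
recommended_state() {
    case "$1" in
        4000|4100|5000|6000) echo enabled ;;
        2700)                echo disabled ;;
        *)                   echo unknown ;;
    esac
}

# OK when the parsed state matches the recommendation, FAIL when it does
# not, UNKNOWN when the output could not be parsed (never silently OK).
assess() {
    if [ "$2" = unknown ]; then
        echo UNKNOWN
    elif [ "$2" = "$(recommended_state "$1")" ]; then
        echo OK
    else
        echo FAIL
    fi
}

# Constructed samples of what the tools print, for use without a Mac.
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_GK_OFF='assessments disabled'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_FW_BLOCKALL='Firewall is enabled. (State = 2)'
SAMPLE_RL_ON='Remote Login: On'

# Run the real tools. Only meaningful on macOS; 2700 needs sudo.
check_live() {
    [ "$(uname)" = Darwin ] || { echo 'not macOS' >&2; return 1; }
    printf '4000 SIP          %s\n' "$(assess 4000 "$(parse_sip "$(csrutil status 2>/dev/null)")")"
    printf '4100 Gatekeeper   %s\n' "$(assess 4100 "$(parse_gatekeeper "$(spctl --status 2>/dev/null)")")"
    printf '5000 FileVault    %s\n' "$(assess 5000 "$(parse_filevault "$(fdesetup status 2>/dev/null)")")"
    printf '6000 Firewall     %s\n' "$(assess 6000 "$(parse_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)")")"
    printf '2700 Remote Login %s\n' "$(assess 2700 "$(parse_remote_login "$(systemsetup -getremotelogin 2>/dev/null)")")"
}

if [ "$(uname)" = Darwin ]; then
    check_live
fi
```

Matching on the exact phrases rather than on exit codes matters here: several of these tools exit 0 whether the feature is on or off, and an empty output (a tool that needed root, or a renamed binary) must surface as UNKNOWN rather than be counted as a pass.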
Details of policies
For more details about the policies, read POLICIES.md.