macOS Security and Privacy Guide
macOS Security and Privacy Guide - Reading Notes
enterprise-standard security
1. Secure System
A system is only as secure as its administrator is capable of making it.
2. Keep macOS always updated
$ softwareupdate -l # list available updates
$ sudo softwareupdate -i -a # install all available updates
3. Subscribe to Security-announce
– Product security notifications and announcements from Apple
https://lists.apple.com/mailman/subscribe/security-announce
Haha, I have already subscribed…
4. Encryption
Encrypt the disk with FileVault, and create encrypted containers for sensitive data (FileVault key generation relies on the system PRNG).
5. Create data backup
6. Software Installation
Be careful when installing new software; prefer open-source software.
7. Protect the firmware with a password
First option:
Cmd + R -> Recovery Mode -> Utilities / Firmware Password Utility -> Firmware Password -> Set password -> Quit Firmware Utility
Second option:
$ sudo firmwarepasswd -setpasswd -setmode command
8. Set a random, non-identifying computer name and hostname
$ sudo scutil --set ComputerName your_computer_name
$ sudo scutil --set LocalHostName your_hostname
9. Admin account
The admin account can be removed from FileVault (so it can no longer unlock the disk at boot).
10. Firewall Configuration
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on # enable the firewall
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on # enable logging
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on # stealth mode: do not respond to ICMP probes
Other options:
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off # do not auto-allow signed built-in software
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off # do not auto-allow signed downloaded apps
$ sudo pkill -HUP socketfilterfw # reload the firewall
Third-party firewalls and network monitors: Little Snitch, Hands Off, Radio Silence, Security Growler
11. System Services
$ launchctl list # user agents
$ sudo launchctl list # system daemons
$ launchctl list com.apple.Maps.mapspushd # status of one job
$ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist # inspect a daemon's plist
$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist # Disable Apple Push Notifications
12. Spotlight
Disable sending Spotlight search queries to Apple.
13. Homebrew
$ mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew
14. DNS
Hosts file: block known malware, ad, and other malicious domains.
$ sudo vi /etc/hosts
To block a host, add a line mapping it to an unroutable or loopback address, i.e. either of:
0.0.0.0 example.com
127.0.0.1 example.com
Use Dnsmasq + DNSCrypt to encrypt DNS traffic. Two popular upstream DNS options are Google DNS and OpenDNS.
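As an added example (not from the guide), a small POSIX sh helper that adds block entries to a hosts file without duplicating them, and checks whether a name is blocked; HOSTS_FILE is an assumed environment variable that points the functions at a file other than /etc/hosts for testing:

```shell
#!/bin/sh
# Added example, not from the guide: manage hosts-file block entries safely.
# HOSTS_FILE (assumed, for testing) overrides the default /etc/hosts path.

# valid_hostname NAME: 0 if NAME is a syntactically valid dotted hostname, else 1.
valid_hostname() {
  printf '%s\n' "$1" | LC_ALL=C grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# name_present NAME: 0 if NAME appears as a hostname field (any address) outside comments.
name_present() {
  sed 's/#.*//' "${HOSTS_FILE:-/etc/hosts}" | awk -v n="$1" \
    '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit !found }'
}

# block_host NAME: append "0.0.0.0 NAME". Returns 0 when added, 2 if NAME is
# already listed (so re-running is safe), 1 if NAME is not a valid hostname.
block_host() {
  file="${HOSTS_FILE:-/etc/hosts}"
  name=$(printf '%s' "$1" | LC_ALL=C tr 'A-Z' 'a-z')   # hostnames are case-insensitive
  valid_hostname "$name" || return 1
  name_present "$name" && return 2
  # Guard against a file without a trailing newline, which would glue the new
  # entry onto the previous line and silently break both.
  [ -z "$(tail -c1 "$file")" ] || printf '\n' >> "$file"
  printf '0.0.0.0 %s\n' "$name" >> "$file"
}

# is_blocked NAME: 0 if NAME maps to 0.0.0.0 or 127.0.0.1 outside comments.
is_blocked() {
  name=$(printf '%s' "$1" | LC_ALL=C tr 'A-Z' 'a-z')
  sed 's/#.*//' "${HOSTS_FILE:-/etc/hosts}" | awk -v n="$name" \
    '($1 == "0.0.0.0" || $1 == "127.0.0.1") { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
     END { exit !found }'
}
```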
15. Web
Privoxy: default port 8118
$ brew install privoxy
$ brew services start privoxy
$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118
$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118
Testing the proxy:
$ scutil --proxy
<dictionary> {
ExceptionsList : <array> {
0 : *.local
1 : 169.254/16
}
FTPPassive : 1
HTTPEnable : 1
HTTPPort : 8118
HTTPProxy : 127.0.0.1
}
$ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/
HTTP/1.1 200 OK
Content-Length: 2401
Content-Type: text/html
Cache-Control: no-cache
16. Browser
Firefox/Google Chrome
17. Plugin
Risky: Adobe Flash, Oracle Java, Adobe Reader, Microsoft Silverlight -> better to install them in a VM.
18. Tor
Install Tor
Explore. Privately. You’re ready for the world’s most private browsing experience.
DuckDuckGo <- privacy-focused search engine
19. VPN
Avoid using OpenVPN.
20. Prevent Viruses and Malware
- BlockBlock
- Ostiarius
- Best antivirus: common sense (2020)
21. Current Mac Security News
22. Password
Generate Strong Password:
$ openssl rand -base64 30
qb8ZWbUU2Ri3FOAPY/1wKSFAJwMXmpQM4mZU4YbO
$ gpg --gen-random -a 0 90 | fold -w 40
3e+kfHOvovHVXxZYPgu+OOWQ1g1ttbljr+kNGv7f
loD//RsjUXYGIjfPM/bT0itsoEstyGLVUsFns8wP
zYM8VRBga+TsnxWrS7lWKfH1uvVPowzkq9kXCdvJ
$ LANG=C tr -dc 'A-F0-9' < /dev/urandom | fold -w 40 | head -n 5
45D0371481EE5E5A5C1F68EA59E69F9CA52CB321
A30B37A00302643921F205621B145E7EAF520164
B6EF38A2DA1D0586D20105502AFFF0468EA5F16A
029D6EA9F76CD64D3356E342EA154BEFEBE23387
07F468F0569579A0A06471247CABC4F4C1386E24
$ tr -dc '[:alnum:]' < /dev/urandom | fold -w 40 | head -n5
zmj8S0iuxud8y8YHjzdg7Hefu6U1KAYBiLl3aE8v
nCNpuMkWohTjQHntTzbiLQJG5zLzEHWSWaYSwjtm
R2L6M909S3ih852IkJqQFMDawCiHcpPBxlllAPrt
aZOXKVUmxhzQwVSYb6nqAbGTVMFSJOLf094bFZAb
HfgwSNlkVBXwIPQST6E6x6vDNCCasMLSSOoTUfSK
$ tr -dc '[:lower:]' < /dev/urandom | fold -w 40 | head -n5
gfvkanntxutzwxficgvavbwdvttexdezdftvvtmn
lgrsuiugwkqbtbkyggcbpbqlynwbiyxzlabstqcf
ufctdlsbyonkowzpmotxiksnsbwdzkjrjsupoqvr
hjwibdjxtmuvqricljayzkgdfztcmapsgwsubggr
bjstlmvwjczakgeetkbmwbjnidbeaerhaonpkacg
$ tr -dc '[:upper:]' < /dev/urandom | fold -w 40 | head -n5
EUHZMAOBOLNFXUNNDSTLJTPDCPVQBPUEQOLRZUQZ
HVNVKBEPAAYMXRCGVCNEZLFHNUYMRYPTWPWOOZVM
TAHEUPQJTSYQVJVYSKLURESMKWEZONXLUDHWQODB
PRDITWMAXXZLTRXEEOGOSGAWUXYDGDRJYRHUWICM
VHERIQBLBPHSIUZSGYZRDHTNAPUGJMRODIKBWZRJ
$ tr -dc '[:graph:]' < /dev/urandom | fold -w 40 | head -n5
n\T2|zUz:\C,@z9!#p3!B/[t6m:B94}q&t(^)Ol~
J%MMDbAgGdP}zrSQO!3mrP3$w!.[Ng_xx-_[C<3g
^)6V&*<2"ZOgU.mBd]iInvFKiT<dq~y\O[cdDK`V
+RE]UYPIf3:StX`y#w,.iG~g"urD)'FnDIFI_q^)
6?HRillpgvvFDBAr4[:H{^oAL<`Em7$roF=2w;1~
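As an added example (not from the guide), one POSIX sh generator for the tr/fold/head recipes above, plus a function that works out how many bits of entropy each character class actually yields; it uses LC_ALL=C rather than LANG=C, since LC_ALL overrides LANG when both are set:

```shell
#!/bin/sh
# Added example, not from the guide: one generator for the tr/fold/head recipes above,
# plus the entropy each character class yields. LC_ALL=C (rather than LANG=C) is used
# because LC_ALL overrides LANG if it is set; without a C locale, tr on macOS can abort
# with "Illegal byte sequence" when /dev/urandom emits bytes that are not valid UTF-8.

# gen_password CLASS LENGTH: CLASS is any tr set, e.g. 'A-F0-9' or '[:graph:]'.
# tr -dc discards every byte outside CLASS, so each kept character is uniform over
# CLASS (rejection sampling) and the entropy is exactly LENGTH * log2(|CLASS|).
gen_password() {
  LC_ALL=C tr -dc "$1" < /dev/urandom | fold -w "$2" | head -n 1
}

# charset_size CLASS: how many of the 256 possible byte values survive tr -dc CLASS.
charset_size() {
  i=0
  while [ "$i" -lt 256 ]; do
    printf "\\$(printf '%03o' "$i")"   # emit the single byte with value i
    i=$((i + 1))
  done | LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# entropy_bits CLASS LENGTH: bits of entropy in a LENGTH-character password from CLASS.
# For comparison, 'openssl rand -base64 30' packs 30 random bytes = 240 bits into 40 chars.
entropy_bits() {
  awk -v n="$(charset_size "$1")" -v l="$2" 'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}
```

So the 40-character hex recipe gives 160 bits, lowercase-only 188 bits, alphanumeric about 238 bits and the full printable set about 262 bits.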
23. Backup and Encrypt
$ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg # compress and encrypt (symmetric passphrase)
$ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg # decrypt; extract the tarball with tar afterwards
24. Physical Access
A helpful tool is usbkill, which is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
25. Execution
$ ps -ef # running processes
$ launchctl list # loaded launchd jobs
26. Network
$ sudo lsof -Pni # open network sockets per process
$ sudo netstat -atln # listening TCP sockets
Monitor DNS queries and replies:
$ tshark -Y "dns.flags.response == 1" -Tfields \
-e frame.time_delta \
-e dns.qry.name \
-e dns.a \
-Eseparator=,
Monitor HTTP requests and responses:
$ tshark -Y "http.request or http.response" -Tfields \
-e ip.dst \
-e http.request.full_uri \
-e http.request.method \
-e http.response.code \
-e http.response.phrase \
-Eseparator=/s
Monitor X.509 (SSL/TLS) certificates:
$ tshark -Y "ssl.handshake.certificate" -Tfields \
-e ip.src \
-e x509sat.uTF8String \
-e x509sat.printableString \
-e x509sat.universalString \
-e x509sat.IA5String \
-e x509sat.teletexString \
-Eseparator=/s -Equote=d