How to harden your Mac OS X
This is a guide for administrators who want a well-hardened OS X operating system.
It is a reference: your needs might differ, but it can be considered a baseline for starting the hardening.
The version covered by this document is OS X 10.9.
I will try to write another one for the latest version, OS X 10.10, covering the differences.
I use terminal commands throughout to make it easier for administrators to build custom scripts and deploy them in an automated way.
1 – Updates
List the available software updates.
If there is no software that needs to be updated, the result will be “No new software available”.
Install an available software update (replace packagename with a name from the list):
sudo softwareupdate -i packagename
Enable Auto Update
Verify the status:
defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
Make sure the result is: 1
Configure auto update:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1
Update applications
Verify the status:
defaults read /Library/Preferences/com.apple.storeagent AutoUpdate
Verify the value returned is: 1
Configure App auto update:
sudo defaults write /Library/Preferences/com.apple.storeagent AutoUpdate -int 1
Enable system and security update
Verify the status:
defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(ConfigDataInstall|CriticalUpdateInstall)'
Verify the values returned are: ConfigDataInstall = 1; CriticalUpdateInstall = 1;
Configure Security Auto Updates
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -int 1
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -int 1
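Since the point of this guide is to script these checks, here is an added example (my code, not the guide's) that turns the three update verifications above into one reusable check: it parses the text that `defaults read` prints for a whole domain and compares each key with the value the guide requires. The sample output is constructed for the example; on a real host the `defaults read` call shown in the comment replaces it.

```shell
# Added example (not from the original guide): audit the keys this section sets
# from the text "defaults read <domain>" prints, so the check can run from a
# deployment script. The sample output below is constructed for this example.
SAMPLE_SOFTWAREUPDATE='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    ConfigDataInstall = 0;
    CriticalUpdateInstall = 1;
    LastSuccessfulDate = "2015-01-10 09:12:33 +0000";
}'

# defaults_value OUTPUT KEY: print the value recorded for KEY, nothing if absent.
defaults_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = \(.*\);\$/\1/p"
}

# check_keys OUTPUT KEY=EXPECTED...: print one FAIL line per mismatched or
# missing key; the return status is the number of mismatches (0 = compliant).
check_keys() {
    _output=$1
    shift
    _failures=0
    for _pair in "$@"; do
        _key=${_pair%%=*}
        _want=${_pair#*=}
        _got=$(defaults_value "$_output" "$_key")
        if [ "$_got" != "$_want" ]; then
            printf 'FAIL %s: expected %s, got %s\n' "$_key" "$_want" "${_got:-<missing>}"
            _failures=$((_failures + 1))
        fi
    done
    return "$_failures"
}

# On a real host replace the sample with:
#   OUTPUT=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate)
if check_keys "$SAMPLE_SOFTWAREUPDATE" AutomaticCheckEnabled=1 AutomaticDownload=1 ConfigDataInstall=1 CriticalUpdateInstall=1; then
    echo "software update settings are compliant"
else
    echo "$? setting(s) need fixing"
fi
```

The same `check_keys` call works for the storeagent domain (`AutoUpdate=1`) and for any other `defaults` domain in this guide whose values are plain integers.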
Configuring System Preferences
Disable Bluetooth
Verify the status:
defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState
Verify the return value is 0. If the value is 1, Bluetooth is enabled.
Check whether there are paired devices:
system_profiler SPBluetoothDataType | grep Connectable
A paired device is listed as Connectable: Yes.
Disable Bluetooth if no device is connected:
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
sudo killall -HUP blued
Disable Bluetooth Discoverable mode
Verify the status:
/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable
Verify returned value is: Off
Disable discoverable Bluetooth (run with the target user name as the first argument, since the ByHost preference belongs to that user):
user="$1"
uuid=$(/usr/sbin/system_profiler SPHardwareDataType | awk '/Hardware UUID/ {print $NF}')
/usr/bin/defaults write "/Users/$user/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid" DiscoverableState -bool "no"
/usr/sbin/chown "$user" "/Users/$user/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid.plist"
Show the bluetooth status in the menu bar
Verify the status:
defaults read com.apple.systemuiserver menuExtras | grep Bluetooth.menu
Verify the returned value is: /System/Library/CoreServices/Menu Extras/Bluetooth.menu
Show the status in the menu bar:
defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"
Automatically set date and time
Verify the status:
sudo systemsetup -getusingnetworktime
Verify the output is: Network Time: 0
Configure automatic date and time (set the time server, then turn network time on):
sudo systemsetup -setnetworktimeserver <time server>
sudo systemsetup -setusingnetworktime on
Activate Screen Saver
Verify the status for every user on the device:
UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.* "\(.*\)"$/\1/')
for i in $(find /Users -maxdepth 1 -type d)
do PREF="$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID"
if [ -e "$PREF.plist" ]
then
echo -n "Checking User: '$i': "
defaults read "$PREF.plist" idleTime 2>&1
fi
done
Verify the output is the wanted value, e.g. <1200 for <20 minutes (idleTime is in seconds).
Verify the status configured by the current user:
defaults -currentHost read com.apple.screensaver idleTime
Verify the output is the wanted value, e.g. <1200 for <20 minutes (idleTime is in seconds).
Configure Screen Saver after 10 minutes:
defaults -currentHost write com.apple.screensaver idleTime -int 600
Secure Screen Saver Corners
Verify the status:
defaults read ~/Library/Preferences/com.apple.dock | grep -i corner
Verify that the output is not 6 for any corner key, for any user.
This is the script to disable hot corners, but I was not able to find a script that only disables the specific hot corner that disables the screen saver; I will try to write one later.
This was taken from GitHub (gist /klynch/8275811).
-- By Richard Kulesus, 2009. Released without license!
-- Use this for whatever!
-- I seriously despise code authors who copyright tiny bits of obvious code
-- like it's some great treasure. This is small and simple, and if it saves
-- the next guy some time and trouble coding applescript I'll feel good!
--
-- Quickly change all the hot-corners to do what you want.
-- Particularly useful for presentations and full-screen games.
-- Customize the activity of each hot-corner with "all windows/application windows/dashboard/disable screen saver/none/show desktop/show spaces/sleep display/start screen saver"
-- The MODIFIERS are the keys which can be used to supplement hot-corner activation.
-- Here I've set them all to {}, which is none. Options are "command/control/none/option/shift"
-- Dashboard in a fullscreen application.
--
-- Version 1.0
-- - Initial release
--
tell application "System Events"
activate
if UI elements enabled then
tell expose preferences
set properties of the top left screen corner to {activity:none, modifiers:{}}
set properties of the top right screen corner to {activity:none, modifiers:{}}
set properties of the bottom left screen corner to {activity:none, modifiers:{}}
set properties of the bottom right screen corner to {activity:none, modifiers:{}}
end tell
else
tell application "System Preferences"
activate
set current pane to pane "com.apple.preference.universalaccess"
display dialog "UI element scripting is not enabled. Check \"Enable access for assistive devices\""
end tell
end if
end tell
tell application "System Preferences" to quit
Confirm that display sleep is configured with a value larger than the screen saver idle time
Verify the status:
pmset -g | grep displaysleep
Configure sleep:
sudo pmset -c displaysleep 0
If the display sleeps before the screen saver is active the computer may be unlocked and available for an unauthorized user.
Set a Screen Corner to start the screen saver
Verify status:
defaults read ~/Library/Preferences/com.apple.dock | grep -i corner
At least one of the corners should have the value 5 for each user.
If not, enable a screen corner for the screen saver.
This is an adaptation of the script to enable hot corners that I found on GitHub (gist /klynch/8275811).
In this example it is the top left corner.
I did not test this script…
-- By Richard Kulesus, 2009. Released without license!
-- Use this for whatever!
-- I seriously despise code authors who copyright tiny bits of obvious code
-- like it's some great treasure. This is small and simple, and if it saves
-- the next guy some time and trouble coding applescript I'll feel good!
--
-- Quickly change all the hot-corners to do what you want.
-- Particularly useful for presentations and full-screen games.
-- Customize the activity of each hot-corner with "all windows/application windows/dashboard/disable screen saver/none/show desktop/show spaces/sleep display/start screen saver"
-- The MODIFIERS are the keys which can be used to supplement hot-corner activation.
-- Here I've set them all to {}, which is none. Options are "command/control/none/option/shift"
-- Dashboard in a fullscreen application.
--
-- Version 1.0
-- - Initial release
--
tell application "System Events"
activate
if UI elements enabled then
tell expose preferences
set properties of the top left screen corner to {activity:Start Screen Saver, modifiers:{}}
end tell
else
tell application "System Preferences"
activate
set current pane to pane "com.apple.preference.universalaccess"
display dialog "UI element scripting is not enabled. Check \"Enable access for assistive devices\""
end tell
end if
end tell
tell application "System Preferences" to quit
Another option could be the following:
defaults write com.apple.dock wvous-tl-corner -int 5
The corner keys hold the integer activity codes that the verification above checks for; restart the Dock afterwards for the change to take effect.
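As an added example (my code, not part of the original guide) that combines the two corner checks, the one for value 6 under Secure Screen Saver Corners and the one for value 5 here: it reads the four `wvous-*-corner` keys from `defaults read com.apple.dock` output and gives a single verdict. The activity codes 5 and 6 are the ones the guide uses; the sample output is constructed, in the form `defaults` prints hyphenated keys (inside double quotes).

```shell
# Added example (not from the original guide): audit the hot-corner settings
# from "defaults read com.apple.dock" output. Activity codes as used by the
# guide: 5 = Start Screen Saver, 6 = Disable Screen Saver. Sample output is
# constructed for this example.
SAMPLE_DOCK='{
    autohide = 0;
    "wvous-bl-corner" = 6;
    "wvous-bl-modifier" = 0;
    "wvous-tl-corner" = 5;
    "wvous-tl-modifier" = 0;
    "wvous-tr-corner" = 0;
    "wvous-tr-modifier" = 0;
}'

# corner_activity OUTPUT CORNER: activity code for CORNER (tl, tr, bl, br).
# A corner that has never been set is absent from the output and reads as 0.
corner_activity() {
    _code=$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"wvous-$2-corner\" = \([0-9]*\);\$/\1/p")
    printf '%s\n' "${_code:-0}"
}

# audit_corners OUTPUT: one line per corner, then a verdict. Status 0 when no
# corner is set to 6 and at least one corner is set to 5, 1 otherwise.
audit_corners() {
    _disable_found=0
    _start_found=0
    for _corner in tl tr bl br; do
        _code=$(corner_activity "$1" "$_corner")
        case "$_code" in
            5) _label="Start Screen Saver"; _start_found=1 ;;
            6) _label="Disable Screen Saver (must be removed)"; _disable_found=1 ;;
            0) _label="no action" ;;
            *) _label="other activity" ;;
        esac
        printf '%s corner: %s (%s)\n' "$_corner" "$_code" "$_label"
    done
    if [ "$_disable_found" -eq 0 ] && [ "$_start_found" -eq 1 ]; then
        echo "OK: no corner disables the screen saver and one starts it"
        return 0
    fi
    echo "FAIL: set the offending corner with: defaults write com.apple.dock wvous-<corner>-corner -int 0 (then restart the Dock)"
    return 1
}

# On a real host: OUTPUT=$(defaults read com.apple.dock)
if audit_corners "$SAMPLE_DOCK"; then :; fi
```

Run it per user (the Dock preferences are per user), for example inside the same `for i in $(find /Users ...)` loop the guide uses for the screen saver idle time, feeding it `defaults read "$i/Library/Preferences/com.apple.dock"`.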
Disable Remote Apple Events
Verify status:
sudo systemsetup -getremoteappleevents
Verify output is: Remote Apple Events: Off
Disable:
sudo systemsetup -setremoteappleevents off
Disable Internet Sharing
Verify:
sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -i Enabled
No output should be found.
Disable:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.InternetSharing.plist
Disable Screen Sharing
Verify:
sudo launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist
Verify the value returned is: nothing found to load
This answer only appears once the service has been disabled with -w; on a machine where that has not been done yet, the same load command may start Screen Sharing, so run the verification after the step below.
Disable:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
Disable Printer Sharing
Verify:
system_profiler SPPrintersDataType
The output should show “Shared: No” for all printers. If no printers are present, the above command will yield “Status: The printers list is empty.”
Disable (restrict the printer to your own user):
/usr/sbin/lpadmin -p printer -u allow:[your_username]
Disable Remote Login
Verify:
sudo systemsetup -getremotelogin
Disable:
sudo systemsetup -setremotelogin off
Disable DVD or CD Sharing
Verify:
sudo launchctl list | egrep ODSAgent
Disable:
defaults write com.apple.NetworkBrowser EnableODiskBrowsing -bool false
defaults write com.apple.NetworkBrowser ODSSupported -bool false
Disable File Sharing
Verify:
sudo launchctl list | egrep '(ftp|nmbd|smbd|AppleFileServer)'
Disable:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
sudo launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.smb.server EnabledServices
sudo launchctl unload -w /System/Library/LaunchDaemons/nmbd.plist
sudo launchctl unload -w /System/Library/LaunchDaemons/smbd.plist
Disable Remote Management
Verify:
ps -ef | egrep ARDAgent
Ensure /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent is not present in the process list.
Disable:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
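Added example (mine, not the guide's): one pass over `sudo launchctl list` output that reports every sharing-related job from the sections above (Screen Sharing, file sharing over AFP, SMB and FTP, Internet Sharing, DVD or CD Sharing) that is still loaded, and separately those with a live process. The sample output is constructed; the label names in it are assumptions, while the patterns matched are the ones the guide's own grep commands use.

```shell
# Added example (not from the original guide): report loaded sharing jobs from
# "sudo launchctl list" output in one pass. launchctl list prints three
# columns: PID ("-" when no process is running), last exit status, and label.
# The sample is constructed; the label names are assumptions.
SAMPLE_LAUNCHCTL=$(printf 'PID\tStatus\tLabel\n-\t0\tcom.apple.screensharing\n131\t0\tcom.apple.AppleFileServer\n-\t0\tcom.apple.smbd\n-\t0\tcom.apple.nmbd\n-\t0\tcom.apple.ftpd\n55\t0\tcom.apple.mDNSResponder\n-\t0\tcom.apple.InternetSharing\n-\t0\tcom.apple.ODSAgent\n')

# Regular expression over the labels of the sharing services this guide disables.
SHARING_PATTERN='screensharing|AppleFileServer|smbd|nmbd|ftp|InternetSharing|ODSAgent'

# loaded_sharing_services OUTPUT: label of every loaded job matching the pattern.
loaded_sharing_services() {
    printf '%s\n' "$1" | awk -v pat="$SHARING_PATTERN" 'NR > 1 && $3 ~ pat { print $3 }'
}

# running_sharing_services OUTPUT: same, restricted to jobs with a live PID.
running_sharing_services() {
    printf '%s\n' "$1" | awk -v pat="$SHARING_PATTERN" 'NR > 1 && $3 ~ pat && $1 ~ /^[0-9]+$/ { print $3 }'
}

# count_loaded_sharing OUTPUT: number of matching loaded jobs (0 = compliant).
count_loaded_sharing() {
    loaded_sharing_services "$1" | wc -l | tr -d ' '
}

# report_sharing OUTPUT: human-readable verdict; status 0 only when nothing matched.
report_sharing() {
    _n=$(count_loaded_sharing "$1")
    if [ "$_n" -eq 0 ]; then
        echo "OK: no sharing services are loaded"
        return 0
    fi
    echo "FAIL: $_n sharing job(s) still loaded (unload each with: sudo launchctl unload -w <plist>):"
    loaded_sharing_services "$1" | sed 's/^/  /'
    return 1
}

# On a real host: OUTPUT=$(sudo launchctl list)
if report_sharing "$SAMPLE_LAUNCHCTL"; then :; fi
```

A job listed with "-" as PID is loaded but idle; it still counts, because launchd will start it on demand (for example when a client connects), which is why the guide unloads with `-w` rather than just stopping the process.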
Disable Wake for network Access
Verify:
Disable:
Disable Sleeping When connected to power
Verify:
Output should be 0
Disable:
Enable FileVault
Verify:
diskutil cs list | grep -i encryption
Output should be: Encryption Status: Unlocked and Encryption Type: AES-XTS
Configuration:
sudo fdesetup enable -user USERNAME -outputplist > ~/recoverykey.plist
The recovery key written to ~/recoverykey.plist is the fallback for unlocking the disk: move it to secure storage off the machine and remove the local copy.
Enable Gatekeeper
Configuring:
sudo spctl --master-enable
Enable Firewall
Verify:
defaults read /Library/Preferences/com.apple.alf globalstate
Output value should be: 1 or 2
Configuration:
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
Value 1 enables the firewall for specific services, 2 for essential services only.
Enable Secure Keyboard Entry
Verify:
defaults read -app Terminal SecureKeyboardEntry
Output should be: 1
Configuration
defaults write -app Terminal SecureKeyboardEntry -bool true
Disable Core Dumps
Verify:
launchctl limit core
Disable:
launchctl limit core 0
Configure Secure Empty Trash
Verify:
defaults read ~/Library/Preferences/com.apple.finder EmptyTrashSecurely
Configure:
defaults write ~/Library/Preferences/com.apple.finder EmptyTrashSecurely -bool true
Configuring Logging
Configure asl.conf
Retain System Log for 90 days
Verify:
grep -i ttl /etc/asl.conf
Verify that the ttl for system.log is greater than 90 days
Configuration:
> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90
Retain appfirewall.log for 90 or more days
Verification:
grep -i ttl /etc/asl.conf
Verify that the ttl for appfirewall.log is greater than 90 days
Configuration:
> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90
Retain auth.log for 90 or more days
Verification:
grep -i ttl /etc/asl/com.apple.authd
Configuration:
sudo vim /etc/asl/com.apple.authd
* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90
Enable Security Auditing
Verification:
sudo launchctl list | grep -i auditd
Configuration:
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
Configure Security Auditing Flags
Verification:
sudo egrep "^flags:" /etc/security/audit_control
Ensure at least the following flags are present:
- lo – audit successful/failed login/logout events
- ad – audit successful/failed administrative events
- fd – audit successful/failed file deletion events
- fm – audit successful/failed file attribute modification events
- -all – audit all failed events across all audit classes
Configuration:
- Open a terminal session and edit the /etc/security/audit_control file
- Find the line beginning with “flags”
- Add the following flags: lo, ad, fd, fm, -all.
- Save the file.
Retain Install Log for defined days (xxx)
Verification:
grep -i ttl /etc/asl/com.apple.install
Configuration
sudo vim /etc/asl/com.apple.install
* file /var/log/install.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=xxx
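Added example (my code, not the guide's) scripting the two kinds of logging check above: the audit_control flags (the verification plus the manual edit, done idempotently so it can be re-run) and the ttl of the asl rules for system.log, appfirewall.log and authd.log. The file contents are constructed stand-ins written to temporary files so the script runs anywhere; on a real host point the functions at /etc/security/audit_control, /etc/asl.conf and /etc/asl/com.apple.authd, as root.

```shell
# Added example (not the guide's code): audit_control flags check and fix, and
# asl ttl checks, on constructed copies of the files.
REQUIRED_AUDIT_FLAGS="lo ad fd fm -all"   # flags the guide requires
MIN_TTL_DAYS=90                           # retention the guide requires

# current_audit_flags FILE: value of the "flags:" line (comma separated).
current_audit_flags() {
    sed -n 's/^flags:[[:space:]]*//p' "$1" | head -n 1
}

# missing_audit_flags FILE: one line per required flag not present in FILE.
missing_audit_flags() {
    _current=$(current_audit_flags "$1" | tr ',' ' ')
    for _want in $REQUIRED_AUDIT_FLAGS; do
        _found=0
        for _have in $_current; do
            [ "$_have" = "$_want" ] && _found=1
        done
        [ "$_found" -eq 0 ] && printf '%s\n' "$_want"
    done
    return 0
}

# add_audit_flags FILE: append the missing flags to the flags line in place.
# Idempotent, and keeps whatever is already there (e.g. the default lo,aa).
add_audit_flags() {
    _missing=$(missing_audit_flags "$1" | tr '\n' ',' | sed 's/,$//')
    [ -z "$_missing" ] && return 0
    _current=$(current_audit_flags "$1")
    _new="${_current:+$_current,}$_missing"
    if grep -q '^flags:' "$1"; then
        sed "s/^flags:.*/flags:$_new/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'flags:%s\n' "$_new" >> "$1"
    fi
}

# asl_ttl FILE LOGNAME: ttl= value of the rule that writes LOGNAME, whether it
# is written as "> system.log ..." (asl.conf) or "* file /var/log/authd.log ..."
# (an /etc/asl module file). Prints nothing if the rule or its ttl is absent.
asl_ttl() {
    awk -v name="$2" '
        ($1 == ">" && $2 == name) || ($1 == "*" && $2 == "file" && $3 ~ ("/" name "$")) {
            for (i = 3; i <= NF; i++) if ($i ~ /^ttl=/) { sub(/^ttl=/, "", $i); print $i; exit }
        }' "$1"
}

# asl_ttl_ok FILE LOGNAME: status 0 when the ttl is set and at least MIN_TTL_DAYS.
asl_ttl_ok() {
    _ttl=$(asl_ttl "$1" "$2")
    [ -n "$_ttl" ] && [ "$_ttl" -ge "$MIN_TTL_DAYS" ]
}

# make_samples: constructed stand-ins for the three files, in temporary files.
make_samples() {
    AUDIT_CONTROL=$(mktemp)
    ASL_CONF=$(mktemp)
    AUTHD_CONF=$(mktemp)
    printf 'dir:/var/audit\nflags:lo,aa\nminfree:5\nnaflags:lo,aa\npolicy:cnt,argv\nfilesz:2M\n' > "$AUDIT_CONTROL"
    printf '%s\n' \
        '> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=7' \
        '> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90' > "$ASL_CONF"
    printf '%s\n' '* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=30' > "$AUTHD_CONF"
}

make_samples
echo "missing audit flags: $(missing_audit_flags "$AUDIT_CONTROL" | tr '\n' ' ')"
add_audit_flags "$AUDIT_CONTROL"
echo "flags line is now: $(current_audit_flags "$AUDIT_CONTROL")"
for _log in system.log appfirewall.log; do
    if asl_ttl_ok "$ASL_CONF" "$_log"; then
        echo "$_log: ttl ok"
    else
        echo "$_log: ttl too short ($(asl_ttl "$ASL_CONF" "$_log") days)"
    fi
done
rm -f "$AUDIT_CONTROL" "$ASL_CONF" "$AUTHD_CONF"
```

After changing the real audit_control, the running auditd has to re-read it (the guide restarts it via launchctl); the ttl edit in asl.conf likewise takes effect only once syslogd reloads the configuration.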
Network Configurations
Disable Bonjour advertising service
Verification:
grep -c NoMulticastAdvertisements /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
Output should be 1 once the argument has been added.
Disable:
sudo nano "/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist"
Add the -NoMulticastAdvertisements string to the ProgramArguments array:
<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
    <string>-NoMulticastAdvertisements</string>
</array>
Enable Show Wi-Fi Status in Menu Bar
Verification:
defaults read com.apple.systemuiserver menuExtras | grep AirPort.menu
Output should be: /System/Library/CoreServices/Menu Extras/AirPort.menu
File System permissions and access controls
Secure Home Folders
Verification:
Output is: drwx------ and drwx--x--x
Configuration
sudo chmod -R og-rwx /Users/
Or
sudo chmod -R og-rw /Users/
Applied to /Users/ as a whole, this also changes /Users/Shared and every user’s Public folder; if those are in use, run the command per home folder (/Users/<username>) instead.
Repair Permissions Regularly
Verification
cat /var/log/system.log* | grep RepairPermissions
Configuration:
diskutil repairPermissions /
Check Applications for proper Permissions
Verification:
sudo find /Applications -iname "*\.app" -type d -perm -2 -ls
No application bundles should be listed (the expected permissions on a bundle are drwxr-xr-x).
Configuration:
sudo chmod -R o-w /Applications/Bad\ Permissions.app/
Check System folder for world writable files
Verification:
sudo find /System -type d -perm -2 -ls
Configuration:
sudo chmod -R o-w /Bad/Directory
Check Library folder for world writable files
Verification:
sudo find /Library -type d -perm -2 -ls
Configuration:
sudo chmod -R o-w /Bad/Directory
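Added example (my code, not the guide's) for the world-writable checks on /Applications, /System and /Library: the find/chmod pair as functions whose result can be verified, run on a constructed temporary tree. It goes one step beyond the guide's commands by skipping sticky-bit directories, which are world-writable by design (shared temp directories), so they are neither reported nor changed.

```shell
# Added example (not the guide's code): world-writable directory check and fix
# as functions, demonstrated on a constructed temporary tree.

# world_writable_dirs ROOT: directories under ROOT that any user can write to
# and that do not carry the sticky bit, one path per line.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# fix_world_writable ROOT: clear the other-write bit on every directory the
# function above lists and print how many directories were changed.
fix_world_writable() {
    _before=$(world_writable_dirs "$1" | wc -l | tr -d ' ')
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod o-w {} +
    _after=$(world_writable_dirs "$1" | wc -l | tr -d ' ')
    echo $((_before - _after))
}

# make_sample_tree: a throwaway tree shaped like the paths the guide checks,
# with one bad directory, one sticky directory and one correct directory.
make_sample_tree() {
    SAMPLE_ROOT=$(mktemp -d)
    mkdir -p "$SAMPLE_ROOT/Library/Application Support/Good" \
             "$SAMPLE_ROOT/Library/Caches/Bad" \
             "$SAMPLE_ROOT/Library/Shared"
    chmod 755 "$SAMPLE_ROOT/Library/Application Support/Good"  # expected state
    chmod 777 "$SAMPLE_ROOT/Library/Caches/Bad"                 # must be reported and fixed
    chmod 1777 "$SAMPLE_ROOT/Library/Shared"                    # sticky: left alone
}

make_sample_tree
echo "world-writable before:"
world_writable_dirs "$SAMPLE_ROOT"
echo "fixed $(fix_world_writable "$SAMPLE_ROOT") directorie(s)"
echo "world-writable after: $(world_writable_dirs "$SAMPLE_ROOT" | wc -l | tr -d ' ')"
rm -rf "$SAMPLE_ROOT"
```

On a real host run `world_writable_dirs /Library` (and /System, /Applications) as root first and review the list before calling `fix_world_writable`, since the fix touches every directory listed.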
Reduce Sudo Time out Period
Verification:
sudo cat /etc/sudoers | grep timestamp
Output should be: Defaults timestamp_timeout=0
Configuration:
Add the following line in the # Defaults specification section (edit the file with visudo, so a sy
ntax error cannot lock you out of sudo):
Defaults timestamp_timeout=0
Automatically lock the login key chain after 15 minutes of inactivity and when sleeping
Verification:
security show-keychain-info
Configuration:
- Open Utilities
- Select Keychain Access
- Select a keychain
- Select Edit
- Select Change Settings for keychain
- Authenticate, if requested.
- Select the Lock when sleeping setting
Change the “Lock after # minutes of inactivity” setting to 15 minutes for the login keychain; for other keychains, choose a value based on how often the credentials they hold are used.
Do not enable the “root” account
Verification:
dscl . -read /Users/root AuthenticationAuthority
Output value should be: No such key: AuthenticationAuthority
Configuration:
- Open System Preferences
- Select Users & Groups
- Click the lock icon to unlock it
- In the Network Account Server section, click Join or Edit
- Click Open Directory Utility
- Click the lock icon to unlock it
- Select the Edit menu
- Select Disable Root User
Disable automatic login
Verification:
defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser
Configuration:
sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
Require a password to wake the computer from sleep or screen saver
Verification:
defaults read com.apple.screensaver askForPassword
Configuration:
defaults write com.apple.screensaver askForPassword -int 1
Require an administrator password to get access to system-wide preferences
Verification:
- In System Preferences, select Security, General tab, then Advanced
- Verify “Require an administrator password to get access to system-wide preferences” is checked
Configuration:
- In System Preferences, select Security, General tab, then Advanced
- Check “Require an administrator password to access system-wide preferences”
Disable ability to log in to another user’s active and locked session
Verification:
grep -i "group=admin,wheel fail_safe" /etc/pam.d/screensaver
Remediation:
sudo vi /etc/pam.d/screensaver
- Locate the line: account required pam_group.so no_warn group=admin,wheel fail_safe
- Remove “admin,”
- Save
Complex passwords must contain an Alphabetic Character
Verification:
pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresAlpha
Configuration:
sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
Complex passwords must contain a Numeric Character
Verification:
pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresNumeric
Configuration:
sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
Complex passwords must contain a Symbolic Character
Verification:
pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresSymbol
Configuration:
sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
Set a minimum password length
Verification:
pwpolicy -getglobalpolicy | tr " " "\n" | grep minChars
Configuration:
sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
Configure account lockout threshold
Verification:
pwpolicy -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts
Configuration:
sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
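Added example (my code, not the guide's) for the five password-policy items above: instead of grepping one key at a time, it parses the key=value output of `pwpolicy -getglobalpolicy` and evaluates the thresholds the guide sets (minChars 15, maxFailedLoginAttempts 5, alphabetic, numeric and symbol characters required) as numeric comparisons, so a policy of minChars=8 fails rather than merely "matching". The sample output is constructed; the keys in it other than the five the guide uses are assumed names included only as noise.

```shell
# Added example (not from the original guide): evaluate "pwpolicy
# -getglobalpolicy" output against the policy the guide sets. The sample is
# constructed in the space-separated key=value form the command prints.
SAMPLE_POLICY='Getting global policy

usingHistory=0 canModifyPasswordforSelf=1 maxFailedLoginAttempts=0 minChars=8 requiresAlpha=1 requiresNumeric=0 requiresSymbol=1'

# policy_value OUTPUT KEY: value of KEY, or nothing if it is not set.
policy_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# check_password_policy OUTPUT: one FAIL line per rule not met; the return
# status is the number of failures, so 0 means the policy matches the guide.
# Each rule is KEY, a test(1) integer operator, and the required value.
check_password_policy() {
    _output=$1
    _failures=0
    for _rule in "minChars -ge 15" \
                 "maxFailedLoginAttempts -ge 1" \
                 "maxFailedLoginAttempts -le 5" \
                 "requiresAlpha -eq 1" \
                 "requiresNumeric -eq 1" \
                 "requiresSymbol -eq 1"; do
        set -- $_rule
        _got=$(policy_value "$_output" "$1")
        if [ -z "$_got" ] || ! [ "$_got" "$2" "$3" ]; then
            printf 'FAIL %s: have %s, need %s %s\n' "$1" "${_got:-<unset>}" "$2" "$3"
            _failures=$((_failures + 1))
        fi
    done
    return "$_failures"
}

# On a real host: OUTPUT=$(pwpolicy -getglobalpolicy)
if check_password_policy "$SAMPLE_POLICY"; then
    echo "password policy matches the guide"
else
    echo "$? rule(s) not met; apply: sudo pwpolicy -setglobalpolicy \"maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1\""
fi
```

The lower bound on maxFailedLoginAttempts is deliberate: a value of 0 means no lockout at all, which a plain `grep maxFailedLoginAttempts` would not distinguish from a configured threshold.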
Create an access warning for the login window
Verification:
defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText
Configuration:
Add the text with elevated privileges:
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "your text here"
Remove the text with elevated privileges:
sudo defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText
Do not enter a password-related hint
Verification:
- Open System Preferences
- Select Users & Groups
- Highlight the user
- Select Change Password
- Verify that no text is entered in the Password hint box
Configuration:
- Open System Preferences
- Select Users & Groups
- Highlight the user
- Select Change Password
- Verify that no text is entered in the Password hint box
Secure individual keychain items
Verification:
- Open Utilities
- Select Keychain Access
- Double-click keychain
- Select Access Control
- Verify if the box next to “Ask for Keychain Password” is checked
Configuration:
- Open Utilities
- Select Keychain Access
- Double-click keychain
- Select Access Control
- Check box next to “Ask for Keychain Password”
Create specialized keychains for different purposes
Verification:
- Open Utilities
- Select Keychain Access
- Verify there are multiple keychains listed under Keychains on the upper left-hand side of the window
Configuration:
- Open Utilities
- Select Keychain Access
- Select File
- Select New Keychain
- Input name of new keychain next to Save As
- Select Create
- Drag and drop desired keychain items into new keychain from login keychain
Display login window as name and password
Verification:
defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME
Configuration:
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes
Disable “Show password hints”
Verification:
defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint
Configuration:
sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
Disable guest account login
Verification:
sudo defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled
Output should be: 0
Configuration:
sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
Disable “Allow guests to connect to shared folders”
Verification:
defaults read /Library/Preferences/com.apple.AppleFileServer | grep -i guest
Output should be guestAccess = 0;
For SMB sharing:
defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server | grep -i guest
Output should be AllowGuestAccess = 0;
Configuration:
AFP configuration:
sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no
SMB configuration:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no
Turn on filename extensions
Verification
defaults read NSGlobalDomain AppleShowAllExtensions
Configuration
- Select Finder
- Select Preferences
- Check Show all filename extensions
Disable the automatic run of safe files in Safari
Verification:
defaults read com.apple.Safari AutoOpenSafeDownloads
Output should be: 0
Configuration:
defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no