Windows 10 Feedback, Diagnostics and Privacy…

Of all the things I saw in Windows 10, the one that got most of my attention is the Feedback and Diagnostics option.

At the moment I find the amount of information Microsoft gives about what it collects through this feature really limited.

This is the only feature we can’t disable; we can only choose between 3 options.

As you use Windows, we collect performance and usage information that helps us identify and troubleshoot problems as well as improve our products and services. We recommend that you select Full for this setting.

  • Basic information is data that is vital to the operation of Windows. This data helps keep Windows and apps running properly by letting Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. If you select this option, we’ll be able to provide updates to Windows (through Windows Update, including malicious software protection by the Malicious Software Removal Tool), but some apps and features may not work correctly or at all.

  • Enhanced data includes all Basic data plus data about how you use Windows, such as how frequently or how long you use certain features or apps and which apps you use most often. This option also lets us collect enhanced diagnostic information, such as the memory state of your device when a system or app crash occurs, as well as measure reliability of devices, the operating system, and apps. If you select this option, we’ll be able to provide you with an enhanced and personalized Windows experience.

  • Full data includes all Basic and Enhanced data, and also turns on advanced diagnostic features that collect additional data from your device, such as system files or memory snapshots, which may unintentionally include parts of a document you were working on when a problem occurred. This information helps us further troubleshoot and fix problems. If an error report contains personal data, we won’t use that information to identify, contact, or target advertising to you. This is the recommended option for the best Windows experience and the most effective troubleshooting.

While I was trying to find information on what this feature collects, I stumbled on this F.A.Q. page.

There, the following question and answer are present:

Who sees the diagnostic and usage information that’s collected through feedback and diagnostics?

Microsoft employees, contractors, vendors, and partners might be provided access to relevant portions of the information collected, but they’re only permitted to use the information to repair or improve Microsoft products and services, or third-party software and hardware designed for use with Microsoft products and services.

This sentence basically says: trust us, we collect lots of information and give it to many people, but do not worry, they will only use it to improve the product.

Once more, I trust in good faith, but if we do not know how they achieve the objective and what information they collect, it is hard to trust.

(UPDATE) – This feature can only be disabled in the Enterprise version of Windows 10, by setting the GPO value to 0.

Microsoft Visual Studio, OSX and Linux

Microsoft has released a light version of Visual Studio for Linux and Mac OS X; there is also a version for Windows, but that does not count…

https://code.visualstudio.com

What is interesting on this?

Well, for a start, it seems that Microsoft finally considers the other operating systems important, and the company might plan to keep leading by bringing its framework (.net) into other operating systems.

The app seems more like a first version of a Trojan horse for OS X and Linux users, to persuade them to install the Mono framework (.net).

Why do I say this?
Because they advertise some interesting functionalities, but apparently they only work if you install the Mono framework.
Without the Mono framework the tool is not much different from TextMate.

I am happy that Microsoft is trying to expand the .net framework to other platforms.

I had my first experience with Mono in 2005, on earlier versions of .net, and it was really useful. We used it to port some code to Linux, but it was still immature back then, maintained by enthusiasts without any real support from Microsoft.

Now, with the .NET Foundation and its projects, things are starting to become more interesting; it is always good when we have competitors at the same level, Java and .NET… (now my Java friends and coworkers will stop talking to me because I used the words “same level” for Java and .NET…)

Java will have a huge headache in the near future as .net starts spreading into the Linux/Unix world.

It will also be a huge advantage for the cloud: with a major player like Microsoft Azure, we can start developing apps and tools on Linux instead of being obliged to use Windows for efficient development.

According to Microsoft’s objectives, .net apps will work on mobile phones, Windows, Linux, Mac, etc. We can truly write the code once and use it everywhere… 🙂

I am still waiting for Visual Studio 2015 for Mac… 🙂 That would be great…

Windows 10, License Agreements, Personal & Private Information!

Today I have seen some news related to Microsoft’s License Agreement for Windows 10…

From what I have read, it seems they will allow themselves to scan your whole machine and personal data so they can know you better. 🙂

I believe in good faith, but I do not trust companies that gather more about us than what is required.

I accept that when I am shopping I have to give my name and credit card number; I do not accept that I have to give my age, gender, GPS coordinates, birth date and all the other information that is not required to complete the service.

I found the statements about these data privacy policies strange, so out of curiosity I started to read some policy documents and collect more information about this.

This is what I have found in the Windows 10 License Agreement.

 "Privacy; Consent to Use of Data. Your privacy is important to us. Some of the software features send or receive information when using those features. Many of these features can be switched off in the user interface, or you can choose not to use them. By accepting this agreement and using the software you agree that Microsoft may collect, use, and disclose the information as described in the Microsoft Privacy Statement (aka.ms/privacy), and as may be described in the user interface associated with the software features."

This is a very brief statement that points to another page and policy…

What does this mean?!!?

I have checked the other page, the one they call aka.ms/privacy, and found these user terms:

Personal Data we Collect

Microsoft collects data to operate effectively and provide you the best experiences with our services. You provide some of this data directly, such as when you create a Microsoft account, submit a search query to Bing, speak a voice command to Cortana, upload a document to OneDrive, or contact us for support. We get some of it by recording how you interact with our services by, for example, using technologies like cookies, and receiving error reports or usage data from software running on your device.

We also obtain data from third parties (including other companies). For example, we supplement the data we collect by purchasing demographic data from other companies. We also use services from other companies to help us determine a location based on your IP address in order to customize certain services to your location.

The data we collect depends on the services and features you use, and includes the following.

Name and contact data. We collect your first and last name, email address, postal address, phone number, and other similar contact data.

Credentials. We collect passwords, password hints, and similar security information used for authentication and account access.

Demographic data. We collect data about you such as your age, gender, country and preferred language.

Interests and favorites. We collect data about your interests and favorites, such as the teams you follow in a sports app, the stocks you track in a finance app, or the favorite cities you add to a weather app. In addition to those you explicitly provide, your interests and favorites may also be inferred or derived from other data we collect.

Payment data. We collect data necessary to process your payment if you make purchases, such as your payment instrument number (such as a credit card number), and the security code associated with your payment instrument.

Usage data. We collect data about how you interact with our services. This includes data, such as the features you use, the items you purchase, the web pages you visit, and the search terms you enter. This also includes data about your device, including IP address, device identifiers, regional and language settings, and data about the network, operating system, browser or other software you use to connect to the services. And it also includes data about the performance of the services and any problems you experience with them.

Contacts and relationships. We collect data about your contacts and relationships if you use a Microsoft service to manage contacts, or to communicate or interact with other people or organizations.

Location data. We collect data about your location, which can be either precise or imprecise. Precise location data can be Global Position System (GPS) data, as well as data identifying nearby cell towers and Wi-Fi hotspots, we collect when you enable location-based services or features. Imprecise location data includes, for example, a location derived from your IP address or data that indicates where you are located with less precision, such as at a city or postal code level.

Content. We collect content of your files and communications when necessary to provide you with the services you use. This includes: the content of your documents, photos, music or video you upload to a Microsoft service such as OneDrive. It also includes the content of your communications sent or received using Microsoft services, such as the:

    subject line and body of an email,
    text or other content of an instant message,
    audio and video recording of a video message, and
    audio recording and transcript of a voice message you receive or a text message you dictate.

Additionally, when you contact us, such as for customer support, phone conversations or chat sessions with our representatives may be monitored and recorded. If you enter our retail stores, your image may be captured by our security cameras.

You have choices about the data we collect. When you are asked to provide personal data, you may decline. But if you choose not to provide data that is necessary to provide a service, you may not be able to use some features or services.

Service-specific sections below describe additional data collection practices applicable to use of those services.

All this seems to apply globally to several services that Microsoft supplies to its customers.

The email situation is particularly strange…

Microsoft sells Office 365 services to companies; does this policy mean that the contents of all their emails and documents are read and stored somewhere in a Microsoft database? If they use this data, it gives Microsoft huge power in the markets, or for competitive intelligence.

Should we, in good faith, trust a corporation with this information?

Google refuses to receive or relay encrypted email; I am now curious to see if the same happens in Outlook.com 🙂
This is a global policy and might or might not apply to Windows 10.

Thinking again, the integration of Windows 10 with the other services means that Windows 10 will indirectly make use of these license agreements… By using their extra services we may become covered by these policies without realising it, and at some point we will be giving Microsoft more information than we wished…

Now, in my mind, the free Windows 10 upgrade seems more interesting, as it appears to be a strategy to get people to use other Microsoft cloud services sooner or later; then most of these policies will apply, and in the end Microsoft will have more power over people and lots of valuable aggregated data. If you use some of the advertised functionalities of Windows 10 you will have to use the cloud services; if you fall for that sweet talk you will be giving Microsoft money and bonus value (information).

Unless these companies explain very well:

1 – How the info is protected from third parties.

2 – How the info is protected from employees of the company.

3 – How that info is processed.

I will get suspicious.

Probably even after reading this information I will continue to be suspicious of these companies…

I have not managed to find all of this so far.

It would be easier to have, in this huge amount of policies, something like “how we protect your data”…

I am not a lawyer, but Microsoft is an American company, so if the NSA requests information from this data bank I don’t think Microsoft can refuse…

Because this seems to be a global policy, let’s see what specific information Microsoft collects from the Windows 10 operating system, not counting the integration with other services…


Location Services

Windows location service. Microsoft operates a location service that helps determine the precise geographic location of a specific Windows device. Depending on the capabilities of the device, location is determined using satellite global positioning service (GPS), detecting nearby cell towers and/or Wi-Fi access points and comparing that information against a database that Microsoft maintains of cell towers and Wi-Fi access points whose location is known, or deriving location from your IP address. When the location service is active on a Windows device, data about cell towers and Wi-Fi access points and their locations is collected by Microsoft and added to the location database after removing any data identifying the person or device from which it was collected. Microsoft may also share de-identified location data with third parties to provide and improve location and mapping services.

Windows services and features (such as browsers and Cortana), applications running on Windows, and websites opened in Windows browsers can access the Windows location service to determine location if you allow them to do so. Some features and apps request location permission when you first install Windows, some ask the first time you use the app, and others ask every time you access the location service. For information about certain Windows apps that use the location service, see the Windows Apps section below.

Data about a Windows device's recent location history is stored on the device, and certain apps and Windows features can access this location history. You can clear your device's location history at any time in the device's Settings menu.

In Settings, you can also view which applications have access to the location service or your device's location history, turn off or on access to the location service for particular applications, or turn off the location service. Note that on mobile devices, your mobile operator will have access to your location even if you turn off the location service.

Find My Phone. The Find My Phone feature allows you to find the location of your Windows phone from https://account.microsoft.com, even if you have turned off all access to the location service on the phone. If you have turned on the "save my location every few hours" feature in the Find My Phone settings on your phone, the Find My Phone feature will periodically send and store a single last known location of your phone, even if you have turned off location services on your phone. Each time a new location is sent, it replaces the previously-stored location.

Find My Device. The Find My Device feature allows an administrator of a Windows PC or tablet to find the location of that device if the administrator has enabled the location service for the device, even if other users have disabled location for themselves. When the administrator attempts to locate the device, users will see a notification in the notification center.

Windows Motion Sensing. Windows devices with motion activity detection can collect motion activity. This data can enable features such as a pedometer to count the number of steps you take, so a fitness application can estimate how many calories you burn. This data and history is stored on your device and can be accessed by applications you give permission to access and use that data.

Most of the personal things on the computer can be disabled, so theoretically you can control what you give.

That is good and correct from the manufacturer, but what happens when you start using all the other cloud services?

For some information it really does not need to collect data from your computer or GPS; all it needs is to correlate your IP with third-party information and it will know where you are, and even better if it gets your BSSID or SSID.

Reading a bit more…

The backup of your encryption key goes to OneDrive, where it probably enters the backup cycle of the Microsoft cloud and can be stored for some time… even after we delete it… 🙂

Device encryption. Device encryption helps protect the data stored on your device by encrypting it using BitLocker Drive Encryption technology. When device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for your device is automatically backed up online in your Microsoft OneDrive account.

Information about our connectivity is also interesting…

Remember when I said they only need to get your IP or BSSID or SSID?

Here is the policy on what they collect from us.

Usage and connectivity data. Microsoft regularly collects basic information about your Windows device including usage data, app compatibility data, and network and connectivity information. This data is transmitted to Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns. The data we collect includes:

    Configuration data, including the manufacturer of your device, model, number of processors, display size and resolution, date, region and language settings, and other data about the capabilities of the device.
    The software (including drivers and firmware supplied by device manufacturers), installed on the device.
    Performance and reliability data, such as how quickly programs respond to input, how many problems you experience with an app or device, or how quickly information is sent or received over a network connection.
    App use data for apps that run on Windows (including Microsoft and third party apps), such as how frequently and for how long you use apps, which app features you use most often, how often you use Windows Help and Support, which services you use to sign into apps, and how many folders you typically create on your desktop.
    Network and connection data, such as the device's IP address, number of network connections in use, and data about the networks you connect to, such as mobile networks, Bluetooth, and identifiers (BSSID and SSID), connection requirements and speed of Wi-Fi networks you connect to.
    Other hardware devices connected to the device.

Some diagnostic data is vital to the operation of Windows and cannot be turned off if you use Windows. Other data collection is optional, and you will be able to turn this data collection on or off in Settings.

Why do they need my BSSID and SSID???
If I am using a public one, from what I have read, they buy that info from third parties; if it is a personal one, why do they need to have it?

And finally, I love the last statement: “Some diagnostic data is vital to the operation of Windows and cannot be turned off if you use Windows.”

I am now curious whether companies, when they send these diagnostics to Microsoft, really know what is in the package…

I believe some know, but most just have good faith. Same as users.

What is this part that we can’t disable and keeps feeding Microsoft with our data?!?!?!

In reality this makes the GPS situation redundant… the difference is just the precision with which they can pinpoint you on the map.

This is also interesting: if you use a Wi-Fi network and you use Tor to make your traffic anonymous, does it mean that somehow, in specific situations, they can get your Wi-Fi information? That information, correlated with other info, would make Tor useless…

This, together with the policy that you are forced to accept Windows updates, makes me think of some more conspiracy theories… 😛

Probably it is some requirement that governments need…

Speaking of data retention…

Microsoft retains personal data for as long as necessary to provide the services and fulfill the transactions you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. For example:

    For Bing search queries, we de-identify stored queries by removing the entirety of the IP address after 6 months, and cookie IDs and other cross-session identifiers after 18 months.
    In Outlook.com, when your Deleted Items folder is emptied, those emptied items remain in our system for up to 30 days before final deletion.
    If you remove a credit card from your account, Microsoft will retain transaction records containing your credit card number for as long as reasonably necessary to complete any existing transactions, to comply with Microsoft's legal and reporting requirements, and for the detection and prevention of fraud.

Strangely, I did not find anything related to the OneDrive retention policy… Remember the place where our encryption key is stored?!!!

Well, I found all this in around 2 hours of reading policies and jumping around from one to another…

I might be wrong, but it seems that in some cases they are collecting more than what they need to provide the services they sell us.

I hope this creates more awareness, so people can decide consciously whether or not they want to give control of their personal information to corporations.

Kali Linux, Raspberry PI and 64GB SD card not fully used…

I have installed the Kali Linux image for the first time on a Raspberry Pi, to play a bit and understand what we can do with it…

I used a 64GB SD card, but the image does not use all the available space on the card.
The official installation has a config tool that allows us to expand the disk, so I guess we can use that to do the same in Kali.

How can I install the raspi-config tool?
What do I need to make it work correctly?

I have found this walkthrough to expand the disk; I hope it is useful to others.


# raspi-config depends on triggerhappy and lua5.1, which the Kali image does not ship; fetch all three packages
wget http://archive.raspberrypi.org/debian/pool/main/r/raspi-config/raspi-config_20150131-1_all.deb
wget http://http.us.debian.org/debian/pool/main/t/triggerhappy/triggerhappy_0.3.4-2_armhf.deb
wget http://http.us.debian.org/debian/pool/main/l/lua5.1/lua5.1_5.1.5-7.1_armhf.deb
# install the two dependencies first, then raspi-config itself
dpkg -i triggerhappy_0.3.4-2_armhf.deb
dpkg -i lua5.1_5.1.5-7.1_armhf.deb
dpkg -i raspi-config_20150131-1_all.deb
# run the tool and choose the option to expand the filesystem, then reboot
raspi-config

How to check if a used iPhone is stolen.

I confess that I only noticed this tool recently; I find it very useful, and everyone should know about it.

Apple is trying to address the problem of stolen mobile phones. It seems alone in this hard work, but at least it is trying.

Apple phones are in very high demand, both used and new.

Since the release of iOS 7, Apple requires typing the previous Apple ID account and password used for activation before the phone can be switched to another account.

But this is not enough; Apple has now created a tool to check a phone’s Activation Lock status. With this tool we are able to check whether the used phone was stolen or not.

This might be very useful if you’re trying to get a used phone over the internet!

No one likes to buy a brick, or to be unable to activate the phone with their own Apple ID… Or, even worse, to be caught with stolen property.

In order to check the phone status you will need the IMEI (International Mobile Equipment Identity) or the serial number; these numbers are unique identifiers for each phone.

Once you have one of them, go to the Apple Activation Lock Status website (Apple Activation Lock Status), type the IMEI or serial number into the form, fill in the remaining information and press Continue.

The next screen will show you whether the phone has its Activation Lock feature enabled.

If Activation Lock is on, one of the following might be the case:

1 – The phone is stolen and the seller can’t disable the Activation Lock.

2 – The seller forgot to turn off the Activation Lock and will be able to deactivate it in order to complete the sale.


Apple and 4K monitors….

Apple 4k monitor…

For some time I have wished for a 4K monitor; Samsung had released one…

The problem is that I cannot use the 4K monitor and the Thunderbolt monitor at the same time on the Thunderbolt ports; both are disabled each time I try to connect them…

Only the HDMI port remains; it works fine if I connect the Thunderbolt monitor to one of the Thunderbolt ports and the 4K monitor to the HDMI.

Cons of this configuration:

The 4K monitor only works at 30Hz instead of 60Hz, and that sucks.

The image is not that good and makes my eyes hurt.

If I connect the 4K monitor to the Thunderbolt port it works OK at 60Hz.

Why do site developers insist on forcing on us the language of the country we are in?!

Lately I have noticed that sites have started to ignore the browser configuration that tells them which language we prefer.

They have started to enforce the language associated with the IP address and its corresponding country…

In a modern society with so many people travelling, it does not seem logical to be constantly forced to change settings in order to read the information, or to force people to use languages that are not their native ones.

I have started to stop reading some sites and replace them with others that do not do that automatic change.

Here is an example:

(check the selected language at the bottom right; regardless of this, I have also configured English in my browser…)

Google forcing German

MAC OS X file system Introduction

Knowing the hierarchical organisation of a given operating system’s file system is very important for everyone who works in security.

This is the normal structure of the Apple file system.
For this we assume that the system has a user named User1.

Hidden folders are coloured green; normally visible folders are coloured purple.

/ – The root path of the file system.
/Applications – This directory is where you install apps intended for use by all users of a computer.
/Network – This directory contains the list of computers in the local area network.
/System – This directory contains the system resources required by OS X to run.
/Users – This directory contains one or more user home directories.
/Users/User1/Applications – Contains user-specific apps.
/Users/User1/Desktop – Contains the items on the user’s desktop.
/Users/User1/Documents – Contains user documents and files.
/Users/User1/Downloads – Contains files downloaded from the Internet.
/Users/User1/Library – Contains user-specific app files (hidden in OS X v10.7 and later).
/Users/User1/Movies – Contains the user’s video files.
/Users/User1/Music – Contains the user’s music files.
/Users/User1/Pictures – Contains the user’s photos.
/Users/User1/Public – Contains content the user wants to share.
/Users/User1/Sites – Contains web pages used by the user’s personal site.

/bin – Contains essential command-line binaries. Typically, you execute these binaries from command-line scripts.
/dev – Contains essential device files, such as mount points for attached hardware.
/etc – Contains host-specific configuration files.
/sbin – Contains essential system binaries.
/tmp – Contains temporary files created by apps and the system.
/usr – Contains non-essential command-line binaries, libraries, header files, and other data.
/var – Contains log files and other files whose content is variable. (Log files are typically viewed using the Console app.)

/Volumes – The mount point of all drives connected to the system.
/private – Destination of some symbolic links.
/net – Shortcut access to network drives.
/home
/cores – Directory for the core dumps.
/Trashes – Everything that we have put in the Trash.
/Spotlight – Information related to Spotlight.
/Developer – Path to old Xcode information.

There are two primary techniques for identifying the type of content in a file:

  • Uniform Type Identifiers (UTIs) – a string that uniquely identifies a class of entities considered to have a “type.” UTIs provide consistent identifiers for data that all apps and services can recognise and rely upon.
    • public.text—A public type that identifies text data.
    • public.jpeg—A public type that identifies JPEG image data.
    • com.apple.bundle—An Apple type that identifies a bundle directory.
    • com.apple.application-bundle—An Apple type that identifies a bundled app.
  • Filename extensions – A filename extension is a string of characters appended to the end of a file and separated from the main filename with a period.

Kabel Deutschland and DynDNS… :( first piece…

Well, my DynDNS has stopped working on Kabel Deutschland…

I am a bit pissed…

It appears that they have changed from IPv4 to IPv6, and somewhere in their network there is a conversion back to IPv4… 🙁 which I think is killing my DynDNS functionality…

I am trying to see how I can work around this issue…

Talking with them is hard (almost impossible; I depend on the good will of the support team to speak English…) because I do not speak German… 🙁 so I guess I will need to find out how I can reconfigure my devices… 🙂

Most of the pages that talk about similar issues are also in German, so they are not much help to me…

First, let’s get to know the device a bit better… (Enumeration)

I asked for the cheapest one… I got a cable modem unknown to me, brand CBN, model number CH6640E.
After some searching I found the following manual for the device…
http://www.ktech.no/CG6640E_User_Guide_English.pdf

German version…
https://www.kabeldeutschland.de/psources/media/Handbuch_compal_cbn_ch6640e.pdf

There are some differences between the manuals… But even this German version has more menus than my device…

More info about the device…

Vendor: CBN Inc.
Model: CH6640E
Hardware Version: 1.0
Firmware Version: CH6640-3.5.11.7-NOSH
Boot Version: PSPU-Boot(BBU) 1.0.12.19m1-CBN03

Interesting reading: it seems the device can have Wi-Fi, but somehow it is not functional, maybe because the hardware is not there or because someone disabled it in the firmware… (well, I did not ask for the Wi-Fi version, to make it cheaper…) I will check this later.

In one of the documents I read that there are 2 special users configured on the device… 🙂

1 – admin, with default password admin, for user-level access to the gateway pages…
2 – root, with default password compalbn, for access to the Operator mode… I guess this is the equivalent of a privileged user… 🙂

Of course Kabel Deutschland has changed the passwords or disabled this functionality… 😛

The menu layout is also not the same as in the manuals…

It seems that I have some missing menus.

Sadly, one of the missing things is the logs web page…

I will have to find out whether I can access that info another way. 🙁

From the manual it seems that some firmware versions have a web page where we can set up the DynDNS configuration…
I wonder if they disabled it on purpose, or if it is my device that does not handle these extra configs… 🙁

Let’s try to see which firmware has that option and which firmware versions are available… 🙂

Manufacturer…

http://www.icbn.com.tw
That conveniently has its page under construction… 🙁 as of 04-01-2015…

These are the listening ports, seen from the inside…

PORT SCAN

PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
53/tcp open domain dnsmasq 2.46
80/tcp open tcpwrapped
554/tcp open tcpwrapped
5000/tcp open sip (SIP end point; Status: 501 Not Implemented)
7070/tcp open tcpwrapped

For now this is all…

 

MAC OSX 10.9 Hardening

How to harden your MAC OS X

This is a guide to help all administrators who want a well-hardened MAC OS X operating system.
This is a reference; your needs might be different, but it can be considered a baseline for starting the hardening.
The version covered by this document is OS X 10.9.
I will try to do another one for the latest version, OS X 10.10, with the differences.

I will use terminal commands to make it easier for administrators to build custom scripts and deploy them in an automated way.

1 – Updates

List available software for updates

softwareupdate -l

If there is no software that needs to be updated, the result will be “No new software available”.

Install available software (packagename is a name from the list above)

sudo softwareupdate -i packagename

Enable Auto Update

Verify the status:

defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled

Make sure the result is: 1

Configure auto update:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1

Update applications

Verify the status:

defaults read /Library/Preferences/com.apple.storeagent AutoUpdate

Verify the value returned is: 1

Configure App auto update:

sudo defaults write /Library/Preferences/com.apple.storeagent AutoUpdate -int 1

Enable system and security update

Verify the status:

defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(ConfigDataInstall|CriticalUpdateInstall)'

Verify the values returned are: ConfigDataInstall = 1; CriticalUpdateInstall = 1;

Configure Security Auto Updates

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -int 1 && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -int 1

Configuring System Preferences

Disable Bluetooth

Verify the status:

defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState

Verify return value: 0

If the value is 1, Bluetooth is enabled.
Check if there are paired devices:

system_profiler | grep "Bluetooth:" -A 20 | grep Connectable

Verify return value: Connectable:Yes

Disable Bluetooth if no device is connected:

sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
sudo killall -HUP blued

Disable Bluetooth Discoverable mode

Verify the status:

/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable

Verify returned value is: Off

Disable discoverable bluetooth

user="$1"   # short name of the user whose ByHost Bluetooth preferences are changed (first script argument)
uuid=`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`
/usr/bin/defaults write /Users/$user/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid DiscoverableState -bool "no"
/usr/sbin/chown $user /Users/$user/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid.plist

Show the bluetooth status in the menu bar

Verify the status:

defaults read com.apple.systemuiserver menuExtras | grep Bluetooth.menu

Verify the returned value is: /System/Library/CoreServices/Menu Extras/Bluetooth.menu

show status in the status menu bar:

defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"

Automatic set Date and time

Verify the status:

sudo systemsetup -getusingnetworktime

Verify the output is: Network Time: 0

Configure auto update Date and Time:

sudo systemsetup -setusingnetworktime on

Activate Screen Saver

Verify the device status:

UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.* "\(.*\)"$/\1/'`
for i in $(find /Users -maxdepth 1 -type d)
do
    PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID
    if [ -e $PREF.plist ]
    then
        echo -n "Checking User: '$i': "
        defaults read $PREF.plist idleTime 2>&1
    fi
done

Verify the output is the wanted value, e.g. at most 1200 (seconds) for a timeout of at most 20 minutes.

Verify user configured status:

defaults -currentHost read com.apple.screensaver idleTime

Verify the output is the wanted value, e.g. at most 1200 (seconds) for a timeout of at most 20 minutes.

Configure Screen Saver after 10 minutes:

defaults -currentHost write com.apple.screensaver idleTime -int 600

Secure Screen Saver Corners

Verify the status:

defaults read ~/Library/Preferences/com.apple.dock | grep -i corner

Verify that the output does not show the value 6 for any corner key, for any user.

This is the script to disable hot corners. I was not able to find a script that specifically disables only the hot corner that disables the screen saver; I will try to write one later.
This was taken from github.

/klynch/827581
-- By Richard Kulesus, 2009.  Released without license!
-- Use this for whatever!
-- I seriously despise code authors who copyright tiny bits of obvious code
-- like it's some great treasure.  This is small and simple, and if it saves
-- the next guy some time and trouble coding applescript I'll feel good!
--
-- Quickly change all the hot-corners to do what you want.
-- Particularly useful for presentations and full-screen games.
-- Customize the activity of each hot-corner with "all windows/application windows/dashboard/disable screen saver/none/show desktop/show spaces/sleep display/start screen saver"
-- The MODIFIERS are the keys which can be used to supplement hot-corner activation.
-- Here I've set them all to {}, which is none.  Options are "command/control/none/option/shift"
-- Dashboard in a fullscreen application.
--
-- Version 1.0
--  - Initial release
--
tell application "System Events"
	activate
	if UI elements enabled then
		tell expose preferences
			set properties of the top left screen corner to {activity:none, modifiers:{}}
			set properties of the top right screen corner to {activity:none, modifiers:{}}
			set properties of the bottom left screen corner to {activity:none, modifiers:{}}
			set properties of the bottom right screen corner to {activity:none, modifiers:{}}
		end tell
	else
		tell application "System Preferences"
			activate
			set current pane to pane "com.apple.preference.universalaccess"
			display dialog "UI element scripting is not enabled. Check \"Enable access for assistive devices\""
		end tell
	end if
end tell
 
tell application "System Preferences" to quit

Confirm that display sleep is configured with a value larger than the screen saver timeout

Verify status:

pmset -g | grep displaysleep

Configure sleep

sudo pmset -c displaysleep 0

If the display sleeps before the screen saver is active the computer may be unlocked and available for an unauthorized user.

Set a Screen Corner to start the screen saver

Verify status:

defaults read ~/Library/Preferences/com.apple.dock | grep -i corner

At least one of the corners should have the value 5 for each user.
If not, enable a screen corner for the screen saver.

An adaptation of the hot-corner script that I found on github.
In this example it is for the top left corner.
I did not test this script…

/klynch/827581
-- By Richard Kulesus, 2009.  Released without license!
-- Use this for whatever!
-- I seriously despise code authors who copyright tiny bits of obvious code
-- like it's some great treasure.  This is small and simple, and if it saves
-- the next guy some time and trouble coding applescript I'll feel good!
--
-- Quickly change all the hot-corners to do what you want.
-- Particularly useful for presentations and full-screen games.
-- Customize the activity of each hot-corner with "all windows/application windows/dashboard/disable screen saver/none/show desktop/show spaces/sleep display/start screen saver"
-- The MODIFIERS are the keys which can be used to supplement hot-corner activation.
-- Here I've set them all to {}, which is none.  Options are "command/control/none/option/shift"
-- Dashboard in a fullscreen application.
--
-- Version 1.0
--  - Initial release
--
 
tell application "System Events"
	activate
	if UI elements enabled then
		tell expose preferences
			set properties of the top left screen corner to {activity:Start Screen Saver, modifiers:{}}
		end tell
	else
		tell application "System Preferences"
			activate
			set current pane to pane "com.apple.preference.universalaccess"
			display dialog "UI element scripting is not enabled. Check \"Enable access for assistive devices\""
		end tell
	end if
end tell
tell application "System Preferences" to quit

Another option could be the following:

defaults write com.apple.dock wvous-tl-corner -int 5
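The two corner rules above (no corner set to 6, at least one corner set to 5) can be checked from a script instead of by eye. This is an added example, not part of the original guide; it parses the output of "defaults read com.apple.dock", and the sample plist output it runs on is constructed:

```shell
#!/bin/sh
# Added example (not part of the original guide): evaluates the hot-corner keys
# printed by "defaults read com.apple.dock" against the two rules above: no
# corner may be 6 (Disable Screen Saver) and at least one corner must be 5
# (Start Screen Saver). The per-user loop follows the screen saver check
# earlier in the guide. The sample plist output below is constructed.

# corner_findings: reads "defaults read" output on stdin and prints one line per
# problem; prints nothing when the corners are compliant.
corner_findings() {
    starters=0
    # Turn lines such as   "wvous-bl-corner" = 6;   into   bl=6
    for pair in $(sed -n 's/^ *"\{0,1\}wvous-\([a-z][a-z]\)-corner"\{0,1\} = \([0-9]*\);.*/\1=\2/p'); do
        corner=${pair%=*}
        value=${pair#*=}
        if [ "$value" = 6 ]; then
            echo "corner $corner is set to 6 (Disable Screen Saver)"
        elif [ "$value" = 5 ]; then
            starters=$((starters + 1))
        fi
    done
    [ "$starters" -gt 0 ] || echo "no corner is set to 5 (Start Screen Saver)"
}

# corners_compliant: exit status 0 when corner_findings reports nothing.
corners_compliant() {
    [ -z "$(corner_findings)" ]
}

# audit_all_users: checks every home directory under /Users (macOS only).
audit_all_users() {
    for home in $(find /Users -maxdepth 1 -type d); do
        plist="$home/Library/Preferences/com.apple.dock.plist"
        [ -e "$plist" ] || continue
        echo "Checking user home: $home"
        defaults read "$plist" 2>/dev/null | corner_findings
    done
}

# Constructed sample: bottom-left disables the screen saver, top-left starts it.
SAMPLE_DOCK_BAD='{
    "wvous-bl-corner" = 6;
    "wvous-bl-modifier" = 0;
    "wvous-tl-corner" = 5;
    "wvous-tl-modifier" = 0;
    "wvous-tr-corner" = 2;
    tilesize = 48;
}'
# Constructed sample that satisfies both rules.
SAMPLE_DOCK_OK='{
    "wvous-bl-corner" = 1;
    "wvous-tl-corner" = 5;
    tilesize = 48;
}'

printf '%s\n' "$SAMPLE_DOCK_BAD" | corner_findings
if [ "$(uname -s)" = Darwin ]; then
    audit_all_users
fi
```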

Disable Remote Apple Events

Verify status:

sudo systemsetup -getremoteappleevents

Verify output is: Remote Apple Events: Off

Disable:

sudo systemsetup -setremoteappleevents off

Disable Internet Sharing

Verify:

sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -i Enabled

No output should be returned.

Disable:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.InternetSharing.plist

Disable Screen Sharing

Verify:

sudo launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist

Verify the value returned is: nothing found to load

Disable:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

Disable Printer Sharing

Verify:

system_profiler SPPrintersDataType

The output should show “Shared: No” for all printers. If no printers are present, the above command will yield “Status: The printers list is empty.”

Disable:

/usr/sbin/lpadmin -p printer -u allow:[your_username]

Disable Remote Login

Verify:

sudo systemsetup -getremotelogin

Disable:

sudo systemsetup -setremotelogin off

Disable DVD or CD Sharing

Verify:

sudo launchctl list | egrep ODSAgent

Disable:

defaults write com.apple.NetworkBrowser EnableODiskBrowsing -bool false
defaults write com.apple.NetworkBrowser ODSSupported -bool false

Disable File Sharing

Verify:

sudo launchctl list | egrep '(ftp|nmbd|smbd|AppleFileServer)'

Disable:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
sudo launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.smb.server EnabledServices
sudo launchctl unload -w /System/Library/LaunchDaemons/nmbd.plist
sudo launchctl unload -w /System/Library/LaunchDaemons/smbd.plist

Disable Remote Management

Verify:

ps -ef | egrep ARDAgent

Ensure /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent is not present in the output.

Disable:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop

Disable Wake for network Access

Verify:

pmset -g | grep womp

Disable:

sudo pmset -a womp 0

Disable Sleeping When connected to power

Verify:

pmset -g | grep sleep

Output should be 0

Disable:

sudo pmset -c sleep 0

Enable File Vault

Verify:

diskutil cs list | grep -i encryption

Output should be: Encryption Status: Unlocked and Encryption Type: AES-XTS

Configuration:

fdesetup enable -user USERNAME -outputplist > ~/recoverykey.plist

Enable Gatekeeper

Verify:

sudo spctl --status

Configuring:

sudo spctl --master-enable

Enable Firewall

Verify:

defaults read /Library/Preferences/com.apple.alf globalstate

Output value should be: 1 or 2

Configuration:

sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1

Use value 1 to allow specific services, 2 to allow only essential services.

Enable Secure Keyboard Entry

Verify:

defaults read -app Terminal SecureKeyboardEntry

Output should be: 1
Configuration

defaults write -app Terminal SecureKeyboardEntry true

Disable Core Dumps

Verify:

launchctl limit core

Disable:

launchctl limit core 0

Configure Secure Empty Trash

Verify:

defaults read ~/Library/Preferences/com.apple.finder EmptyTrashSecurely

Configure:

defaults write ~/Library/Preferences/com.apple.finder EmptyTrashSecurely true

Configuring Logging


Retain System Log for 90 days

Verify:

grep -i ttl /etc/asl.conf

Verify that the ttl for system.log is 90 days or more.

Configuration:

sudo vim /etc/asl.conf

and set the system.log rule to:

> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

Retain appfirewall.log for 90 or more days

Verification:

grep -i ttl /etc/asl.conf

Verify that the ttl for appfirewall.log is 90 days or more.

Configuration:

sudo vim /etc/asl.conf

> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

Retain auth.log for 90 or more days

Verification:

grep -i ttl /etc/asl/com.apple.authd

Configuration:

sudo vim /etc/asl/com.apple.authd

* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

Enable Security Auditing

Verification:

sudo launchctl list | grep -i auditd

Configuration:

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

Configure Security Auditing Flags

Verification:

sudo egrep "^flags:" /etc/security/audit_control

Ensure at least the following flags are present:

  1. lo – audit successful/failed login/logout events
  2. ad – audit successful/failed administrative events
  3. fd – audit successful/failed file deletion events
  4. fm – audit successful/failed file attribute modification events
  5. -all – audit all failed events across all audit classes

Configuration:

  1. Open a terminal session and edit the /etc/security/audit_control file
  2. Find the line beginning with “flags”
  3. Add the following flags: lo, ad, fd, fm, -all.
  4. Save the file.

Retain Install Log for defined days (xxx)

Verification:

grep -i ttl /etc/asl/com.apple.install

Configuration

sudo vim /etc/asl/com.apple.install

* file /var/log/install.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=xxx
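The audit flag check and the ttl checks of the logging sections above can be scripted instead of inspected by hand. The following is an added example, not part of the original guide: it reads audit_control and asl-style rule files, reports the missing flags and the retention of each log, and can emit a corrected flags: line. The file contents it runs on are constructed samples:

```shell
#!/bin/sh
# Added example (not part of the original guide): checks the "flags:" line of
# /etc/security/audit_control for the five flags listed above and reads the
# ttl= retention of the ASL rules for the log files above. The file contents
# at the bottom are constructed samples; on a real system feed the functions
# the live files, e.g.  audit_flags_missing < /etc/security/audit_control

REQUIRED_AUDIT_FLAGS="lo ad fd fm -all"

# audit_flags_missing: reads audit_control on stdin, prints the required flags
# that are absent from the flags: line. Flags are matched as whole
# comma-separated items, so "all" does not satisfy "-all".
audit_flags_missing() {
    flags_line=$(grep '^flags:' | head -n 1 | cut -d: -f2- | tr -d ' \t')
    missing=""
    for f in $REQUIRED_AUDIT_FLAGS; do
        case ",$flags_line," in
            *",$f,"*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# audit_flags_fixed: reads audit_control on stdin and writes it back with the
# required flags merged into the flags: line (existing flags are kept).
audit_flags_fixed() {
    content=$(cat)
    merged=$(printf '%s\n' "$content" | grep '^flags:' | head -n 1 | cut -d: -f2- | tr -d ' \t')
    for f in $REQUIRED_AUDIT_FLAGS; do
        case ",$merged," in
            *",$f,"*) ;;
            *) merged="${merged:+$merged,}$f" ;;
        esac
    done
    printf '%s\n' "$content" | sed "s/^flags:.*/flags:$merged/"
}

# asl_ttl <logfile>: reads an ASL config on stdin and prints the ttl= value of
# the rule whose target is <logfile>; handles both "> name" and "* file /path"
# rule styles. Prints nothing when no rule for that file carries a ttl.
asl_ttl() {
    grep -E "^(> |\* file )([^ ]*/)?$1( |\$)" \
        | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# asl_retention_ok <logfile> <min_days>: exit 0 when the rule keeps the log
# for at least <min_days>.
asl_retention_ok() {
    ttl=$(asl_ttl "$1")
    [ -n "$ttl" ] && [ "$ttl" -ge "$2" ]
}

# Constructed sample contents (not copied from a real system).
SAMPLE_AUDIT_CONTROL='dir:/var/audit
flags:lo,ad,all
minfree:5
naflags:lo
policy:cnt,argv'

SAMPLE_ASL_CONF='# constructed asl.conf excerpt
> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=30
> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90
* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90'

demo() {
    echo "missing audit flags: $(printf '%s\n' "$SAMPLE_AUDIT_CONTROL" | audit_flags_missing)"
    echo "corrected line:      $(printf '%s\n' "$SAMPLE_AUDIT_CONTROL" | audit_flags_fixed | grep '^flags:')"
    for log in system.log appfirewall.log authd.log; do
        if printf '%s\n' "$SAMPLE_ASL_CONF" | asl_retention_ok "$log" 90; then
            echo "$log: retention OK"
        else
            echo "$log: retention below 90 days"
        fi
    done
}
demo
```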

Network Configurations

Disable Bonjour advertising service

Verification:

defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguments

Verify that the output includes -NoMulticastAdvertisements.

Disable:

sudo nano "/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist"

Add the string -NoMulticastAdvertisements to the ProgramArguments array:

<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
    <string>-NoMulticastAdvertisements</string>
</array>

Enable Show wifi Status in Menu bar

defaults read com.apple.systemuiserver menuExtras | grep AirPort.menu

Output should be: /System/Library/CoreServices/Menu Extras/AirPort.menu

File System permissions and access controls

Secure Home Folders

Verification:

ls -l /Users/

Each home folder should show drwx------ or drwx--x--x

Configuration

sudo chmod -R og-rwx /Users/

Or

sudo chmod -R og-rw /Users/

Repair Permissions Regularly

Verification

cat /var/log/system.log* | grep RepairPermissions

Configuration:

diskutil repairPermissions /

Check Applications for proper Permissions

Verification:

sudo find /Applications -iname "*\.app" -type d -perm -2 -ls

Output should be: drwxr-xr-x

Configuration:

sudo chmod -R o-w /Applications/Bad\ Permissions.app/

Check the System folder for world writable files

Verification:

sudo find /System -type d -perm -2 -ls

Configuration:

sudo chmod -R o-w /Bad/Directory

Check Library folder for world writable files

Verification:

sudo find /Library -type d -perm -2 -ls

Configuration:

sudo chmod -R o-w /Bad/Directory

Reduce Sudo Time out Period

Verification:

sudo cat /etc/sudoers | grep timestamp

Output should be: Defaults timestamp_timeout=0

Configuration:

sudo visudo

Add the following line in the # Defaults specification section:

Defaults timestamp_timeout=0

Automatically lock the login key chain after 15 minutes of inactivity and when sleeping

Verification:

security show-keychain-info

Configuration:

  1. Open Utilities
  2. Select Keychain Access
  3. Select a keychain
  4. Select Edit
  5. Select Change Settings for keychain
  6. Authenticate, if requested.
  7. Select the Lock when sleeping setting
  8. Change the Lock after # minutes of inactivity setting to 15 minutes for the Login Keychain, or to a value based on the access frequency of the security credentials included in the keychain for other keychains.

Do not enable the “root” account

Verification:

dscl . -read /Users/root AuthenticationAuthority

Output value should be: No such key: AuthenticationAuthority

Configuration:

  1. Open System Preferences
  2. Select Users & Groups
  3. Click the lock icon to unlock it
  4. In the Network Account Server section, click Join or Edit
  5. Click Open Directory Utility
  6. Click the lock icon to unlock it
  7. Select the Edit menu
  8. Disable Root User

Disable automatic login

Verification:

defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser

Configuration:

sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

Require a password to wake the computer from sleep or screen saver

Verification:

defaults read com.apple.screensaver askForPassword

Configuration:

defaults write com.apple.screensaver askForPassword -int 1

Require an administrator password to get access to system-wide preferences

Verification:

  1. In System Preferences: Security,
  2. General tab
  3. under Advanced,
  4. verify “Require an administrator password to get access to system-wide preferences” is checked.

Configuration:

  1. In System Preferences:
  2. Security,
  3. General tab under Advanced,
  4. check “Require an administrator password to access system-wide preferences”

Disable ability to login to another user’s active and locked session

Verification:

grep -i "group=admin,wheel fail_safe" /etc/pam.d/screensaver

Remediation:

sudo vi /etc/pam.d/screensaver

  1. Locate account required pam_group.so no_warn group=admin,wheel fail_safe
  2. Remove “admin,”
  3. Save

Complex passwords must contain an Alphabetic Character

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresAlpha

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"

Complex passwords must contain a Numeric Character

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresNumeric

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"

Complex passwords must contain a Symbolic Character

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresSymbol

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"

Set a minimum password length

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep minChars

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"

Configure account lockout threshold

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
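The five password policy sections above all verify one key of the same pwpolicy string; a script can check them in one pass. This is an added example, not part of the original guide: it parses the key=value output of "pwpolicy -getglobalpolicy" and compares it with the values configured above. The policy strings it runs on are constructed, and the rule that a maxFailedLoginAttempts of 0 means no lockout is an assumption made here:

```shell
#!/bin/sh
# Added example (not part of the original guide): parses the key=value string
# that "pwpolicy -getglobalpolicy" prints and compares it with the values the
# five sections above configure. The policy strings at the bottom are
# constructed samples; on a live system run:
#   pwpolicy_findings "$(pwpolicy -getglobalpolicy)"

# Thresholds from the sections above. maxFailedLoginAttempts is treated
# specially: 0 is assumed to mean lockout disabled, so it must be 1..5.
PW_MINIMUMS="minChars=15 requiresAlpha=1 requiresNumeric=1 requiresSymbol=1"
LOCKOUT_MAX=5

# policy_value <key> <policy string>: prints the value of <key>, or nothing.
policy_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# pwpolicy_findings <policy string>: one line per failing setting, nothing
# when the policy meets every threshold.
pwpolicy_findings() {
    got=$(policy_value maxFailedLoginAttempts "$1")
    if [ -z "$got" ]; then
        echo "maxFailedLoginAttempts missing"
    elif [ "$got" -lt 1 ] || [ "$got" -gt "$LOCKOUT_MAX" ]; then
        echo "maxFailedLoginAttempts expected 1..$LOCKOUT_MAX got $got"
    fi
    for req in $PW_MINIMUMS; do
        key=${req%%=*}
        want=${req#*=}
        got=$(policy_value "$key" "$1")
        if [ -z "$got" ]; then
            echo "$key missing"
        elif [ "$got" -lt "$want" ]; then
            echo "$key expected>=$want got $got"
        fi
    done
}

# pwpolicy_compliant <policy string>: exit status 0 when there are no findings.
pwpolicy_compliant() {
    [ -z "$(pwpolicy_findings "$1")" ]
}

# Constructed samples in the format pwpolicy prints (other keys omitted).
POLICY_OK="maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
POLICY_WEAK="maxFailedLoginAttempts=0 minChars=8 requiresNumeric=1 requiresAlpha=0"

echo "findings for POLICY_WEAK:"
pwpolicy_findings "$POLICY_WEAK"
pwpolicy_compliant "$POLICY_OK" && echo "POLICY_OK is compliant"
```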

Create an access warning for the login window

Verification:

defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText

Configuration:

Add text with elevated privileges:

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "your text here"

Remove Text with elevated privileges

sudo defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText

Do not enter a password-related hint

Verification:

  1. Open System Preferences
  2. Select Users & Groups
  3. Highlight the user
  4. Select Change Password
  5. Verify that no text is entered in the Password hint box

Configuration:

  1. Open System Preferences
  2. Select Users & Groups
  3. Highlight the user
  4. Select Change Password
  5. Verify that no text is entered in the Password hint box

Secure individual keychain items

Verification:

  1. Open Utilities
  2. Select Keychain Access
  3. Double-click keychain
  4. Select Access Control
  5. Verify if the box next to “Ask for Keychain Password” is checked

Configuration:

  1. Open Utilities
  2. Select Keychain Access
  3. Double-click keychain
  4. Select Access Control
  5. Check box next to “Ask for Keychain Password”

Create specialized keychains for different purposes

Verification:

  1. Open Utilities
  2. Select Keychain Access
  3. Verify there are multiple keychains listed under Keychains on the upper left-hand side of the window

Configuration:

  1. Open Utilities
  2. Select Keychain Access
  3. Select File
  4. Select New Keychain
  5. Input name of new keychain next to Save As
  6. Select Create
  7. Drag and drop desired keychain items into new keychain from login keychain

Display login window as name and password

Verification:

defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME

Configuration:

sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes

Disable “Show password hints”

Verification:

defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint

Configuration:

sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0

Disable guest account login

Verification:

sudo defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled

Output should be: 0

Configuration:

sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO

Disable “Allow guests to connect to shared folders”

Verification:

defaults read /Library/Preferences/com.apple.AppleFileServer | grep -i guest

Output should be: guestAccess = 0;

for SMB sharing:

defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server | grep -i guest

Output should be: AllowGuestAccess = 0;

Configuration:

AFP configuration:

sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no

SMB Configuration:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no

Turn on filename extensions

Verification

defaults read NSGlobalDomain AppleShowAllExtensions

Configuration

  1. Select Finder
  2. Select Preferences
  3. Check Show all filename extensions

Disable the automatic run of safe files in Safari

Verification:

defaults read com.apple.Safari AutoOpenSafeDownloads

Output should be: 0
Configuration:

defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no