Thursday, May 06, 2021

Hardening macOS - Ricard Bejarano



How?

Install a fresh copy of macOS

Note: this step is optional, but highly recommended. It is best to start off with a clean system to avoid carrying over possible misconfigurations.

  1. Boot into Recovery Mode (hold command + R during boot)

  2. (Optional) Go to the Utilities > Firmware Password Utility and consider setting up a firmware password to protect your data should it be lost or stolen

  3. Format the boot drive and install macOS from scratch (Warning: this step will permanently delete the contents of the boot drive)

First boot

  1. Clear the NVRAM (hold command + P + R during boot) (skip if you set up a Firmware Password previously)

  2. Create an administrator user account with a strong password and no hint. This user is for administration purposes only.

  3. Go to System Preferences > Users & Groups and create an unprivileged user account for day-to-day use; Apple itself considers this best practice

  4. Go to System Preferences > Users & Groups > Guest User and uncheck Allow guests to log in to this computer

  5. Go to System Preferences > Software Update and consider enabling automatic updates (if you are not comfortable enabling this, consider at least turning on security updates by going into Advanced… and checking Install system data files and security updates)

  6. Go to System Preferences > Security & Privacy > General and set Require password after sleep to immediately or 5 seconds

  7. Go to System Preferences > Security & Privacy > General and set Allow apps downloaded from to App Store or App Store and identified developers

  8. Go to System Preferences > Security & Privacy > Firewall and turn on the firewall

  9. Go to System Preferences > Security & Privacy > Firewall > Firewall Options… and check Block all incoming connections

  10. Go to System Preferences > Security & Privacy > Privacy > Location and uncheck Enable Location Services

  11. Go to System Preferences > Security & Privacy > Privacy > Analytics and uncheck Share Mac Analytics

  12. Go to System Preferences > Sharing and anonymize the computer's name; this name can be seen by anyone connected to the same network as you

  13. Go to System Preferences > Sharing and turn off every service (turn on only when using it and disable afterwards)

  14. Go to System Preferences > Network > Advanced > DNS, add two entries to DNS Servers for 1.1.1.1 and 1.0.0.1 and remove any other server

  15. Go to System Preferences > Spotlight > Search Results and uncheck Spotlight Suggestions and Allow Spotlight Suggestions in Look up

  16. Go to System Preferences > General and uncheck Allow Handoff between this Mac and your iCloud devices

  17. Go to System Preferences > Bluetooth and turn off Bluetooth (turn on only when using it and disable afterwards)

  18. Go to Finder > Preferences > Advanced and check Show all filename extensions

  19. Disable Captive Portal (use your browser instead):

    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false

  20. Disable Crash Reporter:

    sudo defaults write com.apple.CrashReporter DialogType none

  21. Block malicious domain names using the /etc/hosts file (see StevenBlack/hosts)

  22. Consider running an outbound firewall such as Little Snitch (proprietary, full-featured) or LuLu (open-source, very basic)

  23. Consider doing binary whitelisting with google/santa

  24. Go to System Preferences > Security & Privacy > FileVault and turn on FileVault (note: may take some time)

  25. Secure FileVault when on sleep:

    sudo sh -c 'pmset -a destroyfvkeyonstandby 1; pmset -a hibernatemode 25; pmset -a powernap 0; pmset -a standby 0; pmset -a standbydelay 0; pmset -a autopoweroff 0'

  26. If you plan on using ssh with ssh-agent, add a safe timeout parameter to ssh-agent to protect your credentials:

    # make a copy of com.openssh.ssh-agent.plist (keep its permissions with -p):
    sudo cp -p /System/Library/LaunchAgents/com.openssh.ssh-agent.plist /Library/LaunchAgents/local.com.openssh.ssh-agent.plist
    # edit the copy and add the missing -t and 8h entries so that the
    # ProgramArguments array reads as follows (8h = keys expire after eight hours):
    sudo vim /Library/LaunchAgents/local.com.openssh.ssh-agent.plist
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh-agent</string>
        <string>-l</string>
        <string>-t</string>
        <string>8h</string>
    </array>
    # apply the changes: disable the system agent and load the local copy
    sudo launchctl unload -w /System/Library/LaunchAgents/com.openssh.ssh-agent.plist
    sudo launchctl load /Library/LaunchAgents/local.com.openssh.ssh-agent.plist

  27. Edit /etc/auto_master as root and comment the line beginning with /net (note: this is a workaround to an unpatched vulnerability)

  28. Reboot and log back in as the unprivileged user
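As an added example (not part of the original post), a POSIX shell audit of the pmset settings from step 25: pmset_audit reads the output of pmset -g on stdin, compares each of the six values against the hardened ones and reports any that are missing or differ, so you can confirm the change took and re-check it after an upgrade. The two sample reports embedded below are constructed, not real captures.

```shell
#!/bin/sh
# Added example: audit the pmset values from step 25 against the hardened settings.
# pmset_audit reads a "pmset -g" report on stdin, prints one line per setting
# that is missing or differs, and returns 0 only when every setting matches.
pmset_audit() {
  input=$(cat)
  status=0
  while read -r key want; do
    # pmset prints some keys with capitals (DestroyFVKeyOnStandby), so match case-insensitively
    got=$(printf '%s\n' "$input" | awk -v k="$key" 'tolower($1) == k { print $2; exit }')
    if [ -z "$got" ]; then
      echo "MISSING  $key (want $want)"
      status=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key is $got (want $want)"
      status=1
    fi
  done <<EOF
destroyfvkeyonstandby 1
hibernatemode 25
powernap 0
standby 0
standbydelay 0
autopoweroff 0
EOF
  return $status
}

# Constructed sample reports (not real captures): a stock laptop and a hardened one.
SAMPLE_DEFAULT='System-wide power settings:
Currently in use:
 standby              1
 Sleep On Power Button 1
 hibernatemode        3
 powernap             0
 standbydelay         10800
 autopoweroff         1
 DestroyFVKeyOnStandby 0'
SAMPLE_HARDENED='System-wide power settings:
Currently in use:
 standby              0
 hibernatemode        25
 powernap             0
 standbydelay         0
 autopoweroff         0
 DestroyFVKeyOnStandby 1'
# On a Mac, audit the live settings with:  pmset -g | pmset_audit
```

Against SAMPLE_DEFAULT the audit reports five deviations (everything except powernap); against SAMPLE_HARDENED it prints nothing and returns 0.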

Second boot (user)

  1. Go to System Preferences > Security & Privacy > Privacy > Contacts/Calendars/Reminders/Photos and remove any apps that shouldn't have access to any of those folders, if any

  2. Go to System Preferences > Security & Privacy > Privacy > Camera/Microphone and remove any app you don't want to have access to the camera or microphone, if any

  3. Go to System Preferences > Security & Privacy > Privacy > Full Disk Access and remove any app you don't want to have full-disk access, if any

  4. Go to System Preferences > Security & Privacy > Privacy > Advertising, check Limit Ad Tracking and click Reset Advertising Identifier

  5. Carefully assess and install a web browser. Regardless of your browser…

    • …block third-party cookies
    • …disable DNS preloading
    • …disable Flash support
    • …install an ad blocker
    • …enable Do Not Track
    • …opt-out of telemetry
    • …consider using a privacy-respecting search engine in lieu of Google
    • …consider a whitelist approach to JavaScript execution

    Note: if using Safari, go to Safari > Preferences > Search and uncheck "Include Safari Suggestions", and go to Safari > Preferences > General and uncheck "Open "safe" files after downloading"

  6. Consider tunneling your traffic through a VPN when connected to untrusted networks (see ThatOnePrivacyGuy's VPN comparison or roll your own)

  7. Consider using a privacy-respecting email service provider (see ThatOnePrivacyGuy's email comparison or roll your own)

  8. Consider setting up PGP/GPG encryption for email regardless of your email service provider

That's it?

No.

Again, you don't have a "100% secure system"; you are just a lot harder to screw with than everyone else in the city.

Keep in mind that securing a system is not a one-time job: you must actively back up your data, patch your system and look out for new vulnerabilities. Some general best practices are:

  1. Keep your system up-to-date, both macOS and installed software

  2. Prevent unattended physical access to the device from anyone but yourself

  3. Encrypt sensitive data at rest and in transit

  4. Back up your data: keep multiple encrypted (of course) copies of your data in different physical locations

  5. Keep your guard up, you are your system's last line of defense
