Mots clés :  
  macos 
  
  osx 
  
  harden 
  
  security 
  
  scap 
  
  privacy 
 
Hardening signifie renforcement. Le script ci-dessous renforce certes le système OS X, mais le rends également plus restreint en terme de fonctionnalités. De premier abord, je ne conseille l'application de ce script que si vous le comprenez. Sauf si vous estimez que la sécurité est votre priorité et que les fonctionnalités Apple (iCloud, Facetime, Timemachine, Dashboard, ...) ne vous sont pas nécessaires.




0x01. SCRIPT PRINCIPAL

 
#!/bin/bash
 
 
 
##
# Set environment
# ---------------------------------------------------------------------------------------------------------------------
#
 
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/local/bin:/usr/local/bin:/opt/local/sbin:/usr/local/sbin
SHELL=/bin/bash
COLS=$(tput cols) ; [ ${COLS} -gt 150 ] && COLS=150
W="\\e[1;29m"
B="\\e[0m"
OK="[ \\e[1;32mOK\\e[0m ]"
KO="[ \\e[1;31mKO\\e[0m ]"
 
##
# Welcome
# --------------------------------------------------------------------------------------------------------------------
#
banner()
{
  COLS=$(tput cols) ; [ ${COLS} -gt 150 ] && COLS=150
  for i in $(seq 1 $COLS) ; do printf "—" ; done
  echo "
 
   SecureInfo.eu
                           >>  Hardening script  <<
 
                           Redactors :
 
                            • FREE : Mathias Bynens
                            • STIG : US Department of Defense
                            • STIG : US army, Digital Information Security Agency
 
"
  for i in $(seq 1 $COLS) ; do printf "—" ; done
 
}
 
 
 
##
# Separate titles
# --------------------------------------------------------------------------------------------------------------------
#
title()
{
  str=$(echo "$1"|tr "a-z" "A-Z")
	printf "\\n\\n$W[*] $str ...$B\\n"
}
 
 
 
##
# Align OK & KO
# --------------------------------------------------------------------------------------------------------------------
#
print_result()
{
  msg="$1"
  result="$2"
  for i in $(  seq $(( $COLS-${#msg}-${#result} ))  ) ; do printf " " ; done
  printf "$result"
}
 
 
 
##
# Specific local customized sudo (/usr/local/bin/sudo)
# --------------------------------------------------------------------------------------------------------------------
#
function write_usrlocalsudoers()
{
  file="/usr/local/etc/sudoers"
  [ ! -f "$file.bak" ] && cp "$file" "$file.bak"
  echo '# sudoers file.
# -------------
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
 
 
#
# Aliases
#--------------------------------------------------------------------
 
 
# Host alias specification
 
# User alias specification
 
# Cmnd alias specification
Cmnd_Alias APP_SYSTEM = /sbin/shutdown,/sbin/halt,/sbin/reboot,/sbin/mount_rorw,/sbin/umount,/sbin/umount_bin,/usr/local/sbin/umount_all
 
# Do not enter in shell as root
Cmnd_Alias SHELLS = /bin/zsh,/bin/bash,/bin/csh,/bin/ksh,/bin/sh,/bin/tcsh,/bin/rzsh,/usr/bin/login
 
# # Allow without TTY
# Cmnd_Alias APP_GUI = /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt,/Applications/Wireshark.app/Contents/MacOS/Wireshark-bin
 
 
 
#
# Environment
#--------------------------------------------------------------------
 
Defaults  env_reset
Defaults  env_keep += "BLOCKSIZE"
Defaults  env_keep += "COLORFGBG COLORTERM"
Defaults  env_keep += "__CF_USER_TEXT_ENCODING"
Defaults  env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults  env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults  env_keep += "LINES COLUMNS"
Defaults  env_keep += "LSCOLORS"
Defaults  env_keep += "SSH_AUTH_SOCK"
Defaults  env_keep += "TZ"
Defaults  env_keep += "EDITOR VISUAL"
Defaults  env_keep += "HOME MAIL"
Defaults  env_keep += "NOLOG_OUTPUT"
Defaults  env_keep += "NOLOG_INPUT"
 
 
#
# Security precognized by sudo politic
# -------------------------------------------------------------------
 
Defaults  env_delete += "BASH_FUNC"
Defaults  env_delete += "RUBYOPT"
Defaults  env_delete += "RUBYLIB"
Defaults  env_delete += "PYTHONUSERBASE"
Defaults  env_delete += "PYTHONINSPECT"
Defaults  env_delete += "PYTHONPATH"
Defaults  env_delete += "PYTHONHOME"
Defaults  env_delete += "TMPPREFIX"
Defaults  env_delete += "ZDOTDIR"
Defaults  env_delete += "READNULLCMD"
Defaults  env_delete += "NULLCMD"
Defaults  env_delete += "FPATH"
Defaults  env_delete += "PERL5DB"
Defaults  env_delete += "PERL5OPT"
Defaults  env_delete += "PathERL5LIB"
Defaults  env_delete += "PERLLIB"
Defaults  env_delete += "PERLIO_DEBUG"
Defaults  env_delete += "JAVA_TOOL_OPTIONS"
Defaults  env_delete += "SHELLOPTS"
Defaults  env_delete += "GLOBIGNORE"
Defaults  env_delete += "PS4"
Defaults  env_delete += "BASH_ENV"
Defaults  env_delete += "ENV"
Defaults  env_delete += "TERMCAP"
Defaults  env_delete += "TERMPATH"
Defaults  env_delete += "TERMINFO_DIRS"
Defaults  env_delete += "TERMINFO"
Defaults  env_delete += "DYLD_LIBRARY_PATH"
Defaults  env_delete += "LD_PRELOAD"
Defaults  env_delete += "PATH_LOCALE"
Defaults  env_delete += "NLSPATH"
Defaults  env_delete += "HOSTALIASES"
Defaults  env_delete += "RES_OPTIONS"
Defaults  env_delete += "LOCALDOMAIN"
Defaults  env_delete += "CDPATH"
Defaults  env_delete += "IFS"
Defaults  env_delete += "DYLD_PRINT_TO_FILE"
 
 
 
#
# Options
#--------------------------------------------------------------------
 
# sudo variable
Defaults     badpass_message = "sudo: Sorry"
Defaults     !insults
Defaults     !logfile
Defaults     !visiblepw
 
# Restricted OSX base path
Defaults     secure_path = "/bin:/sbin:/usr/bin:/usr/sbin"
 
# Password policy: unlock one time but unlock forever only on current TTY
# Root password asked, to prevent script to use current user password
Defaults     passwd_timeout = 3
Defaults     timestamp_timeout = 0
Defaults     passwd_tries = 2
Defaults     tty_tickets
Defaults     rootpw
 
# # May be too restrictive
# # Sudo can only run in TTY
# Defaults             requiretty
# Defaults!APP_GUI    !requiretty
# Defaults!SUDO       !requiretty
 
 
 
#
# User privilege specification
#--------------------------------------------------------------------
 
# Unique super user always can do everything
root	ALL=(ALL)         ALL
 
# Same thing without a password for specific commands
%admin ALL=(ALL)         PASSWD:   ALL
%admin ALL=(root:wheel)  NOPASSWD: SUDO, APP_SYSTEM
%admin ALL=(root:wheel)  NOPASSWD: APP_GUI
' > "$file"
	chown 0:0 "$file"
	chmod 440 "$file"
}
 
 
 
##
# Harden audit OSX system
# --------------------------------------------------------------------------------------------------------------------
#
function write_securityaudit()
{
  file="/etc/security/audit_control"
  [ ! -f "$file.bak" ] && cp "$file" "$file.bak"
  echo '
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
## SecureInfo.eu - iUnix - /etc/security/audit_control
#
dir:/var/audit
flags:lo,fm,ad,aa
minfree:25
naflags:lo,aa
policy:cnt,argv,ahlt
filesz:2M
expire-after:7d
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
' > /etc/security/audit_control
audit -s
}
 
 
 
##
# Network hardening SecureInfo.eu hints
# --------------------------------------------------------------------------------------------------------------------
#
function write_sysctl()
{
  if ! touch /etc/sysctl.conf ; then
    echo '[!] Unable to write /etc/sysctl.conf'
    return 1
  fi
 
cat << EOF > /etc/sysctl.conf
 
	### SecureInfo.eu - iUnix - /etc/sysctl.conf
 
  # Be verbose, but not too much
  net.inet.ip.fw.verbose_limit=5
  net.inet.ip.fw.verbose=2
 
  # By default, drop packet to UDP closed port
  net.inet.udp.blackhole=1
 
  # By default, drop packet to TCP closed port
  net.inet.tcp.blackhole=2
 
  # TTL is 128, like Windows (decoy)
  net.inet.ip.ttl=128
 
  # Deny BAD TTL packets
  net.inet.ip.linklocal.in.allowbadttl=0
 
  # No broadcast ICMP echo
  net.inet.icmp.bmcastecho=0
 
  # No IP redirect
  net.inet.ip.redirect=0
 
  # Do not tog unattended ARP packets (to prevent DoS attack)
  net.link.ether.inet.log_arp_warnings=0
 
  # No IPv6 redirect
  net.inet6.ip6.redirect=0
 
  # Drop ICMP redirect
  net.inet.icmp.drop_redirect=1
 
  # Drop ICMPv redirect
  net.inet6.icmp.drop_redirect=1
 
  # Log ICMP redirect
  net.inet.icmp.log_redirect=1
 
  # Do not reply to ICMP mask request
  net.inet.icmp.maskrepl=0
 
  # Do not reply to spoofed source IP packet
  net.inet.ip.sourceroute=0
 
  # Don't care about IPv6
  net.inet6.ip6.fw.verbose=0
 
  # Disable ARP unicast
  net.link.ether.inet.arp_unicast_lim=0
 
  ## Disable scope route & ARP unicast
  # net.inet.ip.scopedroute=0  # Kernel Flag
  # net.inet.ip6.scopedroute=0 # See: "/Library/Preferences/SystemConfiguration/com.apple.Boot.plist"
 
  # IP forwarding for IPv6 must not be enabled
  net.inet6.ip6.forwarding=0
 
  # IP forwarding for IPv4 must not be enabled
  net.inet.ip.forwarding=0
 
  # The system must not send IPv6 ICMP redirects by default
  net.inet6.ip6.redirect=0
 
  # The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
  net.inet.icmp.timestamp=0
 
EOF
}
 
 
 
##
# Network hardening SecureInfo.eu hints
# --------------------------------------------------------------------------------------------------------------------
#
function secureinfo_enhancement()
{
  msg="  [+] Disable shell for user root"
  printf "\\n$msg"
	chsh -s /sbin/nologin root >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] Write /etc/sysctl.conf security file"
  printf "\\n$msg"
	write_sysctl
	res=$KO ; grep -sq "SecureInfo.eu" "/etc/sysctl.conf" && res=$OK
  print_result "$msg" "$res"
 
  msg="  [+] Write /etc/security/audit_control file"
  printf "\\n$msg"
	write_securityaudit >/dev/null 2>&1
	res=$KO ; grep -sq "SecureInfo.eu" "/etc/security/audit_control" && res=$OK
  print_result "$msg" "$res"
 
  msg="  [+] Writting hardend sudoers"
  printf "\\n$msg"
	res=$KO ; write_usrlocalsudoers && res=$OK
	print_result "$msg" "$res"
 
  msg="  [+] Disable GameController service"
  printf "\\n$msg"
	launchctl unload -w /System/Library/LaunchDaemons/com.apple.GameController.gamecontrollerd.plist 2>/dev/null
	launchctl unload -w /System/Library/LaunchAgents/com.apple.gamed.plist 2>/dev/null
	print_result "$msg" "$OK"
 
  msg="  [+] Disable FindMyMac services (this computer does not use iCloud services)"
  printf "\\n$msg"
	launchctl unload -w /System/Library/LaunchDaemons/com.apple.findmymac.plist 2>/dev/null
	launchctl unload -w /System/Library/LaunchDaemons/com.apple.findmymacmessenger.plist 2>/dev/null
	launchctl unload -w /System/Library/LaunchDaemons/com.apple.icloud.findmydeviced.plist 2>/dev/null
	launchctl unload -w /System/Library/LaunchAgents/com.apple.findmymacmessenger.plist 2>/dev/null
	launchctl unload -w /System/Library/LaunchAgents/com.apple.icloud.findmydeviced.findmydevice-user-agent.plist 2>/dev/null
	print_result "$msg" "$OK"
 
  msg="  [+] Disable XSan services (this computer is not a XSan server)"
  printf "\\n$msg"
	launchctl unload -w /System/Library/LaunchDaemons/com.apple.xsan.plist 2>/dev/null
	launchctl unload -w /System/Library/LaunchDaemons/com.apple.xsandaily.plist 2>/dev/null
	print_result "$msg" "$OK"
 
  msg="  [+] Disable voice over share services"
  printf "\\n$msg"
	launchctl unload -w /System/Library/LaunchAgents/com.apple.VoiceOver.plist 2>/dev/null
	print_result "$msg" "$OK"
 
  msg="  [+] Disable Spotlight/Appstore/Safari suggestions"
  printf "\\n$msg"
	launchctl unload -w /System/Library/LaunchAgents/com.apple.suggestd.plist 2>/dev/null
	print_result "$msg" "$OK"
 
  msg="  [+] Disable power chime (startup sound)"
  printf "\\n$msg"
	sed -i 's|<true/>|<false/>|1' /System/Library/LaunchAgents/com.apple.powerchime.plist
	print_result "$msg" "$OK"
 
  msg="  [+] Disable photos social share services"
  printf "\\n$msg"
	launchctl unload -w /System/Library/LaunchAgents/com.apple.SocialPushAgent.plist 2>/dev/null
	print_result "$msg" "$OK"
 
  msg="  [+] Disable photos library services (this computer is not a multimedia station)"
  printf "\\n$msg"
	launchctl unload -w /System/Library/LaunchAgents/com.apple.PhotoLibraryMigrationUtility.XPC.plist 2>/dev/null
	launchctl unload -w /System/Library/LaunchAgents/com.apple.photolibraryd.plist 2>/dev/null
	print_result "$msg" "$OK"
}
 
 
 
 
##
# Mathias Bynens / "Hacky script", found on GitHub to customise for developer/admin
# URL: https://github.com/mathiasbynens/dotfiles/blob/master/.osx
# --------------------------------------------------------------------------------------------------------------------
#
function auto_configure()
{
  msg="  [+] Disable Spotlight indexing for any volume that gets mounted and has not yet been indexed before"
  printf "\\n$msg"
  defaults write /.Spotlight-V100/VolumeConfiguration Exclusions -array "/Volumes"
  print_result "$msg" "$OK"
 
  msg="  [+] Automatically quit printer app once the print jobs complete"
  printf "\\n$msg"
  defaults write com.apple.print.PrintingPrefs "Quit When Finished" -bool true
  print_result "$msg" "$OK"
 
  msg="  [+] Displaying ASCII control characters using caret notation in standard text views"
  printf "\\n$msg"
  defaults write NSGlobalDomain NSTextShowsControlCharacters -bool true
  print_result "$msg" "$OK"
 
  msg="  [+] Save to disk, rather than iCloud, by default"
  printf "\\n$msg"
  defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
  print_result "$msg" "$OK"
 
  msg="  [+] Removing duplicates in the 'Open With' menu"
  printf "\\n$msg"
  /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill \\
   -r -domain local -domain system -domain user
  print_result "$msg" "$OK"
 
  msg="  [+] Disable smart quotes and smart dashes"
  printf "\\n$msg"
  defaults write NSGlobalDomain NSAutomaticQuoteSubstitutionEnabled -bool false
  defaults write NSGlobalDomain NSAutomaticDashSubstitutionEnabled -bool false
  print_result "$msg" "$OK"
 
  msg="  [+] Disable the sudden motion sensor (it's not useful for SSDs/current MacBooks)"
  printf "\\n$msg"
  pmset -a sms 0 >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] Disable the menubar transparency"
  printf "\\n$msg"
  defaults write com.apple.universalaccess reduceTransparency -bool true
  print_result "$msg" "$OK"
 
  msg="  [+] Enabling full keyboard access for all controls (enable Tab in modal dialogs, menu windows, etc.)"
  printf "\\n$msg"
  defaults write NSGlobalDomain AppleKeyboardUIMode -int 3
  print_result "$msg" "$OK"
 
  msg="  [+] Disable auto-correct"
  printf "\\n$msg"
  defaults write NSGlobalDomain NSAutomaticSpellingCorrectionEnabled -bool false
  print_result "$msg" "$OK"
 
  msg="  [+] Disable display from automatically adjusting brightness? (y/n)"
  printf "\\n$msg"
  defaults write /Library/Preferences/com.apple.iokit.AmbientLightSensor "Automatic Display Enabled" -bool false
  print_result "$msg" "$OK"
 
  msg="  [+] Disable keyboard from automatically adjusting backlight brightness in low light? (y/n)"
  printf "\\n$msg"
  defaults write /Library/Preferences/com.apple.iokit.AmbientLightSensor "Automatic Keyboard Enabled" -bool false
  print_result "$msg" "$OK"
 
  msg="  [+] Requiring password immediately after sleep or screen saver begins"
  printf "\\n$msg"
  defaults write com.apple.screensaver askForPassword -int 1
  defaults write com.apple.screensaver askForPasswordDelay -int 0
  print_result "$msg" "$OK"
 
  msg="  [+] Enabling subpixel font rendering on non-Apple LCDs"
  printf "\\n$msg"
  defaults write NSGlobalDomain AppleFontSmoothing -int 2
  print_result "$msg" "$OK"
 
  msg="  [+] Avoid creation of .DS_Store files on network volumes"
  printf "\\n$msg"
  defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true
  print_result "$msg" "$OK"
 
  msg="  [+] Allowing text selection in Quick Look/Preview in Finder by default"
  printf "\\n$msg"
  defaults write com.apple.finder QLEnableTextSelection -bool true
  print_result "$msg" "$OK"
 
  msg="  [+] Privacy: Don't send search queries to Apple"
  printf "\\n$msg"
  defaults write com.apple.Safari UniversalSearchEnabled -bool false
  defaults write com.apple.Safari SuppressSearchSuggestions -bool true
  print_result "$msg" "$OK"
 
  msg="  [+] Hiding Safari's bookmarks bar by default"
  printf "\\n$msg"
  defaults write com.apple.Safari ShowFavoritesBar -bool false
  print_result "$msg" "$OK"
 
  msg="  [+] Prevent Time Machine from prompting to use new hard drives as backup volume"
  printf "\\n$msg"
  defaults write com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true
  print_result "$msg" "$OK"
 
  msg="  [+] Disable local Time Machine backups? (This can take up a ton of SSD space on <=128GB SSDs)"
  printf "\\n$msg"
  hash tmutil &> /dev/null && tmutil disablelocal
  print_result "$msg" "$OK"
 
}
 
 
 
##
# U_Apple_OS_X_10-10_Workstation_V1R2_Manual-xccdf.xml from DoD & DISA Security technical information guide (STIG)
# DoD : (US) Department of Defense
# DISA : (US military) Defense Information System Agency
# --------------------------------------------------------------------------------------------------------------------
#
dod_hardening()
{
  msg="  [+] Disabled RSH protocol (not encrypted) : "
  printf "\\n$msg"
  launchctl disable system/com.apple.rexecd
  launchctl print-disabled system | grep -sq com.apple.rexecd && print_result "$msg" "$OK"
 
  msg="  [+] The operating system must implement cryptography to protect the integrity of remote access sessions : "
  printf "\\n$msg"
  launchctl disable system/com.apple.telnetd
  launchctl print-disabled system | grep -sq com.apple.telnetd && print_result "$msg" "$OK"
 
  msg="  [+] The rshd service must be disabled : "
  printf "\\n$msg"
  launchctl disable system/com.apple.rshd
  launchctl print-disabled system | grep -sq com.apple.rshd && print_result "$msg" "$OK"
 
  msg="  [+] The operating system must monitor remote access methods : "
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  grep -sq ^flags /etc/security/audit_control && print_result "$msg" "$OK"
 
  msg="  [+] The operating system must enforce requirements for remote connections to the information system : "
  printf "\\n$msg"
  launchctl disable system/com.apple.screensharing
  launchctl print-disabled system | grep -sq com.apple.screensharing && print_result "$msg" "$OK"
 
  # msg="  [+] The Bluetooth software driver must be removed : "
  # rm -rf /System/Library/Extensions/IOBluetoothFamily.kext /System/Library/Extensions/IOBluetoothHIDDriver.kext
  # touch /System/Library/Extensions
  # kextstat | grep -i -sq bluetooth || print_result "$msg" "$OK"
 
  # msg="  [+] Wi-Fi support software must be disabled : "
  # networksetup -setnetworkserviceenabled 'Wi-Fi' off
  # networksetup -listallnetworkservices
 
  msg="  [+] Infrared [IR] support must be disabled : "
  printf "\\n$msg"
  defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool FALSE
  defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled |grep -sq 1 || \\
   print_result "$msg" "$OK"
 
  msg="  [+] Automatic actions must be disabled for blank CDs : "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.cd.appeared'2>&1|grep -sq  "1" || \\
   print_result "$msg" "$KO"
 
  msg="  [+] Automatic actions must be disabled for blank DVDs : "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.dvd.appeared' 2>&1|grep -sq "1" || \\
   print_result "$msg" "$KO"
 
  msg="  [+] Automatic actions must be disabled for music CDs : "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.cd.music.appeared'2>&1|grep -sq  "1" || \\
   print_result "$msg" "$KO"
 
  msg="  [+] Automatic actions must be disabled for picture CDs : "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.cd.picture.appeared'2>&1|grep -sq  "1" || \\
   print_result "$msg" "$KO"
 
  msg="  [+] Automatic actions must be disabled for video DVDs : "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.dvd.video.appeared'2>&1|grep -sq  "1" || \\
   print_result "$msg" "$KO"
 
  msg="  [+] SMB File Sharing must be disabled unless required : "
  printf "\\n$msg"
  launchctl disable system/com.apple.smbd
  launchctl print-disabled system | grep -sq com.apple.smbd && print_result "$msg" "$OK"
 
  msg="  [+] Apple File (AFP) Sharing must be disabled : "
  printf "\\n$msg"
  launchctl disable system/com.apple.AppleFileServer
  launchctl print-disabled system | grep -sq com.apple.AppleFileServer && print_result "$msg" "$OK"
 
  msg="  [+] The NFS daemon must be disabled unless required : "
  printf "\\n$msg"
  launchctl disable system/com.apple.nfsd
  launchctl print-disabled system | grep -sq com.apple.nfsd && print_result "$msg" "$OK"
 
  msg="  [+] The NFS lock daemon must be disabled unless required : "
  printf "\\n$msg"
  launchctl disable system/com.apple.lockd
  launchctl print-disabled system | grep -sq com.apple.lockd && print_result "$msg" "$OK"
 
  msg="  [+] The NFS stat daemon must be disabled unless required : "
  printf "\\n$msg"
  launchctl disable system/com.apple.statd.notify
  launchctl print-disabled system | grep -sq com.apple.statd.notify && print_result "$msg" "$OK"
 
  msg="  [+] The operating system must generate audit records for privileged activities or other system-level access."
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] The operating system must generate audit records when successful/unsuccessful logon attempts occur."
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] The operating system must initiate session audits at system startup : "
  printf "\\n$msg"
  launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist >/dev/null 2>&1
  launchctl list | grep -sq com.apple.auditd && print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must provide audit record generation capability for DoD-defined auditable events"
  msg=$msg"\\n      for all operating system components."
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  sed -i.bak '/^flags/ s/$/,lo,ad,aa/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must generate audit records for all account creations, modifications, disabling,"
  msg=$msg"\\n      and termination events."
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must allocate audit record storage capacity to store at least one weeks worth of"
  msg=$msg"\\n      audit records, when audit records are not immediately sent to a central audit record storage facility."
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must provide an immediate warning to the SA and ISSO (at a minimum) when"
  msg=$msg"\\n      allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity."
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum,"
  msg=$msg"\\n      of all audit failure events requiring real-time alerts."
  printf "\\n\\n$msg"
  sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; audit -s >/dev/null 2>&1
  msg="      of all audit failure events requiring real-time alerts."
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The audit service must be configured to create log files with the correct ownership to prevent"
  msg=$msg"\\n      normal users from reading audit logs. Audit logs contain sensitive data about the system and about"
  msg=$msg"\\n      users. If log files are set to only be readable and writable by root or administrative users with"
  msg=$msg"\\n      sudo, the risk is mitigated : "
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  ( chown root /var/audit/* >/dev/null 2>&1
  ls -le $(grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') 2>&1| grep -vsq current ) >/dev/null 2>&1 && print_result "$msg" "$OK"
 
  msg="\\n  [+] The audit service must be configured to create log files with the correct group-ownership to prevent"
  msg=$msg"\\n      normal users from reading audit logs. Audit logs contain sensitive data about the system and about users."
  msg=$msg"\\n      If log files are set to only be readable and writable by root or administrative users with sudo, the"
  msg=$msg"\\n      risk is mitigated : "
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  chgrp wheel /var/audit/* >/dev/null 2>&1
  ls -le $(grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') 2>&1| grep -vsq current && print_result "$msg" "$OK"
 
  msg="\\n  [+] The audit service must be configured to create log files with the correct group-ownership to prevent"
  msg=$msg"\\n      normal users from reading audit logs. Audit logs contain sensitive data about the system and about users."
  msg=$msg"\\n      If log files are set to only be readable and writable by root or administrative users with sudo, the"
  msg=$msg"\\n      risk is mitigated."
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  chgrp wheel /var/audit >/dev/null 2>&1
  ls -lde $(grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] Log files must not contain ACLs."
  printf "\\n\\n$msg"
  chmod -R -N /var/log >/dev/null 2>&1
  chmod -R -N /var/audit >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] The Security assessment policy subsystem must be enabled : "
  printf "\\n$msg"
  spctl --master-enable >/dev/null 2>&1
  spctl --status | grep -sq enabled && print_result "$msg" "$OK"
 
  # msg="  [+] A configuration profile must be installed."
  # printf "\\n$msg"
  # profiles -H
  # print_result "$msg" "$OK"
 
  # msg="  [+] The operating system must employ a deny-all, permit-by-exception policy to allow the execution"
  # msg=$msg"\\n      of authorized software programs : "
  # printf "\\n$msg"
  # msg="$(printf "$msg"|tail -n1)"
  # profiles -Pv | grep -sq 'Application Restrictions' && print_result "$msg" "$OK" || print_result "$msg" "$KO"
 
  msg="  [+] The system preference panel iCloud must be removed."
  printf "\\n\\n$msg"
  rm -rf /System/Library/PreferencePanes/iCloudPref.prefPane
 
  msg="  [+] Sending diagnostic and usage data to Apple must be disabled : "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep AutoSubmit || print_result "$msg" "$OK"
 
  msg="  [+] Find My Mac must be disabled : "
  printf "\\n$msg"
  launchctl disable system/com.apple.findmymacd
  launchctl print-disabled system | grep -sq com.apple.findmymacd && print_result "$msg" "$OK"
 
  msg="  [+] Find My Mac messenger must be disabled : "
  printf "\\n$msg"
  launchctl disable system/com.apple.findmymacmessenger
  launchctl print-disabled system | grep -sq com.apple.findmymacmessenger && print_result "$msg" "$OK"
 
  msg="  [+] Location Services must be disabled : "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep -sq DisableLocationServices && print_result "$msg" "$OK"
 
  msg="  [+] Bonjour multicast advertising must be disabled on the system : "
  printf "\\n$msg"
	res=$KO
	defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder|grep -sq NoMulticastAdvertisements || \\
   /usr/libexec/PlistBuddy -c "Add :ProgramArguments:2 string '-NoMulticastAdvertisements'" \\
   /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
  defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder | \\
   grep -sq NoMulticastAdvertisements /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist  && res=$OK
  print_result "$msg" "$res"
 
  msg="  [+] The UUCP service must be disabled : "
  printf "\\n$msg"
	res=$KO
  launchctl disable system/com.apple.uucp
  launchctl print-disabled system | grep -sq com.apple.uucp && res=$OK
	print_result "$msg" "$res"
 
  msg="  [+] The operating system must require individuals to be authenticated with an individual authenticator"
  msg=$msg"\\n      prior to using a group authenticator : "
  printf "\\n\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  sed -i.bak 's/^[\\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
  res=$KO ; grep -sq "^PermitRootLogin no" /etc/ssh/sshd_config && res=$OK
	print_result "$msg" "$res"
 
  msg="\\n  [+] The operating system must implement replay-resistant authentication mechanisms for network access"
  msg=$msg"\\n      to privileged accounts : "
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/ssh/sshd_config
  res=$KO ; grep -sq "^Protocol 2" /etc/ssh/sshd_config && res=$OK
	print_result "$msg" "$res"
 
  msg="  [+] The operating system must transmit only cryptographically-protected passwords (disable telnetd) : "
  printf "\\n\\n$msg"
  launchctl disable system/com.apple.telnetd >/dev/null 2>&1
  launchctl print-disabled system | grep -sq com.apple.telnetd && print_result "$msg" "$OK"
 
  msg="  [+] The SSH daemon ClientAliveInterval option must be set correctly : "
  printf "\\n$msg"
  sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 600/' /etc/ssh/sshd_config
  grep -sq "^ClientAliveInterval 600" /etc/ssh/sshd_config && print_result "$msg" "$OK"
 
  msg="  [+] The SSH daemon ClientAliveCountMax option must be set correctly : "
  printf "\\n$msg"
  sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config
  grep -sq "^ClientAliveCountMax 0" /etc/ssh/sshd_config && print_result "$msg" "$OK"
 
  msg="  [+] The SSH daemon LoginGraceTime must be set correctly : "
  printf "\\n$msg"
  sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config
  grep -sq "^LoginGraceTime 30" /etc/ssh/sshd_config && print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must issue or obtain public key certificates under an appropriate certificate"
  msg=$msg"\\n      policy from an approved service provider : "
  printf "\\n$msg"
  msg="$(printf "$msg"|tail -n1)"
  security dump-keychain | grep labl | awk -F\\" '{ print $4 }'|grep -vE "^Avast|^Apple|^com.apple"|\\
   grep "." && print_result "$msg" "$KO"
 
#   msg="  [+] The usbmuxd daemon must be disabled : "
#   printf "\\n\\n$msg"
#   launchctl unload -w /System/Library/LaunchDaemons/com.apple.usbmuxd.plist >/dev/null 2>&1
#   launchctl list | grep -sq usbmuxd || print_result "$msg" "$OK"
 
  msg="  [+] Bluetooth devices must not be allowed to wake the computer."
  printf "\\n\\n$msg"
	defaults -currentHost delete com.apple.Bluetooth RemoteWakeEnabled >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] Remote Apple Events must be disabled."
  printf "\\n$msg"
  launchctl disable system/com.apple.AEServer >/dev/null 2>&1
  launchctl print-disabled system | grep -sq com.apple.AEServer && print_result "$msg" "$OK"
 
  msg="  [+] The root account must be the only account having a UID of 0 -> "
  printf "\\n$msg"
  dscl . -list /Users UniqueID | grep -w 0 | grep -Ev "^root\\s+0"|grep . || print_result "$msg" "$OK"
 
  msg="  [+] The application firewall must be disabled (iUnix : managed by ipfw & HandsOff)."
  printf "\\n$msg"
  /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
 
  msg="  [+] All public directories must be owned by root or an application account... -> "
  printf "\\n$msg"
  find / -type d -perm +o+w -not -uid 0 -exec chown root {} \\; >/dev/null 2>&1
  [ $? -eq 0 ] && print_result "$msg" "$OK" || print_result "$msg" "$KO"
 
  msg="  [+] The finger service must be disabled."
  printf "\\n$msg"
  launchctl disable system/com.apple.fingerd
  launchctl print-disabled system | grep com.apple.fingerd
 
  msg="  [+] The sticky bit must be set on all public directories... -> "
  printf "\\n$msg"
  find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -exec chmod +t {} \\; >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] The prompt for Apple ID and iCloud must be disabled."
  printf "\\n$msg"
  (
    defaults write  /System/Library/User\\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant \\
     DidSeeCloudSetup -bool TRUE
    defaults write /System/Library/User\\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant \\
     LastSeenCloudProductVersion '10.11'
  ) >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] Users must not have Apple IDs signed into iCloud -> "
  printf "\\n$msg"
  print_result "$msg" "$OO"
  find /Users/*/Library -name 'MobileMeAccounts.plist' -exec defaults delete '{}' \\; 2>/dev/null
 
  msg="  [+] iTunes Music Sharing must be disabled : "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep disableSharedMusic|grep -sq 1 && print_result "$msg" "$KO"
 
  msg="  [+] Secure virtual memory must be used."
  printf "\\n$msg"
  defaults write /Library/Preferences/com.apple.virtualMemory DisableEncryptedSwap -bool FALSE
  print_result "$msg" "$OK"
 
  msg="  [+] Internet Sharing must be disabled : "
  printf "\\n$msg"
  launchctl disable system/com.apple.NetworkSharing
  launchctl print-disabled system | grep -sq com.apple.NetworkSharing && print_result "$msg" "$OK"
 
  msg="  [+] The operating system must shut down by default upon audit failure (unless availability is"
  msg=$msg"\\n      an overriding concern) : "
  printf "\\n$msg"
  msg="      an overriding concern) : "
  sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  grep ^policy /etc/security/audit_control | grep -sq ahlt && print_result "$msg" "$OK"
 
  msg="  [+] AirDrop must be disabled -> "
  printf "\\n$msg"
  system_profiler SPConfigurationProfileDataType | grep DisableAirDrop || print_result "$msg" "$KO"
 
  msg="\\n  [+] The operating system must generate audit records for all kernel module load, unload, and restart"
  msg=$msg"\\n      actions, and also for all program initiations."
  msg="$(printf "$msg"|tail -n1)"
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must generate audit records when successful/unsuccessful attempts to"
  msg=$msg"\\n      modify security objects occur."
  msg="$(printf "$msg"|tail -n1)"
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must generate audit records when successful/unsuccessful attempts to"
  msg=$msg"\\n      modify security levels occur."
  msg="$(printf "$msg"|tail -n1)"
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must generate audit records when successful/unsuccessful attempts to"
  msg=$msg"\\n      modify categories of information (e.g., classification levels) occur."
  msg="$(printf "$msg"|tail -n1)"
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must generate audit records when successful/unsuccessful attempts to"
  msg=$msg"\\n      delete privileges occur."
  msg="$(printf "$msg"|tail -n1)"
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="\\n  [+] The operating system must generate audit records when successful/unsuccessful attempts to"
  msg=$msg"\\n      access privileges occur."
  msg="$(printf "$msg"|tail -n1)"
  printf "\\n$msg"
  sed -i.bak '/^flags/ s/$/,lo,ad,aa/' /etc/security/audit_control; audit -s >/dev/null 2>&1
  print_result "$msg" "$OK"
 
  msg="  [+] Web Sharing must be disabled : "
  printf "\\n$msg"
  launchctl disable system/org.apache.httpd
  launchctl print-disabled system | grep -sq org.apache.httpd && print_result "$msg" "$OK"
 
  msg="  [+] iCloud features must be disabled."
  printf "\\n$msg"
  launchctl disable system/com.apple.icloud.findmydeviced
  launchctl disable system/com.apple.SafariCloudHistoryPushAgent
  launchctl disable system/com.apple.icloud.fmfd
  launchctl disable system/com.apple.iCloudUserNotificationsd
  print_result "$msg" "$OK"
 
  msg="  [+] FTP Sharing must be disabled : "
  printf "\\n$msg"
  launchctl disable system/com.apple.ftpd
  launchctl print-disabled system | grep -sq com.apple.ftpd && print_result "$msg" "$OK"
}
 
 
 
##
# Check if changes can be applied
# --------------------------------------------------------------------------------------------------------------------
#
 
if [ -x /usr/bin/csrutil ]; then
  if csrutil status|grep enabled ; then
		echo
    echo '[!] OS X system integrity enabled, unable to harden system.'
		echo '    What to do:'
    echo '    1- at boot: CMD+R'
    echo '    2- launch Terminal'
    echo '    3- type: csrutil disable'
    echo '    4- reboot'
    echo '    5- execute hardening script'
    echo '    6- reboot and press CMD+R'
    echo '    7- launch Terminal'
    echo '    8- type: csrutil enable'
    echo '    9- reboot'
		echo
    return 1
  fi
fi
 
 
 
##
# Apply changes
# --------------------------------------------------------------------------------------------------------------------
#
 
clear
banner
 
 
 
# Create groups and attach current admin user to this groups
NEW_INSTALL=1
[ -f "/Applications/CLI.app/Contents/MacOS/iTerm" -a -f "/opt/local/bin/pv" -a -f "/usr/local/libexec/rclocal" ] && \\
 NEW_INSTALL=0
 
if [ $NEW_INSTALL -eq 1 ]; then
	if [ "$USER" != "root" ]; then
		user=$USER
	else
		printf "[?] Enter the user to add to administration groups: "
		read user
	fi
	for group in compilers  schedulers sudoers netadmin; do
		echo "[+] Creating group $group ..."
		dseditgroup -o create $group
		echo "[+] Adding $user to $group ..."
		dseditgroup -o edit -a $user -t user $group
	done
fi
 
title "Auto-configuring OSX"
auto_configure
 
title "Applying DoD/DISA hardening policy"
dod_hardening
 
title "SecureInfo.eu enhancement"
secureinfo_enhancement
 
  msg="  [+] Hardening files permissions"
  printf "\\n$msg"
  res=$KO ; /usr/local/libexec/build_custom_permissions fix_all >/dev/null 2>&1 && res=$OK
  print_result "$msg" "$res"
 
  msg="  [+] Removing useless apps & services"
  printf "\\n$msg"
  res=$KO ; /usr/local/libexec/remove-osx-apps >/dev/null 2>&1 && res=$OK
  print_result "$msg" "$res"
 
 
echo
echo
echo "[!] Need restart to take all effects."
echo
 
 
 




0x02. RENFORCEMENT DES PERMISSIONS UNIX


L'idée est de n'autoriser l'exécution de certains programmes à des groupes d'utilisateurs :
- seuls les utilisateurs du groupe "compilers" ont le droit d'exécuter : gcc, xcodebuild, ...
- seuls les utilisateurs du groupe "netadmin" ont le droit d'exécuter : ifconfig, netstat, ...
- seuls les utilisateurs du groupe "schedulers" ont le droit d'exécuter : at, crontab, ...
- seuls les utilisateurs du groupe "sudoers" ont le droit d'exécuter : su, sudo, ...

build_custom_permissions est téléchargeable ici.





0x03. SUPPRESSION DES LOGICIELS INUTILES


L'idée est de supprimer les programmes qui sont inutilisés en les déplaçants dans un dossier de sauvegarde (/Backup) : 


FaceTime
Game Center
Safari
Photos       
Messages
Mail
DVD Player
Dashboard

Utilities/Migration Assistant
Utilities/Boot Camp Assistant
Utilities/AirPort Utility


remove-osx-apps est téléchargeable ici.



   =>   Écrit par : Nicolas, le 11 février 2016


 
Mots clés :  
  macos 
  
  osx 
  
  harden 
  
  security 
  
  scap 
  
  privacy 
    >   Articles connexes :

Comment gagner du temps sur Internet



OpenSCAP



/tmp et /var/log en noexec sur macOS



Durcissement de Windows



STIG



XCCDF



Rapports d’erreurs Windows ...



Sécurisation du Macbook Air



2327675