Hardening signifie renforcement. Le script ci-dessous renforce certes le système OS X, mais le rend également plus restreint en termes de fonctionnalités. De prime abord, je ne conseille l'application de ce script que si vous le comprenez, sauf si vous estimez que la sécurité est votre priorité et que les fonctionnalités Apple (iCloud, Facetime, Timemachine, Dashboard, ...) ne vous sont pas nécessaires.
0x01. SCRIPT PRINCIPAL
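#!/bin/bash
##
# Set environment
# ---------------------------------------------------------------------------------------------------------------------
#
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/local/bin:/usr/local/bin:/opt/local/sbin:/usr/local/sbin
SHELL=/bin/bash
# Terminal width used to right-align the OK/KO markers.  tput fails when there
# is no terminal (cron, output piped to a file); fall back to 80 columns instead
# of leaving COLS empty, which made the "-gt" test below abort with an error.
COLS=$(tput cols 2>/dev/null) || COLS=80
[ -z "$COLS" ] && COLS=80
[ "$COLS" -gt 150 ] && COLS=150
# Colour sequences are stored with a literal "\e" and rendered by printf.
W="\e[1;29m"
B="\e[0m"
OK="[ \e[1;32mOK\e[0m ]"
KO="[ \e[1;31mKO\e[0m ]"

##
# Welcome
# --------------------------------------------------------------------------------------------------------------------
#
# Draw a horizontal rule of $COLS em-dashes (no trailing newline).
hr() {
  local i
  for (( i = 0; i < COLS; i++ )) ; do printf "—" ; done
}

# Print the script banner between two horizontal rules.
# Globals: COLS (re-read from the terminal, capped at 150)
banner() {
  # Refresh the width: the terminal may have been resized since startup.
  COLS=$(tput cols 2>/dev/null) || COLS=80
  [ -z "$COLS" ] && COLS=80
  [ "$COLS" -gt 150 ] && COLS=150
  hr
  cat <<'EOF'

 SecureInfo.eu >> Hardening script <<

 Redactors :
   • FREE : Mathias Bynens
   • STIG : US Department of Defense
   • STIG : US army, Digital Information Security Agency

EOF
  hr
}

##
# Separate titles
# --------------------------------------------------------------------------------------------------------------------
#
# Print "$1" upper-cased as a highlighted section header.
# Arguments: $1 - section title
title() {
  local str
  str=$(printf '%s' "$1" | tr "a-z" "A-Z")
  # Pass the title as a %s argument: a '%' in it must not become a printf directive.
  printf "\n\n${W}[*] %s ...${B}\n" "$str"
}

##
# Align OK & KO
# --------------------------------------------------------------------------------------------------------------------
#
# Pad with spaces so that $result ends in column $COLS of the line that
# already shows $msg, then print $result (escape sequences rendered).
# Arguments: $1 - message already printed on the current line
#            $2 - marker to right-align, normally $OK or $KO
print_result() {
  local msg=$1 result=$2
  # The markers carry "\e[...m" colour sequences that take zero columns once
  # rendered; strip them before measuring, otherwise ${#result} over-counts by
  # the length of the escapes and the marker lands well short of the margin.
  local visible=$result
  local ansi_re='\\e\[[0-9;]*m'
  while [[ $visible =~ $ansi_re ]] ; do
    visible=${visible/"${BASH_REMATCH[0]}"/}
  done
  local pad=$(( COLS - ${#msg} - ${#visible} ))
  # A message wider than the terminal yields a negative count; print no padding
  # rather than hand it to seq (BSD seq counts downwards and prints numbers).
  (( pad > 0 )) && printf '%*s' "$pad" ''
  # %b renders the "\e" escapes without using $result itself as a format string.
  printf '%b' "$result"
}

##
# Specific local customized sudo (/usr/local/bin/sudo)
# --------------------------------------------------------------------------------------------------------------------
#
# Install the hardened sudoers policy for the locally built sudo.  The new
# policy is written to a temporary file and checked with `visudo -c` before it
# replaces the live file: a sudoers with a syntax error makes every sudo call
# fail, which on a single-admin workstation is a lockout.
# Returns: 0 when the validated file is in place, non-zero otherwise (the
#          caller prints KO).
# NOTE(review): the NOPASSWD rule references a Cmnd_Alias "SUDO" that no line
# of the policy defines; visudo treats an undefined alias as an error, so the
# alias must be defined (or the reference dropped) before this succeeds.
write_usrlocalsudoers() {
  local file="/usr/local/etc/sudoers"
  local tmp
  if [ -f "$file" ] && [ ! -f "$file.bak" ] ; then
    cp "$file" "$file.bak"
  fi
  # Same directory as the target so the final mv is an atomic rename.
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  # Quoted heredoc: nothing is expanded, and the quotes around 'visudo' in the
  # text no longer split the string as they did with echo '...'.
  cat <<'EOF' > "$tmp"
# sudoers file.
# -------------
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
#
# Aliases
#--------------------------------------------------------------------
# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias APP_SYSTEM = /sbin/shutdown,/sbin/halt,/sbin/reboot,/sbin/mount_rorw,/sbin/umount,/sbin/umount_bin,/usr/local/sbin/umount_all
# Do not enter in shell as root
Cmnd_Alias SHELLS = /bin/zsh,/bin/bash,/bin/csh,/bin/ksh,/bin/sh,/bin/tcsh,/bin/rzsh,/usr/bin/login
#
# Allow without TTY
#
Cmnd_Alias APP_GUI = /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt,/Applications/Wireshark.app/Contents/MacOS/Wireshark-bin
#
# Environment
#--------------------------------------------------------------------
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"
Defaults env_keep += "NOLOG_OUTPUT"
Defaults env_keep += "NOLOG_INPUT"
#
# Security precognized by sudo politic
# -------------------------------------------------------------------
Defaults env_delete += "BASH_FUNC"
Defaults env_delete += "RUBYOPT"
Defaults env_delete += "RUBYLIB"
Defaults env_delete += "PYTHONUSERBASE"
Defaults env_delete += "PYTHONINSPECT"
Defaults env_delete += "PYTHONPATH"
Defaults env_delete += "PYTHONHOME"
Defaults env_delete += "TMPPREFIX"
Defaults env_delete += "ZDOTDIR"
Defaults env_delete += "READNULLCMD"
Defaults env_delete += "NULLCMD"
Defaults env_delete += "FPATH"
Defaults env_delete += "PERL5DB"
Defaults env_delete += "PERL5OPT"
Defaults env_delete += "PERL5LIB"
Defaults env_delete += "PERLLIB"
Defaults env_delete += "PERLIO_DEBUG"
Defaults env_delete += "JAVA_TOOL_OPTIONS"
Defaults env_delete += "SHELLOPTS"
Defaults env_delete += "GLOBIGNORE"
Defaults env_delete += "PS4"
Defaults env_delete += "BASH_ENV"
Defaults env_delete += "ENV"
Defaults env_delete += "TERMCAP"
Defaults env_delete += "TERMPATH"
Defaults env_delete += "TERMINFO_DIRS"
Defaults env_delete += "TERMINFO"
Defaults env_delete += "DYLD_LIBRARY_PATH"
Defaults env_delete += "LD_PRELOAD"
Defaults env_delete += "PATH_LOCALE"
Defaults env_delete += "NLSPATH"
Defaults env_delete += "HOSTALIASES"
Defaults env_delete += "RES_OPTIONS"
Defaults env_delete += "LOCALDOMAIN"
Defaults env_delete += "CDPATH"
Defaults env_delete += "IFS"
Defaults env_delete += "DYLD_PRINT_TO_FILE"
#
# Options
#--------------------------------------------------------------------
# sudo variable
Defaults badpass_message = "sudo: Sorry"
Defaults !insults
Defaults !logfile
Defaults !visiblepw
# Restricted OSX base path
Defaults secure_path = "/bin:/sbin:/usr/bin:/usr/sbin"
# Password policy: unlock one time but unlock forever only on current TTY
# Root password asked, to prevent script to use current user password
Defaults passwd_timeout = 3
Defaults timestamp_timeout = 0
Defaults passwd_tries = 2
Defaults tty_tickets
Defaults rootpw
#
# May be too restrictive
#
# Sudo can only run in TTY
# Defaults requiretty
# Defaults!APP_GUI !requiretty
# Defaults!SUDO !requiretty
#
# User privilege specification
#--------------------------------------------------------------------
# Unique super user always can do everything
root ALL=(ALL) ALL
# Same thing without a password for specific commands
%admin ALL=(ALL) PASSWD: ALL
%admin ALL=(root:wheel) NOPASSWD: SUDO, APP_SYSTEM
%admin ALL=(root:wheel) NOPASSWD: APP_GUI
EOF
  # Refuse to install a policy that sudo itself would not parse.
  if ! visudo -c -q -f "$tmp" ; then
    rm -f -- "$tmp"
    return 1
  fi
  chown 0:0 "$tmp" && chmod 440 "$tmp" && mv -f -- "$tmp" "$file"
}

##
# Harden audit OSX system
# --------------------------------------------------------------------------------------------------------------------
#
# Replace /etc/security/audit_control with the SecureInfo.eu baseline (a
# one-time .bak copy of the original is kept) and make auditd re-read it.
# Returns: exit status of `audit -s`
write_securityaudit() {
  local file="/etc/security/audit_control"
  if [ -f "$file" ] && [ ! -f "$file.bak" ] ; then
    cp "$file" "$file.bak"
  fi
  # Quoted heredoc: the "$P4" tag in the header must stay literal.
  cat <<'EOF' > "$file"

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
## SecureInfo.eu - iUnix - /etc/security/audit_control
#
dir:/var/audit
flags:lo,fm,ad,aa
minfree:25
naflags:lo,aa
policy:cnt,argv,ahlt
filesz:2M
expire-after:7d
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
EOF
  audit -s
}

##
# Network hardening SecureInfo.eu hints
# --------------------------------------------------------------------------------------------------------------------
#
# Write the SecureInfo.eu network sysctl baseline to /etc/sysctl.conf.
# Returns: 1 when the file cannot be created, 0 otherwise
# NOTE(review): confirm that the targeted OS X release still applies
# /etc/sysctl.conf at boot; the file itself does not check it.
write_sysctl() {
  local file="/etc/sysctl.conf"
  if ! touch "$file" ; then
    echo '[!] Unable to write /etc/sysctl.conf' >&2
    return 1
  fi
  cat <<'EOF' > "$file"
### SecureInfo.eu - iUnix - /etc/sysctl.conf

# Be verbose, but not too much
net.inet.ip.fw.verbose_limit=5
net.inet.ip.fw.verbose=2
# By default, drop packet to UDP closed port
net.inet.udp.blackhole=1
# By default, drop packet to TCP closed port
net.inet.tcp.blackhole=2
# TTL is 128, like Windows (decoy)
net.inet.ip.ttl=128
# Deny BAD TTL packets
net.inet.ip.linklocal.in.allowbadttl=0
# No broadcast ICMP echo
net.inet.icmp.bmcastecho=0
# No IP redirect
net.inet.ip.redirect=0
# Do not tog unattended ARP packets (to prevent DoS attack)
net.link.ether.inet.log_arp_warnings=0
# No IPv6 redirect
net.inet6.ip6.redirect=0
# Drop ICMP redirect
net.inet.icmp.drop_redirect=1
# Drop ICMPv redirect
net.inet6.icmp.drop_redirect=1
# Log ICMP redirect
net.inet.icmp.log_redirect=1
# Do not reply to ICMP mask request
net.inet.icmp.maskrepl=0
# Do not reply to spoofed source IP packet
net.inet.ip.sourceroute=0
# Don't care about IPv6
net.inet6.ip6.fw.verbose=0
# Disable ARP unicast
net.link.ether.inet.arp_unicast_lim=0
## Disable scope route & ARP unicast
# net.inet.ip.scopedroute=0
# Kernel Flag
# net.inet.ip6.scopedroute=0
# See: "/Library/Preferences/SystemConfiguration/com.apple.Boot.plist"
# IP forwarding for IPv6 must not be enabled
net.inet6.ip6.forwarding=0
# IP forwarding for IPv4 must not be enabled
net.inet.ip.forwarding=0
# The system must not send IPv6 ICMP redirects by default
net.inet6.ip6.redirect=0
# The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
net.inet.icmp.timestamp=0
EOF
}

##
# SecureInfo.eu service & policy hardening
# --------------------------------------------------------------------------------------------------------------------
#
# Unload (and mark disabled with -w) every launchd job given as a plist path.
# Arguments: $@ - launchd plist paths
# Outputs:   launchctl errors are discarded (job may already be unloaded)
disable_launch_jobs() {
  local plist
  for plist in "$@" ; do
    launchctl unload -w "$plist" 2>/dev/null
  done
}

# Apply the SecureInfo.eu hardening steps and print one OK/KO line per step.
# Steps that write a file are verified by re-reading it; the launchd steps
# print OK unconditionally.
# NOTE(review): `launchctl unload -w` also exits non-zero when the job was
# already unloaded, so its status alone cannot tell success from "already
# done"; that is why those steps are not checked here.
secureinfo_enhancement() {
  local msg res

  msg=" [+] Disable shell for user root"
  printf '\n%s' "$msg"
  chsh -s /sbin/nologin root >/dev/null 2>&1
  print_result "$msg" "$OK"

  msg=" [+] Write /etc/sysctl.conf security file"
  printf '\n%s' "$msg"
  write_sysctl
  res=$KO ; grep -sq "SecureInfo.eu" "/etc/sysctl.conf" && res=$OK
  print_result "$msg" "$res"

  msg=" [+] Write /etc/security/audit_control file"
  printf '\n%s' "$msg"
  write_securityaudit >/dev/null 2>&1
  res=$KO ; grep -sq "SecureInfo.eu" "/etc/security/audit_control" && res=$OK
  print_result "$msg" "$res"

  msg=" [+] Writting hardend sudoers"
  printf '\n%s' "$msg"
  # KO when the policy failed visudo's check and was not installed.
  res=$KO ; write_usrlocalsudoers && res=$OK
  print_result "$msg" "$res"

  msg=" [+] Disable GameController service"
  printf '\n%s' "$msg"
  disable_launch_jobs \
    /System/Library/LaunchDaemons/com.apple.GameController.gamecontrollerd.plist \
    /System/Library/LaunchAgents/com.apple.gamed.plist
  print_result "$msg" "$OK"

  msg=" [+] Disable FindMyMac services (this computer does not use iCloud services)"
  printf '\n%s' "$msg"
  disable_launch_jobs \
    /System/Library/LaunchDaemons/com.apple.findmymac.plist \
    /System/Library/LaunchDaemons/com.apple.findmymacmessenger.plist \
    /System/Library/LaunchDaemons/com.apple.icloud.findmydeviced.plist \
    /System/Library/LaunchAgents/com.apple.findmymacmessenger.plist \
    /System/Library/LaunchAgents/com.apple.icloud.findmydeviced.findmydevice-user-agent.plist
  print_result "$msg" "$OK"

  msg=" [+] Disable XSan services (this computer is not a XSan server)"
  printf '\n%s' "$msg"
  disable_launch_jobs \
    /System/Library/LaunchDaemons/com.apple.xsan.plist \
    /System/Library/LaunchDaemons/com.apple.xsandaily.plist
  print_result "$msg" "$OK"

  msg=" [+] Disable voice over share services"
  printf '\n%s' "$msg"
  disable_launch_jobs /System/Library/LaunchAgents/com.apple.VoiceOver.plist
  print_result "$msg" "$OK"

  msg=" [+] Disable Spotlight/Appstore/Safari suggestions"
  printf '\n%s' "$msg"
  disable_launch_jobs /System/Library/LaunchAgents/com.apple.suggestd.plist
  print_result "$msg" "$OK"

  msg=" [+] Disable power chime (startup sound)"
  printf '\n%s' "$msg"
  # BSD sed (the one in /usr/bin on OS X) requires a suffix after -i; the
  # original `sed -i 's|...|'` took the script as the suffix and the plist as
  # the script, so it never edited anything.  .bak matches the rest of the file.
  # NOTE(review): the plist may be binary and, from 10.11 on, SIP-protected;
  # confirm the edit actually lands before relying on the OK printed below.
  sed -i.bak 's|<true/>|<false/>|1' /System/Library/LaunchAgents/com.apple.powerchime.plist
  print_result "$msg" "$OK"

  msg=" [+] Disable photos social share services"
  printf '\n%s' "$msg"
  disable_launch_jobs /System/Library/LaunchAgents/com.apple.SocialPushAgent.plist
  print_result "$msg" "$OK"

  msg=" [+] Disable photos library services (this computer is not a multimedia station)"
  printf '\n%s' "$msg"
  disable_launch_jobs \
    /System/Library/LaunchAgents/com.apple.PhotoLibraryMigrationUtility.XPC.plist \
    /System/Library/LaunchAgents/com.apple.photolibraryd.plist
  print_result "$msg" "$OK"
}

##
# Mathias Bynens / "Hacky script", found on GitHub to customise for developer/admin
# URL: https://github.com/mathiasbynens/dotfiles/blob/master/.osx
# --------------------------------------------------------------------------------------------------------------------
#
# Apply the desktop/privacy preferences; every step prints OK unconditionally
# (`defaults write` status is not checked).
# NOTE(review): `defaults write <domain>` without a path writes the preferences
# of the user running the command; when this script runs as root, the
# com.apple.screensaver / Safari / Finder settings below land in root's
# preferences rather than the login user's — confirm against the intended user.
auto_configure() {
  local msg

  msg=" [+] Disable Spotlight indexing for any volume that gets mounted and has not yet been indexed before"
  printf '\n%s' "$msg"
  defaults write /.Spotlight-V100/VolumeConfiguration Exclusions -array "/Volumes"
  print_result "$msg" "$OK"

  msg=" [+] Automatically quit printer app once the print jobs complete"
  printf '\n%s' "$msg"
  defaults write com.apple.print.PrintingPrefs "Quit When Finished" -bool true
  print_result "$msg" "$OK"

  msg=" [+] Displaying ASCII control characters using caret notation in standard text views"
  printf '\n%s' "$msg"
  defaults write NSGlobalDomain NSTextShowsControlCharacters -bool true
  print_result "$msg" "$OK"

  msg=" [+] Save to disk, rather than iCloud, by default"
  printf '\n%s' "$msg"
  defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
  print_result "$msg" "$OK"

  msg=" [+] Removing duplicates in the 'Open With' menu"
  printf '\n%s' "$msg"
  /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill \
    -r -domain local -domain system -domain user
  print_result "$msg" "$OK"

  msg=" [+] Disable smart quotes and smart dashes"
  printf '\n%s' "$msg"
  defaults write NSGlobalDomain NSAutomaticQuoteSubstitutionEnabled -bool false
  defaults write NSGlobalDomain NSAutomaticDashSubstitutionEnabled -bool false
  print_result "$msg" "$OK"

  msg=" [+] Disable the sudden motion sensor (it's not useful for SSDs/current MacBooks)"
  printf '\n%s' "$msg"
  pmset -a sms 0 >/dev/null 2>&1
  print_result "$msg" "$OK"

  msg=" [+] Disable the menubar transparency"
  printf '\n%s' "$msg"
  defaults write com.apple.universalaccess reduceTransparency -bool true
  print_result "$msg" "$OK"

  msg=" [+] Enabling full keyboard access for all controls (enable Tab in modal dialogs, menu windows, etc.)"
  printf '\n%s' "$msg"
  defaults write NSGlobalDomain AppleKeyboardUIMode -int 3
  print_result "$msg" "$OK"

  msg=" [+] Disable auto-correct"
  printf '\n%s' "$msg"
  defaults write NSGlobalDomain NSAutomaticSpellingCorrectionEnabled -bool false
  print_result "$msg" "$OK"

  msg=" [+] Disable display from automatically adjusting brightness? (y/n)"
  printf '\n%s' "$msg"
  defaults write /Library/Preferences/com.apple.iokit.AmbientLightSensor "Automatic Display Enabled" -bool false
  print_result "$msg" "$OK"

  msg=" [+] Disable keyboard from automatically adjusting backlight brightness in low light? (y/n)"
  printf '\n%s' "$msg"
  defaults write /Library/Preferences/com.apple.iokit.AmbientLightSensor "Automatic Keyboard Enabled" -bool false
  print_result "$msg" "$OK"

  msg=" [+] Requiring password immediately after sleep or screen saver begins"
  printf '\n%s' "$msg"
  defaults write com.apple.screensaver askForPassword -int 1
  defaults write com.apple.screensaver askForPasswordDelay -int 0
  print_result "$msg" "$OK"

  msg=" [+] Enabling subpixel font rendering on non-Apple LCDs"
  printf '\n%s' "$msg"
  defaults write NSGlobalDomain AppleFontSmoothing -int 2
  print_result "$msg" "$OK"

  msg=" [+] Avoid creation of .DS_Store files on network volumes"
  printf '\n%s' "$msg"
  defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true
  print_result "$msg" "$OK"

  msg=" [+] Allowing text selection in Quick Look/Preview in Finder by default"
  printf '\n%s' "$msg"
  defaults write com.apple.finder QLEnableTextSelection -bool true
  print_result "$msg" "$OK"

  msg=" [+] Privacy: Don't send search queries to Apple"
  printf '\n%s' "$msg"
  defaults write com.apple.Safari UniversalSearchEnabled -bool false
  defaults write com.apple.Safari SuppressSearchSuggestions -bool true
  print_result "$msg" "$OK"

  msg=" [+] Hiding Safari's bookmarks bar by default"
  printf '\n%s' "$msg"
  defaults write com.apple.Safari ShowFavoritesBar -bool false
  print_result "$msg" "$OK"

  msg=" [+] Prevent Time Machine from prompting to use new hard drives as backup volume"
  printf '\n%s' "$msg"
  defaults write com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true
  print_result "$msg" "$OK"

  # The message below continues on the following source line (the page splits
  # it); the remainder of this step and the closing brace follow there.
  msg=" [+] Disable local Time Machine backups? 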
(This can take up a ton of SSD space on <=128GB SSDs)" printf "\n$msg" hash tmutil &> /dev/null && tmutil disablelocal print_result "$msg" "$OK" } ## # U_Apple_OS_X_10-10_Workstation_V1R2_Manual-xccdf.xml from DoD & DISA Security technical information guide (STIG) # DoD : (US) Department of Defense # DISA : (US military) Defense Information System Agency # -------------------------------------------------------------------------------------------------------------------- # dod_hardening() { msg=" [+] Disabled RSH protocol (not encrypted) : " printf "\n$msg" launchctl disable system/com.apple.rexecd launchctl print-disabled system | grep -sq com.apple.rexecd && print_result "$msg" "$OK" msg=" [+] The operating system must implement cryptography to protect the integrity of remote access sessions : " printf "\n$msg" launchctl disable system/com.apple.telnetd launchctl print-disabled system | grep -sq com.apple.telnetd && print_result "$msg" "$OK" msg=" [+] The rshd service must be disabled : " printf "\n$msg" launchctl disable system/com.apple.rshd launchctl print-disabled system | grep -sq com.apple.rshd && print_result "$msg" "$OK" msg=" [+] The operating system must monitor remote access methods : " printf "\n$msg" sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; audit -s >/dev/null 2>&1 grep -sq ^flags /etc/security/audit_control && print_result "$msg" "$OK" msg=" [+] The operating system must enforce requirements for remote connections to the information system : " printf "\n$msg" launchctl disable system/com.apple.screensharing launchctl print-disabled system | grep -sq com.apple.screensharing && print_result "$msg" "$OK" # msg=" [+] The Bluetooth software driver must be removed : " # rm -rf /System/Library/Extensions/IOBluetoothFamily.kext /System/Library/Extensions/IOBluetoothHIDDriver.kext # touch /System/Library/Extensions # kextstat | grep -i -sq bluetooth || print_result "$msg" "$OK" # msg=" [+] Wi-Fi support software must be disabled : " # 
networksetup -setnetworkserviceenabled 'Wi-Fi' off # networksetup -listallnetworkservices msg=" [+] Infrared [IR] support must be disabled : " printf "\n$msg" defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool FALSE defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled |grep -sq 1 || \ print_result "$msg" "$OK" msg=" [+] Automatic actions must be disabled for blank CDs : " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.cd.appeared'2>&1|grep -sq "1" || \ print_result "$msg" "$KO" msg=" [+] Automatic actions must be disabled for blank DVDs : " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.dvd.appeared' 2>&1|grep -sq "1" || \ print_result "$msg" "$KO" msg=" [+] Automatic actions must be disabled for music CDs : " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.cd.music.appeared'2>&1|grep -sq "1" || \ print_result "$msg" "$KO" msg=" [+] Automatic actions must be disabled for picture CDs : " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.cd.picture.appeared'2>&1|grep -sq "1" || \ print_result "$msg" "$KO" msg=" [+] Automatic actions must be disabled for video DVDs : " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep -A 2 'com.apple.digihub.blank.dvd.video.appeared'2>&1|grep -sq "1" || \ print_result "$msg" "$KO" msg=" [+] SMB File Sharing must be disabled unless required : " printf "\n$msg" launchctl disable system/com.apple.smbd launchctl print-disabled system | grep -sq com.apple.smbd && print_result "$msg" "$OK" msg=" [+] Apple File (AFP) Sharing must be disabled : " printf "\n$msg" launchctl disable system/com.apple.AppleFileServer launchctl print-disabled system | grep -sq com.apple.AppleFileServer && print_result "$msg" "$OK" msg=" [+] The NFS daemon must be disabled 
unless required : " printf "\n$msg" launchctl disable system/com.apple.nfsd launchctl print-disabled system | grep -sq com.apple.nfsd && print_result "$msg" "$OK" msg=" [+] The NFS lock daemon must be disabled unless required : " printf "\n$msg" launchctl disable system/com.apple.lockd launchctl print-disabled system | grep -sq com.apple.lockd && print_result "$msg" "$OK" msg=" [+] The NFS stat daemon must be disabled unless required : " printf "\n$msg" launchctl disable system/com.apple.statd.notify launchctl print-disabled system | grep -sq com.apple.statd.notify && print_result "$msg" "$OK" msg=" [+] The operating system must generate audit records for privileged activities or other system-level access." printf "\n$msg" sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] The operating system must generate audit records when successful/unsuccessful logon attempts occur." printf "\n$msg" sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] The operating system must initiate session audits at system startup : " printf "\n$msg" launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist >/dev/null 2>&1 launchctl list | grep -sq com.apple.auditd && print_result "$msg" "$OK" msg="\n [+] The operating system must provide audit record generation capability for DoD-defined auditable events" msg=$msg"\n for all operating system components." printf "\n$msg" msg="$(printf "$msg"|tail -n1)" sed -i.bak '/^flags/ s/$/,lo,ad,aa/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg="\n [+] The operating system must generate audit records for all account creations, modifications, disabling," msg=$msg"\n and termination events." 
printf "\n$msg" msg="$(printf "$msg"|tail -n1)" sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg="\n [+] The operating system must allocate audit record storage capacity to store at least one weeks worth of" msg=$msg"\n audit records, when audit records are not immediately sent to a central audit record storage facility." printf "\n$msg" msg="$(printf "$msg"|tail -n1)" sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg="\n [+] The operating system must provide an immediate warning to the SA and ISSO (at a minimum) when" msg=$msg"\n allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity." printf "\n$msg" msg="$(printf "$msg"|tail -n1)" sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum," msg=$msg"\n of all audit failure events requiring real-time alerts." printf "\n\n$msg" sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; audit -s >/dev/null 2>&1 msg=" of all audit failure events requiring real-time alerts." print_result "$msg" "$OK" msg="\n [+] The audit service must be configured to create log files with the correct ownership to prevent" msg=$msg"\n normal users from reading audit logs. Audit logs contain sensitive data about the system and about" msg=$msg"\n users. 
If log files are set to only be readable and writable by root or administrative users with" msg=$msg"\n sudo, the risk is mitigated : " printf "\n$msg" msg="$(printf "$msg"|tail -n1)" ( chown root /var/audit/* >/dev/null 2>&1 ls -le $(grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') 2>&1| grep -vsq current ) >/dev/null 2>&1 && print_result "$msg" "$OK" msg="\n [+] The audit service must be configured to create log files with the correct group-ownership to prevent" msg=$msg"\n normal users from reading audit logs. Audit logs contain sensitive data about the system and about users." msg=$msg"\n If log files are set to only be readable and writable by root or administrative users with sudo, the" msg=$msg"\n risk is mitigated : " printf "\n$msg" msg="$(printf "$msg"|tail -n1)" chgrp wheel /var/audit/* >/dev/null 2>&1 ls -le $(grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') 2>&1| grep -vsq current && print_result "$msg" "$OK" msg="\n [+] The audit service must be configured to create log files with the correct group-ownership to prevent" msg=$msg"\n normal users from reading audit logs. Audit logs contain sensitive data about the system and about users." msg=$msg"\n If log files are set to only be readable and writable by root or administrative users with sudo, the" msg=$msg"\n risk is mitigated." printf "\n$msg" msg="$(printf "$msg"|tail -n1)" chgrp wheel /var/audit >/dev/null 2>&1 ls -lde $(grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] Log files must not contain ACLs." printf "\n\n$msg" chmod -R -N /var/log >/dev/null 2>&1 chmod -R -N /var/audit >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] The Security assessment policy subsystem must be enabled : " printf "\n$msg" spctl --master-enable >/dev/null 2>&1 spctl --status | grep -sq enabled && print_result "$msg" "$OK" # msg=" [+] A configuration profile must be installed." 
# printf "\n$msg" # profiles -H # print_result "$msg" "$OK" # msg=" [+] The operating system must employ a deny-all, permit-by-exception policy to allow the execution" # msg=$msg"\n of authorized software programs : " # printf "\n$msg" # msg="$(printf "$msg"|tail -n1)" # profiles -Pv | grep -sq 'Application Restrictions' && print_result "$msg" "$OK" || print_result "$msg" "$KO" msg=" [+] The system preference panel iCloud must be removed." printf "\n\n$msg" rm -rf /System/Library/PreferencePanes/iCloudPref.prefPane msg=" [+] Sending diagnostic and usage data to Apple must be disabled : " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep AutoSubmit || print_result "$msg" "$OK" msg=" [+] Find My Mac must be disabled : " printf "\n$msg" launchctl disable system/com.apple.findmymacd launchctl print-disabled system | grep -sq com.apple.findmymacd && print_result "$msg" "$OK" msg=" [+] Find My Mac messenger must be disabled : " printf "\n$msg" launchctl disable system/com.apple.findmymacmessenger launchctl print-disabled system | grep -sq com.apple.findmymacmessenger && print_result "$msg" "$OK" msg=" [+] Location Services must be disabled : " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep -sq DisableLocationServices && print_result "$msg" "$OK" msg=" [+] Bonjour multicast advertising must be disabled on the system : " printf "\n$msg" res=$KO defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder|grep -sq NoMulticastAdvertisements || \ /usr/libexec/PlistBuddy -c "Add :ProgramArguments:2 string '-NoMulticastAdvertisements'" \ /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder | \ grep -sq NoMulticastAdvertisements /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist && res=$OK print_result "$msg" "$res" msg=" [+] The UUCP service must be disabled : " printf "\n$msg" res=$KO launchctl disable system/com.apple.uucp launchctl 
print-disabled system | grep -sq com.apple.uucp && res=$OK print_result "$msg" "$res" msg=" [+] The operating system must require individuals to be authenticated with an individual authenticator" msg=$msg"\n prior to using a group authenticator : " printf "\n\n$msg" msg="$(printf "$msg"|tail -n1)" sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config res=$KO ; grep -sq "^PermitRootLogin no" /etc/ssh/sshd_config && res=$OK print_result "$msg" "$res" msg="\n [+] The operating system must implement replay-resistant authentication mechanisms for network access" msg=$msg"\n to privileged accounts : " printf "\n$msg" msg="$(printf "$msg"|tail -n1)" sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/ssh/sshd_config res=$KO ; grep -sq "^Protocol 2" /etc/ssh/sshd_config && res=$OK print_result "$msg" "$res" msg=" [+] The operating system must transmit only cryptographically-protected passwords (disable telnetd) : " printf "\n\n$msg" launchctl disable system/com.apple.telnetd >/dev/null 2>&1 launchctl print-disabled system | grep -sq com.apple.telnetd && print_result "$msg" "$OK" msg=" [+] The SSH daemon ClientAliveInterval option must be set correctly : " printf "\n$msg" sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 600/' /etc/ssh/sshd_config grep -sq "^ClientAliveInterval 600" /etc/ssh/sshd_config && print_result "$msg" "$OK" msg=" [+] The SSH daemon ClientAliveCountMax option must be set correctly : " printf "\n$msg" sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config grep -sq "^ClientAliveCountMax 0" /etc/ssh/sshd_config && print_result "$msg" "$OK" msg=" [+] The SSH daemon LoginGraceTime must be set correctly : " printf "\n$msg" sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config grep -sq "^LoginGraceTime 30" /etc/ssh/sshd_config && print_result "$msg" "$OK" msg="\n [+] The operating system must issue or obtain public key certificates under an appropriate certificate" msg=$msg"\n policy 
from an approved service provider : " printf "\n$msg" msg="$(printf "$msg"|tail -n1)" security dump-keychain | grep labl | awk -F\" '{ print $4 }'|grep -vE "^Avast|^Apple|^com.apple"|\ grep "." && print_result "$msg" "$KO" # msg=" [+] The usbmuxd daemon must be disabled : " # printf "\n\n$msg" # launchctl unload -w /System/Library/LaunchDaemons/com.apple.usbmuxd.plist >/dev/null 2>&1 # launchctl list | grep -sq usbmuxd || print_result "$msg" "$OK" msg=" [+] Bluetooth devices must not be allowed to wake the computer." printf "\n\n$msg" defaults -currentHost delete com.apple.Bluetooth RemoteWakeEnabled >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] Remote Apple Events must be disabled." printf "\n$msg" launchctl disable system/com.apple.AEServer >/dev/null 2>&1 launchctl print-disabled system | grep -sq com.apple.AEServer && print_result "$msg" "$OK" msg=" [+] The root account must be the only account having a UID of 0 -> " printf "\n$msg" dscl . -list /Users UniqueID | grep -w 0 | grep -Ev "^root\s+0"|grep . || print_result "$msg" "$OK" msg=" [+] The application firewall must be disabled (iUnix : managed by ipfw & HandsOff)." printf "\n$msg" /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off msg=" [+] All public directories must be owned by root or an application account... -> " printf "\n$msg" find / -type d -perm +o+w -not -uid 0 -exec chown root {} \; >/dev/null 2>&1 [ $? -eq 0 ] && print_result "$msg" "$OK" || print_result "$msg" "$KO" msg=" [+] The finger service must be disabled." printf "\n$msg" launchctl disable system/com.apple.fingerd launchctl print-disabled system | grep com.apple.fingerd msg=" [+] The sticky bit must be set on all public directories... -> " printf "\n$msg" find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \; >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] The prompt for Apple ID and iCloud must be disabled." 
printf "\n$msg" ( defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant \ DidSeeCloudSetup -bool TRUE defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant \ LastSeenCloudProductVersion '10.11' ) >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] Users must not have Apple IDs signed into iCloud -> " printf "\n$msg" print_result "$msg" "$OO" find /Users/*/Library -name 'MobileMeAccounts.plist' -exec defaults delete '{}' \; 2>/dev/null msg=" [+] iTunes Music Sharing must be disabled : " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep disableSharedMusic|grep -sq 1 && print_result "$msg" "$KO" msg=" [+] Secure virtual memory must be used." printf "\n$msg" defaults write /Library/Preferences/com.apple.virtualMemory DisableEncryptedSwap -bool FALSE print_result "$msg" "$OK" msg=" [+] Internet Sharing must be disabled : " printf "\n$msg" launchctl disable system/com.apple.NetworkSharing launchctl print-disabled system | grep -sq com.apple.NetworkSharing && print_result "$msg" "$OK" msg=" [+] The operating system must shut down by default upon audit failure (unless availability is" msg=$msg"\n an overriding concern) : " printf "\n$msg" msg=" an overriding concern) : " sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; audit -s >/dev/null 2>&1 grep ^policy /etc/security/audit_control | grep -sq ahlt && print_result "$msg" "$OK" msg=" [+] AirDrop must be disabled -> " printf "\n$msg" system_profiler SPConfigurationProfileDataType | grep DisableAirDrop || print_result "$msg" "$KO" msg="\n [+] The operating system must generate audit records for all kernel module load, unload, and restart" msg=$msg"\n actions, and also for all program initiations." 
msg="$(printf "$msg"|tail -n1)" printf "\n$msg" sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg="\n [+] The operating system must generate audit records when successful/unsuccessful attempts to" msg=$msg"\n modify security objects occur." msg="$(printf "$msg"|tail -n1)" printf "\n$msg" sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg="\n [+] The operating system must generate audit records when successful/unsuccessful attempts to" msg=$msg"\n modify security levels occur." msg="$(printf "$msg"|tail -n1)" printf "\n$msg" sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg="\n [+] The operating system must generate audit records when successful/unsuccessful attempts to" msg=$msg"\n modify categories of information (e.g., classification levels) occur." msg="$(printf "$msg"|tail -n1)" printf "\n$msg" sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg="\n [+] The operating system must generate audit records when successful/unsuccessful attempts to" msg=$msg"\n delete privileges occur." msg="$(printf "$msg"|tail -n1)" printf "\n$msg" sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg="\n [+] The operating system must generate audit records when successful/unsuccessful attempts to" msg=$msg"\n access privileges occur." msg="$(printf "$msg"|tail -n1)" printf "\n$msg" sed -i.bak '/^flags/ s/$/,lo,ad,aa/' /etc/security/audit_control; audit -s >/dev/null 2>&1 print_result "$msg" "$OK" msg=" [+] Web Sharing must be disabled : " printf "\n$msg" launchctl disable system/org.apache.httpd launchctl print-disabled system | grep -sq org.apache.httpd && print_result "$msg" "$OK" msg=" [+] iCloud features must be disabled." 
printf "\n$msg" launchctl disable system/com.apple.icloud.findmydeviced launchctl disable system/com.apple.SafariCloudHistoryPushAgent launchctl disable system/com.apple.icloud.fmfd launchctl disable system/com.apple.iCloudUserNotificationsd print_result "$msg" "$OK" msg=" [+] FTP Sharing must be disabled : " printf "\n$msg" launchctl disable system/com.apple.ftpd launchctl print-disabled system | grep -sq com.apple.ftpd && print_result "$msg" "$OK" } ## # Check if changes can be applied # -------------------------------------------------------------------------------------------------------------------- # if [ -x /usr/bin/csrutil ]; then if csrutil status|grep enabled ; then echo echo '[!] OS X system integrity enabled, unable to harden system.' echo ' What to do:' echo ' 1- at boot: CMD+R' echo ' 2- launch Terminal' echo ' 3- type: csrutil disable' echo ' 4- reboot' echo ' 5- execute hardening script' echo ' 6- reboot and press CMD+R' echo ' 7- launch Terminal' echo ' 8- type: csrutil enable' echo ' 9- reboot' echo return 1 fi fi ## # Apply changes # -------------------------------------------------------------------------------------------------------------------- # clear banner # Create groups and attach current admin user to this groups NEW_INSTALL=1 [ -f "/Applications/CLI.app/Contents/MacOS/iTerm" -a -f "/opt/local/bin/pv" -a -f "/usr/local/libexec/rclocal" ] && \ NEW_INSTALL=0 if [ $NEW_INSTALL -eq 1 ]; then if [ "$USER" != "root" ]; then user=$USER else printf "[?] Enter the user to add to administration groups: " read user fi for group in compilers schedulers sudoers netadmin; do echo "[+] Creating group $group ..." dseditgroup -o create $group echo "[+] Adding $user to $group ..." 
dseditgroup -o edit -a $user -t user $group done fi title "Auto-configuring OSX" auto_configure title "Applying DoD/DISA hardening policy" dod_hardening title "SecureInfo.eu enhancement" secureinfo_enhancement msg=" [+] Hardening files permissions" printf "\n$msg" res=$KO ; /usr/local/libexec/build_custom_permissions fix_all >/dev/null 2>&1 && res=$OK print_result "$msg" "$res" msg=" [+] Removing useless apps & services" printf "\n$msg" res=$KO ; /usr/local/libexec/remove-osx-apps >/dev/null 2>&1 && res=$OK print_result "$msg" "$res" echo echo echo "[!] Need restart to take all effects." echo
0x02. RENFORCEMENT DES PERMISSIONS UNIX
L'idée est de n'autoriser l'exécution de certains programmes qu'aux membres de groupes d'utilisateurs dédiés, via les permissions Unix des binaires concernés. C'est une mesure de défense en profondeur : elle n'empêche pas un utilisateur d'apporter sa propre copie d'un outil (gcc, netstat, ...), mais elle reste pertinente pour les binaires setuid comme su et sudo, qui perdent leurs privilèges lorsqu'ils sont recopiés. Attention : l'administrateur doit appartenir à ces groupes avant l'application des permissions, sous peine de perdre l'accès à sudo :
- seuls les utilisateurs du groupe "compilers" ont le droit d'exécuter : gcc, xcodebuild, ...
- seuls les utilisateurs du groupe "netadmin" ont le droit d'exécuter : ifconfig, netstat, ...
- seuls les utilisateurs du groupe "schedulers" ont le droit d'exécuter : at, crontab, ...
- seuls les utilisateurs du groupe "sudoers" ont le droit d'exécuter : su, sudo, ...
build_custom_permissions est téléchargeable ici.
0x03. SUPPRESSION DES LOGICIELS INUTILES
L'idée est de déplacer les programmes inutilisés dans un dossier de sauvegarde (/Backup) plutôt que de les supprimer, ce qui permet de les restaurer au besoin :
FaceTime Game Center Safari Photos Messages Mail DVD Player Dashboard Utilities/Migration Assistant Utilities/Boot Camp Assistant Utilities/AirPort Utility
remove-osx-apps est téléchargeable ici.
=> Écrit par : Nicolas, le 11 février 2016