@@ -545,46 +545,6 @@ actions:
545545 recommend : standard
546546 code : defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
547547 revertCode : defaults delete NSGlobalDomain NSDocumentSaveNewDocumentsToCloud
548- -
549- category : Security improvements
550- children :
551- -
552- category : Configure macOS Application Firewall
553- children :
554- -
555- name : Enable firewall
556- recommend : standard
557- docs : https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81681
558- code : /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
559- revertCode : /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
560- -
561- name : Turn on firewall logging
562- recommend : standard
563- docs : https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81671
564- code : /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
565- revertCode : /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode off
566- -
567- name : Turn on stealth mode
568- recommend : standard
569- docs : https://www.stigviewer.com/stig/apple_os_x_10.8_mountain_lion_workstation/2015-02-10/finding/V-51327
570- code : /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
571- revertCode : /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off
572- -
573- name : Disable Spotlight indexing
574- code : sudo mdutil -i off -d /
575- revertCode : sudo mdutil -i on /
576- -
577- name : Disable Captive portal
578- docs :
579- - https://web.archive.org/web/20171008071031if_/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html#.WdnPa5OyL6Y
580- - https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html
581- - https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/
582- code : sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false
583- revertCode : sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active
584- -
585- name : Require a password to wake the computer from sleep or screen saver
586- code : defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true
587- revertCode : sudo defaults delete /Library/Preferences/com.apple.screensaver askForPassword
588548 -
589549 name : Do not show recent items on dock
590550 docs : https://developer.apple.com/documentation/devicemanagement/dock
@@ -674,6 +634,181 @@ actions:
674634revertCode : |-
675635 defaults delete com.apple.Siri 'StatusMenuVisible'
676636 defaults delete com.apple.Siri 'UserHasDeclinedEnable'
637+
638+ name : Disable Spotlight indexing
639+ code : sudo mdutil -i off -d /
640+ revertCode : sudo mdutil -i on /
641+ -
642+ category : Security improvements
643+ children :
644+ -
645+ category : Configure macOS Application Firewall
646+ children :
647+ -
648+ name : Enable application firewall
649+ recommend : standard
650+ docs :
651+ - https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81681
652+ - https://daiderd.com/nix-darwin/manual/index.html
653+ - https://developer.apple.com/documentation/devicemanagement/firewall
654+ code : |-
655+ /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
656+ sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool true
657+ defaults write com.apple.security.firewall EnableFirewall -bool true
658+ revertCode : |-
659+ /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
660+ sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool false
661+ defaults write com.apple.security.firewall EnableFirewall -bool false
662+
663+ name : Turn on firewall logging
664+ recommend : standard
665+ docs :
666+ - https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81671
667+ - https://daiderd.com/nix-darwin/manual/index.html
668+ code : |-
669+ /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
670+ sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true
671+ revertCode : |-
672+ /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode off
673+ sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool false
674+
675+ name : Turn on stealth mode
676+ recommend : standard
677+ docs :
678+ - https://www.stigviewer.com/stig/apple_os_x_10.8_mountain_lion_workstation/2015-02-10/finding/V-51327
679+ - https://daiderd.com/nix-darwin/manual/index.html
680+ - https://developer.apple.com/documentation/devicemanagement/firewall
681+ code : |-
682+ /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
683+ sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true
684+ defaults write com.apple.security.firewall EnableStealthMode -bool true
685+ revertCode : |-
686+ /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off
687+ sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false
688+ defaults write com.apple.security.firewall EnableStealthMode -bool false
689+
690+ category : Disable auto-permitting incoming traffic for apps
691+ children :
692+ -
693+ name : Prevent automatically allowing incoming connections to signed apps
694+ docs : https://daiderd.com/nix-darwin/manual/index.html
695+ recommend : strict
696+ code : sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
697+ revertCode : sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool true
698+ -
699+ name : Prevent automatically allowing incoming connections to downloaded signed apps
700+ docs : https://daiderd.com/nix-darwin/manual/index.html
701+ recommend : strict
702+ code : sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool false
703+ revertCode : sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool true
704+ -
705+ name : Disable Captive portal
706+ # An attacker could trigger the utility and direct a Mac to a site with malware without user interaction,
707+ # so it's best to disable this feature and log in to captive portals using regular Web browser instead.
708+ recommend : standard
709+ docs :
710+ # Risks with captive portals:
711+ - https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy
712+ # More about apple Captive portal:
713+ - https://web.archive.org/web/20171008071031if_/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html#.WdnPa5OyL6Y
714+ - https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html
715+ - https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/
716+ code : sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false
717+ revertCode : sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active
718+ -
719+ category : Use screen saver for protection
720+ children :
721+ -
722+ name : Require a password to wake the computer from sleep or screen saver
723+ # The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
724+ docs : https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230744
725+ code : sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true
726+ revertCode : sudo defaults delete /Library/Preferences/com.apple.screensaver askForPassword
727+ -
728+ name : Initiate session lock five seconds after screen saver is started
729+ docs : https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230745
730+ # An unattended system with an excessive grace period is vulnerable to a malicious user.
731+ code : sudo defaults write /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' -int 5
732+ revertCode : sudo defaults delete /Library/Preferences/com.apple.screensaver 'askForPasswordDelay'
733+ -
734+ category : Disable guest accounts
735+ docs :
736+ - https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230823
737+ - https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81615
738+ children :
739+ -
740+ name : Disables signing in as Guest from the login screen
741+ code : sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
742+ revetCode : sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool YES
743+ -
744+ name : Disables Guest access to file shares over AF
745+ code : sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO
746+ revetCode : sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool YES
747+ -
748+ name : Disables Guest access to file shares over SMB
749+ code : sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO
750+ revetCode : sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool YES
751+ -
752+ category : Prevent unauthorized connections
753+ children :
754+ -
755+ name : Disable remote login (incoming SSH and SFTP connections)
756+ recommend : standard
757+ docs : https://osxdaily.com/2016/08/16/enable-ssh-mac-command-line/
758+ # Check if enabled: sudo systemsetup -getremotelogin, returns "Remote Login: On" or "Off"
759+ code : echo 'yes' | sudo systemsetup -setremotelogin off
760+ revertCode : sudo systemsetup -setremotelogin on
761+ -
762+ name : Disable insecure TFTP service
763+ recommend : standard
764+ # If the system does not require Trivial File Transfer Protocol (TFTP), then support for
765+ # it is non-essential and should be disabled. The information system should be configured to
766+ # provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection
767+ # of devices and the unauthorized transfer of information.
768+ docs : https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230813
769+ code : sudo launchctl disable 'system/com.apple.tftpd'
770+ revertCode : sudo launchctl enable 'system/com.apple.tftpd'
771+ -
772+ name : Disable Bonjour multicast advertising
773+ recommend : standard
774+ docs : https://www.stigviewer.com/stig/apple_os_x_10.11/2017-04-06/finding/V-67593
775+ code : sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
776+ revertCode : sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool false
777+ -
778+ name : Disable insecure telnet protocol
779+ recommend : standard
780+ docs :
781+ - https://www.stigviewer.com/stig/apple_os_x_10.13/2020-09-11/finding/V-214882
782+ - https://www.stigviewer.com/stig/apple_os_x_10.10_yosemite_workstation/2017-04-06/finding/V-59671
783+ code : sudo launchctl disable system/com.apple.telnetd
784+ revertCode : sudo launchctl enable system/com.apple.telnetd
785+ -
786+ category : Disable printer sharing (IPP, LDP, SMB and Bonjour protocols)
787+ # Used typically for servers
788+ # By default, the CUPS only listens to requests from the machine that it's running on
789+ # cupsctl is a tool to manage the configuration of the CUPS daemon
790+ docs :
791+ - https://www.cups.org/doc/sharing.html
792+ - https://www.cups.org/doc/security.html # Security risks
793+ children :
794+ -
795+ name : Disable sharing of local printers with other computers
796+ recommend : standard
797+ docs : https://www.cups.org/doc/man-cupsctl.html
798+ code : cupsctl --no-share-printers
799+ revertCode : cupsctl --share-printers
800+ -
801+ name : Disable printing from any address including the Internet
802+ recommend : standard
803+ docs : https://www.cups.org/doc/man-cupsctl.html
804+ code : cupsctl --no-remote-any
805+ revertCode : cupsctl --remote-any
806+ -
807+ name : Disable remote printer administration
808+ recommend : standard
809+ docs : https://www.cups.org/doc/man-cupsctl.html
810+ code : cupsctl --no-remote-admin
811+ revertCode : cupsctl --remote-admin
677812 -
678813 category : Privacy over security
679814 children :
0 commit comments