drduh / macos-security-and-privacy-guide
Guide to securing and improving privacy on macOS
Home Page: https://drduh.github.io/macOS-Security-and-Privacy-Guide/
License: MIT License
So I know this isn't fully just for OS X, but knowing some Linux commands, I think, would be really helpful. What do you think of adding a small section labeled Linux commands, and we can add some common ones which would be helpful. An example is netstat, or ifconfig/ipconfig.
Let me know and I can start working on this and submit a pull request
Hi!
this line:
Don't use any of those Chromium-derived browsers. They are usually closed source, poorly maintained and make dubious claims to protect your privacy.
seems to contradict your earlier recommendation of Chrome (which is Chromium-derived). Perhaps clarify what you mean by "those Chromium-derived browsers"?
thanks.
Hello,
I understand you probably don't want to add too much information on this subject, but maybe something nice to add:
https://github.com/TheCreeper/PrivacyFox
Stay informed to react asap to new threats and security issues, as updates and patches are always appearing several days afterwards... sometimes even never.
http://arstechnica.com/security
https://www.sans.org/security-resources
https://www.qualys.com/company/newsroom/media-coverage
http://mobilesecurityreport.com
http://www.hotforsecurity.com
http://www.esecurityplanet.com/news
https://www.f-secure.com/en/web/labs_global/from-the-labs
Open this thread to add resources and info about El Capitan.
Some might be obsolete.
https://en.wikipedia.org/wiki/Sparse_image
http://osxdaily.com/2015/09/29/prepare-mac-os-x-el-capitan/
http://osxdaily.com/2015/09/30/create-os-x-el-capitan-boot-install-drive/
http://osxdaily.com/2015/10/01/clean-install-os-x-el-capitan-mac/
http://osxdaily.com/2015/10/09/howto-downgrade-os-x-el-capitan-mac/
http://osxdaily.com/2015/10/05/disable-rootless-system-integrity-protection-mac-os-x/
http://osxdaily.com/2015/05/04/disable-gatekeeper-command-line-mac-osx/
http://osxdaily.com/2015/10/12/secure-empty-trash-equivalent-mac-os-x/
I've noticed if you use OS X's VPN client (I have not tried openvpn) that if for some reason the VPN disconnects OS X will then start sending traffic over the next interface available. I'm not sure if there are any easy workarounds (I've seen posts where people setup the firewall to drop most traffic on the non-VPN interfaces) or if using openvpn can solve this problem (in which case, perhaps that should be made note of).
Not related to security as such, but if people are running the dnsmasq.conf from this guide as-is, it might make sense to include cache-size for tuning local caching of replies:
# Set the size of the dnsmasq cache. The default is to keep 150 hostnames
cache-size=8192
Similarly, as we only want to perform lookups via the config's server= directives, we should explicitly disable use of the resolv.conf for determining available nameservers:
# forces dnsmasq to query the servers strictly in the order they appear
strict-order
# prevent dnsmasq from reading /etc/resolv.conf or any other file
no-resolv
In El Capitan OpenSSL's libraries are still provided but headers have been removed from the OS X SDKs. As a result, you should no longer encourage the use of brew link openssl --force, as clang's default link and library paths mean that you may end up using newer Homebrew OpenSSL headers but link against the older, system version.
For a reproduction example see https://gist.github.com/tdsmith/4b502c5cc6e7d358acdf
Hi,
In the advanced settings of the firewall in OS X, there's a checkbox named "Automatically allow signed software to receive incoming connections". This checkbox is enabled by default on a new install of 10.11.1.
While one should be in control of what software is running and listens on ports, perhaps we should encourage setting this to off? Just because a software is signed doesn't mean we want incoming connections to it to be allowed by default.
What about adding a new section on testing/checking tools and services?
Check Browser Vulnerabilities
https://browsercheck.qualys.com
https://www.browserleaks.com
https://www.browserleaks.com/webrtc
https://www.browserleaks.com/firefox
https://www.poodletest.com - Check if browser is vulnerable due to SSLv3 via block ciphers support.
http://browserspy.dk - Show all the information a browser releases.
Check DNS Leak
https://dnsleaktest.com - Test if your defined DNS servers are leaking information, even when using a secure anonymity or privacy services.
Check Network Vulnerabilities
http://www.speedguide.net/scan.php - Scan Ports for vulnerabilities
http://www.speedguide.net/ports.php - Ports Database of known vulnerabilities
http://www.acunetix.com/free-network-security-scan
Check SSL of a Web Server
https://www.ssllabs.com/ssltest - Deep analysis of the configuration of an SSL web server
Information
http://whoer.net - Information about the DNS you are using, not just a simple show IP tool.
http://lg.sdv.fr - IP4/6 Looking Glass and BGP map tools.
http://www.team-cymru.org/IP-ASN-mapping.html - map IP numbers to BGP prefixes and ASN for WHOIS, DNS and HTTP(S).
http://speedtest.net - Test your internet speed, useful to know the impact of using a VPN,...
Device Fingerprinting
http://noc.to - Device fingerprinting test and reports. Source Code
https://panopticlick.eff.org - Raw DFP results
https://amiunique.org - Detailed DFP results and resources.
Anti-Virus Comparatives
http://www.av-comparatives.org
https://www.av-test.org
Miscellaneous
https://geti2p.net - I2P is an anonymous overlay network for privacy protection.
https://www.wireshark.org - WireShark is a network protocol analyzer.
https://nmap.org - "Network Mapper" for network discovery and security auditing.
http://sectools.org - Extensive list of 'all' security tools.
https://nordvpn.com/chat - Online secure encrypted chat.
https://nordvpn.com/secret-notes - Create a message that will be destroyed after first reading.
http://contagiodump.blogspot.be - Collection of latest malware samples, threats, observations and analyses.
Can I ask if it is possible for someone to provide friendly instructions on how to disable the Bonjour multicast in OS X El Capitan 10.11? (btw discoveryd is out and mDNSResponder... is back)
Nice write-up! I've done something similar a while ago: https://github.com/l1k/osxparanoia
Maybe you want to add some of my findings to your text or include that in your link list.
Hi, I use this once in a while, but it's a great framework developed by the security folks at Facebook and Etsy. If possible we could do a small write-up regarding MIDAS. Let me know what you think.
Protip: Use your Mac a little before turning on the FileVault encryption. Install programs, set up first and click around to make your system-generated random key stronger.
Not an anti-virus/malware, more a security monitoring and reporting tool for desktop computers, laptop, virtual machines and servers!
Really great, just installed it on our 5 devices.
What advantage I see with Gears: if one of 'your' devices is 'compromised' you can warn its owner to avoid connecting to others and take action to restore it.
Free for 25 devices.
https://www.opswatgears.com/
I know that you already have a comment warning people that "VPN software [typically] overrides DNS settings on connect". However, I wonder if we can do better than that? By adding a pf rule to redirect all udp 53 traffic to the local dnsmasq (to prevent the network config nameserver setting having any effect) and only permit dnscrypt to perform the outgoing lookups (either trivially, using a non-53 port for the public server, or with a more advanced pf rule). Then we can add a small entry under the DNS section to explain how people may add additional server entries to their dnsmasq config to direct DNS queries for certain domains to specific upstream nameservers and hence only use the company's nameserver for looking up private domains within the company, and not send all their DNS traffic that way.
e.g., server=/internal.example.com/192.168.100.1
will direct all queries in the internal domain to the correct nameserver. You can specify more than one domain in each server option. If there is more than one internal domain, you just include as many server options as is needed to specify them all.
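A worked version of the setup proposed in this issue and of the fail-open VPN problem raised earlier in the thread, added here as an example and not taken from the guide or from any poster. It generates the dnsmasq directives (loopback-only listener, no resolv.conf, upstream through dnscrypt-proxy, the per-domain server= override) and a pf anchor that redirects every outbound port-53 query, including ones aimed at a resolver the VPN pushed, back to 127.0.0.1, plus an optional kill switch so nothing leaves on another interface when the tunnel drops. Assumptions: dnscrypt-proxy listens on 127.0.0.1:40, dnsmasq and dnscrypt-proxy run as "nobody" after dropping privileges (pf's user match is what keeps their own upstream queries out of the redirect), Homebrew paths, a utun0 tunnel, and that /etc/pf.conf declares both rdr-anchor "dns" and anchor "dns". The lo0 route-to/rdr trick is needed because locally generated packets never see an inbound rdr on the egress interface.

```shell
#!/bin/sh
# Added example, not from the guide or this issue: pin every DNS query to the
# local dnsmasq with pf, let only dnscrypt-proxy talk upstream, and fail closed
# when the VPN drops. Assumptions: dnscrypt-proxy listens on 127.0.0.1:40,
# dnsmasq and dnscrypt-proxy drop privileges to user "nobody", dnsmasq's config
# is /usr/local/etc/dnsmasq.conf, and /etc/pf.conf declares the anchor twice:
#   rdr-anchor "dns"   in the translation section
#   anchor "dns"       in the filter section
set -eu

DNSCRYPT_LOCAL_PORT=40
DNSMASQ_CONF=/usr/local/etc/dnsmasq.conf
DNSMASQ_PLIST=/Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
PF_ANCHOR=dns
PF_ANCHOR_FILE=/etc/pf.anchors/dns

# dnsmasq: listen on loopback only, never read resolv.conf, forward everything
# to dnscrypt-proxy except the internal domain, which goes to the company
# resolver, so that resolver only ever sees internal names.
dnsmasq_conf() {
    cat <<EOF
listen-address=127.0.0.1
bind-interfaces
no-resolv
strict-order
cache-size=8192
server=127.0.0.1#${DNSCRYPT_LOCAL_PORT}
server=/internal.example.com/192.168.100.1
EOF
}

# pf: locally generated packets never hit an inbound rdr on the egress
# interface, so route port-53 traffic to lo0 first and rdr it there. Sockets
# owned by "nobody" (dnsmasq and dnscrypt-proxy once they drop privileges) are
# passed before the route-to rule so their upstream queries do not loop back;
# everyone else's port-53 traffic is redirected. rdr must precede filter rules.
pf_dns_rules() {
    cat <<EOF
rdr pass on lo0 proto { tcp, udp } from any to ! 127.0.0.1 port 53 -> 127.0.0.1 port 53
pass out quick proto { tcp, udp } from any to any port 53 user nobody
pass out quick route-to lo0 proto { tcp, udp } from any to ! 127.0.0.1 port 53
EOF
}

# Kill switch: only loopback, the tunnel interface, the tunnel endpoint itself
# and DHCP renewals may leave the machine; everything else is dropped instead
# of falling back to the next interface. Interface (utun0 is typical for
# Tunnelblick/OpenVPN), endpoint and port are parameters.
pf_vpn_killswitch() {
    vpn_if=$1; vpn_server=$2; vpn_port=${3:-1194}
    cat <<EOF
pass out quick on lo0
pass out quick on ${vpn_if}
pass out quick proto udp from any to ${vpn_server} port ${vpn_port}
pass out quick proto udp from any port 68 to any port 67
block drop out quick on ! ${vpn_if}
EOF
}

# Run on the Mac as an admin: write both configs, check the anchor parses, load
# it, enable pf, restart dnsmasq and point the system resolver at it.
apply_dns_pinning() {
    vpn_if=$1; vpn_server=$2
    dnsmasq_conf | sudo tee "$DNSMASQ_CONF" >/dev/null
    { pf_dns_rules; pf_vpn_killswitch "$vpn_if" "$vpn_server"; } | sudo tee "$PF_ANCHOR_FILE" >/dev/null
    sudo pfctl -n -f "$PF_ANCHOR_FILE"                # parse only, loads nothing
    sudo pfctl -a "$PF_ANCHOR" -f "$PF_ANCHOR_FILE"   # load into the anchor
    sudo pfctl -E                                      # enable pf (reference counted)
    sudo launchctl unload "$DNSMASQ_PLIST" 2>/dev/null || true
    sudo launchctl load -w "$DNSMASQ_PLIST"
    sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
}

# Leak check: the only nameserver should be 127.0.0.1, and a query sent at a
# foreign resolver is either answered by dnsmasq (redirected) or not at all.
dns_check() {
    scutil --dns | grep nameserver
    dig +short @127.0.0.1 example.com
    dig +short @8.8.8.8 +time=2 +tries=1 example.com || echo "direct query blocked"
    sudo pfctl -a "$PF_ANCHOR" -s all
}

if [ "${1:-}" = "--apply" ]; then
    apply_dns_pinning "${2:-utun0}" "${3:?usage: $0 --apply <vpn_if> <vpn_server_ip>}"
fi
```

With the kill switch loaded, nothing but the tunnel handshake leaves the machine until the VPN is up, which is the point; drop pf_vpn_killswitch from the anchor if you only want the DNS pinning. dnscrypt-proxy's public resolver may use any port, because its sockets are owned by "nobody" and are passed before the redirect.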
Is there any risk by allowing these options in Syst. Prefs - Security - Confidential: ~
o send diagnostic data to Apple
o share with third party app developers
What's your opinion?
Data are sent, some might be giving a lot of details, are they even encrypted?
Instead of
brew install gpg
suggest using
brew install homebrew/versions/gnupg21
See this for more details
Hi drduh, hi rishadafc,
I have the same problem as rishadafc, but I have not found a solution yet.
If I run "defaults read /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist" the following appears
{
KeepAlive = 1;
Label = "homebrew.mxcl.dnsmasq";
ProgramArguments = (
"/usr/local/opt/dnsmasq/sbin/dnsmasq",
"--keep-in-foreground",
"-C",
"/usr/local/etc/dnsmasq.conf"
);
RunAtLoad = 1;
}
If I run "sudo /usr/local/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /usr/local/etc/dnsmasq.conf" the following appears
dnsmasq: failed to create listening socket for 127.0.0.1: Address already in use
Do you know a solution for my problem? Thanks a lot and best regards, Jonas
Hello,
Little Snitch just blocked a NetBIOS outgoing link while I was modifying the firewall.
action: deny
direction: outgoing
process: /usr/sbin/netbiosd
owner: system
destination: 185.94.111.1
port: 56198
protocol: 17
IP from Qrator, Russia, which collects a lot of network data and provides interesting results.
Could the weaknesses of your ISP or web hosting services have a direct impact?
Thanks,
185.94.108.0 - 185.94.111.255
netname: RU-QRATOR-20150331
% Information related to '185.94.111.0/24AS197068'
route: 185.94.111.0/24
descr: radar.qrator.net scan network
Regarding the firmware password.
It is possible (and rather easy) to remove it with physical access to the machine via a SPI flasher.
It is good enough against lame thieves that have no info on how to do this but there are specialised flashers for this purpose being sold on the Internet so it's a protection on a limited threat scenario. Still it is recommended to have one anyway.
Best,
fG!
Since Mavericks, every OS X installer has included a tool to make installation media automatically. It's called createinstallmedia and it can be found in /Applications/Install OS X Yosemite.app/Contents/Resources/createinstallmedia. Run it in terminal with no arguments and it should explain how it's used. Faster and more reliable than flashing InstallESD.
Obviously no sshd running is the most secure option, but as it is a typical service that people might run for secure access, particularly in the non-laptop case, then recommending some hardening options might be sensible:
# append with tee -a; a plain tee would replace the whole file with these three lines
sudo tee -a /etc/sshd_config <<EOF
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
The options are taken from travis-ci's osx slave config. Essentially these would only permit ssh login using public key authentication against an entry in the given $USER's authorized_keys file; all other forms of password-based auth are disabled. If the suggestion in #9 gets added, then you probably also want to add the 'Administrator' username to DenyUsers in sshd_config as well. Running brew install fail2ban could be a recommended hardening step as well.
There are probably further restrictions that could be added, such as choosing a random unassigned port to open for SSHd access via the Port xxxx directive in sshd_config. Similarly, enforcing only the most secure ciphers are used via the Ciphers and MACs options.
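A fuller version of the hardening suggested in this issue, added here as an example that is not the guide's or the poster's own code. It emits a key-only fragment (including the DenyUsers entry for an "Administrator" account, a placeholder taken from the suggestion above), audits an existing sshd_config against it, and merges the two so the fragment actually takes effect: sshd honours the first occurrence of a directive, so appending "PasswordAuthentication no" below an existing "PasswordAuthentication yes" changes nothing. Assumptions: OpenSSH 6.9 as shipped with 10.11 (the listed ciphers, MACs and KEX are available there), the config at /etc/ssh/sshd_config, and launchd socket activation, which on OS X means a Port directive in sshd_config is ignored and the port is changed via the ssh entry in /etc/services instead, so no Port line is generated.

```shell
#!/bin/sh
# Added example, not from the guide or this issue: a key-only sshd hardening
# fragment, an audit of an existing sshd_config against it, and a merge that
# makes the fragment win. Assumptions: OpenSSH 6.9 as shipped with 10.11 (so
# the ciphers, MACs and KEX below exist), config at /etc/ssh/sshd_config, and an
# "Administrator" account that must never log in over ssh. On OS X launchd owns
# the listening socket (ssh.plist), so Port in sshd_config is ignored; change
# the ssh line in /etc/services instead.
set -eu

SSHD_CONFIG=/etc/ssh/sshd_config
DENY_USER=${DENY_USER:-Administrator}

# Each line is "Key value" with a single-token value so the audit can compare.
sshd_hardening_conf() {
    cat <<EOF
PermitRootLogin no
DenyUsers ${DENY_USER}
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
LoginGraceTime 30
MaxAuthTries 3
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
EOF
}

# sshd honours the FIRST occurrence of a key, so a hardening line appended
# below an existing "PasswordAuthentication yes" changes nothing. Print every
# key whose first effective value in the given file differs from ours.
sshd_missing_directives() {
    conf=$1
    sshd_hardening_conf | while read -r key want; do
        have=$(awk -v k="$key" 'tolower($1)==tolower(k) {print $2; exit}' "$conf")
        [ "$have" = "$want" ] || echo "$key"
    done
}

# Merged config on stdout: our directives first, then the existing file minus
# any line that sets one of the same keys (commented-out lines are kept).
merge_sshd_config() {
    conf=$1
    keys=$(sshd_hardening_conf | awk '{print $1}' | paste -s -d '|' -)
    sshd_hardening_conf
    grep -Eiv "^[[:space:]]*(${keys})[[:space:]]" "$conf" || true
}

# Run on the Mac as an admin: back up, merge, syntax-check, bounce sshd, re-audit.
apply_sshd_hardening() {
    merged=$(mktemp)
    merge_sshd_config "$SSHD_CONFIG" > "$merged"
    sudo cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    sudo cp "$merged" "$SSHD_CONFIG"
    rm -f "$merged"
    sudo /usr/sbin/sshd -t -f "$SSHD_CONFIG"
    sudo systemsetup -f -setremotelogin off
    sudo systemsetup -setremotelogin on
    still=$(sshd_missing_directives "$SSHD_CONFIG")
    if [ -n "$still" ]; then
        echo "still not effective: $still" >&2
        return 1
    fi
    echo "sshd_config hardened"
}

if [ "${1:-}" = "--apply" ]; then
    apply_sshd_hardening
fi
```

Run the audit first (sshd_missing_directives /etc/ssh/sshd_config) to see what the stock file already sets; keep an existing session open while applying so a mistake in the merged file cannot lock you out.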
I have a machine w/ a few different users. In order to make privoxy work for all users, I need to put the privoxy *plist in LaunchDaemons, not LaunchAgents. Is there a reason I should not do this? Both dnsmasq and dnscrypt are setup through LaunchDaemons.
Don't know if you like this kind of explanation; some are already in the main document.
Perhaps a small brief summary, something like
Firefox
OFF - Download abcde
ON - Stop this
Here is one I was not aware of:
http://www.makeuseof.com/tag/google-is-secretly-recording-you-heres-how-to-make-them-stop/
I followed the instructions to set up dnsmasq. As soon as I reach this step, I lose access to the internet:
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
I tried clearing my DNS cache but that did not work. I'm running OS X El Capitan.
I really appreciate the work you've done in the Security and Privacy Guide.
I'm interested in how you implement the "Services" section.
Do you incorporate the functions there via a login script (.profile, .bashrc, etc.)
Or do you run them manually?
When I run them manually, I'm required to authenticate some of the services, which would make login script implementation cumbersome.
Just wondering how you do it, and perhaps adding those instructions to the README.MD.
Thanks again for a great guide!
May I suggest a section, or a few additions, to mention useless/weak protections, tools and settings (and/or holes in them) and the available alternatives.
Sorry no time to do it.
Thanks for your great work.
VPN - PPTP, useless, insecure, better than nothing
VPN but still use ISP DNS, not all exchange through VPN and VPN with DNSLeak-browser involved
VPN disconnect without killswitch (block all communication if vpn stops)
VPN and accessing your usual accounts, eg gmail, webmail, contacts...
WIFI - WEP
Mobile phone/Computer with Location activated
Browser Finger Print, uses one only for secure works, another for whatever
HTTP with MiTM, move to HTTPS
You get the idea...
Forgot this one, still used by so many, not by the audience here of course :-) Zip passwords!
Hi DrDuh,
Up to you to evaluate and see what to do with these sites, remarks, questions or explanations collected from....., some are above my ItQ 👀
Sorry for my usual mess.
Thank you,
https://letsencrypt.org
https://github.com/okTurtles/dnschain
http://thehackernews.com/2015/10/nsa-crack-encryption.html
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
FOR FASTER VPN
VPN for privacy... but VPN are always starting after other programs which might already have accessed internet...
Paranoia
Who is behind these testing websites.
Nice places to collect data, browser fingerprints... especially when you are testing your 'uncompleted/unsafe' configuration.
whoer, browserleaks, ipleak and similar, why so many 'secret/domain-by-proxy...' whois?
We use Google Public DNS server, which we consider unproblematic. It is not only the biggest public server with over 130 billion requests per day and works fast, but also does not store personally identifiable information nor IP-addresses permanently and all temporary logs are deleted after 48 hours at the latest. (from a VPN provider... don't remember)
Though Google DNS resolvers are censoring several kinds of sites and are among the companies providing data to bigbro...
2FA
Don't forget to have a 'backup', e.g. like printed code for Google Authenticator, in case your phone is down.
Don't know where to add these two free applications...
UTM Home Edition
https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
Free Home Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached. It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses.
Requires a dedicated newly formatted PC, not a Mac.
I like this feature: can use multiple Internet connections at the same time, giving you more bandwidth.
UTM Essential Firewall
https://www.sophos.com/en-us/products/free-tools/sophos-utm-essential-firewall.aspx
Free version of the Sophos UTM software and offers fundamental security functions to help protect any business network. Start today and implement a firewall into your company’s IT environment—without charge and no strings attached.
Unfortunately its currently Firefox-only as Chrome hasn't supplied the necessary hooks yet, but it is still probably worth linking to Certificate Patrol.
The last dnscrypt upgrade through homebrew changed the path to the dnscrypt-resolvers.csv file from /usr/local/Cellar/dnscrypt-proxy/1.6.0/share/dnscrypt-proxy/dnscrypt-resolvers.csv to /usr/local/Cellar/dnscrypt-proxy/1.6.0_1/share/dnscrypt-proxy/dnscrypt-resolvers.csv
Is there any way to automatically correct those changes, so it doesn't break the homebrew.mxcl.dnscrypt-proxy.plist on each upgrade?
I noticed the SIP section included in the guide but it doesn't have much on disabling it and since SIP is enabled by default. Obviously, it is super trivial to just type:
# csrutil disable
At the bash prompt, however if you do not do it you can't follow the guide. None of the changes will hold, if they are even possible.
launchctl commands fail and cannot find any services running. After removing it the following programs can be deleted:
If you dump too many programs or services the OS WILL destabilize. I unloaded many services as well. I unloaded all of the ones in the guide without too many issues.
Stability: Other services and daemons (and possibly some of the below) can cripple and destabilize the OS. It seems to rely a lot more heavily on the core services, and CPU spikes seem to occur due to persistent connection attempts or program requirements.
Firmware: You cannot dump RAM with this PW enabled, which is a bitch. This has always been the case, but it isn't mentioned. If there is a way to do it, would love to know.
Dump unused languages: You CANNOT dump unused languages with Monolingual unless you are running rootless.
tl;dr please include csrutil disable in the guide as running does not seem possible without doing that first.
I've been a long time user of the streisand project.
I'm also an user of dnsmasq for development purposes (to redirect all *.dev domains to localhost)
So, reading about dnscrypt in your guide, it seemed like an easy addition to get some extra level of privacy.
Your instructions were crystal clear, and after the setup, everything worked fine... Until the moment that I connected to my VPN using tunnelblick.
Most VPNs override the DNS settings, and therefore they break with dnscrypt.
Has something like this happened to you before? If so, how did you fix it?
Hi,
I'm the OS X maintainer for Privoxy. The Homebrew recipe for Privoxy installation is weak in a number of regards, chief among which is that it leaves Privoxy running as root which is of course an unnecessary security risk. The supported installer (available at http://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/) does not suffer the weaknesses of the Homebrew recipe (it is also as easy to uninstall and includes complete instructions for configuration and obtaining support). Please could you consider altering the HTTP section of your instructions to point readers to this installer instead of using Homebrew?
Separately, many thanks for creating this guide - I've been reading through it with great interest!
Regards,
Ian Silvester
For those who think an AV is a good thing... private joke
It is here, menu FREE - freebies.
If you want to be nice, you can click my affiliate link below, even if I get nothing on this one... it is free :-)
https://stacksocial.com/?rid=1465893
Thanks
Hello,
Sorry, I don't have time to write it 'correctly' for a merge; I made a copy/paste from my ugly site ;-)
First, may I suggest to add a table of contents/index on top for main subjects.
I have no link with the following, I am using several of them.
Thanks,
Stf
For your VPN chapter and other tools/services you can find very great deal (sometimes free for life) at
Concerning VPN, I have bought 3 for-life deals (ipnator, vpnunlimited and tigervpn); I will try to make a small report about them, how they are on a Mac (and Android).
StackSocial.com
Giveaways and deals available for just a few days on normally paid software, hardware, tutorials, bundles, gadgets... Some discounts are up to 99%, some are free or you give your own price.
Pay attention, some offers can be cheaper on other shopping sites
If you want to thank me for sparing you hundreds of dollars, you can click on my affiliate link
https://stacksocial.com/?rid=1465893
StartSSL.com
Free 256-bit SSL Certificate (Class 1) including Web server certificates (SSL/TLS), Client and Email Certificates (S/MIME).
With a 128 bits and 256 bits encryption, 10000 $USD insurance guaranteed.
Valid one year and can be renewed for free.
https://www.comodo.com/home/email-security/free-email-certificate.php
Free for personal/home users and 12 USD/year for business users.
Comodo free email certificate provides digital signature for confidentiality, secure encryption, protect against identity theft, integrates with MS Office and usual applications, trusted by most email clients.
Check their free products page: antivirus, security tools, total uninstaller, firewall, rescue disk, backup...
SSLlabs.com
Free online security testing tools: SSL Server Test checks the configuration of SSL web server, SSL Client Test lists all SSL/TLS capabilities of your browser and SSL Fingerprint test.
Abine.com
Free temporary masked emails. Also encrypted passwords, protect credit card and phone numbers, block hidden trackers, auto-fill, sync...
SpamFence.net
Free spam filter service, 99% accuracy and no false positives!
Objective-see.com
1. KnockKnock UI - list persistently installed programs to reveal potential malware.
2. Dylib Hijack Scanner - list apps which can or have been hijacked by malicious dynamic libraries.
3. BlockBlock - prevent installation of any persistent programs without your authorization.
Bleep.pm
Highly secure, p2p, encrypted and native messaging application.
Fruux.com
Manage and synchronize contacts, calendars and tasks.
A very good backup.
Is it worth elaborating slightly on secure backup strategies and recommend some ways of performing zero-knowledge off-site backups where only you have access to the encryption key used?
Hi,
Thanks for the guide. Do you think setting up a non-admin and running under that along with an admin account for other things should be added, after the installation section? Running anything with elevated permissions is asking for trouble, especially a user account.
It might be worth noting that there are ~/Applications and ~/Library/LaunchAgents and ~/Library/Frameworks folders that can all be used instead of installing things system wide.
I'm happy to put these in pull requests if you agree they're worth it.
Regards,
iain
Hello,
Thank you for this guide! I totally understand what I'm doing with this. However, I got 2 things. The first is that you actually don't have to download the updates 10.10.4 and 10.10.5 anymore. Apple updated Yosemite to 10.10.5 for download in the App Store.
Now the second one. On the subject Services you wrote a script:
# shell (bash) function: unload a system launch agent by name and mark it disabled (-w)
function disable_agent {
    echo "Disabling ${1}"
    launchctl unload -w /System/Library/LaunchAgents/${1}.plist
}
What language is that? Is that AppleScript? Because I'm not really much into programming yet and don't know how to run it.
prov3it
Hi,
Can someone verify these hashes for the InstallESD.dmg file are what I have here for the 10.11.1 installer I downloaded from the Mac App Store yesterday? The guide needs to be updated with the new ones.
InstallESD.dmg
SHA-256: 6275929722c35674fce90d2272d383d49696096e8626ee7f7900dd0334167a9a
SHA-1: 306a080c07e293b6765ba950bab213572704acec
Also, what's the new build number? That info needs changing too I guess.
Cheers.
I could submit a PR for this but I'm not sure where to put them in the guide or how useful they will be over the tools and guides mentioned already so it's up to you to add them.
CIRCL automatic launch object detection for Mac OS X
Python script for updating the hosts file
CIS's Security Benchmark for OS X
Using Chrome as a recommended browser is a bit confusing.
Why would anyone go through all of the trouble to secure an OS X system, but then use a closed-source browser that has a history of consumer privacy issues?
Hi,
I just started reading the guide and since imaging is my day job I was happy to see that you started with a solid introduction to deploying OS X. However I'd like to propose some changes to the first section:
Now on to reading the rest of the guide... :)
A problem with downloading OS disk images (as opposed to receiving them on mass-produced physical media like CDs) is the threat that you receive a "special" version that is somehow compromised.
The threat model here is both Apple trying to slip you a special version of OS X if it wants to spy on you, or a third party messing with your copy.
While there is no way for us to know the "true copy", it might be useful to include a hash of a disk image of OS X that we believe to be un-tampered. This way, if you come across a disk image with a different hash, you know something is fishy.
2FA - Two-Factor Authentication for Websites and Mobile Apps
Google Authenticator and Authy
Authy is easier and has more features; it is also simpler when starting to use a new device!
https://support.google.com/accounts/topic/28786?hl=en
https://en.wikipedia.org/wiki/Google_Authenticator
https://www.authy.com/
I found another interesting computer forensic tool that could be useful to people. It's called OSXAuditor and it's a great tool to extract information from a Mac. And best of all, it's open source!! =)
Here is the github link: https://github.com/jipegit/OSXAuditor
I can do a small write-up and submit a pull request on it as well.
instead of
brew install openssl && brew link openssl
it should be
brew install openssl && brew link --force openssl