Try   HackMD

macOS: Commandline & Basic Security Guidelines

if you're looking for true security, forget macos and windows altogether - You should be looking at OpenBSD, Whonix and/or Qubes for desktop use || GrapheneOS for mobile.

Table of Contents

This is a really really really high-level starter guide whose aim is merely to ensure minimal security standards for users of macOS.

Regarding the CLI Commands: Probably the most important part of this entire document is this yellow warning :arrow_down:

Since this guide will mostly focus on CLI commands there are a few commands whose importance and underlying capabilities should be highlighted due to their nature.

  • sudo - enables temporary elevated permissions and as such should be treated with the utmost respect. If you do not know what the snippet does and it is prefeced with sudo stackexchange, manpages and search engines are there for a reason.
  • rm -rf - rm alone means remove though when prefaced with the -rf options it will force remove anything which follow.
    ie) rm -rf ~/Documents : will lliterally remove your entire Documents folder without asking for you to confirm, leaving traces or having any mercy for you.
  • man : the man command is actually your best friend. man stands for manual (as in manual pages or man pages). As such whenever unsure of a command or what it does man <command> in order to find out what it does, what operators can be used with it and what ties into it.

The Guide

If you are a total beginner go back and read the yellow warning. (You do not have to be scared just ensure you always have a current backup of your system and that you fully trust whomever's code you're running and/or understand the commands you're typing in your prompt.).

MacOS Firewall

the built-in macOS firewall despite not being wordclass is probably enough for most individuals. If you are looking for something a bit more high-end though do some digging into pfctl also known as Packet Filtering (Native to the BSD community), OPNSense, FreeBSD, Shorewall, Suricata or just plain old iptables. PF is extremely powerful and should be explored, used and knowledge about it should be made commonly available to users; - though, let's get back to the simple macOS firewall.

# Turn on the firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
# Turn on StealthMode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
# Turn on Logging Mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

# Switch the Firewall to Block all incoming unnecessary connections. 
# This will temporarily break some services like Airplay Display mirroring 
# (but honestly, who needs that shit?)...
# Do yourself a favor and go read something.

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

# Disallow automatically built-in apps from receiving connections.
# Basically, you'll get a prompt to confirm connections before (Preferable)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off

# Same as the above command though the later is for built-in apps while this 
# is for signed applciations you download off the internet or package managers 
# Homebrew, macports, nix ...
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off

# List all apps which the firewall is currently blocking or allowing
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

# Block a Specific Application (this requires the full application $PATH)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/libexec/remoted

# It is always good practice to restart the firewall after interactive with it
sudo pkill -HUP socketfilterfw

Power Management

# These commands are pretty self explanatory if you do require further
# assistance would like to know what they do specifically `man  pmset`

sudo pmset -a standby 0
sudo pmset -a standbydelay 0 
sudo pmset -a powernap 0
sudo pmset -a ring 0 
sudo pmset -a womp 0 
sudo pmset -a networkoversleep 0 
sudo pmset -a ttyskeepawake 0
sudo pmset -a tcpkeepalive 0
sudo pmset -a sleep 25
sudo pmset -a displaysleep 20
sudo pmset -a destroyfvkeyonstandby 1

Metadata and Files

Removing Metadata Attributes from Files is a good practice for security and privacy (reading them is also good practice for intelligence gathering).
Commands like xattr and mdls can be used for this purpose.

# Print out attributes names and corresponding values of a given file
xattr -l ~/Downloads/LittleSnitch.dmg

# Removing the metadata attributes from the file.
# This will delete the metadata information from where you've downloaded the
# littlesnitch.dmg application url.
xattr -d com.apple.metadata kMDDItemWhereFroms ~/Documents/LittleSnitch.dmg

# Print of the values of all the metadata attirbutes associated with the
# given file
mdls ~/Downloads/LittleSnitch.dmg

The benefits of a Hosts File.

The hosts file contains information regarding the known hosts on the network. A hosts file can be utilized for great things such as blocking unwanted connections, malware and ads.

  • There are plenty of respectable hosts file out there (and plenty of shitty ones too) and which one you choose is not only a matter of personal preference but also tied in with which operating system you're using.
  • Personally, I'm a big fan of Steven Black's always updated, always maintained hosts file which you can inspect directly within his github repo.

In order to download and parse his hosts file automatically into your system's hosts file

# Curl and Append it using the `tee` command
curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts

# Flush the Directory Cache and kill mDNS Responder in order to load it
sudo dscacheutil -flushcache ; sudo pkill -HUP mDNSResponder
  • other options to using a hosts file is either using a paid service such as nextdns or something like Pi-Hole.
  • Truth be told: one does not exclude the use of the other

Password Managers

I cannot understate the importance of having and using a password manager.
That being said you should also do your own research and figure out how the service you are using stores secrets. Here are a few options to get you started:

  • 1Password
  • KeypassXC
  • GoPass
  • BitWarden Premium
  • CyberArk
  • OneLogin

Apple also maintains a document which is constantly updated regarding password managers nad the new macOS ventura claims Safari will be able to go virtually password-less using apple's passKeys
Apple Password Repo

Yubikeys

Regardless of what Password Manager you go with. One thing you should SERIOUSLY consider is getting yourself a Yubikey (A USB+NFC Hardware Device which can be used for MFA[Multi Factor Authentcation] - You know what this is: it's that pain in the ass process where you've got to punch in the numbers from authy or confirm you're the one logging into your email by dancing the macarena[or some other bs])

  • Yubikeys Make this Process a WHOLE lot simpler by allowing you to simply touch a little 'thumb-drive-like' device and it also does a whole lot more (From storing your PGP Keys, SSH authentication, TOTP, FIDO2, WebAuthn.

  • Please take some time to go over Yubico's Selection of Products and get yourself at least TWO(trust on me on this one - in case one fails, gets lost or eaten by your dog - it'll be a nightmare.)

Yubico's Yubikey 5c Website

GnuPG

The GNU Privacy Guard

There are plenty of articles and general information on GnuPG (It has been used, proved, tested, re-tested and is the Go-To for years).

  • GnuPG is a free implementation of the OpenPGP standards (commonly known as PGP)

  • GnuPG allows you to encrypt and sign your data and communications
    You can Find more info on GnuPG at GnuPG

  • The following is a hardened gpg.conf file (Usually the common $PATH for this file is $HOME/.gnupg/gpg.conf)

auto-key-locate keyserver
personal-digest-preferences SHA512 SHA384
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
keyid-format 0xlong
fixed-list-mode
no-comments
no-emit-version
no-emit-version
list-options show-uid-validity
verify-options show-uid-validity
charset utf-8
require-cross-certification
with-fingerprint
use-agent
verbose
auto-key-retrieve
no-symkey-cache
throw-keyids
# Keyserver URL
#keyserver
# Verbose output

Package Managers

In order to install and use unbundled system goodies and third-party apps from the command-line (from GUI's to Custom CLI commands or different versions of curl, wget, python, pip, gnupg, ruby, openssl, tmux, dnsx, docker). For Casks(GUI Apps) make sure the binary is signed : export HOMEBREW_CASK_OPTS=--require-sha

Homebrew Install

in order to install homebrew) just copy and paste the snippet from their website

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Now you can install programs using the brew command directly from your prompt.

# Homebrew's is maintained by OpenSource Developers
# Which means: The programs within homebrew are nine times out of ten a lot
# more up-to-date than the ones provided by apple.
# You can and should check this yourself
# $ curl --version 
# $ brew cat curl 


# Let's extend homebrew into also being able to download GUI programs
# Commonly referred to Casks
brew tap homebrew/casks

# For Background Services
# eg. dnsmasq, privoxy, stubby, dnscrypt, unbound
brew tap homebrew/services

# Install stubby : DNS privacy enabled stub resolver # service based on getdns
brew install stubby  # READ the Output and follow the guidelines in order to properly install and run stubby as background daemon - this is not rocket science.

# For Fonts
brew tap homebrew/cask-fonts

# Install Hack Patched Nerd Font 
brew install font-hack-nerd-font

# For Specific `Cask` (GUI) Versions
brew tap homebrew/cask-versions

# Homebrew's is maintained by OpenSource Developers
# Which means: The programs within homebrew are nine times out of ten a lot
# more up-to-date than the ones provided by apple.

# Install nmap (the Network Explorer's toolkit)
brew install nmap 

# WireShark CLi
brew install neovim

# Install Spotify
brew install spotify

# Install a better Terminal app (Apple's terminal is # incredible limited and does not process 24-bit      # color)
brew install iterm2 # Most Commonly Used
brew install alacritty # Rust-based OpenGL GPU Accelerated Terminal 

# Search for a program
brew search gpg # Will return both Formulae (CLI) and Casks(GUI)

# Search for a random web-browser
brew search --desc browser

# Updating Homebrew and cleaning out unnecessary files and leftovers
brew update && brew upgrade && brew cleanup --verbose 

# Ensuring Homebrew is Correctly Installed
brew doctor

# You can retrieve a certain Formulate or Casks' particular sha, download url and other # info using either one of these
brew cat
brew info
brew autoremove --verbose

# Turn off homebrew anayltics
brew analytics off

# Uninstall a Cask(GUI), Service or homebrew-installed CLI, TUI Program (Formulae)
brew uninstall --force <formulae>

# Substitute <caskname> with the desired GUI you want to zap out of your system
brew rm --cask --zap --force <caskName>

# List all Homebrew Commands
brew commands

Extra

1. The Best Advice Anyone in Security can ever Give you is Common Sense

If you do however decide to go down the OPSEC/OSINT rabbit hole,
always remember rule #1: STFU

:bulb: Word to the Wise :nerd_face: this is :sunglasses:

If you're a stranger to git, homebrew, terminal-commands and computers at large - a word to the wise:
Better Late then Never You should definitely understand and learn how to use the machines you spend your entire days behind (Not to mention trust all your data, bank accounts, personal preferences, secrets, password (must i go on?))

Word to the Unwise :confused: :cold_sweat: :shit:

Please keep automating your home with all the new smart connected devices while using passwords like PaS5w0rd and @password123 or !Password1.

Appendix and FAQ

This is a really really really high-level overview of macOS best practices If you'd like Further Information, search engines are there for a reason.

tags: CLI Documentation Starter Guides
Last changed by 
Rake
0
1936

Read more

index

Intro to About Rake: The Outer Edge of Technology

Dec 9, 2024
Headings

<a name="top"></a>

May 7, 2024
Static RAM PUF

[TOC] Notes: Kerchoff&apos;s Principle, CIA Triangle, Certificate Authority, Registration Authority, Remote Attestation, Intel SGX, AMD TrustZone, eFUSE, SRAM PUF, Instrinsic-ID, NXP, G+D, SecureFPGA, Trussed, openTitan Introduction Traditional Security Measures taken by SemiConductor Manufacturers. Semiconductor Manufacturers offer hardware based, step-up SKUs, implemented via : BBRAM/eFuse Options/One Time Password Solutions/Wire Bond-out/Die-specifc.

Dec 19, 2022
Untitled

_ _ __ /_\ _ __ __ _| |_ ___ _ __ ___ _ _ ___ / _| __ _ //_\\| &apos;_ \ / _` | __/ _ \| &apos;_ ` _ \| | | | / _ \| |_ / _` | / _ \ | | | (_| | || (_) | | | | | | |_| | | (_) | _| | (_| | \_/ \_/_| |_|\__,_|\__\___/|_| |_| |_|\__, | \___/|_| \__,_| |___/ ___ _ _____ _ _ / _ \ |__ ___ _ __ ___ _ __ /__ \_ __ __ _ _ __ ___ __ _ ___| |_(_) ___ _ __ / /_)/ &apos;_ \ / _ \| &apos;_ \ / _ \| &apos;_ \ / /\/ &apos;__/ _` | &apos;_ \/ __|/ _` |/ __| __| |/ _ \| &apos;_ \ / ___/| | | | (_) | | | | (_) | | | | / / | | | (_| | | | \__ \ (_| | (__| |_| | (_) | | | |

Oct 28, 2022
Read more from Rake
Published on HackMD