If you're looking for true security, forget macOS and Windows altogether: you should be looking at OpenBSD, Whonix and/or Qubes for desktop use, or GrapheneOS for mobile.
This is a really really really high-level starter guide whose aim is merely to ensure minimal security standards for users of macOS.
Regarding the CLI Commands: Probably the most important part of this entire document is this yellow warning
Since this guide will mostly focus on CLI commands, there are a few commands whose importance and underlying capabilities should be highlighted due to their nature.
- `sudo`: enables temporary elevated permissions and as such should be treated with the utmost respect. If you do not know what a snippet does and it is prefaced with `sudo`, StackExchange, manpages and search engines are there for a reason.
- `rm -rf`: `rm` alone means remove, though when given the `-rf` options it will force-remove anything that follows. `rm -rf ~/Documents` will literally remove your entire Documents folder without asking you to confirm, without leaving traces and without any mercy for you.
- `man`: the `man` command is actually your best friend. `man` stands for manual (as in manual pages or man pages). As such, whenever you are unsure of a command or what it does, run `man <command>` to find out what it does, what options can be used with it and what ties into it.

If you are a total beginner, go back and read the yellow warning. (You do not have to be scared, just ensure you always have a current backup of your system and that you fully trust whomever's code you're running and/or understand the commands you're typing in your prompt.)
The built-in macOS firewall, despite not being world-class, is probably enough for most individuals. If you are looking for something a bit more high-end, do some digging into pfctl, the control tool for PF (Packet Filter, native to the BSD community), as well as OPNsense, FreeBSD, Shorewall, Suricata or just plain old iptables. PF is extremely powerful and should be explored and used, and knowledge about it should be made commonly available to users; though, let's get back to the simple macOS firewall.
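As an added example (not part of the original guide), here is a small script that switches the built-in application firewall on and verifies it from the command line. It assumes the stock `socketfilterfw` binary at its usual path; the parser function is kept separate so it can be checked without a Mac.

```shell
#!/bin/sh
# Added example (not from the original guide): switch on and verify the
# built-in macOS application firewall from the command line. socketfilterfw
# is the CLI behind System Settings > Network > Firewall.
# Usage: sh fw.sh apply   (needs sudo)   |   sh fw.sh check
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Turn the text "socketfilterfw --getglobalstate" prints, e.g.
# "Firewall is enabled. (State = 1)", into on / off / unknown.
# State 2 means "block all incoming", which is also on.
fw_state_from_output() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) echo on ;;
        *"State = 0"*)               echo off ;;
        *)                           echo unknown ;;
    esac
}

# Baseline: firewall on, stealth mode on (ignore probes such as ping),
# logging on, and no blanket allow for downloaded signed apps, so each
# app that wants to listen gets an explicit prompt instead.
fw_apply_baseline() {
    sudo "$SFW" --setglobalstate on &&
    sudo "$SFW" --setstealthmode on &&
    sudo "$SFW" --setloggingmode on &&
    sudo "$SFW" --setallowsignedapp off
}

# Report the current state and the per-app rules; exit 1 if the
# firewall is off, so this can run from a cron job or login script.
fw_check() {
    state=$(fw_state_from_output "$("$SFW" --getglobalstate)")
    echo "firewall: $state"
    "$SFW" --getstealthmode
    "$SFW" --listapps
    [ "$state" = on ]
}

case "${1:-}" in
    apply) fw_apply_baseline && fw_check ;;
    check) fw_check ;;
esac
```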
Removing metadata attributes from files is good practice for security and privacy (reading them is also good practice for intelligence gathering).
Commands like xattr and mdls can be used for this purpose.
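As an added example (not from the original guide), this script uses the guide's own tools, xattr and mdls, to show which extended attributes a downloaded file carries and to strip the ones that record where it came from. The attribute names are the real macOS ones; the `--all` switch and the script name are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): inspect the extended
# attributes macOS attaches to downloaded files and strip the ones that
# leak where a file came from, using the guide's own tools xattr and mdls.
# Usage: sh strip-meta.sh FILE [--all]

# Classify one attribute name from "xattr FILE": "leaky" = records the
# download URL or date, "quarantine" = Gatekeeper's quarantine flag,
# "other" = anything else (Finder info, resource forks, ...).
classify_xattr() {
    case "$1" in
        com.apple.metadata:kMDItemWhereFroms)     echo leaky ;;
        com.apple.metadata:kMDItemDownloadedDate) echo leaky ;;
        com.apple.quarantine)                     echo quarantine ;;
        *)                                        echo other ;;
    esac
}

# Show everything, then remove the leaky attributes. The quarantine flag
# is kept unless --all is given: removing it also switches off the
# Gatekeeper check that runs the first time the file is opened.
strip_meta() {
    f=$1; mode=${2:-}
    if ! command -v xattr > /dev/null; then
        echo "xattr not found; this part only runs on macOS" >&2; return 1
    fi
    xattr -l "$f"                                   # every attribute with its value
    mdls -name kMDItemWhereFroms "$f" 2> /dev/null  # what Spotlight indexed
    for name in $(xattr "$f"); do
        case "$(classify_xattr "$name")" in
            leaky) xattr -d "$name" "$f" && echo "removed $name" ;;
            quarantine)
                if [ "$mode" = --all ]; then
                    xattr -d "$name" "$f" && echo "removed $name"
                fi ;;
        esac
    done
    xattr "$f"                                      # what is left
}

if [ $# -gt 0 ]; then strip_meta "$@"; fi
```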
The hosts file contains information regarding the known hosts on the network. A hosts file can be utilized for great things such as blocking unwanted connections, malware and ads.
In order to download and parse his hosts file automatically into your system's hosts file
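As an added example (not the guide's own script), here is one way to pull a third-party blocklist into /etc/hosts without trusting it blindly: every line must be a sinkhole entry pointing at 0.0.0.0 or 127.0.0.1, otherwise the whole list is rejected, and the entries live between marker comments so the merge can be repeated or undone. The list URL is a placeholder; the marker names and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): download a third-party
# blocklist and merge it into /etc/hosts without trusting it blindly.
# Only sinkhole lines ("0.0.0.0 host" or "127.0.0.1 host") are kept, so
# a tampered list cannot point a domain at some other address, and the
# entries sit between marker comments so re-running replaces, not appends.
# LIST_URL is a placeholder: put the list the guide refers to here.
LIST_URL="https://example.invalid/hosts"
BEGIN_MARK='# BEGIN blocklist'
END_MARK='# END blocklist'

# stdin: raw list. stdout: accepted "addr host" lines. Exit 1 if any
# line is neither blank, a comment, nor a sinkhole entry.
filter_blocklist() {
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*(#.*)?$/ { next }
         $1 ~ /^(0\.0\.0\.0|127\.0\.0\.1)$/ && $2 ~ /^[A-Za-z0-9.-]+$/ { print $1, $2; next }
         { print "rejected: " $0 > "/dev/stderr"; bad = 1 }
         END { exit bad }'
}

# Print a hosts file with any previous marker block removed.
strip_old_block() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
        '$0 == b { skip = 1 } !skip { print } $0 == e { skip = 0 }' "$1"
}

install_blocklist() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$LIST_URL" | filter_blocklist > "$tmp"; then
        echo "blocklist rejected, /etc/hosts untouched" >&2
        rm -f "$tmp"; return 1
    fi
    sudo cp /etc/hosts "/etc/hosts.bak.$(date +%Y%m%d%H%M%S)"   # always keep a backup
    { strip_old_block /etc/hosts; echo "$BEGIN_MARK"; cat "$tmp"; echo "$END_MARK"; } \
        | sudo tee /etc/hosts.new > /dev/null
    sudo mv /etc/hosts.new /etc/hosts
    rm -f "$tmp"
    sudo dscacheutil -flushcache 2> /dev/null || true   # macOS: drop cached lookups
}

case "${1:-}" in
    install) install_blocklist ;;
esac
```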
I cannot understate the importance of having and using a password manager.
That being said you should also do your own research and figure out how the service you are using stores secrets. Here are a few options to get you started:
Apple also maintains a document, which is constantly updated, regarding password managers, and the new macOS Ventura claims Safari will be able to go virtually password-less using Apple's passkeys:
Apple Password Repo
Regardless of what password manager you go with, one thing you should SERIOUSLY consider is getting yourself a YubiKey (a USB+NFC hardware device which can be used for MFA [Multi-Factor Authentication]. You know what this is: it's that pain in the ass process where you've got to punch in the numbers from Authy or confirm you're the one logging into your email by dancing the macarena [or some other bs]).
YubiKeys make this process a WHOLE lot simpler by allowing you to simply touch a little 'thumb-drive-like' device, and they also do a whole lot more (from storing your PGP keys to SSH authentication, TOTP, FIDO2 and WebAuthn).
Please take some time to go over Yubico's selection of products and get yourself at least TWO (trust me on this one: if your only one fails, gets lost or is eaten by your dog, it'll be a nightmare).
The GNU Privacy Guard
There are plenty of articles and general information on GnuPG (it has been used, proven, tested, re-tested and has been the go-to for years).
GnuPG is a free implementation of the OpenPGP standard (commonly known as PGP).
GnuPG allows you to encrypt and sign your data and communications.
You can find more info on GnuPG at GnuPG.
The following is a hardened gpg.conf file (usually this file lives at $HOME/.gnupg/gpg.conf).
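As an added example (not the guide's own gpg.conf, which did not survive on this page), the script below writes a hardened gpg.conf built from widely published hardening advice and includes a checker that reports which hardening options a given gpg.conf is missing. The option names are real GnuPG options; the function names and the REQUIRED list are my own.

```shell
#!/bin/sh
# Added example (not the guide's own gpg.conf): write a hardened gpg.conf
# and check that a given gpg.conf carries the hardening options. Choices
# follow common published hardening: strong algorithm preferences, no
# version or comment leakage, long key ids with fingerprints, hkps keyserver.
GPG_CONF="${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"
# Option names a hardened gpg.conf must contain.
REQUIRED="personal-cipher-preferences personal-digest-preferences
default-preference-list cert-digest-algo s2k-digest-algo s2k-cipher-algo
no-emit-version no-comments keyid-format with-fingerprint
require-cross-certification no-symkey-cache keyserver"

write_hardened_gpg_conf() {
    dest=${1:-$GPG_CONF}
    mkdir -p "$(dirname "$dest")" && chmod 700 "$(dirname "$dest")"
    if [ -f "$dest" ]; then cp "$dest" "$dest.bak"; fi   # keep the old one
    cat > "$dest" <<'EOF'
# strongest algorithms first; never negotiate down to weak ones
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
# leak less: no version banner or comment in armored output
no-emit-version
no-comments
# long key ids plus fingerprints, so look-alike short ids cannot fool you
keyid-format 0xlong
with-fingerprint
list-options show-uid-validity
verify-options show-uid-validity
# signing subkeys must prove they belong to the primary key
require-cross-certification
no-symkey-cache
charset utf-8
keyserver hkps://keys.openpgp.org
EOF
    chmod 600 "$dest"
}

# Exit 0 if every option in REQUIRED is set in the file, else name the
# missing ones and exit 1.
check_gpg_conf() {
    f=${1:-$GPG_CONF}; missing=0
    for opt in $REQUIRED; do
        grep -Eq "^$opt( |\$)" "$f" 2> /dev/null || { echo "missing: $opt"; missing=1; }
    done
    return $missing
}
```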
Homebrew lets you install and use unbundled system goodies and third-party apps from the command line (from GUIs to custom CLI commands or different versions of curl, wget, python, pip, gnupg, ruby, openssl, tmux, dnsx, docker…). For Casks (GUI apps), make sure the download has a checksum Homebrew will verify: export HOMEBREW_CASK_OPTS=--require-sha
To install Homebrew, just copy and paste the snippet from their website. Now you can install programs using the brew command directly from your prompt.
1. The Best Advice Anyone in Security can ever Give you is Common Sense
If you do however decide to go down the OPSEC/OSINT rabbit hole, always remember rule #1: STFU.
If you're a stranger to git, Homebrew, terminal commands and computers at large, a word to the wise: better late than never. You should definitely understand and learn how to use the machines you spend your entire days behind (not to mention trust with all your data, bank accounts, personal preferences, secrets, passwords (must I go on?)).
Word to the Unwise
Please keep automating your home with all the new smart connected devices while using passwords like `PaS5w0rd` and `@password123` or `!Password1`.
This is a really really really high-level overview of macOS best practices… If you'd like Further Information, search engines are there for a reason.