---
title: 'macOS Security Guide'
slugs: 'mac, cli, guide, macos, security'
tags: 'guide, macos, security'
---

macOS: Command-line & Basic Security Guidelines
===

:::spoiler if you're looking for true security, forget macOS and Windows altogether
- You should be looking at OpenBSD, Whonix and/or Qubes for desktop use || GrapheneOS for mobile.
:::

## Table of Contents
[TOC]

This is a really really really high-level starter guide whose aim is merely to ensure minimal security standards for users of macOS.

> ==Regarding the CLI commands: probably the most important part of this entire document is this yellow warning== :arrow_down:

:::warning
**Since this guide will mostly focus on CLI commands, there are a few commands whose importance and underlying capabilities should be highlighted due to their nature.**

- `sudo` - enables temporary elevated permissions and as such should be treated with the utmost respect. If you do not know what a snippet does and it is prefaced with `sudo`, Stack Exchange, man pages and search engines are there for a reason.
- `rm -rf` - `rm` alone means `remove`, though when given the `-rf` options it will force-remove anything which follows, recursively. ie) `rm -rf ~/Documents` will literally remove your entire Documents folder without asking you to confirm, leaving traces or having any mercy on you.
- `man` - the `man` command is actually your best friend. `man` stands for `manual` (as in manual pages or man pages). As such, whenever unsure of a command or what it does, run `man <command>` in order to find out what it does, what options can be used with it and what ties into it.
:::

## The Guide

If you are a total beginner go back and read the yellow warning. (You do not have to be scared, just ensure you **always have a current backup of your system** and that you fully trust whomever's code you're running and/or understand the commands you're typing in your prompt.)
---

#### macOS Firewall

The built-in macOS firewall, despite not being world-class, is probably enough for most individuals. If you are looking for something a bit more high-end, do some digging into `pfctl`, also known as Packet Filter (PF, native to the BSD community), OPNsense, FreeBSD, Shorewall, Suricata or just plain old iptables. PF is extremely powerful and should be explored and used, and knowledge about it should be made commonly available to users; though, let's get back to the simple macOS firewall.

```zsh
# Turn on the firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

# Turn on stealth mode (the machine stops answering ICMP pings and port probes)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

# Turn on logging mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

# Switch the firewall to block all incoming unnecessary connections.
# This will temporarily break some services like AirPlay display mirroring
# (but honestly, who needs that shit?)...
# Do yourself a favor and go read something.
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

# Do not automatically allow built-in signed software to receive incoming
# connections. Basically, you'll get a prompt to confirm connections first (preferable).
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off

# Same as the above command, though the former is for built-in apps while this
# is for signed applications you download off the internet or through package
# managers (Homebrew, MacPorts, Nix ...)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off

# List all apps which the firewall is currently blocking or allowing
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

# Block a specific application (this requires the full path to the application)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/libexec/remoted

# It is always good practice to restart the firewall after interacting with it
sudo pkill -HUP socketfilterfw
```

---

#### Power Management

```zsh
# These commands are pretty self-explanatory; if you do require further
# assistance or would like to know what they do specifically, `man pmset`.
# `-a` applies the setting to all power sources (battery, charger, UPS).
sudo pmset -a standby 0
sudo pmset -a standbydelay 0
sudo pmset -a powernap 0
sudo pmset -a ring 0
sudo pmset -a womp 0
sudo pmset -a networkoversleep 0
sudo pmset -a ttyskeepawake 0
sudo pmset -a tcpkeepalive 0
sudo pmset -a sleep 25
sudo pmset -a displaysleep 20
# Destroy the FileVault key held in memory when entering standby, so the
# disk password is required again on wake
sudo pmset -a destroyfvkeyonstandby 1
```

---

#### Metadata and Files

Removing metadata attributes from files is a good practice for security and privacy (reading them is also good practice for intelligence gathering). Commands like `xattr` and `mdls` can be used for this purpose.

```zsh
# Print out the attribute names and corresponding values of a given file
xattr -l ~/Downloads/LittleSnitch.dmg

# Remove a metadata attribute from the file.
# This deletes the record of the URL that LittleSnitch.dmg was downloaded from.
# (The attribute name is one token: the namespace and key joined by a colon.)
xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/LittleSnitch.dmg

# Print the values of all the Spotlight metadata attributes associated with the
# given file
mdls ~/Downloads/LittleSnitch.dmg
```

---

#### The benefits of a hosts file

The `hosts` file contains information regarding the known hosts on the network. A `hosts` file can be utilized for great things such as blocking unwanted connections, malware and ads.
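The download-and-append snippet further down pipes the upstream file straight into `/etc/hosts` with `tee -a`, which re-adds the whole list every time it is run and will happily append an HTML error page if the download fails. As an added example that is not part of the original guide, here is a small merge that validates each line, drops the upstream `localhost`-style entries (your own are already there), de-duplicates hostnames and keeps the blocklist inside a marked block so the operation can be repeated safely. The `# BEGIN`/`# END` marker strings, the function names and the accepted sink addresses (`0.0.0.0` and `127.0.0.1`) are my own choices, not a standard.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): merge a downloaded blocklist into a
# hosts file idempotently instead of blindly appending it with `tee -a`.
# Assumption: the blocklist is in hosts-file format (sink address, hostname).
set -u

BEGIN_MARK="# BEGIN blocklist (managed)"   # our own marker, not a standard
END_MARK="# END blocklist (managed)"

# Print only the lines of file $1 that are well-formed sink entries:
# a sink address, whitespace, a hostname made of [A-Za-z0-9.-], optional comment.
# Anything else (headers, HTML error pages, odd addresses) is dropped, as are the
# upstream loopback/broadcast entries, which the local hosts file already has.
filter_blocklist() {
  grep -E '^(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+[A-Za-z0-9.-]+([[:space:]]*#.*)?$' "$1" \
    | grep -Ev '[[:space:]](localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+)([[:space:]]|$)' \
    | awk '!seen[$2]++'   # keep the first occurrence of each hostname
}

# Write $3 = ($1 with any previous managed block removed) + a fresh managed block
# built from $2. Returns 1 without writing anything if the filtered blocklist is
# empty: a failed download must never wipe out a working blocklist.
merge_hosts() {
  base="$1"; blocklist="$2"; out="$3"
  entries="$(filter_blocklist "$blocklist")"
  [ -n "$entries" ] || return 1
  {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '$0==b{skip=1;next} $0==e{skip=0;next} !skip' "$base"
    printf '%s\n' "$BEGIN_MARK"
    printf '%s\n' "$entries"
    printf '%s\n' "$END_MARK"
  } > "$out"
}

# Count the entries inside the managed block of file $1 (for verification).
count_managed() {
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" '$0==e{f=0} f{n++} $0==b{f=1} END{print n+0}' "$1"
}

# Typical use on macOS (kept as comments so the file is safe to source):
#   curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -o /tmp/blocklist
#   sudo cp /etc/hosts /etc/hosts.bak
#   merge_hosts /etc/hosts /tmp/blocklist /tmp/hosts.new && sudo cp /tmp/hosts.new /etc/hosts
#   sudo dscacheutil -flushcache ; sudo pkill -HUP mDNSResponder
```

Because the merge writes to a scratch file and only the final `cp` needs `sudo`, a bad download (empty body, HTML error page, truncated transfer) leaves `/etc/hosts` untouched, and running it again after an update replaces the managed block instead of stacking another copy of the list on top.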
- There are plenty of respectable hosts files out there (and plenty of shitty ones too), and which one you choose is not only a matter of personal preference but also tied in with which operating system you're using.
- Personally, I'm a big fan of Steven Black's always updated, always maintained hosts file, which you can inspect directly within his GitHub repo. In order to download his hosts file and append it to your system's `hosts` file automatically:

```zsh
# Download it with curl and append it using the `tee` command
# (-f makes curl fail on an HTTP error instead of handing tee an error page)
curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts

# Flush the directory cache and reload mDNSResponder in order to pick it up
sudo dscacheutil -flushcache ; sudo pkill -HUP mDNSResponder
```

- Other options to using a hosts file are either a paid service such as [NextDNS](https://nextdns.io) or something like Pi-hole.
- Truth be told: one does not exclude the use of the other...

#### Password Managers

I cannot overstate the importance of having and using a password manager. That being said, you should also do your own research and figure out how the service you are using stores secrets. Here are a few options to get you started:

- 1Password
- KeePassXC
- gopass
- Bitwarden Premium
- CyberArk
- OneLogin

Apple also maintains a document, which is constantly updated, regarding password managers, and the new macOS Ventura claims Safari will be able to go virtually password-less using Apple's passkeys: [Apple Password Manager Resources](https://github.com/apple/password-manager-resources)

##### **Yubikeys**

:::info
Regardless of what password manager you go with, one thing you should SERIOUSLY consider is getting yourself a **YubiKey** (a USB+NFC hardware device which can be used for MFA [Multi-Factor Authentication] - you know what this is: it's that pain-in-the-ass process where you've got to punch in the numbers from Authy or confirm you're the one logging into your email by dancing the macarena [or some other bs]).
- YubiKeys make this process a WHOLE lot simpler by allowing you to simply touch a little thumb-drive-like device, and they also do a whole lot more (from storing your PGP keys to SSH authentication, TOTP, FIDO2 and WebAuthn).
- Please take some time to go over Yubico's selection of products and get yourself **at least TWO** (trust me on this one - in case one fails, gets lost or gets eaten by your dog, it'll be a nightmare).

> [Yubico's YubiKey 5C NFC website](https://www.yubico.com/br/product/yubikey-5c-nfc/)
:::

### GnuPG
---

**The GNU Privacy Guard**

> There are plenty of articles and general information on GnuPG (it has been used, proven, tested, re-tested and has been the go-to for years).
- GnuPG is a free implementation of the OpenPGP standard (commonly known as PGP)
- GnuPG allows you to encrypt and sign your data and communications

You can find more info on GnuPG at [GnuPG](https://gnupg.org)

- The following is a hardened `gpg.conf` file (usually the common path for this file is `$HOME/.gnupg/gpg.conf`)

```zsh
# Where to look for keys that are not in the local keyring
auto-key-locate keyserver
# Prefer strong digests and ciphers, both for our own keys and for what we send
personal-digest-preferences SHA512 SHA384
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
# Display long key IDs and full fingerprints; short key IDs are trivially collidable
keyid-format 0xlong
fixed-list-mode
with-fingerprint
list-options show-uid-validity
verify-options show-uid-validity
# Leak less about ourselves in the output
no-comments
no-emit-version
charset utf-8
require-cross-certification
# A dummy option since GnuPG 2.1 (the agent is always used); harmless on older versions
use-agent
verbose
# Fetch missing keys when verifying signatures. Note that this contacts the
# keyserver, so it reveals which keys you are looking up.
auto-key-retrieve
# Do not cache symmetric-encryption passphrases in the agent
no-symkey-cache
# Hide recipient key IDs in encrypted messages (recipients must try all their keys)
throw-keyids

# Keyserver URL
#keyserver
```

#### Package Managers
---

Package managers let you install and use unbundled system goodies and third-party apps from the command-line (from GUIs to custom CLI commands or different versions of curl, wget, python, pip, gnupg, ruby, openssl, tmux, dnsx, docker...). For casks (GUI apps) make sure the binary is signed: `export HOMEBREW_CASK_OPTS=--require-sha`

- [Homebrew](https://brew.sh)
- [Nix](https://nixos.org/download.html#nix-install-macos)
- [MacPorts](https://www.macports.org/)

### Homebrew Install
---

> In order to install **Homebrew** just copy and paste the snippet from their [website](https://brew.sh)

```zsh
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```

> Now you can install programs using the `brew` command directly from your prompt.

```zsh
# Homebrew is maintained by open-source developers,
# which means the programs within Homebrew are nine times out of ten a lot
# more up-to-date than the ones provided by Apple.
# You can and should check this yourself:
#   $ curl --version
#   $ brew cat curl

# Let's extend Homebrew into also being able to download GUI programs,
# commonly referred to as casks
brew tap homebrew/cask

# For background services
# eg. dnsmasq, privoxy, stubby, dnscrypt, unbound
brew tap homebrew/services

# Install stubby: DNS-privacy-enabled stub resolver
# service based on getdns
brew install stubby
# READ the output and follow the guidelines in order to properly install and
# run stubby as a background daemon - this is not rocket science.

# For fonts
brew tap homebrew/cask-fonts
# Install Hack patched Nerd Font
brew install font-hack-nerd-font

# For specific cask (GUI) versions
brew tap homebrew/cask-versions

# Install nmap (the network explorer's toolkit)
brew install nmap

# Install Neovim (editor)
brew install neovim

# Install Spotify
brew install spotify

# Install a better terminal app (Apple's Terminal is
# incredibly limited and does not process 24-bit
# color)
brew install iterm2     # most commonly used
brew install alacritty  # Rust-based OpenGL GPU-accelerated terminal

# Search for a program; will return both formulae (CLI) and casks (GUI)
brew search gpg
# Search descriptions, e.g. for a random web browser
brew search --desc browser

# Updating Homebrew and cleaning out unnecessary files and leftovers
brew update && brew upgrade && brew cleanup --verbose

# Ensuring Homebrew is correctly installed
brew doctor

# You can retrieve a certain formula's or cask's particular sha, download URL and other
# info using either one of these
brew cat <formula>
brew info <formula>

# Remove formulae that were only installed as dependencies and are no longer needed
brew autoremove --verbose

# Turn off Homebrew analytics
brew analytics off

# Uninstall a cask (GUI), service or Homebrew-installed CLI/TUI program (formula)
brew uninstall --force <formula>

# Substitute <caskName> with the desired GUI you want to zap out of your system
brew rm --cask --zap --force <caskName>

# List all Homebrew commands
brew commands
```

Extra
---

==1. The best advice anyone in security can ever give you is **common sense**==

> If you do however decide to go down the OPSEC/OSINT rabbit hole, always remember rule #1: ==__**STFU**__==

:bulb: **Word to the Wise** :nerd_face: this is :sunglasses:

> If you're a stranger to git, Homebrew, terminal commands and computers at large - a word to the wise:
> **Better late than never.** You should definitely understand and learn how to use the machines you spend your entire days behind (not to mention trust with all your data, bank accounts, personal preferences, secrets, passwords (must I go on?)).

**Word to the Unwise** :confused: :cold_sweat: :shit:

> Please keep automating your home with all the new smart connected devices while using passwords like `PaS5w0rd` and `@password123` or `!Password1`.

---

### Appendix and FAQ

:::info
This is a really really really high-level overview of macOS best practices... If you'd like further information, search engines are there for a reason.
:::

### Links and Further Information

- [cURL](https://curl.se)
- [Debian Handbook - Packet Filtering](https://debian-handbook.info/browse/squeeze/sect.firewall-packet-filtering.html)
- [Yubico](https://yubico.com)
- [NitroKey](https://nitroke)
- [GnuPG](https://gnupg.org)
- [GetDNS](https://getdnsapi.net)
- [Pi-hole](https://pi-hole.net/)
- [NextDNS](https://nextdns.io)
- [DNSCrypt](https://dnscrypt.info)
- [Murus PF GUI](https://murusfirewall.com/)
- [Little Snitch](https://obdev.at/products/littlesnitch/index.html)
- [Apple Developer Docs: Public-Private Key Authentication](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication)
- [GrapheneOS - the operating system you should be using](https://grapheneos.org)

###### tags: `CLI` `Documentation` `Starter Guides`