A place to cache linked articles (think custom and personal wayback machine)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

index.md 110KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929
  1. title: A practical guide to securing macOS.
  2. url: https://github.com/drduh/macOS-Security-and-Privacy-Guide
  3. hash_url: 8c60d76bd5445b36ad20e7279bb67864
  4. This is a collection of thoughts on securing a modern Apple Mac computer using macOS (formerly *OS X*) 10.12 "Sierra", as well as steps to improving online privacy.
  5. This guide is targeted to “power users” who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.
  6. A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture.
  7. I am **not** responsible if you break a Mac by following any of these steps.
  8. If you wish to make a correction or improvement, please send a pull request or [open an issue](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues).
  9. - [Basics](#basics)
  10. - [Firmware](#firmware)
  11. - [Preparing and Installing macOS](#preparing-and-installing-macos)
  12. - [Virtualization](#virtualization)
  13. - [First boot](#first-boot)
  14. - [Admin and standard user accounts](#admin-and-standard-user-accounts)
  15. - [Full disk encryption](#full-disk-encryption)
  16. - [Firewall](#firewall)
  17. - [Application layer firewall](#application-layer-firewall)
  18. - [Third party firewalls](#third-party-firewalls)
  19. - [Kernel level packet filtering](#kernel-level-packet-filtering)
  20. - [Services](#services)
  21. - [Spotlight Suggestions](#spotlight-suggestions)
  22. - [Homebrew](#homebrew)
  23. - [DNS](#dns)
  24. - [Hosts file](#hosts-file)
  25. - [Dnsmasq](#dnsmasq)
  26. - [Test DNSSEC validation](#test-dnssec-validation)
  27. - [DNSCrypt](#dnscrypt)
  28. - [Captive portal](#captive-portal)
  29. - [Certificate authorities](#certificate-authorities)
  30. - [OpenSSL](#openssl)
  31. - [Curl](#curl)
  32. - [Web](#web)
  33. - [Privoxy](#privoxy)
  34. - [Browser](#browser)
  35. - [Plugins](#plugins)
  36. - [PGP/GPG](#pgpgpg)
  37. - [OTR](#otr)
  38. - [Tor](#tor)
  39. - [VPN](#vpn)
  40. - [Viruses and malware](#viruses-and-malware)
  41. - [System Integrity Protection](#system-integrity-protection)
  42. - [Gatekeeper and XProtect](#gatekeeper-and-xprotect)
  43. - [Passwords](#passwords)
  44. - [Backup](#backup)
  45. - [Wi-Fi](#wi-fi)
  46. - [SSH](#ssh)
  47. - [Physical access](#physical-access)
  48. - [System monitoring](#system-monitoring)
  49. - [OpenBSM audit](#openbsm-audit)
  50. - [DTrace](#dtrace)
  51. - [Execution](#execution)
  52. - [Network](#network)
  53. - [Binary Whitelisting](#binary-whitelisting)
  54. - [Miscellaneous](#miscellaneous)
  55. - [Related software](#related-software)
  56. - [Additional resources](#additional-resources)
  57. ## Basics
  58. The standard best security practices apply:
  59. * Create a threat model
  60. * What are you trying to protect and from whom? Is your adversary a [three letter agency](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) (if so, you may want to consider using [OpenBSD](http://www.openbsd.org/) instead), a nosy eavesdropper on the network, or determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you?
  61. * Study and [recognize threats](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) and how to reduce attack surface against them.
  62. * Keep the system up to date
  63. * Patch, patch, patch your system and software.
  64. * macOS system updates can be completed using the App Store application, or the `softwareupdate` command-line utility - neither requires registering an Apple account.
  65. * Subscribe to announcement mailing lists (e.g., [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce)) for programs you use often.
  66. * Encrypt sensitive data
  67. * In addition to full disk encryption, create one or many encrypted containers to store passwords, keys, personal documents, and other data at rest.
  68. * This will mitigate damage in case of compromise and data exfiltration.
  69. * Frequent backups
  70. * Create [regular backups](https://www.amazon.com/o/ASIN/0596102461/backupcentral) of your data and be ready to reimage in case of compromise.
  71. * Always encrypt before copying backups to external media or the "cloud".
  72. * Verify backups work by testing them regularly, for example by accessing certain files or performing a hash based comparison.
  73. * Click carefully
  74. * Ultimately, the security of a system can be reduced to its administrator.
  75. * Care should be taken when installing new software. Always prefer [free](https://www.gnu.org/philosophy/free-sw.en.html) and open source software ([which macOS is not](https://superuser.com/questions/19492/is-mac-os-x-open-source)).
  76. ## Firmware
  77. Setting a firmware password prevents your Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot.
  78. This feature [can be helpful if your laptop is stolen](https://www.ftc.gov/news-events/blogs/techftc/2015/08/virtues-strong-enduser-device-controls), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer.
  79. 1. Start up pressing `Command` `R` keys to boot to [Recovery Mode](https://support.apple.com/en-au/HT201314) mode.
  80. 3. When the Recovery window appears, choose **Firmware Password Utility** from the Utilities menu.
  81. 4. In the Firmware Utility window that appears, select **Turn On Firmware Password**.
  82. 5. Enter a new password, then enter the same password in the **Verify** field.
  83. 6. Select **Set Password**.
  84. 7. Select **Quit Firmware Utility** to close the Firmware Password Utility.
  85. 8. Select the Apple menu and choose Restart or Shutdown.
  86. The firmware password will activate at next boot. To validate the password, hold `Alt` during boot - you should be prompted to enter the password.
  87. The firmware password can also be managed with the `firmwarepasswd` utility while booted into the OS.
  88. <img width="750" alt="Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple" src="https://cloud.githubusercontent.com/assets/12475110/17075918/0f851c0c-50e7-11e6-904d-0b56cf0080c1.png">
  89. *Using a [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple*
  90. See [HT204455](https://support.apple.com/en-au/HT204455), [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool) and [chipsec/chipsec](https://github.com/chipsec/chipsec) for more information.
  91. ## Preparing and Installing macOS
  92. There are several ways to install a fresh copy of macOS.
  93. The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by holding `Command` `R` keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the serial number and other identifying information over the network in plaintext.
  94. <img width="500" alt="PII is transmitted to Apple in plaintext when using macOS Recovery" src="https://cloud.githubusercontent.com/assets/12475110/20312189/8987c958-ab20-11e6-90fa-7fd7c8c1169e.png">
  95. *Packet capture of an unencrypted HTTP conversation during macOS recovery*
  96. Another way is to download **macOS Sierra** from the [App Store](https://itunes.apple.com/us/app/macos-sierra/id1127487414) or some other place and create a custom, installable system image.
  97. The macOS Sierra installer application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `codesign` command:
  98. ```
  99. $ codesign -dvv /Applications/Install\ macOS\ Sierra.app
  100. Executable=/Applications/Install macOS Sierra.app/Contents/MacOS/InstallAssistant
  101. Identifier=com.apple.InstallAssistant.Sierra
  102. Format=app bundle with Mach-O thin (x86_64)
  103. CodeDirectory v=20200 size=297 flags=0x200(kill) hashes=5+5 location=embedded
  104. Signature size=4167
  105. Authority=Apple Mac OS Application Signing
  106. Authority=Apple Worldwide Developer Relations Certification Authority
  107. Authority=Apple Root CA
  108. Info.plist entries=30
  109. TeamIdentifier=K36BKF7T3D
  110. Sealed Resources version=2 rules=7 files=137
  111. Internal requirements count=1 size=124
  112. ```
  113. macOS installers can be made with the `createinstallmedia` utility included in `Install macOS Sierra.app/Contents/Resources/`. See [Create a bootable installer for macOS](https://support.apple.com/en-us/HT201372), or run the utility without arguments to see how it works.
  114. **Note** Apple's installer [does not appear to work](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.12 image, for example, the following steps must be run on a 10.12 machine!
  115. To create a **bootable USB macOS installer**, mount a USB drive, and erase and partition it, then use the `createinstallmedia` utility:
  116. ```
  117. $ diskutil list
  118. [Find disk matching correct size, usually "disk2"]
  119. $ diskutil unmountDisk /dev/disk2
  120. $ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100%
  121. $ cd /Applications/Install\ macOS\ Sierra.app
  122. $ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --applicationpath /Applications/Install\ macOS\ Sierra.app --nointeraction
  123. Erasing Disk: 0%... 10%... 20%... 30%... 100%...
  124. Copying installer files to disk...
  125. Copy complete.
  126. Making disk bootable...
  127. Copying boot files...
  128. Copy complete.
  129. Done.
  130. ```
  131. To create a custom, installable image which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac, you will need to find the file `InstallESD.dmg`, which is also inside `Install macOS Sierra.app`.
  132. With Finder, right click on the app, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg`.
  133. You can [verify](https://support.apple.com/en-us/HT201259) the following cryptographic hashes to ensure you have the same copy with `openssl sha1 InstallESD.dmg` or `shasum -a 1 InstallESD.dmg` or `shasum -a 256 InstallESD.dmg` (in Finder, you can drag the file into a Terminal window to provide the full path).
  134. To determine which macOS versions and builds originally shipped with or are available for your Mac, see [HT204319](https://support.apple.com/en-us/HT204319).
  135. See [InstallESD_Hashes.csv](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) in this repository for a list of current and previous file hashes. You can also Google the cryptographic hashes to ensure the file is genuine and has not been tampered with.
  136. To create the image, use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG), or to create it manually, mount and install the operating system to a temporary image:
  137. $ hdiutil attach -mountpoint /tmp/install_esd ./InstallESD.dmg
  138. $ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/output.sparseimage
  139. $ hdiutil attach -mountpoint /tmp/os -owners on /tmp/output.sparseimage
  140. $ sudo installer -pkg /tmp/install_esd/Packages/OSInstall.mpkg -tgt /tmp/os -verbose
  141. This part will take a while, so be patient. You can `tail -F /var/log/install.log` in another Terminal window to check progress.
  142. **(Optional)** Install additional software, such as [Wireshark](https://www.wireshark.org/download.html):
  143. $ hdiutil attach Wireshark\ 2.2.0\ Intel\ 64.dmg
  144. $ sudo installer -pkg /Volumes/Wireshark/Wireshark\ 2.2.0\ Intel\ 64.pkg -tgt /tmp/os
  145. $ hdiutil unmount /Volumes/Wireshark
  146. See [MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment](https://github.com/MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment) for caveats and [chilcote/outset](https://github.com/chilcote/outset) to instead processes packages and scripts at first boot.
  147. When you're done, detach, convert and verify the image:
  148. $ hdiutil detach /tmp/os
  149. $ hdiutil detach /tmp/install_esd
  150. $ hdiutil convert -format UDZO /tmp/output.sparseimage -o ~/sierra.dmg
  151. $ asr imagescan --source ~/sierra.dmg
  152. Now `sierra.dmg` is ready to be applied to one or multiple Macs. One could futher customize the image to include premade users, applications, preferences, etc.
  153. This image can be installed using another Mac in [Target Disk Mode](https://support.apple.com/en-us/HT201462) or from a bootable USB installer.
  154. To use **Target Disk Mode**, boot up the Mac you wish to image while holding the `T` key and connect it to another Mac using a Firewire, Thunderbolt or USB-C cable.
  155. If you don't have another Mac, boot to a USB installer, with `sierra.dmg` and other required files copied to it, by holding the *Option* key at boot.
  156. Run `diskutil list` to identify the connected Mac's disk, usually `/dev/disk2`
  157. **(Optional)** [Securely erase](https://www.backblaze.com/blog/securely-erase-mac-ssd/) the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as `/dev/disk3s2`):
  158. $ sudo diskutil secureErase freespace 1 /dev/disk3s2
  159. Partition the disk to Journaled HFS+:
  160. $ sudo diskutil unmountDisk /dev/disk2
  161. $ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100%
  162. Restore the image to the new volume:
  163. $ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m
  164. You can also use the **Disk Utility** application to erase the connected Mac's disk, then restore `sierra.dmg` to the newly created partition.
  165. If you've followed these steps correctly, the target Mac should now have a new install of macOS Sierra.
  166. If you want to transfer any files, copy them to a shared folder like `/Users/Shared` on the mounted disk image, e.g. `cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared`
  167. <img width="1280" alt="Finished restore install from USB recovery boot" src="https://cloud.githubusercontent.com/assets/12475110/14804078/f27293c8-0b2d-11e6-8e1f-0fb0ac2f1a4d.png">
  168. *Finished restore install from USB recovery boot*
  169. We're not done yet! Unless you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on your Mac, you will need to create a recovery partition (in order to use full disk encryption). You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or using the following manual steps:
  170. Download the file [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg).
  171. ```
  172. RecoveryHDUpdate.dmg
  173. SHA-256: f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c
  174. SHA-1: 1ac3b7059ae0fcb2877d22375121d4e6920ae5ba
  175. ```
  176. Attach and expand the installer, then run it:
  177. ```
  178. $ hdiutil attach RecoveryHDUpdate.dmg
  179. $ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery
  180. $ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg
  181. $ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist
  182. ```
  183. Replace `/Volumes/macOS` with the path to the target disk mode-booted Mac as necessary.
  184. This step will take several minutes. Run `diskutil list` again to make sure **Recovery HD** now exists on `/dev/disk2` or equivalent identifier.
  185. Once you're done, eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac.
  186. ### Virtualization
  187. To install macOS as a virtual machine (vm) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition manually.
  188. ```
  189. VMware-Fusion-8.5.2-4635224.dmg
  190. SHA-256: f6c54b98c9788d1df94d470661eedff3e5d24ca4fb8962fac5eb5dc56de63b77
  191. SHA-1: 37ec465673ab802a3f62388d119399cb94b05408
  192. ```
  193. For the Installation Method, select *Install OS X from the recovery partition*. Customize any memory or CPU requirements and complete setup. The guest vm should boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by default.
  194. In Recovery Mode, select a language, then Utilities > Terminal from the menubar.
  195. In the guest vm, type `ifconfig | grep inet` - you should see a private address like `172.16.34.129`
  196. On the host Mac, type `ifconfig | grep inet` - you should see a private gateway address like `172.16.34.1`
  197. From the host Mac, serve the installable image to the guest vm by editing `/etc/apache2/httpd.conf` and adding the following line to the top (using the gateway address assigned to the host Mac and port 80):
  198. Listen 172.16.34.1:80
  199. On the host Mac, link the image to the default Apache Web server directory:
  200. $ sudo ln ~/sierra.dmg /Library/WebServer/Documents
  201. From the host Mac, start Apache in the foreground:
  202. $ sudo httpd -X
  203. From the guest VM, install the disk image to the volume over the local network using `asr`:
  204. ```
  205. -bash-3.2# asr restore --source http://172.16.34.1/sierra.dmg --target /Volumes/Macintosh\ HD/ --erase --buffersize 4m
  206. Validating target...done
  207. Validating source...done
  208. Erase contents of /dev/disk0s2 (/Volumes/Macintosh HD)? [ny]: y
  209. Retrieving scan information...done
  210. Validating sizes...done
  211. Restoring ....10....20....30....40....50....60....70....80....90....100
  212. Verifying ....10....20....30....40....50....60....70....80....90....100
  213. Remounting target volume...done
  214. ```
  215. When it's finished, stop the Apache Web server on the host Mac by pressing `Control` `C` at the `sudo httpd -X` window and remove the image copy with `sudo rm /Library/WebServer/Documents/sierra.dmg`
  216. In the guest vm, select *Startup Disk* from the top-left corner Apple menu, select the hard drive and restart. You may wish to disable the Network Adapter in VMware for the initial guest vm boot.
  217. Take and Restore from saved guest vm snapshots before and after attempting risky browsing, for example, or use a guest vm to install and operate questionable software.
  218. ## First boot
  219. **Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, [late 2016 MacBooks](https://www.ifixit.com/Device/MacBook_Pro_15%22_Late_2016_Touch_Bar) with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/).
  220. On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://support.apple.com/en-us/HT204063).
  221. When macOS first starts, you'll be greeted by **Setup Assistant**.
  222. When creating your account, use a [strong password](http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) without a hint.
  223. If you enter your real name at the account setup process, be aware that your [computer's name and local hostname](https://support.apple.com/kb/PH18720) will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. You can change them both in **System Preferences > Sharing** or with the following commands:
  224. $ sudo scutil --set ComputerName your_computer_name
  225. $ sudo scutil --set LocalHostName your_hostname
  226. ## Admin and standard user accounts
  227. The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) [p. 61–62] for admin accounts. It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) [p. 41–42] to use a separate standard account for day-to-day work and use the admin account for installations and system configuration.
  228. It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be [removed from FileVault](http://apple.stackexchange.com/a/94373).
  229. #### Caveats
  230. 1. Only administrators can install applications in `/Applications` (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in `~/Applications` instead (the directory can be created manually). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in `/Applications` – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in `/Applications` and require no additional authentication.
  231. 2. `sudo` is not available in shells of the standard user, which requires using `su` or `login` to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces.
  232. 3. System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console).
  233. 4. There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the `open` utility.
  234. #### Setup
  235. Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account. Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing this command:
  236. ```
  237. sudo dscl . -delete /Groups/admin GroupMembership user_name
  238. ```
  239. ## Full disk encryption
  240. [FileVault](https://en.wikipedia.org/wiki/FileVault) provides full disk (technically, full _volume_) encryption on macOS.
  241. FileVault encryption will protect data at rest and prevent someone with physical access from stealing data or tampering with your Mac.
  242. With much of the cryptographic operations happening [efficiently in hardware](https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/), the performance penalty for FileVault is not noticeable.
  243. The security of FileVault greatly depends on the pseudo random number generator (PRNG).
  244. > The random device implements the Yarrow pseudo random number generator algorithm and maintains its entropy pool. Additional entropy is fed to the generator regularly by the SecurityServer daemon from random jitter measurements of the kernel.
  245. > SecurityServer is also responsible for periodically saving some entropy to disk and reloading it during startup to provide entropy in early system operation.
  246. See `man 4 random` for more information.
  247. The PRNG can be manually seeded with entropy by writing to /dev/random **before** enabling FileVault. This can be done by simply using the Mac for a little while before activating FileVault.
  248. To manually seed entropy *before* enabling FileVault:
  249. $ cat > /dev/random
  250. [Type random letters for a long while, then press Control-D]
  251. Enable FileVault with `sudo fdesetup enable` or through **System Preferences** > **Security & Privacy** and reboot.
  252. If you can remember your password, there's no reason to save the **recovery key**. However, your encrypted data will be lost forever if you can't remember the password or recovery key.
  253. If you want to know more about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see [IEEE Std 1619-2007 “The XTS-AES Tweakable Block Cipher”](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) (pdf).
  254. You may wish to enforce **hibernation** and evict FileVault keys from memory instead of traditional sleep to memory:
  255. $ sudo pmset -a destroyfvkeyonstandby 1
  256. $ sudo pmset -a hibernatemode 25
  257. > All computers have firmware of some type—EFI, BIOS—to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For example, the FileVault key is stored in EFI to transparently come out of standby mode.
  258. > Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn’t destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode.
  259. If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See [issue #124](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/124) for more information. These settings can be changed with:
  260. $ sudo pmset -a powernap 0
  261. $ sudo pmset -a standby 0
  262. $ sudo pmset -a standbydelay 0
  263. $ sudo pmset -a autopoweroff 0
  264. For more information, see [Best Practices for
  265. Deploying FileVault 2](http://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) and paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf)
  266. ## Firewall
  267. Before connecting to the Internet, it's a good idea to first configure a firewall.
  268. There are several types of firewall available for macOS.
  269. #### Application layer firewall
  270. Built-in, basic firewall which blocks **incoming** connections only.
  271. Note, this firewall does not have the ability to monitor, nor block **outgoing** connections.
  272. It can be controlled by the **Firewall** tab of **Security & Privacy** in **System Preferences**, or with the following commands.
  273. Enable the firewall:
  274. $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
  275. Enable logging:
  276. $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
  277. You may also wish to enable stealth mode:
  278. $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
  279. > Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using **stealth mode**. When stealth mode is enabled, your computer does not respond to ICMP ping requests, and does not answer to connection attempts from a closed TCP or UDP port. This makes it more difficult for attackers to find your computer.
  280. Finally, you may wish to prevent *built-in software* as well as *code-signed, downloaded software from being whitelisted automatically*:
  281. $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
  282. $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off
  283. > Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in macOS are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall.
  284. > If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose "Allow", macOS signs the application and automatically adds it to the firewall list. If you choose "Deny", macOS adds it to the list but denies incoming connections intended for this app.
  285. After interacting with `socketfilterfw`, you may want to restart (or terminate) the process:
  286. $ sudo pkill -HUP socketfilterfw
  287. #### Third party firewalls
  288. Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](http://radiosilenceapp.com/) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security.
  289. <img width="349" alt="Example of Little Snitch monitored session" src="https://cloud.githubusercontent.com/assets/12475110/10596588/c0eed3c0-76b3-11e5-95b8-9ce7d51b3d82.png">
  290. *Example of Little Snitch-monitored session*
  291. ```
  292. LittleSnitch-3.7.1.dmg
  293. SHA-256: e6332ee70385f459d9803b0a582d5344bb9dab28bcd56e247ae69866cc321802
  294. SHA-1: d5d602c0f76cd73051792dff0ac334bbdc66ae32
  295. ```
  296. These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [kernel extension](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html).
  297. If the number of choices of allowing/blocking network connections is overwhelming, use **Silent Mode** with connections allowed, then periodically check your settings to gain understanding of what various applications are doing.
  298. It is worth noting that these firewalls can be bypassed by programs running as **root** or through [OS vulnerabilities](https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf) (pdf), but they are still worth having - just don't expect absolute protection.
  299. For more on how Little Snitch works, see the [Network Kernel Extensions Programming Guide](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/socket_nke/socket_nke.html#//apple_ref/doc/uid/TP40001858-CH228-SW1) and [Shut up snitch! – reverse engineering and exploiting a critical Little Snitch vulnerability](https://reverse.put.as/2016/07/22/shut-up-snitch-reverse-engineering-and-exploiting-a-critical-little-snitch-vulnerability/).
  300. #### Kernel level packet filtering
  301. A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with `pfctl` and various configuration files.
  302. pf can also be controlled with a GUI application such as [IceFloor](http://www.hanynet.com/icefloor/) or [Murus](http://www.murusfirewall.com/).
  303. There are many books and articles on the subject of pf firewall. Here's is just one example of blocking traffic by IP address.
  304. Add the following into a file called `pf.rules`:
  305. ```
  306. set block-policy drop
  307. set fingerprints "/etc/pf.os"
  308. set ruleset-optimization basic
  309. set skip on lo0
  310. scrub in all no-df
  311. table <blocklist> persist
  312. block in log
  313. block in log quick from no-route to any
  314. pass out proto tcp from any to any keep state
  315. pass out proto udp from any to any keep state
  316. block log on en0 from {<blocklist>} to any
  317. ```
  318. Use the following commands:
  319. * `sudo pfctl -e -f pf.rules` to enable the firewall
  320. * `sudo pfctl -d` to disable the firewall
  321. * `sudo pfctl -t blocklist -T add 1.2.3.4` to add hosts to a blocklist
  322. * `sudo pfctl -t blocklist -T show` to view the blocklist
  323. * `sudo ifconfig pflog0 create` to create an interface for logging
  324. * `sudo tcpdump -ni pflog0` to dump the packets
  325. Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a [NAT](https://www.grc.com/nat/nat.htm) on a secured home network, for example.
  326. For an example of using pf to audit "phone home" behavior of user and system-level processes, see [fix-macosx/net-monitor](https://github.com/fix-macosx/net-monitor).
  327. ## Services
  328. Before you connect to the Internet, you may wish to disable some system services, which use up resources or phone home to Apple.
  329. See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) and [karek314/macOS-home-call-drop](https://github.com/karek314/macOS-home-call-drop) for further recommendations.
  330. Services on macOS are managed by **launchd**. See (launchd.info)[http://launchd.info/], as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html)
  331. You can also run [KnockKnock](https://github.com/synack/knockknock) that shows more information about startup items.
  332. * Use `launchctl list` to view running user agents
  333. * Use `sudo launchctl list` to view running system daemons
  334. * Specify the service name to examine it, e.g. `launchctl list com.apple.Maps.mapspushd`
  335. * Use `defaults read` to examine job plists in `/System/Library/LaunchDaemons` and `/System/Library/LaunchAgents`
  336. * Use `man`, `strings` and Google to learn about what the agent/daemon runs
  337. For example, to learn what a system launch daemon or agent does, start with:
  338. $ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist
  339. Look at the `Program` or `ProgramArguments` section to see which binary is run, in this case `apsd`. To find more information about that, look at the man page with `man apsd`
  340. For example, if you're not interested in Apple Push Notifications, disable the service:
  341. $ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist
  342. **Note** Unloading services may break usability of some applications. Read the manual pages and use Google to make sure you understand what you're doing first.
  343. Be careful about disabling any system daemons you don't understand, as it may render your system unbootable. If you break your Mac, use [single user mode](https://support.apple.com/en-us/HT201573) to fix it.
  344. Use [Console](https://en.wikipedia.org/wiki/Console_(OS_X)) and [Activity Monitor](https://support.apple.com/en-us/HT201464) applications if you notice your Mac heating up, feeling sluggish, or generally misbehaving, as it may have resulted from your tinkering.
  345. To view currently disabled services:
  346. $ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null
  347. Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository.
  348. **(Optional)** Run the `read_launch_plists.py` script and `diff` output to check for any discrepancies on your system, e.g.:
  349. $ diff <(python read_launch_plists.py) <(cat 16A323_launchd.csv)
  350. See also [cirrusj.github.io/Yosemite-Stop-Launch](http://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation.
  351. ## Spotlight Suggestions
  352. Disable **Spotlight Suggestions** in both the Spotlight preferences and Safari's Search preferences to avoid your search queries being sent to Apple.
  353. Also disable **Bing Web Searches** in the Spotlight preferences to avoid your search queries being sent to Microsoft.
  354. See [fix-macosx.com](https://fix-macosx.com/) for detailed instructions.
  355. > If you've upgraded to OS X 10.10 "Yosemite" and you're using the default settings, each time you start typing in Spotlight (to open an application or search for a file on your computer), your local search terms and location are sent to Apple and third parties (including Microsoft).
  356. **Note** This Web site and instructions may no longer work on macOS Sierra - see [issue 164](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/164).
  357. To download, view and apply their suggested fixes:
  358. ```
  359. $ curl -O https://fix-macosx.com/fix-macosx.py
  360. $ less fix-macosx.py
  361. $ python fix-macosx.py
  362. All done. Make sure to log out (and back in) for the changes to take effect.
  363. ```
  364. Speaking of Microsoft, you may want to see <https://fix10.isleaked.com/> just for fun.
  365. ## Homebrew
  366. Consider using [Homebrew](http://brew.sh/) to make software installations easier and to update userland tools (see [Apple’s great GPL purge](http://meta.ath0.com/2012/02/05/apples-great-gpl-purge/)).
  367. **Note** If you have not already installed Xcode or Command Line Tools, use `xcode-select --install` to download and install them from Apple.
  368. To [install Homebrew](https://github.com/Homebrew/brew/blob/master/docs/Installation.md#installation):
  369. $ mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew
  370. Edit `PATH` in your shell or shell rc file to use `~/homebrew/bin` and `~/homebrew/sbin`. For example, `echo 'PATH=$PATH:~/homebrew/sbin:~/homebrew/bin' >> .zshrc`, then change your login shell to Z shell with `chsh -s /bin/zsh`, open a new Terminal window and run `brew update`.
  371. Homebrew uses SSL/TLS to talk with GitHub and verifies checksums of downloaded packages, so it's [fairly secure](https://github.com/Homebrew/homebrew/issues/18036).
  372. Remember to periodically run `brew update` and `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info <package>` and check its recipe online.
  373. According to [Homebrew's Anonymous Aggregate User Behaviour Analytics](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md), Homebrew gathers anonymous aggregate user behaviour analytics and reporting these to Google Analytics.
  374. To opt out of Homebrew's analytics, you can set `export HOMEBREW_NO_ANALYTICS=1` in your environment or shell rc file, or use `brew analytics off`.
  375. You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` and `HOMEBREW_CASK_OPTS=--require-sha`.
  376. ## DNS
  377. #### Hosts file
  378. Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known malware, advertising or otherwise unwanted domains.
  379. Edit the hosts file as root, for example with `sudo vi /etc/hosts`. The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask).
  380. To block a domain, append `0 example.com` or `0.0.0.0 example.com` or `127.0.0.1 example.com` to `/etc/hosts`
  381. There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included.
  382. For hosts lists, see [someonewhocares.org](http://someonewhocares.org/hosts/zero/hosts), [l1k/osxparanoia/blob/master/hosts](https://github.com/l1k/osxparanoia/blob/master/hosts), [StevenBlack/hosts](https://github.com/StevenBlack/hosts) and [gorhill/uMatrix/hosts-files.json](https://github.com/gorhill/uMatrix/blob/master/assets/umatrix/hosts-files.json).
  383. To append a raw list:
  384. ```
  385. $ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo tee -a /etc/hosts
  386. $ wc -l /etc/hosts
  387. 31998
  388. $ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.0|^0 " /etc/hosts
  389. ::1 localhost
  390. fe80::1%lo0 localhost
  391. [should not return any other IP addresses]
  392. ```
  393. See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/handbook/configtuning-configfiles.html) for more information.
  394. #### Dnsmasq
  395. Among other features, [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstreaming queries for unqualified names, and block entire TLDs.
  396. Use in combination with DNSCrypt to additionally encrypt outgoing DNS traffic.
  397. If you don't wish to use DNSCrypt, you should at least use DNS [not provided](http://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html) [by your ISP](http://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking/). Two popular alternatives are [Google DNS](https://developers.google.com/speed/public-dns/) and [OpenDNS](https://www.opendns.com/home-internet-security/).
  398. **(Optional)** [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root-zone. The current root-zone trust anchors may be downloaded [from IANA website](https://www.iana.org/dnssec/files). There are a number of resources on DNSSEC, but probably the best one is [dnssec.net website](http://www.dnssec.net).
  399. Install Dnsmasq (DNSSEC is optional):
  400. $ brew install dnsmasq --with-dnssec
  401. $ cp ~/homebrew/opt/dnsmasq/dnsmasq.conf.example ~/homebrew/etc/dnsmasq.conf
  402. Edit the configuration:
  403. $ vim ~/homebrew/etc/dnsmasq.conf
  404. Examine all the options. Here are a few recommended settings to enable:
  405. ```
  406. # Forward queries to DNSCrypt on localhost port 5355
  407. server=127.0.0.1#5355
  408. # Uncomment to forward queries to Google Public DNS
  409. #server=8.8.8.8
  410. # Never forward plain names
  411. domain-needed
  412. # Examples of blocking TLDs or subdomains
  413. address=/.onion/0.0.0.0
  414. address=/.local/0.0.0.0
  415. address=/.mycoolnetwork/0.0.0.0
  416. address=/.facebook.com/0.0.0.0
  417. # Never forward addresses in the non-routed address spaces
  418. bogus-priv
  419. # Reject private addresses from upstream nameservers
  420. stop-dns-rebind
  421. # Query servers in order
  422. strict-order
  423. # Set the size of the cache
  424. # The default is to keep 150 hostnames
  425. cache-size=8192
  426. # Optional logging directives
  427. log-async
  428. log-dhcp
  429. log-facility=/var/log/dnsmasq.log
  430. # Uncomment to log all queries
  431. #log-queries
  432. # Uncomment to enable DNSSEC
  433. #dnssec
  434. #trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
  435. #dnssec-check-unsigned
  436. ```
  437. Install and start the program (sudo is required to bind to [privileged port](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only) 53):
  438. $ sudo brew services start dnsmasq
  439. To set Dnsmasq as your local DNS server, open **System Preferences** > **Network** and select the active interface, then the **DNS** tab, select **+** and add `127.0.0.1`, or use:
  440. $ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
  441. Make sure Dnsmasq is correctly configured:
  442. ```
  443. $ scutil --dns
  444. DNS configuration
  445. resolver #1
  446. search domain[0] : whatever
  447. nameserver[0] : 127.0.0.1
  448. flags : Request A records, Request AAAA records
  449. reach : Reachable, Local Address, Directly Reachable Address
  450. $ networksetup -getdnsservers "Wi-Fi"
  451. 127.0.0.1
  452. ```
  453. **Note** Some VPN software overrides DNS settings on connect. See [issue #24](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/24) for more information.
  454. ##### Test DNSSEC validation
  455. Test DNSSEC validation succeeds for signed zones:
  456. $ dig +dnssec icann.org
  457. Reply should have `NOERROR` status and contain `ad` flag. For instance,
  458. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039
  459. ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
  460. Test DNSSEC validation fails for zones that are signed improperly:
  461. $ dig www.dnssec-failed.org
  462. Reply should have `SERVFAIL` status. For instance,
  463. ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190
  464. ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
  465. #### dnscrypt
  466. Use [dnscrypt](https://dnscrypt.org/) to encrypt DNS traffic to the provider of choice.
  467. If you prefer a GUI application, see [alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient).
  468. Install DNSCrypt from Homebrew:
  469. $ brew install dnscrypt-proxy
  470. If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-proxy.plist`
  471. ```
  472. $ find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist
  473. /Users/drduh/homebrew/Cellar/dnscrypt-proxy/1.7.0/homebrew.mxcl.dnscrypt-proxy.plist
  474. ```
  475. Edit it to have the line:
  476. <string>--local-address=127.0.0.1:5355</string>
  477. Below the line:
  478. <string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string>
  479. <img width="1015" alt="dnscrypt" src="https://cloud.githubusercontent.com/assets/12475110/19222914/8e6f853e-8e31-11e6-8dd6-27c33cbfaea5.png">
  480. *Append a local-address line to use DNScrypt on a port other than 53, like 5355*
  481. This can also be done using Homebrew, by installing `gnu-sed` and using the `gsed` command:
  482. $ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a<string>--local-address=127.0.0.1:5355<\\/string>\n" $(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist)
  483. By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. This can be fixed by changing the resolvers file in `/Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist` to the symlinked version in `/usr/local/share`:
  484. <string>--resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv</string>
  485. Start DNSCrypt:
  486. $ brew services start dnscrypt-proxy
  487. Make sure DNSCrypt is running:
  488. ```
  489. $ sudo lsof -Pni UDP:5355
  490. COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
  491. dnscrypt- 83 nobody 7u IPv4 0x1773f85ff9f8bbef 0t0 UDP 127.0.0.1:5355
  492. $ ps A | grep '[d]nscrypt'
  493. 83 ?? Ss 0:00.27 /Users/drduh/homebrew/opt/dnscrypt-proxy/sbin/dnscrypt-proxy --local-address=127.0.0.1:5355 --ephemeral-keys --resolvers-list=/Users/drduh/homebrew/opt/dnscrypt-proxy/share/dnscrypt-proxy/dnscrypt-resolvers.csv --resolver-name=dnscrypt.eu-dk --user=nobody
  494. ```
  495. > By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53,
  496. and under the "nobody" user using the dnscrypt.eu-dk DNSCrypt-enabled
  497. resolver. If you would like to change these settings, you will have to edit the plist file (e.g., --resolver-address, --provider-name, --provider-key, etc.)
  498. This can be accomplished by editing `homebrew.mxcl.dnscrypt-proxy.plist`
  499. You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper) (see also [drduh/Debian-Privacy-Server-Guide#dnscrypt](https://github.com/drduh/Debian-Privacy-Server-Guide#dnscrypt)) from a trusted location or use one of many [public servers](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv) instead.
  500. Confirm outgoing DNS traffic is encrypted:
  501. ```
  502. $ sudo tcpdump -qtni en0
  503. IP 10.8.8.8.59636 > 77.66.84.233.443: UDP, length 512
  504. IP 77.66.84.233.443 > 10.8.8.8.59636: UDP, length 368
  505. $ dig +short -x 77.66.84.233
  506. resolver2.dnscrypt.eu
  507. ```
  508. See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html), the [mDNSResponder manual page](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/mDNSResponder.8.html) and [ipv6-test.com](http://ipv6-test.com/).
  509. ## Captive portal
  510. When macOS connects to new networks, it **probes** the network and launches a Captive Portal assistant utility if connectivity can't be determined.
  511. An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser, provided you have first disable any custom dns and/or proxy settings.
  512. $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false
  513. See also [Apple OS X Lion Security: Captive Portal Hijacking Attack](https://www.securestate.com/blog/2011/10/07/apple-os-x-lion-captive-portal-hijacking-attack), [Apple's secret "wispr" request](http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html), and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/).
  514. ## Certificate authorities
  515. macOS comes with [over 200](https://support.apple.com/en-us/HT202858) root authority certificates installed from for-profit corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing SSL/TLS certificates for any domain, code signing certificates, etc.
  516. For more information, see [Certification Authority Trust Tracker](https://github.com/kirei/catt), [Analysis of the HTTPS certificate ecosystem](http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf) (pdf), and [You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores](http://www.ifca.ai/fc14/papers/fc14_submission_100.pdf) (pdf).
  517. You can inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file.
  518. You can disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window:
  519. <img width="450" alt="A certificate authority certificate" src="https://cloud.githubusercontent.com/assets/12475110/19222972/6b7aabac-8e32-11e6-8efe-5d3219575a98.png">
  520. The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates).
  521. ## OpenSSL
  522. The version of OpenSSL in Sierra is `0.9.8zh` which is [not current](https://apple.stackexchange.com/questions/200582/why-is-apple-using-an-older-version-of-openssl). It doesn't support TLS 1.1 or newer, elliptic curve ciphers, and [more](https://stackoverflow.com/questions/27502215/difference-between-openssl-09-8z-and-1-0-1).
  523. Apple declares OpenSSL **deprecated** in their [Cryptographic Services Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html) document. Their version also has patches which may [surprise you](https://hynek.me/articles/apple-openssl-verification-surprises/).
  524. If you're going to use OpenSSL on your Mac, download and install a recent version of OpenSSL with `brew install openssl`. Note, linking brew to be used in favor of `/usr/bin/openssl` may interfere with building software. See [issue #39](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/39).
  525. Compare the TLS protocol and cipher between the homebrew version and the system version of OpenSSL:
  526. ```
  527. $ ~/homebrew/bin/openssl version; echo | ~/homebrew/bin openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session
  528. OpenSSL 1.0.2j 26 Sep 2016
  529. SSL-Session:
  530. Protocol : TLSv1.2
  531. Cipher : ECDHE-RSA-AES128-GCM-SHA256
  532. $ /usr/bin/openssl version; echo | /usr/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session
  533. OpenSSL 0.9.8zh 14 Jan 2016
  534. SSL-Session:
  535. Protocol : TLSv1
  536. Cipher : AES128-SHA
  537. ```
  538. See also [Comparison of TLS implementations](https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations), [How's My SSL](https://www.howsmyssl.com/), [Qualys SSL Labs Tools](https://www.ssllabs.com/projects/) and for detailed explanations and with latest vulnerabilities tests [ssl-checker.online-domain-tools.com](http://ssl-checker.online-domain-tools.com).
  539. ## Curl
  540. The version of Curl which comes with macOS uses [Secure Transport](https://developer.apple.com/library/mac/documentation/Security/Reference/secureTransportRef/) for SSL/TLS validation.
  541. If you prefer to use OpenSSL, install with `brew install curl --with-openssl` and ensure it's the default with `brew link --force curl`
  542. Here are several recommended [options](http://curl.haxx.se/docs/manpage.html) to add to `~/.curlrc` (see `man curl` for more):
  543. ```
  544. user-agent = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
  545. referer = ";auto"
  546. connect-timeout = 10
  547. progress-bar
  548. max-time = 90
  549. verbose
  550. show-error
  551. remote-time
  552. ipv4
  553. ```
  554. ## Web
  555. ### Privoxy
  556. Consider using [Privoxy](http://www.privoxy.org/) as a local proxy to filter Web browsing traffic.
  557. A signed installation package for privoxy can be downloaded from [silvester.org.uk](http://silvester.org.uk/privoxy/OSX/) or [Sourceforge](http://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project.
  558. Alternatively, install and start privoxy using Homebrew:
  559. $ brew install privoxy
  560. $ brew services start privoxy
  561. By default, privoxy listens on local TCP port 8118.
  562. Set the system **http** proxy for your active network interface `127.0.0.1` and `8118` (This can be done through **System Preferences > Network > Advanced > Proxies**):
  563. $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118
  564. **(Optional)** Set the system **https** proxy, which still allows for domain name filtering, with:
  565. $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118
  566. Confirm the proxy is set:
  567. ```
  568. $ scutil --proxy
  569. <dictionary> {
  570. ExceptionsList : <array> {
  571. 0 : *.local
  572. 1 : 169.254/16
  573. }
  574. FTPPassive : 1
  575. HTTPEnable : 1
  576. HTTPPort : 8118
  577. HTTPProxy : 127.0.0.1
  578. }
  579. ```
  580. Visit <http://p.p/> in a browser, or with Curl:
  581. ```
  582. $ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/
  583. HTTP/1.1 200 OK
  584. Content-Length: 2401
  585. Content-Type: text/html
  586. Cache-Control: no-cache
  587. ```
  588. Privoxy already comes with many good rules, however you can also write your own.
  589. Edit `~/homebrew/etc/privoxy/user.action` to filter elements by domain or with regular expressions.
  590. Here are some examples:
  591. ```
  592. { +block{social networking} }
  593. www.facebook.com/(extern|plugins)/(login_status|like(box)?|activity|fan)\.php
  594. .facebook.com
  595. { +block{unwanted images} +handle-as-image }
  596. .com/ads/
  597. /.*1x1.gif
  598. /.*fb-icon.[jpg|gif|png]
  599. /assets/social-.*
  600. /cleardot.gif
  601. /img/social.*
  602. ads.*.co.*/
  603. ads.*.com/
  604. { +redirect{s@http://@https://@} }
  605. .google.com
  606. .wikipedia.org
  607. code.jquery.com
  608. imgur.com
  609. ```
  610. Verify Privoxy is blocking and redirecting:
  611. ```
  612. $ ALL_PROXY=127.0.0.1:8118 curl ads.foo.com/ -IL
  613. HTTP/1.1 403 Request blocked by Privoxy
  614. Content-Type: image/gif
  615. Content-Length: 64
  616. Cache-Control: no-cache
  617. $ ALL_PROXY=127.0.0.1:8118 curl imgur.com/ -IL
  618. HTTP/1.1 302 Local Redirect from Privoxy
  619. Location: https://imgur.com/
  620. Content-Length: 0
  621. Date: Sun, 09 Oct 2016 18:48:19 GMT
  622. HTTP/1.1 200 OK
  623. Content-Type: text/html; charset=utf-8
  624. ```
  625. You can replace ad images with pictures of kittens, for example, by starting the a local Web server and [redirecting blocked requests](https://www.privoxy.org/user-manual/actions-file.html#SET-IMAGE-BLOCKER) to localhost.
  626. ### Browser
  627. The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet.
  628. Use [Google Chrome](https://www.google.com/chrome/browser/desktop/) for most of your browsing. It offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [good sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](http://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet).
  629. Chrome also comes with a great [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/).
  630. If you don't want to use Chrome, [Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well. Or simply use both. See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90).
  631. If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox) for recommended privacy preferences. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking.
  632. Create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience.
  633. * One profile **without cookies or Javascript** enabled (e.g., turned off in `chrome://settings/content`) which should be the preferred profile to visiting untrusted Web sites. However, many pages will not load at all without Javascript enabled.
  634. * One profile with [uMatrix](https://github.com/gorhill/uMatrix) or [uBlock Origin](https://github.com/gorhill/uBlock) (or both). Use this profile for visiting **mostly trusted** Web sites. Take time to learn how these firewall extensions work. Other frequently recommended extensions are [Privacy Badger](https://www.eff.org/privacybadger), [HTTPSEverywhere](https://www.eff.org/https-everywhere) and [CertPatrol](http://patrol.psyced.org/) (Firefox only).
  635. * One or more profile(s) for secure and trusted browsing needs, such as banking and email only.
  636. The idea is to separate and compartmentalize data, so that an exploit or privacy violation in one "session" does not necessarily affect data in another.
  637. In each profile, visit `chrome://plugins/` and disable **Adobe Flash Player**. If you must use Flash, visit `chrome://settings/contents` to enable **Let me choose when to run plugin content**, under the Plugins section (also known as *click-to-play*).
  638. Take some time to read through [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy).
  639. For example you may wish to disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)).
  640. Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). This can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent).
  641. Many Chromium-derived browsers are not recommended. They are usually [closed source](http://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](http://thesimplecomputer.info/the-private-life-of-chromium-browsers).
  642. Safari is not recommended. The code is a mess and [security](https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/) [vulnerabilities](https://vimeo.com/144872861) are frequent, and slower to patch (see [discussion on Hacker News](https://news.ycombinator.com/item?id=10150038)). Security does [not appear](https://discussions.apple.com/thread/5128209) to be a priority for Safari. If you do use it, at least [disable](https://thoughtsviewsopinions.wordpress.com/2013/04/26/how-to-stop-downloaded-files-opening-automatically/) the **Open "safe" files after downloading** option in Preferences, and be aware of other [privacy nuances](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/93).
  643. Other miscellaneous browsers, such as [Brave](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use.
  644. For more information about security conscious browsing, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/).
  645. ### Plugins
  646. **Adobe Flash**, **Oracle Java**, **Adobe Reader**, **Microsoft Silverlight** (Netflix now works with [HTML5](https://help.netflix.com/en/node/23742)) and other plugins are [security risks](https://news.ycombinator.com/item?id=9901480) and should not be installed.
  647. If they are necessary, only use them in a disposable virtual machine and subscribe to security announcements to make sure you're always patched.
  648. See [Hacking Team Flash Zero-Day](http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/), [Java Trojan BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback), [Acrobat Reader: Security Vulnerabilities](http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html), and [Angling for Silverlight Exploits](https://blogs.cisco.com/security/angling-for-silverlight-exploits), for example.
  649. ## PGP/GPG
  650. PGP is a standard for encrypting email end to end. That means only the chosen recipients can decrypt a message, unlike regular email which is read and forever archived by providers.
  651. **GPG**, or **GNU Privacy Guard**, is a GPL licensed program compliant with the standard.
  652. **GPG** is used to verify signatures of software you download and install, as well as [symmetrically](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) or [asymmetrically](https://en.wikipedia.org/wiki/Public-key_cryptography) encrypt files and text.
  653. Install from Homebrew with `brew install gnupg2`.
  654. If you prefer a graphical application, download and install [GPG Suite](https://gpgtools.org/).
  655. Here are several [recommended options](https://github.com/drduh/config/blob/master/gpg.conf) to add to `~/.gnupg/gpg.conf`:
  656. ```
  657. auto-key-locate keyserver
  658. keyserver hkps://hkps.pool.sks-keyservers.net
  659. keyserver-options no-honor-keyserver-url
  660. keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem
  661. keyserver-options no-honor-keyserver-url
  662. keyserver-options debug
  663. keyserver-options verbose
  664. personal-cipher-preferences AES256 AES192 AES CAST5
  665. personal-digest-preferences SHA512 SHA384 SHA256 SHA224
  666. default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
  667. cert-digest-algo SHA512
  668. s2k-digest-algo SHA512
  669. s2k-cipher-algo AES256
  670. charset utf-8
  671. fixed-list-mode
  672. no-comments
  673. no-emit-version
  674. keyid-format 0xlong
  675. list-options show-uid-validity
  676. verify-options show-uid-validity
  677. with-fingerprint
  678. ```
  679. Install the keyservers [CA certificate](https://sks-keyservers.net/verify_tls.php):
  680. $ curl -O https://sks-keyservers.net/sks-keyservers.netCA.pem
  681. $ sudo mv sks-keyservers.netCA.pem /etc
  682. These settings will configure GnuPG to use SSL when fetching new keys and prefer strong cryptographic primitives.
  683. See also [ioerror/duraconf/configs/gnupg/gpg.conf](https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf). You should also take some time to read [OpenPGP Best Practices](https://help.riseup.net/en/security/message-security/openpgp/best-practices).
  684. If you don't already have a keypair, create one using `gpg --gen-key`. Also see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide).
  685. Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and practice encrypting and decrypting email to yourself and your friends. Get them interested in this stuff!
  686. ## OTR
  687. OTR stands for **off-the-record** and is a cryptographic protocol for encrypting and authenticating conversations over instant messaging.
  688. You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat service, even Google Hangouts (which only encrypts conversations between users and the server using TLS).
  689. The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail).
  690. A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/)
  691. Consider downloading the [beta version](https://beta.adium.im/) which uses OAuth2, making logging in to Google accounts [more](https://adium.im/blog/2015/04/) [secure](https://trac.adium.im/ticket/16161).
  692. ```
  693. Adium_1.5.11b3.dmg
  694. SHA-256: 999e1931a52dc327b3a6e8492ffa9df724a837c88ad9637a501be2e3b6710078
  695. SHA-1: ca804389412f9aeb7971ade6812f33ac739140e6
  696. ```
  697. Remember to [disable logging](https://trac.adium.im/ticket/15722) for OTR chats with Adium.
  698. A good console-based XMPP client is [profanity](http://www.profanity.im/), which can be installed with `brew install profanity`
  699. For improved anonymity, check out [Tor Messenger](https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily), although it is still in beta, as well as [Ricochet](https://ricochet.im/) (which has recently received a thorough [security audit](https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf) (pdf)), which both use the Tor network rather than relying on messaging servers.
  700. If you want to know how OTR works, read the paper [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf) (pdf)
  701. ## Tor
  702. Tor is an anonymizing proxy which can be used for browsing the Web.
  703. Download Tor Browser from the [offical Tor Project Web site](https://www.torproject.org/projects/torbrowser.html).
  704. Do **not** attempt to configure other browsers or applications to use Tor as you will likely make a mistake which will compromise your anonymity.
  705. Download both the `dmg` and `asc` signature files, then verify the disk image has been signed by Tor developers:
  706. ```
  707. $ cd Downloads
  708. $ file Tor*
  709. TorBrowser-6.0.5-osx64_en-US.dmg: bzip2 compressed data, block size = 900k
  710. TorBrowser-6.0.5-osx64_en-US.dmg.asc: PGP signature Signature (old)
  711. $ gpg Tor*asc
  712. gpg: assuming signed data in `TorBrowser-6.0.5-osx64_en-US.dmg'
  713. gpg: Signature made Fri Sep 16 07:51:52 2016 EDT using RSA key ID D40814E0
  714. gpg: Can't check signature: public key not found
  715. $ gpg --recv 0xD40814E0
  716. gpg: requesting key D40814E0 from hkp server keys.gnupg.net
  717. gpg: key 93298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
  718. gpg: no ultimately trusted keys found
  719. gpg: Total number processed: 1
  720. gpg: imported: 1 (RSA: 1)
  721. $ gpg Tor*asc
  722. gpg: assuming signed data in 'TorBrowser-6.0.5-osx64_en-US.dmg'
  723. gpg: Signature made Fri Sep 16 07:51:52 2016 EDT using RSA key ID D40814E0
  724. gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
  725. gpg: WARNING: This key is not certified with a trusted signature!
  726. gpg: There is no indication that the signature belongs to the owner.
  727. Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
  728. Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
  729. ```
  730. Make sure `Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"` appears in the output. The warning about the key not being certified is benign, as it has not yet been manually assigned trust.
  731. See [How to verify signatures for packages](https://www.torproject.org/docs/verifying-signatures.html) for more information.
  732. To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with:
  733. ```
  734. $ hdiutil mount TorBrowser-6.0.5-osx64_en-US.dmg
  735. $ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications
  736. ```
  737. It is also possible to verify the Tor application's code signature was made by with The Tor Project's Apple developer ID **MADPSAYN6T**:
  738. ```
  739. $ codesign -dvv /Applications/TorBrowser.app
  740. Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox
  741. Identifier=org.mozilla.tor browser
  742. Format=app bundle with Mach-O thin (x86_64)
  743. CodeDirectory v=20200 size=247 flags=0x0(none) hashes=5+3 location=embedded
  744. Library validation warning=OS X SDK version before 10.9 does not support Library Validation
  745. Signature size=4247
  746. Authority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)
  747. Authority=Developer ID Certification Authority
  748. Authority=Apple Root CA
  749. Signed Time=Nov 30, 2016, 10:40:34 AM
  750. Info.plist entries=21
  751. TeamIdentifier=MADPSAYN6T
  752. Sealed Resources version=2 rules=12 files=130
  753. Internal requirements count=1 size=184
  754. ```
  755. To view certificate details, extract it with `codesign` and decode it with `openssl`:
  756. ```
  757. $ codesign -d --extract-certificates /Applications/TorBrowser.app
  758. Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox
  759. $ file codesign*
  760. codesign0: data
  761. codesign1: data
  762. codesign2: data
  763. $ openssl x509 -inform der -in codesign0 -subject -issuer -startdate -enddate -noout
  764. subject= /UID=MADPSAYN6T/CN=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)/OU=MADPSAYN6T/O=The Tor Project, Inc/C=US
  765. issuer= /CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US
  766. notBefore=Apr 12 22:40:13 2016 GMT
  767. notAfter=Apr 13 22:40:13 2021 GMT
  768. $ openssl x509 -inform der -in codesign0 -fingerprint -noout
  769. SHA1 Fingerprint=95:80:54:F1:54:66:F3:9C:C2:D8:27:7A:29:21:D9:61:11:93:B3:E8
  770. $ openssl x509 -inform der -in codesign0 -fingerprint -sha256 -noout
  771. SHA256 Fingerprint=B5:0D:47:F0:3E:CB:42:B6:68:1C:6F:38:06:2B:C2:9F:41:FA:D6:54:F1:29:D3:E4:DD:9C:C7:49:35:FF:F5:D9
  772. ```
  773. Tor traffic is **encrypted** to the [exit node](https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Exit_node_eavesdropping) (i.e., cannot be read by a passive network eavesdropper), but Tor use **can** be identified - for example, TLS handshake "hostnames" will show up in plaintext:
  774. ```
  775. $ sudo tcpdump -An "tcp" | grep "www"
  776. listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
  777. .............". ...www.odezz26nvv7jeqz1xghzs.com.........
  778. .............#.!...www.bxbko3qi7vacgwyk4ggulh.com.........
  779. .6....m.....>...:.........|../* Z....W....X=..6...C../....................................0...0..0.......'....F./0.. *.H........0%1#0!..U....www.b6zazzahl3h3faf4x2.com0...160402000000Z..170317000000Z0'1%0#..U....www.tm3ddrghe22wgqna5u8g.net0..0..
  780. ```
  781. See [Tor Protocol Specification](https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt) and [Tor/TLSHistory](https://trac.torproject.org/projects/tor/wiki/org/projects/Tor/TLSHistory) for more information.
  782. You may wish to additionally obfuscate Tor traffic using a [pluggable transport](https://www.torproject.org/docs/pluggable-transports.html), such as [Yawning/obfs4proxy](https://github.com/Yawning/obfs4) or [SRI-CSL/stegotorus](https://github.com/SRI-CSL/stegotorus).
  783. This can be done by setting up your own [Tor relay](https://www.torproject.org/docs/tor-relay-debian.html) or finding an existing private or public [bridge](https://www.torproject.org/docs/bridges.html.en#RunningABridge) to serve as an obfuscating entry node.
  784. For extra security, use Tor inside a [VirtualBox](https://www.virtualbox.org/wiki/Downloads) or [VMware](https://www.vmware.com/products/fusion) virtualized [GNU/Linux](http://www.brianlinkletter.com/installing-debian-linux-in-a-virtualbox-virtual-machine/) or [BSD](http://www.openbsd.org/faq/faq4.html) machine.
  785. Finally, remember the Tor network provides [anonymity](https://www.privateinternetaccess.com/blog/2013/10/how-does-privacy-differ-from-anonymity-and-why-are-both-important/), which is not necessarily synonymous with privacy. The Tor network does not guarantee protection against a global observer capable of traffic analysis and [correlation](https://blog.torproject.org/category/tags/traffic-correlation). See also [Seeking Anonymity in an Internet Panopticon](http://bford.info/pub/net/panopticon-cacm.pdf) (pdf) and [Traffic Correlation on Tor by Realistic Adversaries](http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf) (pdf).
  786. Also see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) and its [Tor comparison](https://geti2p.net/en/comparison/tor).
  787. ## VPN
  788. If you use your Mac on untrusted networks - airports, cafes, etc. - your network traffic is being monitored and possibly tampered with.
  789. It is a good idea to use a VPN which encrypts **all** outgoing network traffic (i.e., not **split tunnel**) with a provider you trust. For an example of how to set up and host your own VPN, see [drduh/Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide).
  790. Don't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you don't understand how the VPN works or are not familiar with the software used, you are probably better off without it.
  791. When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN), for example.
  792. Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See [scy/8122924](https://gist.github.com/scy/8122924) for an example on how to allow traffic only over VPN.
  793. Another set of scripts to lock down your system so it will only access the internet via a VPN can be found as part of the Voodoo Privacy project - [sarfata/voodooprivacy](https://github.com/sarfata/voodooprivacy) and there is an updated guide to setting up an IPSec VPN on a virtual machine ([hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)) or a docker container ([hwdsl2/docker-ipsec-vpn-server](https://github.com/hwdsl2/docker-ipsec-vpn-server)).
  794. ## Viruses and malware
  795. There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software!
  796. Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. [Malwarebytes Anti-Malware for Mac](https://www.malwarebytes.com/antimalware/mac/) is an excellent program for ridding oneself of "garden-variety" malware and other "crapware".
  797. See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions.
  798. You could periodically run a tool like [Knock Knock](https://github.com/synack/knockknock) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) first, however. Using an application such as [Little Flocker](https://www.littleflocker.com/) can also protect parts of the filesystem from unauthorized writes similar to how Little Snitch protects the network (note, however, the software is still in beta and should be [used with caution](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128)).
  799. **Anti-virus** programs are a double-edged sword -- not useful for **advanced** users and will likely increase attack surface against sophisticated threats, however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider.
  800. See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](http://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675).
  801. Therefore, the best anti-virus is **Common Sense 2016**. See more discussion in [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44).
  802. Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)).
  803. Have a look at [The Safe Mac](http://www.thesafemac.com/) for past and current Mac security news.
  804. Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for Mac OS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from **userland** (e.g., `ps`, `ls`), for example. For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/)
  805. ## System Integrity Protection
  806. [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) is a security feature since OS X 10.11 "El Capitan". It is enabled by default, but [can be disabled](https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/), which may be necessary to change some system settings, such as deleting root certificate authorities or unloading certain launch daemons. Keep this feature on, as it is by default.
  807. From [What's New in OS X 10.11](https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html):
  808. > A new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted.
  809. Also see [What is the “rootless” feature in El Capitan, really?](https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really)
  810. Some MacBook hardware has shipped with [SIP disabled](http://appleinsider.com/articles/16/11/17/system-integrity-protection-disabled-by-default-on-some-touch-bar-macbook-pros). To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode.
  811. ## Gatekeeper and XProtect
  812. **Gatekeeper** and the **quarantine** system try to prevent unsigned or "bad" programs and files from running and opening.
  813. **XProtect** prevents the execution of known bad files and outdated plugin versions, but does nothing to cleanup or stop existing malware.
  814. Both offer trivial protection against common risks and are fine at default settings.
  815. See also [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafemac.com/mmg-builtin/) and [Gatekeeper, XProtect and the Quarantine attribute](http://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html).
  816. **Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. To examine the file, simply use `strings` or the following command:
  817. $ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
  818. See [here](http://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/) for more information.
  819. To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and [make it immutable](http://hints.macworld.com/article.php?story=20031017061722471):
  820. $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
  821. $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
  822. Furthermore, macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files:
  823. ```
  824. $ ls -l@ ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg
  825. -rw-r--r--@ 1 drduh staff 59322237 Oct 9 15:20 TorBrowser-6.0.5-osx64_en-US.dmg
  826. com.apple.metadata:kMDItemWhereFroms 186
  827. com.apple.quarantine 68
  828. $ xattr -l ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg
  829. com.apple.metadata:kMDItemWhereFroms:
  830. 00000000 62 70 6C 69 73 74 30 30 A2 01 02 5F 10 4D 68 74 |bplist00..._.Mht|
  831. 00000010 74 70 73 3A 2F 2F 64 69 73 74 2E 74 6F 72 70 72 |tps://dist.torpr|
  832. 00000020 6F 6A 65 63 74 2E 6F 72 67 2F 74 6F 72 62 72 6F |oject.org/torbro|
  833. 00000030 77 73 65 72 2F 36 2E 30 2E 35 2F 54 6F 72 42 72 |wser/6.0.5/TorBr|
  834. 00000040 6F 77 73 65 72 2D 36 2E 30 2E 35 2D 6F 73 78 36 |owser-6.0.5-osx6|
  835. 00000050 34 5F 65 6E 2D 55 53 2E 64 6D 67 5F 10 39 68 74 |4_en-US.dmg_.9ht|
  836. 00000060 74 70 73 3A 2F 2F 77 77 77 2E 74 6F 72 70 72 6F |tps://www.torpro|
  837. 00000070 6A 65 63 74 2E 6F 72 67 2F 64 6F 77 6E 6C 6F 61 |ject.org/downloa|
  838. 00000080 64 2F 64 6F 77 6E 6C 6F 61 64 2D 65 61 73 79 2E |d/download-easy.|
  839. 00000090 68 74 6D 6C 2E 65 6E 08 0B 5B 00 00 00 00 00 00 |html.en..[......|
  840. 000000A0 01 01 00 00 00 00 00 00 00 03 00 00 00 00 00 00 |................|
  841. 000000B0 00 00 00 00 00 00 00 00 00 97 |..........|
  842. 000000ba
  843. com.apple.quarantine: 0081;52fb9173;Google Chrome.app;3AB6D46E-4AC5-3C3E-B427-32C7F804AAA3
  844. $ xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg
  845. $ xattr -d com.apple.quarantine ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg
  846. $ xattr -l ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg
  847. [No output after removal.]
  848. ```
  849. ## Passwords
  850. You can generate strong passwords with OpenSSL:
  851. $ openssl rand -base64 30
  852. LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI
  853. Or GPG:
  854. $ gpg --gen-random -a 0 30
  855. 4/bGZL+yUEe8fOqQhF5V01HpGwFSpUPwFcU3aOWQ
  856. Or `/dev/urandom` output:
  857. $ dd if=/dev/urandom bs=1 count=30 2>/dev/null | base64
  858. CbRGKASFI4eTa96NMrgyamj8dLZdFYBaqtWUSxKe
  859. With control over character sets:
  860. $ LANG=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 1
  861. jm0iKn7ngQST8I0mMMCbbi6SKPcoUWwCb5lWEjxK
  862. $ LANG=C tr -dc 'DrDuh0-9' < /dev/urandom | fold -w 40 | head -n 1
  863. 686672u2Dh7r754209uD312hhh23uD7u41h3875D
  864. You can also generate passwords, even memorable ones, using **Keychain Access** password assistant, or a command line equivalent like [anders/pwgen](https://github.com/anders/pwgen).
  865. Keychains are encrypted with a [PBKDF2 derived key](https://en.wikipedia.org/wiki/PBKDF2) and are a _pretty safe_ place to store credentials. See also [Breaking into the OS X keychain](http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain). Also be aware that Keychain [does not encrypt](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/118) the names corresponding to password entries.
  866. Alternatively, you can manage an encrypted passwords file yourself with GnuPG (shameless plug for my [drduh/pwd.sh](https://github.com/drduh/pwd.sh) password manager script).
  867. In addition to passwords, ensure eligible online accounts, such as GitHub, Google accounts, banking, have [two factor authentication](https://en.wikipedia.org/wiki/Two-factor_authentication) enabled.
  868. Look to [Yubikey](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/) for a two factor and private key (e.g., ssh, gpg) hardware token. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example).
  869. ## Backup
  870. Always encrypt files locally before backing them up to external media or online services.
  871. One way is to use a symmetric cipher with GPG and a password of your choosing.
  872. To encrypt a directory:
  873. $ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg
  874. To decrypt an archive:
  875. $ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg && \
  876. tar zxvf ~/Desktop/decrypted-backup.tar.gz
  877. You may also create encrypted volumes using **Disk Utility** or `hdiutil`:
  878. $ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+
  879. Also see the following applications and services: [SpiderOak](https://spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/).
  880. ## Wi-Fi
  881. macOS remembers access points it has connected to. Like all wireless devices, the Mac will broadcast all access point names it remembers (e.g., *MyHomeNetwork*) each time it looks for a network, such as when waking from sleep.
  882. This is a privacy risk, so remove networks from the list in **System Preferences** > **Network** > **Advanced** when they're no longer needed.
  883. Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](http://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) and [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf).
  884. Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist`
  885. You may wish to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of your network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting:
  886. $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%')
  887. **Note** MAC addresses will reset to hardware defaults on each boot.
  888. Also see [feross/SpoofMAC](https://github.com/feross/SpoofMAC).
  889. Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should favor connecting to **WPA2** protected networks only to mitigate the risk of passive eavesdroppers.
  890. ## SSH
  891. For outgoing ssh connections, use hardware- or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy.
  892. Here are several recommended [options](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5) to add to `~/.ssh/config`:
  893. Host *
  894. PasswordAuthentication no
  895. ChallengeResponseAuthentication no
  896. HashKnownHosts yes
  897. **Note** [macOS Sierra permanently remembers SSH key passphrases by default](https://openradar.appspot.com/28394826). Append the option `UseKeyChain no` to turn this feature off.
  898. You can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html) to send your traffic through, which is similar to a VPN.
  899. For example, to use Privoxy on a remote host:
  900. $ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld
  901. $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555
  902. $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555
  903. Or to use an ssh connection as a [SOCKS proxy](https://www.mikeash.com/ssh_socks.html):
  904. $ ssh -NCD 3000 you@remote-host.tld
  905. By default, macOS does **not** have sshd or *Remote Login* enabled.
  906. To enable sshd and allow incoming ssh connections:
  907. $ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
  908. Or use the **System Preferences** > **Sharing** menu.
  909. If you are going to enable sshd, at least disable password authentication and consider further [hardening](https://stribika.github.io/2015/01/04/secure-secure-shell.html) your configuration.
  910. To `/etc/sshd_config`, add:
  911. ```
  912. PasswordAuthentication no
  913. ChallengeResponseAuthentication no
  914. UsePAM no
  915. ```
  916. Confirm whether sshd is enabled or disabled:
  917. $ sudo lsof -Pni TCP:22
  918. ## Physical access
  919. Keep your Mac physically secure at all times. Don't leave it unattended in hotels and such.
  920. A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password - see [Thunderstrike](https://trmm.net/Thunderstrike), for example.
  921. A helpful tool is [usbkill](https://github.com/hephaest0s/usbkill), which is *"an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer"*.
  922. Consider purchasing a [privacy filter](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook) for your screen to thwart shoulder surfers.
  923. ## System monitoring
  924. #### OpenBSM audit
  925. macOS has a powerful OpenBSM auditing capability. You can use it to monitor process execution, network activity, and much more.
  926. To tail audit logs, use the `praudit` utility:
  927. ```
  928. $ sudo praudit -l /dev/auditpipe
  929. header,201,11,execve(2),0,Thu Sep 1 12:00:00 2015, + 195 msec,exec arg,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,attribute,100755,root,wheel,16777220,986535,0,subject,drduh,root,wheel,root,wheel,412,100005,50511731,0.0.0.0,return,success,0,trailer,201,
  930. header,88,11,connect(2),0,Thu Sep 1 12:00:00 2015, + 238 msec,argument,1,0x5,fd,socket-inet,2,443,173.194.74.104,subject,drduh,root,wheel,root,wheel,326,100005,50331650,0.0.0.0,return,failure : Operation now in progress,4354967105,trailer,88
  931. header,111,11,OpenSSH login,0,Thu Sep 1 12:00:00 2015, + 16 msec,subject_ex,drduh,drduh,staff,drduh,staff,404,404,49271,::1,text,successful login drduh,return,success,0,trailer,111,
  932. ```
  933. See the manual pages for `audit`, `praudit`, `audit_control` and other files in `/etc/security`
  934. **Note** although `man audit` says the `-s` flag will synchronize the audit configuration, it appears necessary to reboot for changes to take effect.
  935. See articles on [ilostmynotes.blogspot.com](http://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information.
  936. #### DTrace
  937. `iosnoop` monitors disk I/O
  938. `opensnoop` monitors file opens
  939. `execsnoop` monitors execution of processes
  940. `errinfo` monitors failed system calls
  941. `dtruss` monitors all system calls
  942. See `man -k dtrace` for more information.
  943. **Note** [System Integrity Protection](https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection) [interferes](http://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it may no longer be possible to use these tools.
  944. #### Execution
  945. `ps -ef` lists information about all running processes.
  946. You can also view processes with **Activity Monitor**.
  947. `launchctl list` and `sudo launchctl list` list loaded and running user and system launch daemons and agents.
  948. #### Network
  949. List open network files:
  950. $ sudo lsof -Pni
  951. List contents of various network-related data structures:
  952. $ sudo netstat -atln
  953. You can also use [Wireshark](https://www.wireshark.org/) from the command line.
  954. Monitor DNS queries and replies:
  955. ```
  956. $ tshark -Y "dns.flags.response == 1" -Tfields \
  957. -e frame.time_delta \
  958. -e dns.qry.name \
  959. -e dns.a \
  960. -Eseparator=,
  961. ```
  962. Monitor HTTP requests and responses:
  963. ```
  964. $ tshark -Y "http.request or http.response" -Tfields \
  965. -e ip.dst \
  966. -e http.request.full_uri \
  967. -e http.request.method \
  968. -e http.response.code \
  969. -e http.response.phrase \
  970. -Eseparator=/s
  971. ```
  972. Monitor x509 certificates:
  973. ```
  974. $ tshark -Y "ssl.handshake.certificate" -Tfields \
  975. -e ip.src \
  976. -e x509sat.uTF8String \
  977. -e x509sat.printableString \
  978. -e x509sat.universalString \
  979. -e x509sat.IA5String \
  980. -e x509sat.teletexString \
  981. -Eseparator=/s -Equote=d
  982. ```
  983. Also see the simple networking monitoring application [BonzaiThePenguin/Loading](https://github.com/BonzaiThePenguin/Loading).
  984. ## Binary Whitelisting
  985. [google/santa](https://github.com/google/santa/) is a security software developed for Google's corporate Macintosh fleet and open sourced.
  986. > Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.
  987. Santa uses the [Kernel Authorization API](https://developer.apple.com/library/content/technotes/tn2127/_index.html) to monitor and allow/disallow binaries from executing in the kernel. Binaries can be white- or black-listed by unique hash or signing developer certificate. Santa can be used to only allow trusted code execution, or to blacklist known malware from executing on a Mac, similar to Bit9 software for Windows.
  988. **Note** Santa does not currently have a graphical user interface for managing rules. The following instructions are for advanced users only!
  989. To install Santa, visit the [Releases](https://github.com/google/santa/releases) page and download the latest disk image, the mount it and install the contained package:
  990. ```
  991. $ hdiutil mount ~/Downloads/santa-0.9.14.dmg
  992. $ sudo installer -pkg /Volumes/santa-0.9.14/santa-0.9.14.pkg -tgt /
  993. ```
  994. By default, Santa installs in "Monitor" mode (meaning, nothing gets blocked, only logged) and comes with two rules: one for Apple binaries and another for Santa software itself.
  995. Verify Santa is running and its kernel module is loaded:
  996. ```
  997. $ santactl status
  998. >>> Daemon Info
  999. Mode | Monitor
  1000. File Logging | No
  1001. Watchdog CPU Events | 0 (Peak: 0.00%)
  1002. Watchdog RAM Events | 0 (Peak: 0.00MB)
  1003. >>> Kernel Info
  1004. Kernel cache count | 0
  1005. >>> Database Info
  1006. Binary Rules | 0
  1007. Certificate Rules | 2
  1008. Events Pending Upload | 0
  1009. $ ps -ef | grep "[s]anta"
  1010. 0 786 1 0 10:01AM ?? 0:00.39 /Library/Extensions/santa-driver.kext/Contents/MacOS/santad --syslog
  1011. $ kextstat | grep santa
  1012. 119 0 0xffffff7f822ff000 0x6000 0x6000 com.google.santa-driver (0.9.14) 693D8E4D-3161-30E0-B83D-66A273CAE026 <5 4 3 1>
  1013. ```
  1014. Create a blacklist rule to prevent iTunes from executing:
  1015. $ sudo santactl rule --blacklist --path /Applications/iTunes.app/
  1016. Added rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3.
  1017. Try to launch iTunes - it will be blocked.
  1018. $ open /Applications/iTunes.app/
  1019. LSOpenURLsWithRole() failed with error -10810 for the file /Applications/iTunes.app.
  1020. <img width="450" alt="Santa block dialog when attempting to run a blacklisted program" src="https://cloud.githubusercontent.com/assets/12475110/21062284/14ddde88-be1e-11e6-8e9b-32f8a44c0cf6.png">
  1021. To remove the rule:
  1022. $ sudo santactl rule --remove --path /Applications/iTunes.app/
  1023. Removed rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3.
  1024. Open iTunes:
  1025. $ open /Applications/iTunes.app/
  1026. [iTunes will open successfully]
  1027. Create a new, example C program:
  1028. ```
  1029. $ cat <<EOF > foo.c
  1030. > #include <stdio.h>
  1031. > main() { printf("Hello World\n”); }
  1032. > EOF
  1033. ```
  1034. Compile the program with GCC (requires installation of Xcode or command-line tools):
  1035. ```
  1036. $ gcc -o foo foo.c
  1037. $ file foo
  1038. foo: Mach-O 64-bit executable x86_64
  1039. $ codesign -d foo
  1040. foo: code object is not signed at all
  1041. ```
  1042. Run it:
  1043. ```
  1044. $ ./foo
  1045. Hello World
  1046. ```
  1047. Toggle Santa into “Lockdown” mode, which only allows whitelisted binaries to run:
  1048. $ sudo defaults write /var/db/santa/config.plist ClientMode -int 2
  1049. Try to run the unsigned binary:
  1050. ```
  1051. $ ./foo
  1052. bash: ./foo: Operation not permitted
  1053. Santa
  1054. The following application has been blocked from executing
  1055. because its trustworthiness cannot be determined.
  1056. Path: /Users/demouser/foo
  1057. Identifier: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
  1058. Parent: bash (701)
  1059. ```
  1060. To whitelist a specific binary, determine its SHA-256 sum:
  1061. ```
  1062. $ santactl fileinfo /Users/demouser/foo
  1063. Path : /Users/demouser/foo
  1064. SHA-256 : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
  1065. SHA-1 : 4506f3a8c0a5abe4cacb98e6267549a4d8734d82
  1066. Type : Executable (x86-64)
  1067. Code-signed : No
  1068. Rule : Blacklisted (Unknown)
  1069. ```
  1070. Add a whitelist rule:
  1071. $ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
  1072. Added rule for SHA-256: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed.
  1073. Run it:
  1074. ```
  1075. $ ./foo
  1076. Hello World
  1077. ```
  1078. It's allowed and works!
  1079. Applications can also be whitelisted by developer certificate (so that new binary versions will not need to be manually whitelisted on each update). For example, download and run Google Chrome - it will be blocked by Santa in "Lockdown" mode:
  1080. ```
  1081. $ curl -sO https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg
  1082. $ hdiutil mount googlechrome.dmg
  1083. $ cp -r /Volumes/Google\ Chrome/Google\ Chrome.app /Applications/
  1084. $ open /Applications/Google\ Chrome.app/
  1085. LSOpenURLsWithRole() failed with error -10810 for the file /Applications/Google Chrome.app.
  1086. ```
  1087. Whitelist the application by its developer certificate (first item in the Signing Chain):
  1088. ```
  1089. $ santactl fileinfo /Applications/Google\ Chrome.app/
  1090. Path : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
  1091. SHA-256 : 0eb08224d427fb1d87d2276d911bbb6c4326ec9f74448a4d9a3cfce0c3413810
  1092. SHA-1 : 9213cbc7dfaaf7580f3936a915faa56d40479f6a
  1093. Bundle Name : Google Chrome
  1094. Bundle Version : 2883.87
  1095. Bundle Version Str : 55.0.2883.87
  1096. Type : Executable (x86-64)
  1097. Code-signed : Yes
  1098. Rule : Blacklisted (Unknown)
  1099. Signing Chain:
  1100. 1. SHA-256 : 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153
  1101. SHA-1 : 85cee8254216185620ddc8851c7a9fc4dfe120ef
  1102. Common Name : Developer ID Application: Google Inc.
  1103. Organization : Google Inc.
  1104. Organizational Unit : EQHXZ8M8AV
  1105. Valid From : 2012/04/26 07:10:10 -0700
  1106. Valid Until : 2017/04/27 07:10:10 -0700
  1107. 2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
  1108. SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
  1109. Common Name : Developer ID Certification Authority
  1110. Organization : Apple Inc.
  1111. Organizational Unit : Apple Certification Authority
  1112. Valid From : 2012/02/01 14:12:15 -0800
  1113. Valid Until : 2027/02/01 14:12:15 -0800
  1114. 3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
  1115. SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
  1116. Common Name : Apple Root CA
  1117. Organization : Apple Inc.
  1118. Organizational Unit : Apple Certification Authority
  1119. Valid From : 2006/04/25 14:40:36 -0700
  1120. Valid Until : 2035/02/09 13:40:36 -0800
  1121. ```
  1122. In this case, `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153` is the SHA-256 of Google’s Apple developer certificate (team ID EQHXZ8M8AV). To whitelist it:
  1123. ```
  1124. $ sudo santactl rule --whitelist --certificate --sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153
  1125. Added rule for SHA-256: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153.
  1126. ```
  1127. Google Chrome should now launch, and subsequent updates to the application will continue to work as long as the code signing certificate doesn’t change or expire.
  1128. To disable “Lockdown” mode:
  1129. $ sudo defaults delete /var/db/santa/config.plist ClientMode
  1130. See `/var/log/santa.log` to monitor ALLOW and DENY execution decisions.
  1131. **Note** Python, Bash and other interpreters are whitelisted (since they are signed by Apple's developer certificate), so Santa will not be able to block such scripts from executing. Thus, a potential non-binary program which disables Santa is a weakness (not vulnerability, since it is so by design) to take note of.
  1132. ## Miscellaneous
  1133. If you wish, disable [Diagnostics & Usage Data](https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data).
  1134. If you want to play **music** or watch **videos**, use [VLC media player](https://www.videolan.org/vlc/index.html) which is free and open source.
  1135. If you want to use **torrents**, use [Transmission](http://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662).
  1136. Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended handlers to manage:
  1137. ```
  1138. $ duti -s com.apple.Safari afp
  1139. $ duti -s com.apple.Safari ftp
  1140. $ duti -s com.apple.Safari nfs
  1141. $ duti -s com.apple.Safari smb
  1142. ```
  1143. Monitor system logs with the **Console** application or `syslog -w` or `log stream` commands.
  1144. In systems prior to macOS Sierra (10.12), enable the [tty_tickets flag](https://derflounder.wordpress.com/2016/09/21/tty_tickets-option-now-on-by-default-for-macos-sierras-sudo-tool/) in `/etc/sudoers` to restrict the sudo session to the Terminal window/tab that started it. To do so, use `sudo visudo` and add the line `Defaults tty_tickets`.
  1145. Set your screen to lock as soon as the screensaver starts:
  1146. $ defaults write com.apple.screensaver askForPassword -int 1
  1147. $ defaults write com.apple.screensaver askForPasswordDelay -int 0
  1148. Expose hidden files and Library folder in Finder:
  1149. $ defaults write com.apple.finder AppleShowAllFiles -bool true
  1150. $ chflags nohidden ~/Library
  1151. Show all filename extensions (so that "Evil.jpg.app" cannot masquerade easily).
  1152. $ defaults write NSGlobalDomain AppleShowAllExtensions -bool true
  1153. Don't default to saving documents to iCloud:
  1154. $ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
  1155. Enable [Secure Keyboard Entry](https://security.stackexchange.com/questions/47749/how-secure-is-secure-keyboard-entry-in-mac-os-xs-terminal) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secureinput)).
  1156. Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple):
  1157. $ defaults write com.apple.CrashReporter DialogType none
  1158. Disable Bonjour [multicast advertisements](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/):
  1159. $ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES
  1160. [Disable Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) and Bluetooth features, if they aren't necessary.
  1161. Consider [sandboxing](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html) your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles).
  1162. Did you know Apple has not shipped a computer with TPM since [2006](http://osxbook.com/book/bonus/chapter10/tpm/)?
  1163. ## Related software
  1164. [Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for macOS.
  1165. [kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - checks your OSX machine against various hardened configuration settings.
  1166. [Lockdown](https://objective-see.com/products/lockdown.html) - audits and remediates security configuration settings.
  1167. [Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - scan for applications that are either susceptible to dylib hijacking or have been hijacked.
  1168. [Little Flocker](https://www.littleflocker.com/) - "Little Snitch for files"; prevents applications from accessing files.
  1169. [facebook/osquery](https://github.com/facebook/osquery) - can be used to retrieve low level system information. Users can write SQL queries to retrieve system information.
  1170. [google/grr](https://github.com/google/grr) - incident response framework focused on remote live forensics.
  1171. [yelp/osxcollector](https://github.com/yelp/osxcollector) - forensic evidence collection & analysis toolkit for OS X.
  1172. [jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names.
  1173. [libyal/libfvde](https://github.com/libyal/libfvde) - library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
  1174. [CISOfy/lynis](https://github.com/CISOfy/lynis) - cross-platform security auditing tool and assists with compliance testing and system hardening.
  1175. ## Additional resources
  1176. *In no particular order*
  1177. [MacOS Hardening Guide - Appendix of \*OS Internals: Volume III - Security & Insecurity Internals](http://newosxbook.com/files/moxii3/AppendixA.pdf)
  1178. [Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html)
  1179. [OS X Core Technologies Overview White Paper](https://www.apple.com/osx/all-features/pdf/osx_elcapitan_core_technologies_overview.pdf)
  1180. [Reverse Engineering Mac OS X blog](https://reverse.put.as/)
  1181. [Reverse Engineering Resources](http://samdmarshall.com/re.html)
  1182. [Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html)
  1183. [Managing Macs at Google Scale (LISA '13)](https://www.usenix.org/conference/lisa13/managing-macs-google-scale)
  1184. [OS X Hardening: Securing a Large Global Mac Fleet (LISA '13)](https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet)
  1185. [DoD Security Technical Implementation Guides for Mac OS](http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx)
  1186. [The EFI boot process](http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html)
  1187. [The Intel Mac boot process](http://refit.sourceforge.net/info/boot_process.html)
  1188. [Userland Persistence on Mac OS X](https://archive.org/details/joshpitts_shmoocon2015)
  1189. [Developing Mac OSX kernel rootkits](http://phrack.org/issues/66/16.html#article)
  1190. [IOKit kernel code execution exploit](https://code.google.com/p/google-security-research/issues/detail?id=135)
  1191. [Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/)
  1192. [IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/)
  1193. [Harden the World: Mac OSX 10.11 El Capitan](http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/)
  1194. [Hacker News discussion](https://news.ycombinator.com/item?id=10148077)
  1195. [Hacker News discussion 2](https://news.ycombinator.com/item?id=13023823)
  1196. [Apple Open Source](https://opensource.apple.com/)
  1197. [OS X 10.10 Yosemite: The Ars Technica Review](http://arstechnica.com/apple/2014/10/os-x-10-10/)
  1198. [CIS Apple OSX 10.10 Benchmark](https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.10_Benchmark_v1.1.0.pdf) (pdf)
  1199. [How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch)
  1200. [Security Configuration For Mac OS X Version 10.6 Snow Leopard](http://www.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf) (pdf)
  1201. [EFF Surveillance Self-Defense Guide](https://ssd.eff.org/)
  1202. [MacAdmins on Slack](https://macadmins.herokuapp.com/)
  1203. [iCloud security and privacy overview](http://support.apple.com/kb/HT4865)
  1204. [Demystifying the DMG File Format](http://newosxbook.com/DMG.html)
  1205. [There's a lot of vulnerable OS X applications out there (Sparkle Framework RCE)](https://vulnsec.com/2016/osx-apps-vulnerabilities/)
  1206. [iSeeYou: Disabling the MacBook Webcam Indicator LED](https://jscholarship.library.jhu.edu/handle/1774.2/36569)
  1207. [Mac OS X Forensics - Technical Report](https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-8.pdf) (pdf)
  1208. [Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf)
  1209. [Extracting FileVault 2 Keys with Volatility](https://tribalchicken.com.au/security/extracting-filevault-2-keys-with-volatility/)
  1210. [Auditing and Exploiting Apple IPC](https://googleprojectzero.blogspot.com/2015/09/revisiting-apple-ipc-1-distributed_28.html)
  1211. [Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651)
  1212. [Demystifying the i-Device NVMe NAND (New storage used by Apple)](http://ramtin-amin.fr/#nvmepcie)