Skip to content

Latest commit

 

History

History
executable file
·
2394 lines (1645 loc) · 151 KB

File metadata and controls

executable file
·
2394 lines (1645 loc) · 151 KB

This guide is a collection of techniques for improving the security and privacy of a modern Apple Macintosh computer ("MacBook") running a recent version of macOS (formerly known as "OS X").

This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.

A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture.

This guide is provided on an 'as is' basis without any warranties of any kind. Only you are responsible if you break anything or get in any sort of trouble by following this guide.

To suggest an improvement, please send a pull request or open an issue.

This guide is also available in 简体中文.

Basics

Standard security best practices apply:

  • Create a threat model

    • What are you trying to protect and from whom? Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead); a nosy eavesdropper on the network; or a determined apt orchestrating a campaign against you?
    • Recognize threats and how to reduce attack surface against them.
  • Keep the system up to date

    • Patch the base operating system and all third party software.
    • macOS system updates can be completed using the App Store application, or the softwareupdate command-line utility - neither requires registering an Apple account. Updates can also be downloaded directly from Apple's support site.
    • Subscribe to announcement mailing lists like Apple security-announce.
  • Encrypt sensitive data at rest

    • In addition to full disk encryption, consider creating one or several encrypted partitions or volumes to store passwords, cryptographic keys, personal documents, etc. at rest.
    • This will mitigate damage in case of compromise and data theft.
  • Assure data availability

    • Create regular backups of your data and be ready to format and re-install the operating system in case of compromise.
    • Always encrypt locally before copying backups to external media or the "cloud".
    • Verify backups work by testing them regularly, for example by accessing certain files or performing a hash based comparison.
  • Click carefully

    • Ultimately, the security of a system can be reduced to its administrator.
    • Care should be taken when installing new software. Always prefer free and open source software (which macOS is not).

Preparing and installing macOS

There are several ways to install macOS.

The simplest way is to boot into Recovery Mode by holding Command and R keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the serial number and other identifying information over the network in plain text, which may not be desired for privacy reasons.

PII is transmitted to Apple in plain text when using macOS Recovery

Packet capture of an unencrypted HTTP conversation during macOS recovery

An alternative way to install macOS is to first download macOS Mojave from the App Store or elsewhere, and create a custom installable system image.

Verifying installation integrity

The macOS installation application is code signed, which should be verified to make sure you received a legitimate copy, using the pkgutil --check-signature or codesign -dvv commands.

To verify the code signature and integrity of macOS application bundles:

$ pkgutil --check-signature /Applications/Install\ macOS\ Catalina.app
Package "Install macOS Catalina":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Software Signing
       SHA1 fingerprint: 01 3E 27 87 74 8A 74 10 3D 62 D2 CD BF 77 A1 34 55 17 C4 82
       -----------------------------------------------------------------------------
    2. Apple Code Signing Certification Authority
       SHA1 fingerprint: 1D 01 00 78 A6 1F 4F A4 69 4A FF 4D B1 AC 26 6C E1 B4 59 46
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

Use the codesign command to examine an application's code signature:

$ codesign -dvv /Applications/Install\ macOS\ Catalina.app
Executable=/Applications/Install macOS Catalina.app/Contents/MacOS/InstallAssistant_springboard
Identifier=com.apple.InstallAssistant.Catalina
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=276 flags=0x2000(library-validation) hashes=3+3 location=embedded
Platform identifier=9
Signature size=4628
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=33
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=234
Internal requirements count=1 size=84

Creating a bootable USB installer

Instead of booting from the network or using target disk mode, a bootable macOS installer can be made with the createinstallmedia utility included in Contents/Resources folder of the installer application bundle. See Create a bootable installer for macOS, or run the utility without arguments to see how it works.

To create a bootable USB installer, mount a USB drive, and erase and partition it, then use the createinstallmedia utility:

$ diskutil list
[Find disk matching correct size, usually the last disk, e.g. /dev/disk2]

$ diskutil unmountDisk /dev/disk2

$ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100%

$ cd /Applications/Install\ macOS\ Catalina.app

$ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction
Erasing disk: 0%... 10%... 20%... 30%... 100%
Copying to disk: 0%... 10%... 20%... 30%... 40%... 50%... 60%... 70%... 80%... 90%... 100%
Making disk bootable...
Copying boot files...
Install media now available at "/Volumes/Install macOS Catalina"

Creating an install image

Note Apple's AutoDMG installer does not appear to work across OS versions. If you want to build a 10.14 image, for example, the following steps must be performed on macOS 10.14!

To create a custom install image which can be restored to a Mac (using a USB-C cable and target disk mode, for example), use MagerValp/AutoDMG.

Manual way

Note The following instructions appear to work only on macOS versions before 10.13.

Find InstallESD.dmg which is inside the installation application. Locate it in Terminal or with Finder, right click on the application bundle, select Show Package Contents and navigate to Contents > SharedSupport to find the file InstallESD.dmg

Verify file integrity by comparing its SHA-256 hash with others found in InstallESD_Hashes.csv or notpeter/apple-installer-checksums.

To determine which macOS versions and builds originally shipped with or are available for a Mac, see HT204319.

$ shasum -a 256 InstallESD.dmg

Mount and install the operating system to a temporary image:

$ hdiutil attach -mountpoint /tmp/InstallESD ./InstallESD.dmg

$ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/macos.sparseimage

$ hdiutil attach -mountpoint /tmp/macos -owners on /tmp/macos.sparseimage

$ sudo installer -pkg /tmp/InstallESD/Packages/OSInstall.mpkg -tgt /tmp/macos -verbose
installer: OS Install started.
#############
[...]

The installation will take a while, so be patient. Use tail -F /var/log/install.log in another terminal to monitor progress and check for errors.

Once the installation is complete, detach, convert and verify the image:

$ hdiutil detach /tmp/macos
"disk4" unmounted.
"disk4" ejected.

$ hdiutil detach /tmp/InstallESD
"disk3" unmounted.
"disk3" ejected.

$ hdiutil convert -format UDZO /tmp/macos.sparseimage -o ~/sierra.dmg
Preparing imaging engine...
[...]

$ asr imagescan --source ~/sierra.dmg

The file sierra.dmg is now ready to be applied over Target Disk Mode, from a bootable USB installer, booting from the network or recovery mode. The image could be further customized to include provisioned users, installed applications, preferences, for example.

Target disk mode

To use Target Disk Mode, boot up the Mac you wish to image while holding the T key and connect it to another Mac using a USB-C, Thunderbolt or Firewire cable.

If you don't have another Mac, boot to a USB installer, with sierra.dmg and other required files copied to it, by holding the Option key at boot.

Use the command diskutil list to identify the disk of the connected Mac, usually /dev/disk2

Optionally, securely erase the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as /dev/disk3s2):

$ sudo diskutil secureErase freespace 1 /dev/disk3s2

Partition the disk to Journaled HFS+:

$ sudo diskutil unmountDisk /dev/disk2

$ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100%

Restore the image to the new volume, making sure /dev/disk2 is the disk being erased:

$ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m
[...]
Erase contents of /dev/disk2s2 (/Volumes/macOS)? [ny]:y
[...]

The Disk Utility application may also be used to erase the connected disk and restore sierra.dmg to the newly created partition.

To transfer any files, copy them to a shared folder like /Users/Shared on the mounted disk image, e.g. cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared

Finished restore install from USB recovery boot

Finished restore install from USB recovery boot

Creating a recovery partition

Unless you have built the image with AutoDMG, or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using MagerValp/Create-Recovery-Partition-Installer or manually by following these steps:

Download RecoveryHDUpdate.dmg and verify its integrity:

$ shasum -a 256 RecoveryHDUpdate.dmg
f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c  RecoveryHDUpdate.dmg

Attach and expand the installer, then run it - again ensuring /Volumes/macOS path is the newly created partition on the connected disk:

$ hdiutil attach RecoveryHDUpdate.dmg

$ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery

$ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg

$ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist
[...]
Creating recovery partition: finished

Run diskutil list again to make sure Recovery HD now exists on /dev/disk2. Eject the disk with hdiutil unmount /Volumes/macOS and power down the target disk mode-booted Mac.

Virtualization

To install macOS as a virtual machine (VM) using VMware Fusion, follow the instructions above to create an image. You will not need to download and create a recovery partition manually.

For the Installation Method, select Install macOS from the recovery partition. Customize any memory or CPU requirements and complete setup. The guest VM should boot into Recovery Mode by default.

Note If the virtual machine does not boot due to a kernel panic, adjust the memory and process resource settings.

In Recovery Mode, select a language, then select Utilities > Terminal from the menu bar.

In the guest VM, type ifconfig | grep inet - you should see a private address like 172.16.34.129

On the host Mac, type ifconfig | grep inet - you should see a private gateway address like 172.16.34.1. From the host Mac, you should be able to ping 172.16.34.129 or the equivalent guest VM address.

From the host Mac, serve the installable image to the guest VM by editing /etc/apache2/httpd.conf and adding the following line to the top (using the gateway address assigned to the host Mac and port 80):

Listen 172.16.34.1:80

On the host Mac, link the image to the default Apache Web server directory:

$ sudo ln ~/sierra.dmg /Library/WebServer/Documents

From the host Mac, start Apache in the foreground:

$ sudo httpd -X

From the guest VM, install the disk image to the volume over the local network using asr:

-bash-3.2# asr restore --source http://172.16.34.1/sierra.dmg --target /Volumes/Macintosh\ HD/ --erase --buffersize 4m
	Validating target...done
	Validating source...done
	Erase contents of /dev/disk0s2 (/Volumes/Macintosh HD)? [ny]: y
	Retrieving scan information...done
	Validating sizes...done
	Restoring  ....10....20....30....40....50....60....70....80....90....100
	Verifying  ....10....20....30....40....50....60....70....80....90....100
	Remounting target volume...done

When it's finished, stop the Apache Web server on the host Mac by pressing Control C at the sudo httpd -X window and remove the image copy with sudo rm /Library/WebServer/Documents/sierra.dmg

In the guest VM, select Startup Disk from the menubar top-left, select the hard drive and restart. You may wish to disable the Network Adapter in VMware to configure the guest VM initially.

Take and Restore from saved guest VM snapshots before and after attempting risky browsing, for example, or use a guest VM to install and operate questionable software.

First boot

Note Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, late 2016 MacBooks with Touch Bar hardware require online OS activation (also see next section).

On first boot, hold Command Option P R keys to clear NVRAM.

When macOS first starts, you'll be greeted by Setup Assistant.

When creating the first account, use a strong password without a hint.

If you enter your real name at the account setup process, be aware that your computer's name and local hostname will comprise that name (e.g., John Appleseed's MacBook) and thus will appear on local networks and in various preference files.

Both should be verified and updated as needed in System Preferences > Sharing or with the following commands after installation:

$ sudo scutil --set ComputerName MacBook
$ sudo scutil --set LocalHostName MacBook

System activation

A few words on the privacy implications of activating "Touch Bar" MacBook devices from your friendly anonymous security researcher:

Apple increasingly seems (despite vague claims to the contrary) increasingly interested in merging or "unifying" the two OSes, and there are constantly rumors of fundamental changes to macOS that make it far more like iOS than the macOS of old. Apple's introduction of ARM-based coprocessors running iOS/sepOS, first with the T1 processor on the TouchBar MacBook Pros (run the TouchBar, implement NFC/ApplePay, add biometric login using sep, and verify firmware integrity) and the iMac Pro's T2 (implements/verifies embedded device firmware, implements secure boot, etc) seems to cement this concern and basically renders using macOS devices without sending metadata to Apple difficult to impossible.

iOS devices have always required "activation" on first boot and when the battery has gone dead which initializes sepOS to proceed with verified boot. First boot activation not only initializes sepOS as discussed below, but sends metadata to Apple (and carriers via Apple with cellular devices) to activate the baseband and SIM. In activation processes after first boot, just as with first boot, a long list of highly sensitive metadata are sent hashed (note hashing does not give you any privacy from Apple here since they link this exact metadata to payment information at purchase) to Apple so it can return the personalized response required for secure boot to complete. What is particularly worrying about this process is that it is a network-linked secure boot process where centralized external servers have the power to dictate what the device should boot. Equally there are significant privacy concerns with devices constantly sending metadata (both during activation and other Apple-linked/-hosted activities) and linking IP addresses very strongly with real identities based on purchase payment information and if a cellular device, metadata collected about SIM, etc unless such connections are blocked at the network level (which is only possible on self-managed infrastructure, i.e. not cellular) and doing this basically renders using the device impossible since simply installing an application requires sending device metadata to Apple.

That the activation verification mechanism is designed specifically to rely on unique device identifiers that are associated with payment information at purchase and actively associated on a continuing basis by Apple for every Apple-hosted service that the device interacts with (Apple ID-based services, softwareupdate, iMessage, FaceTime, etc.) the ability (and invitation) for Apple to silently send targeted malicious updates to devices matching specific unique ID criteria is a valid concern, and something that should not be dismissed as unlikely, especially given Apple's full compliance with recently implemented Chinese (and other authoritarian and "non-authoritarian" countries') national security laws.

iOS has from the start been designed with very little end-user control with no way for end-users to configure devices according to their wishes while maintaining security and relies heavily on new, closed source code. While macOS has for most of its history been designed on the surface in a similar fashion, power and enterprise users can (for the moment) still configure their devices relatively securely while maintaining basically zero network interaction with Apple and with the installation of third party software/kernel extensions, completely control the network stack and intercept filesystem events on a per-process basis. macOS, despite having a good deal of closed source code, was designed at a very different period in Apple's history and was designed more in line with open source standards, and designed to be configurable and controllable by enterprise/power users.

The introduction of these coprocessors to Mac devices, while increasing security in many ways, brings with it all the issues with iOS discussed above, and means that running mac devices securely with complete user control, and without forced network interaction with the Apple mothership in highly sensitive corporate and other environments problematic and risky. Given this author is unaware of the exact hardware configuration of the coprocessors, the following may be inaccurate. However, given the low-level nature of these coprocessors, it would not surprise the author if these coprocessors, if not already, will eventually have separate network access of their own, independent of the Intel CPU (indications suggest not currently the case for T1; unclear on T2), which leads to concerns similar to those that many have raised around Intel ME/AMT (and of course mac devices also have ME in the Intel CPU...). One could argue that these coprocessors increase security, and in many ways that is the case, but not the user's security against a malicious Apple.

The lack of configurability is the key issue. Apple could have introduced secure boot and firmware protection without making it require network access, without making verification linked to device-unique IDs and without introducing an enormous amount of potentially exploitable code to protect against a much smaller, but highly exploitable codebase, while running on a coprocessor with a highly privileged position on the board which gives immense power to an adversary with manufacturer compliance for targeted attacks.

This is an ongoing concern and in the worst case scenario could potentially represent the end of macs as independent, end-user controllable and relatively secure systems appropriate for sensitive environments with strict network and security policies.

From iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment.

Admin and standard user accounts

The first user account is always an admin account. Admin accounts are members of the admin group and have access to sudo, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk.

Utilities like sudo have weaknesses that can be exploited by concurrently running programs and many panes in System Preferences are unlocked by default (pdf) (p. 61–62) for admin accounts.

It is considered a best practice by Apple and others (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration.

It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some recommendations for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be removed from FileVault for additional hardening.

Caveats

  • Only administrators can install applications in /Applications (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in ~/Applications instead (the directory can be created manually). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in /Applications – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in /Applications and require no additional authentication.
  • sudo is not available in shells of the standard user, which requires using su or login to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces.
  • System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console).
  • There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the open utility.
  • See additional discussion in issue #167.

Setup

Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account.

Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see issue #179):

$ sudo dscl . -delete /Groups/admin GroupMembership <username>
$ sudo dscl . -delete /Groups/admin GroupMembers <GeneratedUID>

To find the “GeneratedUID” of an account:

$ dscl . -read /Users/<username> GeneratedUID

See also this post for more information about how macOS determines group membership.

Full disk encryption

FileVault provides full disk (technically, full volume) encryption on macOS.

FileVault encryption protects data at rest and hardens (but not always prevents) someone with physical access from stealing data or tampering with your Mac.

With much of the cryptographic operations happening efficiently in hardware, the performance penalty for FileVault is not noticeable.

Like all cryptosystems, the security of FileVault greatly depends on the quality of the pseudo random number generator (PRNG).

The random device implements the Yarrow pseudo random number generator algorithm and maintains its entropy pool. Additional entropy is fed to the generator regularly by the SecurityServer daemon from random jitter measurements of the kernel.

See man 4 random for more information.

Turning on FileVault in System Preferences after installing macOS, rather than creating an encrypted partition for the installation first, is more secure, because more PRNG entropy is available then.

Additionally, the PRNG can be manually seeded with entropy by writing to /dev/random before enabling FileVault. This can be done by simply using the Mac for a little while before activating FileVault.

It may also be possible to increase entropy with an external source, like OneRNG. See Entropy and Random Number Generators and Fun with encryption and randomness for more information.

Enable FileVault with sudo fdesetup enable or through System Preferences > Security & Privacy and reboot.

If you can remember the password, there's no reason to save the recovery key. However, all encrypted data will be lost forever if without either the password or recovery key.

To learn about how FileVault works, see the paper Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption (pdf) and related presentation (pdf). Also see IEEE Std 1619-2007: The XTS-AES Tweakable Block Cipher (pdf).

Optional Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory:

$ sudo pmset -a destroyfvkeyonstandby 1
$ sudo pmset -a hibernatemode 25

All computers have firmware of some type - EFI, BIOS - to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For example, the FileVault key is stored in EFI to transparently come out of standby mode.

Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn't destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode.

If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See issue #124 for more information. These settings can be changed with:

$ sudo pmset -a powernap 0
$ sudo pmset -a standby 0
$ sudo pmset -a standbydelay 0
$ sudo pmset -a autopoweroff 0

For more information, see Best Practices for Deploying FileVault 2 (pdf) and paper Lest We Remember: Cold Boot Attacks on Encryption Keys (pdf)

Note APFS may make evicting FileVault keys redundant - see discussion and links in issue #283.

Firmware

Setting a firmware password prevents a Mac from starting up from any device other than the startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. See How to set a firmware password on your Mac for official documentation.

This feature can be helpful if your laptop is lost or stolen, protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as pcileech, as the only way to reset the firmware password is through an Apple Store, or by using an SPI programmer, such as Bus Pirate or other flash IC programmer.

  1. Start up pressing Command and R keys to boot to Recovery Mode mode.
  2. When the Recovery window appears, choose Firmware Password Utility from the Utilities menu.
  3. In the Firmware Utility window that appears, select Turn On Firmware Password.
  4. Enter a new password, then enter the same password in the Verify field.
  5. Select Set Password.
  6. Select Quit Firmware Utility to close the Firmware Password Utility.
  7. Select Restart or Shutdown from the Apple menu in the top-left corner.

The firmware password will activate at next boot. To validate the password, hold Alt during boot - you should be prompted to enter the password.

The firmware password can also be managed with the firmwarepasswd utility while booted into the OS. For example, to prompt for the firmware password when attempting to boot from a different volume:

$ sudo firmwarepasswd -setpasswd -setmode command

To verify the firmware password:

$ sudo firmwarepasswd -verify
Verifying Firmware Password
Enter password:
Correct

A firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer.

Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple

Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple

As of macOS 10.15 Catalina, the firmwarepasswd program has a new option -disable-reset-capability. According to Apple's new Platform Security page, this effectively prevents any firmware password resets, even by Apple themselves:

For users who want no one but themselves to remove their Firmware Password by software means, the -disable-reset-capability option has been added to the firmwarepasswd command-line tool in macOS 10.15. Before setting this option, users must to acknowledge that if the password is forgotten and needs removal, the user must bear the cost of the motherboard replacement necessary to achieve this.

Newer Mac models (Mac Pro, iMac Pro, Macbook with TouchBar) with Apple T2 chips, which provide a secure enclave for encrypted keys, lessen the risk of EFI firmware attacks. See this blog post for more information.

See LongSoft/UEFITool, chipsec/chipsec and discussion in issue #213 for more information.

Firewall

There are several types of firewalls available for macOS.

Application layer firewall

Built-in, basic firewall which blocks incoming connections only. This firewall does not have the ability to monitor, nor block outgoing connections.

It can be controlled by the Firewall tab of Security & Privacy in System Preferences, or with the following commands.

Enable the firewall with logging and stealth mode:

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
Firewall is enabled. (State = 1)

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Stealth mode enabled

Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using stealth mode. When stealth mode is enabled, your computer does not respond to ICMP ping requests, and does not answer to connection attempts from a closed TCP or UDP port. This makes it more difficult for attackers to find your computer.

To prevent built-in software as well as code-signed, downloaded software from being whitelisted automatically:

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
Disabled allow signed built-in applications automatically

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off
Disabled allow signed downloaded applications automatically

Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in macOS are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall.

If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose "Allow", macOS signs the application and automatically adds it to the firewall list. If you choose "Deny", macOS adds it to the list but denies incoming connections intended for this app.

After interacting with socketfilterfw, restart the process by sending a line hangup signal:

$ sudo pkill -HUP socketfilterfw

Third party firewalls

Programs such as Little Snitch, Hands Off, Radio Silence, LuLu and Security Growler provide a good balance of usability and security.

These programs are capable of monitoring and blocking incoming and outgoing network connections. However, they may require the use of a closed source kernel extension.

If the number of choices of allowing/blocking network connections is overwhelming, use Silent Mode with connections allowed, then periodically check the configuration to gain understanding of applications and what they are doing.

It is worth noting that these firewalls can be bypassed by programs running as root or through OS vulnerabilities (pdf), but they are still worth having - just don't expect absolute protection. However, some malware actually deletes itself and doesn't execute if Little Snitch, or other security software, is installed.

For more on how Little Snitch works, see the Network Kernel Extensions Programming Guide and Shut up snitch! – reverse engineering and exploiting a critical Little Snitch vulnerability.

Kernel level packet filtering

A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with pfctl and various configuration files.

pf can also be controlled with a GUI application such as IceFloor or Murus.

There are many books and articles on the subject of pf firewall. Here's is just one example of blocking traffic by IP address.

Add the following into a file called pf.rules:

wifi = "en0"
ether = "en7"
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0
scrub in all no-df
table <blocklist> persist
block in log
block in log quick from no-route to any
block log on $wifi from { <blocklist> } to any
block log on $wifi from any to { <blocklist> }
antispoof quick for { $wifi $ether }
pass out proto tcp from { $wifi $ether } to any keep state
pass out proto udp from { $wifi $ether } to any keep state
pass out proto icmp from $wifi to any keep state

Then use the following commands to manipulate the firewall:

  • sudo pfctl -e -f pf.rules to enable the firewall and load the configuration
  • sudo pfctl -d to disable the firewall
  • sudo pfctl -t blocklist -T add 1.2.3.4 to add an IP address to the blocklist
  • sudo pfctl -t blocklist -T show to view the blocklist
  • sudo ifconfig pflog0 create to create an interface for logging
  • sudo tcpdump -ni pflog0 to view filtered packets

Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a NAT on a secure home network.

It is possible to use the pf firewall to block network access to entire ranges of network addresses, for example to a whole organization:

Query Merit RADb for the list of networks in use by an autonomous system, like Facebook:

$ whois -h whois.radb.net '!gAS32934'

Copy and paste the list of networks returned into the blocklist command:

$ sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16

Confirm the addresses were added:

$ sudo pfctl -t blocklist -T show
No ALTQ support in kernel
ALTQ related functions disabled
   31.13.24.0/21
   31.13.64.0/24
   157.240.0.0/16

Confirm network traffic is blocked to those addresses (note that DNS requests will still work):

$ dig a +short facebook.com
157.240.2.35

$ curl --connect-timeout 5 -I http://facebook.com/
*   Trying 157.240.2.35...
* TCP_NODELAY set
* Connection timed out after 5002 milliseconds
* Closing connection 0
curl: (28) Connection timed out after 5002 milliseconds

$ sudo tcpdump -tqni pflog0 'host 157.240.2.35'
IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0
IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0
IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0
IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0
IP 192.168.1.1.162771 > 157.240.2.35.80: tcp 0

Outgoing TCP SYN packets are blocked, so a TCP connection is not established and thus a Web site is effectively blocked at the IP layer.

To use pf to audit "phone home" behavior of user and system-level processes, see fix-macosx/net-monitor. See drduh/config/scripts/pf-blocklist.sh for more inspiration.

Services

Note System Integrity Protection does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or disable services from Recovery Mode. See Issue 334 for more information.

See fix-macosx/yosemite-phone-home, l1k/osxparanoia and karek314/macOS-home-call-drop for further recommendations.

Services on macOS are managed by launchd. See launchd.info, as well as Apple's Daemons and Services Programming Guide and Technical Note TN2083

You can also run KnockKnock that shows more information about startup items.

  • Use launchctl list to view running user agents
  • Use sudo launchctl list to view running system daemons
  • Specify the service name to examine it, e.g. launchctl list com.apple.Maps.mapspushd
  • Use defaults read to examine job plists in /System/Library/LaunchDaemons and /System/Library/LaunchAgents
  • Use man and strings to find out more about what an agent/daemon does

For example, to learn what a system launch daemon or agent does, start with:

$ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist

Look at the Program or ProgramArguments section to see which binary is run, in this case apsd. To find more information about that, look at the man page with man apsd

For example, if you're not interested in Apple Push Notifications, disable the service:

$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist

Note Unloading services may break usability of some applications. Read the manual pages and use Google to make sure you understand what you're doing first.

Be careful about disabling any system daemons you don't understand, as it may render your system unbootable. If you break your Mac, use single user mode to fix it.

Use Console and Activity Monitor applications if you notice your Mac heating up, feeling sluggish, or generally misbehaving, as it may have resulted from your tinkering.

To view the status of services:

$ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null

Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository.

(Optional) Run the read_launch_plists.py script and diff output to check for any discrepancies on your system, e.g.:

$ diff <(python read_launch_plists.py | sort ) <(cat 16A323_launchd.csv | sort )

See also cirrusj.github.io/Yosemite-Stop-Launch for descriptions of services and Provisioning OS X and Disabling Unnecessary Services for another explanation.

Persistent login items may also exist in these directories:

  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Library/ScriptingAdditions
  • /Library/StartupItems
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /System/Library/ScriptingAdditions
  • /System/Library/StartupItems
  • ~/Library/LaunchAgents
  • ~/Library/Preferences/com.apple.loginitems.plist

See Mac OSX Startup (pdf) for more information.

Spotlight Suggestions

Disable Spotlight Suggestions in both the Spotlight preferences and Safari's Search preferences to avoid your search queries being sent to Apple.

Also disable Bing Web Searches in the Spotlight preferences to avoid your search queries being sent to Microsoft.

See fix-macosx.com for detailed instructions.

If you've upgraded to OS X 10.10 "Yosemite" and you're using the default settings, each time you start typing in Spotlight (to open an application or search for a file on your computer), your local search terms and location are sent to Apple and third parties (including Microsoft).

Note This Web site and instructions may no longer work on macOS Sierra - see issue 164.

For comparison to Windows 10, see https://fix10.isleaked.com/

Homebrew

Consider using Homebrew to make software installations easier and to update userland tools (see Apple's great GPL purge).

Note If you have not already installed Xcode or Command Line Tools, use xcode-select --install to download and install them, or check Apple's developer site.

Install Homebrew:

$ mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew

Edit PATH in your shell or shell rc file to use ~/homebrew/bin and ~/homebrew/sbin. For example, echo 'PATH=$PATH:~/homebrew/sbin:~/homebrew/bin' >> .zshrc, then change your login shell to Z shell with chsh -s /bin/zsh, open a new Terminal window and run brew update.

Homebrew uses SSL/TLS to talk with GitHub and verifies integrity of downloaded packages, so it's fairly secure.

Remember to periodically run brew update and brew upgrade on trusted and secure networks to download and install software updates. To get information on a package before installation, run brew info <package> and check its recipe online.

According to Homebrew's Anonymous Aggregate User Behaviour Analytics, Homebrew gathers anonymous aggregate user behaviour analytics and reporting these to Google Analytics.

To opt out of Homebrew's analytics, you can set export HOMEBREW_NO_ANALYTICS=1 in your environment or shell rc file, or use brew analytics off.

You may also wish to enable additional security options, such as HOMEBREW_NO_INSECURE_REDIRECT=1 and HOMEBREW_CASK_OPTS=--require-sha.

DNS

Hosts file

Use the hosts file to block known malware, advertising or otherwise unwanted domains.

Edit the hosts file as root, for example with sudo vi /etc/hosts. The hosts file can also be managed with the GUI app 2ndalpha/gasmask.

To block a domain by A record, append any one of the following lines to /etc/hosts:

0 example.com
0.0.0.0 example.com
127.0.0.1 example.com

Note IPv6 uses the AAAA DNS record type, rather than A record type, so you may also want to block those connections by also including ::1 example.com entries, like shown here.

There are many lists of domains available online which you can paste in, just make sure each line starts with 0, 0.0.0.0, 127.0.0.1, and the line 127.0.0.1 localhost is included.

Here are some popular and useful hosts lists:

Append a list of hosts with the tee command and confirm only non-routable addresses or comments were added:

$ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts

$ wc -l /etc/hosts
65580

$ egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::" /etc/hosts | sort | uniq | egrep -e "[1,2]|::"
[No output]

See man hosts and FreeBSD Configuration Files for more information.

See the dnsmasq section of this guide for more hosts blocking options.

dnscrypt

To encrypt outgoing DNS traffic, consider using jedisct1/dnscrypt-proxy. In combination with dnsmasq and DNSSEC, the integrity and authenticity of DNS traffic is greatly improved.

JayBrown/DNSCrypt-Menu and jedisct1/bitbar-dnscrypt-proxy-switcher provide a graphical user interface to dnscrypt.

Install dnscrypt from Homebrew and follow the instructions to configure and start dnscrypt-proxy:

$ brew install dnscrypt-proxy

If using in combination with Dnsmasq, find the file homebrew.mxcl.dnscrypt-proxy.plist by running

$ brew info dnscrypt-proxy

which will show a location like /usr/local/etc/dnscrypt-proxy.toml

Open it in a text editor, find the line starting with listen_addresses = and edit that line to use DNScrypt on a port other than 53, like 5355:

listen_addresses = ['127.0.0.1:5355', '[::1]:5355']

Start DNSCrypt:

$ sudo brew services restart dnscrypt-proxy

Make sure DNSCrypt is running:

$ sudo lsof +c 15 -Pni UDP:5355
COMMAND          PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 15244 nobody    7u  IPv4 0x1337f85ff9f8beef      0t0  UDP 127.0.0.1:5355
dnscrypt-proxy 15244 nobody   10u  IPv6 0x1337f85ff9f8beef      0t0  UDP [::1]:5355
dnscrypt-proxy 15244 nobody   12u  IPv4 0x1337f85ff9f8beef      0t0  UDP 127.0.0.1:5355
dnscrypt-proxy 15244 nobody   14u  IPv6 0x1337f85ff9f8beef      0t0  UDP [::1]:5355

By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, and under the "nobody" user using the resolvers specified in https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md. If you would like to change these settings, you will have to edit the configuration file (e.g. listen_addresses, user_name, urls, etc.)

This can be accomplished by editing /usr/local/etc/dnscrypt-proxy.toml as described above.

You can run your own dnscrypt server (see also drduh/Debian-Privacy-Server-Guide#dnscrypt) from a trusted location or use one of many public servers instead.

Confirm outgoing DNS traffic is encrypted:

$ sudo tcpdump -qtni en0
IP 10.8.8.8.59636 > 107.181.168.52: UDP, length 512
IP 107.181.168.52 > 10.8.8.8.59636: UDP, length 368

$ dig +short -x 128.180.155.106.49321
d0wn-us-ns4

dnscrypt-proxy also has the capability to blacklist domains, including the use of wild-cards. See the Sample configuration file for dnscrypt-proxy for the options.

Note Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules:

block drop quick on !lo0 proto udp from any to any port = 53
block drop quick on !lo0 proto tcp from any to any port = 53

See also What is a DNS leak, the mDNSResponder manual page and ipv6-test.com.

Dnsmasq

Among other features, dnsmasq is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domain names.

Use in combination with DNSCrypt to additionally encrypt outgoing DNS traffic.

If you don't wish to use DNSCrypt, you should at least use DNS not provided by your ISP. Two popular alternatives are Google DNS and OpenDNS.

(Optional) DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root-zone. The current root-zone trust anchors may be downloaded from IANA website. There are a number of resources on DNSSEC, but probably the best one is dnssec.net website.

Install Dnsmasq (DNSSEC is optional):

$ brew install dnsmasq --with-dnssec

Download drduh/config/dnsmasq.conf:

$ curl -o homebrew/etc/dnsmasq.conf https://raw.githubusercontent.com/drduh/config/master/dnsmasq.conf

Edit the file and examine all the options. To block entire levels of domains, append drduh/config/domains or your own rules.

Install and start the program (sudo is required to bind to privileged port 53):

$ sudo brew services start dnsmasq

To set Dnsmasq as your local DNS server, open System Preferences > Network and select the active interface, then the DNS tab, select + and add 127.0.0.1, or use:

$ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

Make sure Dnsmasq is correctly configured:

$ scutil --dns | head
DNS configuration

resolver #1
  search domain[0] : whatever
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

$ networksetup -getdnsservers "Wi-Fi"
127.0.0.1

Note Some VPN software overrides DNS settings on connect. See issue #24 and drduh/config/scripts/macos-dns.sh.

Test DNSSEC validation

Test DNSSEC validation succeeds for signed zones - the reply should have NOERROR status and contain ad flag:

$ dig +dnssec icann.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

Test DNSSEC validation fails for zones that are signed improperly - the reply should have SERVFAIL status:

$ dig www.dnssec-failed.org
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Captive portal

When macOS connects to new networks, it checks for Internet connectivity and may launch a Captive Portal assistant utility application.

An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser by navigating to a non-secure HTTP page and accepting a redirect to the captive portal login interface (after disabling any custom proxy or DNS settings).

$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false

Also see Apple's secret "wispr" request, How to disable the captive portal window in Mac OS Lion and An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite.

Certificate authorities

macOS comes with over 200 root authority certificates installed from for-profit corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing SSL/TLS certificates for any domain, code signing certificates, etc.

For more information, see Certification Authority Trust Tracker, Analysis of the HTTPS certificate ecosystem (pdf), and You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores (pdf).

Inspect system root certificates in Keychain Access, under the System Roots tab or by using the security command line tool and /System/Library/Keychains/SystemRootCertificates.keychain file.

Disable certificate authorities through Keychain Access by marking them as Never Trust and closing the window:

A certificate authority certificate

The risk of a man in the middle attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still possible.

OpenSSL

Note This section may be out of date.

The version of OpenSSL in Sierra is 0.9.8zh which is not current. It doesn't support TLS 1.1 or newer, elliptic curve ciphers, and more.

Since Apple's official supported TLS library on macOS is Secure Transport, OpenSSL deprecated is considered deprecated (according to the Cryptographic Services Guide. Apple's version of OpenSSL may also have patches which may surprise you.

If you're going to use OpenSSL on your Mac, download and install a recent version of OpenSSL with brew install openssl. Note, linking brew to be used in favor of /usr/bin/openssl may interfere with built-in software. See issue #39.

Compare the TLS protocol and cipher between the homebrew version and the system version of OpenSSL:

$ ~/homebrew/bin/openssl version; echo | ~/homebrew/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session
OpenSSL 1.0.2j  26 Sep 2016
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

$ /usr/bin/openssl version; echo | /usr/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session
OpenSSL 0.9.8zh 14 Jan 2016
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA

See also Comparison of TLS implementations, How's My SSL and Qualys SSL Labs Tools.

Curl

The version of Curl which comes with macOS uses Secure Transport for SSL/TLS validation.

If you prefer to use OpenSSL, install with brew install curl --with-openssl and ensure it's the default with brew link --force curl

Download drduh/config/curlrc or see the man page:

$ curl -o ~/.curlrc https://raw.githubusercontent.com/drduh/config/master/curlrc

Web

Privoxy

Consider using Privoxy as a local proxy to filter Web browsing traffic.

Note macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and manually verify connections don't leak. Additionally, it may be possible to configure the pf firewall to transparently proxy all traffic.

A signed installation package for privoxy can be downloaded from silvester.org.uk or Sourceforge. The signed package is more secure than the Homebrew version, and attracts full support from the Privoxy project.

Alternatively, install and start privoxy using Homebrew:

$ brew install privoxy

$ brew services start privoxy

By default, privoxy listens on localhost, TCP port 8118.

Set the system HTTP proxy for your active network interface 127.0.0.1 and 8118 (This can be done through System Preferences > Network > Advanced > Proxies):

$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118

(Optional) Set the system HTTPS proxy, which still allows for domain name filtering, with:

$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118

Confirm the proxy is set:

$ scutil --proxy
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 1
  HTTPPort : 8118
  HTTPProxy : 127.0.0.1
}

Visit http://p.p/ in a browser, or with Curl:

$ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/
HTTP/1.1 200 OK
Content-Length: 2401
Content-Type: text/html
Cache-Control: no-cache

Privoxy already comes with many good rules, however you can also write your own.

Download drduh/config/privoxy/config and drduh/config/privoxy/user.action to get started:

$ curl -o homebrew/etc/privoxy/config https://raw.githubusercontent.com/drduh/config/master/privoxy/config

$ curl -o homebrew/etc/privoxy/user.action https://raw.githubusercontent.com/drduh/config/master/privoxy/user.action

Restart Privoxy and verify traffic is blocked or redirected:

$ sudo brew services restart privoxy

$ ALL_PROXY=127.0.0.1:8118 curl ads.foo.com/ -IL
HTTP/1.1 403 Request blocked by Privoxy
Content-Type: image/gif
Content-Length: 64
Cache-Control: no-cache

$ ALL_PROXY=127.0.0.1:8118 curl imgur.com/ -IL
HTTP/1.1 302 Local Redirect from Privoxy
Location: https://imgur.com/
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

You can replace ad images with pictures of kittens, for example, by starting a local Web server and redirecting blocked requests to localhost.

Browser

The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. This is an important statement. The unique use case of Web Browsers of operation in hostile environments, has forced them to adopt certain impressive security features. The cornerstone of Web Browser security is the Same Origin Policy (SOP). In a few words, SOP prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). If SOP is compromised, the security of the whole Web Browser is compromised.

The best tip to ensure secure browsing regardless your choice of Web Browser is proper security hygiene. The majority of Web Browser exploits require social engineering attacks to achieve native code execution. Always be mindful of the links you click and be extra careful when websites ask you to download and install software. 99% percent of the time that software is malware.

Another important consideration about Web Browser security is Web Extensions. Web Extensions greatly increase the attack surface of the Web Browser. This is an issue that plagues Firefox and Chrome alike. Luckily, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their behavior and remove them if they request access to information they shouldn't (why would an Ad blocker require camera access?). In the interest of security, it is best to limit your use of Web Extensions.

Mozilla Firefox, Google Chrome, Safari, and Tor Browser are covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice and not necessarily commit to only one.

Firefox

Mozilla Firefox is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects Quantum and Photon. Part of the Quantum project is to replace C++ code with Rust. Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox.

Firefox offers a similar security model to Chrome: it has a bug bounty program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues #2 and #90 for more information about certain differences in Firefox and Chrome.

Firefox supports user-supplied configuration files. See drduh/config/user.js, pyllyukko/user.js and ghacksuserjs/ghacks-user.js for recommended preferences and hardening measures. Also see NoScript, an extension which allows whitelist-based, pre-emptive script blocking.

Firefox is focused on user privacy. It supports tracking protection in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is Containers, similar to Chrome profiles.

Previous versions of Firefox used a Web Extension SDK that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. You can find more information about vulnerabilities introduced by Firefox's legacy extensions in this paper (pdf). Currently, Firefox only supports Web Extensions through the Web Extension Api, which is very similar to Chrome's.

Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary.

Note Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The issue has been raised among the Firefox community and hopefully will be resolved in the coming versions.

See drduh/config/firefox.user.js for additional Firefox configuration options to improve security and privacy.

Chrome

Google Chrome is based on the open source Chromium project with certain proprietary components:

  • Automatic updates with GoogleSoftwareUpdateDaemon.
  • Usage tracking and crash reporting, which can be disabled through Chrome's settings.
  • Chrome Web Store.
  • Adobe Flash Plugin - supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome.
  • Media Codec support - adds support for proprietary codecs.
  • Chrome PDF viewer.
  • Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. Chrome downloaded from Google’s website doesn’t have the RLZ identifier. The source code to decode the strings is made open by Google.

Chrome offers account sync between multiple devices. Part of the sync data are stored website credentials. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords.

Chrome's Web store for extensions requires a 5 dollar lifetime fee in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage.

Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as node.js which uses Chrome's V8 Engine and the Electron framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat.

Chrome offers separate profiles, sandboxing, frequent updates (including Flash, although you should disable it - see below), and carries impressive credentials. In addition, Google offers a very lucrative bounty program for reporting vulnerabilities along with its own Project Zero. This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base.

Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, either disable Javascript in Chrome settings and manually whitelist allowed origins - or use uBlock Origin to manage Javascript and/or disable third-party scripts/frames. Also install HTTPSEverywhere to upgrade insecure connections.

Change the default search engine from Google to reduce additional tracking.

Disable DNS prefetching (see also DNS Prefetching and Its Privacy Implications (pdf)). Note that Chrome may attempt to resolve DNS using Google's 8.8.8.8 and 8.8.4.4 public nameservers.

Read Chromium Security and Chromium Privacy for more detailed, technical information.

Read Google's privacy policy and learn which Google services collect personal information. Users can opt-out of services and see what type of information Google has stored in account settings.

Safari

Safari is the default Web browser of macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine WebKit, which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's Blink engine is a fork of WebKit and both engines share a number of similarities.

Safari supports certain unique features that benefit user security and privacy. Content blockers enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 introduced an Intelligent Tracking Prevention system. This feature automatically removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website.

Similar to Chrome and Firefox, Safari offers an invite only bounty program for bug reporting to a select number of security researchers. The bounty program was announced during Apple's presentation at BlackHat 2016.

Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly developer subscription fee costs 100 USD (in contrast to Chrome's 5 dollar lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open.

Safari syncs user preferences and saved passwords with iCloud Keychain. In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security.

Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (similar to as Chrome and Firefox) is called Safari Technology Preview and it is the recommended option instead of the stable channel of Safari.

An excellent open source ad blocker for Safari that fully leverages content blockers is dgraham/Ka-Block. See also el1t/uBlock-Safari to disable hyperlink auditing beacons.

Other Web browsers

Many Chromium-derived browsers are not recommended. They are usually closed source, poorly maintained, have bugs, and make dubious claims to protect privacy. See The Private Life of Chromium Browsers.

Other miscellaneous browsers, such as Brave, are not evaluated in this guide, so are neither recommended nor actively discouraged from use.

Web browsers and privacy

All Web Browsers retain certain information about our browsing habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browsers offer prediction services to resolve typos or URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web browser's settings panel.

Since Web browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The Navigator interface gives access to information about the Web Browser's user agent. Those include information such as the operating system, Web sites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see HowTo: Privacy & Security Conscious Browsing, browserleaks.com and EFF Panopticlick.

To hinder third party trackers, it is recommended to disable third-party cookies in Web browser settings. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed.

Also be aware of WebRTC, which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as uBlock Origin and rentamob/WebRTC-Leak-Prevent. Disabling WebRTC in Safari is only possible with a system hack.

Plugins

Adobe Flash, Oracle Java, Adobe Reader, Microsoft Silverlight (Netflix now works with HTML5) and other plugins are security risks and should not be installed.

If they are necessary, only use them in a disposable virtual machine and subscribe to security announcements to make sure you're always patched.

See Hacking Team Flash Zero-Day, Java Trojan BackDoor.Flashback, Acrobat Reader: Security Vulnerabilities, and Angling for Silverlight Exploits for examples.

Tor

Tor is an anonymizing proxy which can be used for browsing the Web.

Download Tor Browser from Tor Project.

Do not attempt to configure other browsers or applications to use Tor as you may make a mistake which will compromise anonymity.

Download both the dmg and asc signature files, then verify the disk image has been signed by Tor developers:

$ cd ~/Downloads

$ file Tor*
TorBrowser-8.0.4-osx64_en-US.dmg:     bzip2 compressed data, block size = 900k
TorBrowser-8.0.4-osx64_en-US.dmg.asc: PGP signature Signature (old)

$ gpg Tor*asc
[...]
gpg: Can't check signature: No public key

$ gpg --recv 0x4E2C6E8793298290
gpg: key 0x4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify Tor*asc
gpg: assuming signed data in 'TorBrowser-8.0.4-osx64_en-US.dmg'
gpg: Signature made Mon Dec 10 07:16:22 2018 PST
gpg:                using RSA key 0xEB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

Make sure Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" appears in the output. The warning about the key not being certified is benign, as it has not yet been manually assigned trust.

See How to verify signatures for packages for more information.

To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with:

$ hdiutil mount TorBrowser-8.0.4-osx64_en-US.dmg

$ cp -r /Volumes/Tor\ Browser/Tor\ Browser.app/ ~/Applications/

Verify the Tor application's code signature was made by with The Tor Project's Apple developer ID MADPSAYN6T, using the spctl -a -v and/or pkgutil --check-signature commands:

$ spctl -a -vv ~/Applications/Tor\ Browser.app
/Users/drduh/Applications/Tor Browser.app: accepted
source=Developer ID
origin=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)

$ pkgutil --check-signature ~/Applications/Tor\ Browser.app
Package "Tor Browser.app":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Application: The Tor Project, Inc (MADPSAYN6T)
       SHA1 fingerprint: 95 80 54 F1 54 66 F3 9C C2 D8 27 7A 29 21 D9 61 11 93 B3 E8
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

You can also use the codesign command to examine an application's code signature:

$ codesign -dvv ~/Applications/Tor\ Browser.app
Executable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox
Identifier=org.torproject.torbrowser
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=229 flags=0x0(none) hashes=4+3 location=embedded
Library validation warning=OS X SDK version before 10.9 does not support Library Validation
Signature size=4247
Authority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Dec 10, 2018 at 12:18:45 AM
Info.plist entries=24
TeamIdentifier=MADPSAYN6T
Sealed Resources version=2 rules=12 files=128
Internal requirements count=1 size=188

To view full certificate details for a signed application, extract them with codesign and decode it with openssl:

$ codesign -d --extract-certificates ~/Applications/Tor\ Browser.app
Executable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox

$ file codesign*
codesign0: data
codesign1: data
codesign2: data

$ openssl x509 -inform der -in codesign0 -subject -issuer -startdate -enddate -noout
subject= /UID=MADPSAYN6T/CN=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)/OU=MADPSAYN6T/O=The Tor Project, Inc/C=US
issuer= /CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US
notBefore=Apr 12 22:40:13 2016 GMT
notAfter=Apr 13 22:40:13 2021 GMT

$ openssl x509 -inform der -in codesign0  -fingerprint -noout
SHA1 Fingerprint=95:80:54:F1:54:66:F3:9C:C2:D8:27:7A:29:21:D9:61:11:93:B3:E8

$ openssl x509 -inform der -in codesign0 -fingerprint -sha256 -noout
SHA256 Fingerprint=B5:0D:47:F0:3E:CB:42:B6:68:1C:6F:38:06:2B:C2:9F:41:FA:D6:54:F1:29:D3:E4:DD:9C:C7:49:35:FF:F5:D9

Tor traffic is encrypted to the exit node (i.e., cannot be read by a passive network eavesdropper), but Tor use can be identified - for example, TLS handshake "hostnames" will show up in plaintext:

$ sudo tcpdump -An "tcp" | grep "www"
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
.............". ...www.odezz26nvv7jeqz1xghzs.com.........
.............#.!...www.bxbko3qi7vacgwyk4ggulh.com.........
.6....m.....>...:.........|../*	Z....W....X=..6...C../....................................0...0..0.......'....F./0..	*.H........0%1#0!..U....www.b6zazzahl3h3faf4x2.com0...160402000000Z..170317000000Z0'1%0#..U....www.tm3ddrghe22wgqna5u8g.net0..0..

See Tor Protocol Specification and Tor/TLSHistory for more information.

You may wish to additionally obfuscate Tor traffic using a pluggable transport, such as Yawning/obfs4proxy or SRI-CSL/stegotorus.

This can be done by setting up your own Tor relay or finding an existing private or public bridge to serve as an obfuscating entry node.

For extra security, use Tor inside a VirtualBox or VMware virtualized GNU/Linux or BSD machine.

Finally, remember the Tor network provides anonymity, which is not necessarily synonymous with privacy. The Tor network does not guarantee protection against a global observer capable of traffic analysis and correlation. See also Seeking Anonymity in an Internet Panopticon (pdf) and Traffic Correlation on Tor by Realistic Adversaries (pdf).

Also see Invisible Internet Project (I2P) and its Tor comparison.

VPN

Unencrypted network traffic is being actively monitored and possibly tampered with. Encrypted traffic still exposes connection metadata and could be used to infer behavior or specific actions.

It is a good idea to use a VPN with outgoing network traffic (not split tunnel) together with a trustworthy provider. drduh/Debian-Privacy-Server-Guide is one of many available guides for setting up a personal VPN server.

Don't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you don't understand how the VPN works or are not familiar with the software used, you are probably better off without it.

When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as PPTP, should be avoided in favor of OpenVPN or Linux-based Wireguard on a Linux VM or via a set of cross platform tools.

Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See scy/8122924 for an example on how to allow traffic only over VPN.

Another set of scripts to lock down your system so it will only access the internet via a VPN can be found as part of the Voodoo Privacy project - sarfata/voodooprivacy and there is an updated guide to setting up an IPSec VPN on a virtual machine (hwdsl2/setup-ipsec-vpn) or a docker container (hwdsl2/docker-ipsec-vpn-server).

It may be worthwhile to consider the geographical location of the VPN provider. See further discussion in issue #114.

Also see this technical overview of the macOS built-in VPN L2TP/IPSec and IKEv2 client.

Other open source OpenVPN clients/GUI: Eddie, Pritunl are not evaluated in this guide, so are neither recommended nor actively discouraged from use.

PGP/GPG

PGP is a standard for encrypting email end to end. That means only the chosen recipients can decrypt a message, unlike regular email which is read and forever archived by providers.

GPG, or GNU Privacy Guard, is a GPL-licensed open source program compliant with the PGP standard.

GPG is used to verify signatures of software you download and install, as well as symmetrically or asymmetrically encrypt files and text.

Install from Homebrew with brew install gnupg.

If you prefer a graphical application, download and install GPG Suite.

Download drduh/config/gpg.conf to use recommended settings:

$ curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf

See drduh/YubiKey-Guide to securely generate and store GPG keys.

Read online guides and practice encrypting and decrypting email to yourself and your friends. Get them interested in this stuff!

OTR

OTR stands for off-the-record and is a cryptographic protocol for encrypting and authenticating conversations over instant messaging.

You can use OTR on top of any existing XMPP chat service, even Google Hangouts (which only encrypts conversations between users and the server using TLS).

The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail).

A popular macOS GUI client for XMPP and other chat protocols is Adium.

Other XMPP clients include profanity and agl/xmpp-client. Another relatively new XMPP chat client is CoyIM, it's focused and security and has built-in support for OTR and Tor.

If you want to know how OTR works, read the paper Off-the-Record Communication, or, Why Not To Use PGP (pdf)

Viruses and malware

There is an ever-increasing amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software!

Some malware comes bundled with both legitimate software, such as the Java bundling Ask Toolbar, and some with illegitimate software, such as Mac.BackDoor.iWorm bundled with pirated programs. Malwarebytes Anti-Malware for Mac is an excellent program for ridding oneself of "garden-variety" malware and other "crapware".

See Methods of malware persistence on Mac OS X (pdf) and Malware Persistence on OS X Yosemite to learn about how garden-variety malware functions.

You could periodically run a tool like Knock Knock to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as Block Block and Ostiarius will help. See warnings and caveats in issue #90 first, however. An open-source alternative could be maclaunch.sh.

Anti-virus programs are a double-edged sword -- not so useful for advanced users and will likely increase attack surface against sophisticated threats; however possibly useful for catching "garden variety" malware on novice users' Macs. There is also the additional processing overhead to consider when using "active" scanning features.

See Sophail: Applied attacks against Antivirus (pdf), Analysis and Exploitation of an ESET Vulnerability, a trivial Avast RCE, Popular Security Software Came Under Relentless NSA and GCHQ Attacks, How Israel Caught Russian Hackers Scouring the World for U.S. Secrets and AVG: "Web TuneUP" extension multiple critical vulnerabilities.

Therefore, the best anti-virus is Common Sense 2020. See discussion in issue #44.

Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP (example).

Subscribe to updates at The Safe Mac and Malwarebytes Blog for current Mac security news.

To scan an application with multiple AV products and examine its behavior, upload it to VirusTotal.

Also check out Hacking Team malware for macOS: root installation for MacOS, Support driver for Mac Agent and RCS Agent for Mac, which is a good example of advanced malware with capabilities to hide from userland (e.g., ps, ls). For more, see A Brief Analysis of an RCS Implant Installer and reverse.put.as

System Integrity Protection

System Integrity Protection (SIP) is a security feature since OS X 10.11 "El Capitan". It is enabled by default, but can be disabled, which may be necessary to change some system settings, such as deleting root certificate authorities or unloading certain launch daemons. Keep this feature on, as it is by default.

From What's New in OS X 10.11:

A new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted.

Also see What is the “rootless” feature in El Capitan, really?

Some MacBook hardware has shipped with SIP disabled. To verify SIP is enabled, use the command csrutil status, which should return: System Integrity Protection status: enabled. Otherwise, enable SIP through Recovery Mode.

Gatekeeper and XProtect

Gatekeeper and the quarantine system try to prevent unsigned or "bad" programs and files from running and opening.

XProtect prevents the execution of known bad files and outdated plugin versions, but does nothing to cleanup or stop existing malware.

Both offer trivial protection against common risks and are fine at default settings.

See also Mac Malware Guide : How does Mac OS X protect me? and Gatekeeper, XProtect and the Quarantine attribute.

Note Quarantine stores information about downloaded files in ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2, which may pose a privacy risk. To examine the file, simply use strings or the following command:

$ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, ' \
  'LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | \
  sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

See here for more information.

To permanently disable this feature, clear the file and make it immutable:

$ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

$ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Metadata and artifacts

macOS attaches metadata (HFS+ extended attributes) to downloaded files, which can be viewed with the mdls and xattr commands:

$ ls -l@ ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg
-rw-r--r--@ 1 drduh staff 63M Jan 1 12:00 TorBrowser-8.0.4-osx64_en-US.dmg
	com.apple.metadata:kMDItemWhereFroms	  46B
	com.apple.quarantine	  57B

$ mdls ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg
kMDItemContentCreationDate         = 2019-01-01 00:00:00 +0000
kMDItemContentCreationDate_Ranking = 2019-01-01 00:00:00 +0000
kMDItemContentModificationDate     = 2019-01-01 00:00:00 +0000
kMDItemContentType                 = "com.apple.disk-image-udif"
kMDItemContentTypeTree             = (
    "public.archive",
    "public.item",
    "public.data",
    "public.disk-image",
    "com.apple.disk-image",
    "com.apple.disk-image-udif"
)
kMDItemDateAdded                   = 2019-01-01 00:00:00 +0000
kMDItemDateAdded_Ranking           = 2019-01-01 00:00:00 +0000
kMDItemDisplayName                 = "TorBrowser-8.0.4-osx64_en-US.dmg"
kMDItemFSContentChangeDate         = 2019-01-01 00:00:00 +0000
kMDItemFSCreationDate              = 2019-01-01 00:00:00 +0000
kMDItemFSCreatorCode               = ""
kMDItemFSFinderFlags               = 0
kMDItemFSHasCustomIcon             = (null)
kMDItemFSInvisible                 = 0
kMDItemFSIsExtensionHidden         = 0
kMDItemFSIsStationery              = (null)
kMDItemFSLabel                     = 0
kMDItemFSName                      = "TorBrowser-8.0.4-osx64_en-US.dmg"
kMDItemFSNodeCount                 = (null)
kMDItemFSOwnerGroupID              = 5000
kMDItemFSOwnerUserID               = 501
kMDItemFSSize                      = 65840402
kMDItemFSTypeCode                  = ""
kMDItemInterestingDate_Ranking     = 2019-01-01 00:00:00 +0000
kMDItemKind                        = "Disk Image"
kMDItemWhereFroms                  = (
    "https://dist.torproject.org/torbrowser/8.0.4/TorBrowser-8.0.4-osx64_en-US.dmg",
    "https://www.torproject.org/projects/torbrowser.html.en"
)

$ xattr -l ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg
com.apple.metadata:kMDItemWhereFroms:
00000000  62 70 6C 69 73 74 30 30 A2 01 02 5F 10 4D 68 74  |bplist00..._.Mht|
00000010  74 70 73 3A 2F 2F 64 69 73 74 2E 74 6F 72 70 72  |tps://dist.torpr|
00000020  6F 6A 65 63 74 2E 6F 72 67 2F 74 6F 72 62 72 6F  |oject.org/torbro|
[...]
com.apple.quarantine: 0081;58519ffa;Google Chrome.app;1F032CAB-F5A1-4D92-84EB-CBECA971B7BC

Metadata attributes can also be removed with the -d flag:

$ xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg

$ xattr -d com.apple.quarantine ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg

$ xattr -l ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg
[No output expected]

Other metadata and artifacts may be found in the directories including, but not limited to, ~/Library/Preferences/, ~/Library/Containers/<APP>/Data/Library/Preferences, /Library/Preferences, some of which is detailed below.

~/Library/Preferences/com.apple.sidebarlists.plist contains historical list of volumes attached. To clear it, use the command /usr/libexec/PlistBuddy -c "delete :systemitems:VolumesList" ~/Library/Preferences/com.apple.sidebarlists.plist

/Library/Preferences/com.apple.Bluetooth.plist contains Bluetooth metadata, including device history. If Bluetooth is not used, the metadata can be cleared with:

$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache
$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices
$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices
$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces
$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices

/var/spool/cups contains the CUPS printer job cache. To clear it, use the commands:

$ sudo rm -rfv /var/spool/cups/c0*
$ sudo rm -rfv /var/spool/cups/tmp/*
$ sudo rm -rfv /var/spool/cups/cache/job.cache*

To clear the list of iOS devices connected, use:

$ sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect"
$ sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices
$ sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect"
$ sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices
$ sudo rm -rfv /var/db/lockdown/*

Quicklook thumbnail data can be cleared using the qlmanage -r cache command, but this writes to the file resetreason in the Quicklook directories, and states that the Quicklook cache was manually cleared. Disable the thumbnail cache with qlmanage -r disablecache

It can also be manually cleared by getting the directory names with getconf DARWIN_USER_CACHE_DIR and sudo getconf DARWIN_USER_CACHE_DIR, then removing them:

$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive
$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm
$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal
$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason
$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data

Similarly, for the root user:

$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler
$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive
$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm
$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal
$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason
$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data
$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler

Also see 'quicklook' cache may leak encrypted data.

To clear Finder preferences:

$ defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions
$ defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders
$ defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations
$ defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches
$ defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches

Additional diagnostic files may be found in the following directories - but caution should be taken before removing any, as it may break logging or cause other issues:

/var/db/CoreDuet/
/var/db/diagnostics/
/var/db/systemstats/
/var/db/uuidtext/
/var/log/DiagnosticMessages/

macOS stored preferred Wi-Fi data (including credentials) in NVRAM. To clear it, use the following commands:

$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network
$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks
$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count

macOS may collect sensitive information about what you type, even if user dictionary and suggestions are off. To remove them, and prevent them from being created again, use the following commands:

$ rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*"
$ chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
$ chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions

QuickLook application support metadata can be cleared and locked with the following commands:

$ rm -rfv "~/Library/Application Support/Quick Look/*"
$ chmod -R 000 "~/Library/Application Support/Quick Look"
$ chflags -R uchg "~/Library/Application Support/Quick Look"

Document revision metadata is stored in /.DocumentRevisions-V100 and can be cleared and locked with the following commands - caution should be taken as this may break some core Apple applications:

$ sudo rm -rfv /.DocumentRevisions-V100/*
$ sudo chmod -R 000 /.DocumentRevisions-V100
$ sudo chflags -R uchg /.DocumentRevisions-V100

Saved application state metadata may be cleared and locked with the following commands:

$ rm -rfv "~/Library/Saved Application State/*"
$ rm -rfv "~/Library/Containers/<APPNAME>/Saved Application State"
$ chmod -R 000 "~/Library/Saved Application State/"
$ chmod -R 000 "~/Library/Containers/<APPNAME>/Saved Application State"
$ chflags -R uchg "~/Library/Saved Application State/"
$ chflags -R uchg "~/Library/Containers/<APPNAME>/Saved Application State"

Autosave metadata can be cleared and locked with the following commands:

$ rm -rfv "~/Library/Containers/<APP>/Data/Library/Autosave Information"
$ rm -rfv "~/Library/Autosave Information"
$ chmod -R 000 "~/Library/Containers/<APP>/Data/Library/Autosave Information"
$ chmod -R 000 "~/Library/Autosave Information"
$ chflags -R uchg "~/Library/Containers/<APP>/Data/Library/Autosave Information"
$ chflags -R uchg "~/Library/Autosave Information"

The Siri analytics database, which is created even if the Siri launch agent disabled, can be cleared and locked with the following commands:

$ rm -rfv ~/Library/Assistant/SiriAnalytics.db
$ chmod -R 000 ~/Library/Assistant/SiriAnalytics.db
$ chflags -R uchg ~/Library/Assistant/SiriAnalytics.db

~/Library/Preferences/com.apple.iTunes.plist contains iTunes metadata. Recent iTunes search data may be cleared with the following command:

$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches

If you do not use Apple ID-linked services, the following keys may be cleared, too, using the following commands:

$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo
$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID

All media played in QuickTime Player can be found in:

~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist

Additional metadata may exist in the following files:

~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist
~/Library/Preferences/com.apple.commerce.plist
~/Library/Preferences/com.apple.QuickTimePlayerX.plist

Passwords

Generate strong passwords with several programs or directly from /dev/urandom:

$ openssl rand -base64 30
qb8ZWbUU2Ri3FOAPY/1wKSFAJwMXmpQM4mZU4YbO

$ gpg --gen-random -a 0 90 | fold -w 40
3e+kfHOvovHVXxZYPgu+OOWQ1g1ttbljr+kNGv7f
loD//RsjUXYGIjfPM/bT0itsoEstyGLVUsFns8wP
zYM8VRBga+TsnxWrS7lWKfH1uvVPowzkq9kXCdvJ

$ LANG=C tr -dc 'A-F0-9' < /dev/urandom | fold -w 40 | head -n 5
45D0371481EE5E5A5C1F68EA59E69F9CA52CB321
A30B37A00302643921F205621B145E7EAF520164
B6EF38A2DA1D0586D20105502AFFF0468EA5F16A
029D6EA9F76CD64D3356E342EA154BEFEBE23387
07F468F0569579A0A06471247CABC4F4C1386E24

$ tr -dc '[:alnum:]' < /dev/urandom | fold -w 40 | head -n5
zmj8S0iuxud8y8YHjzdg7Hefu6U1KAYBiLl3aE8v
nCNpuMkWohTjQHntTzbiLQJG5zLzEHWSWaYSwjtm
R2L6M909S3ih852IkJqQFMDawCiHcpPBxlllAPrt
aZOXKVUmxhzQwVSYb6nqAbGTVMFSJOLf094bFZAb
HfgwSNlkVBXwIPQST6E6x6vDNCCasMLSSOoTUfSK

$ tr -dc '[:lower:]' < /dev/urandom | fold -w 40 | head -n5
gfvkanntxutzwxficgvavbwdvttexdezdftvvtmn
lgrsuiugwkqbtbkyggcbpbqlynwbiyxzlabstqcf
ufctdlsbyonkowzpmotxiksnsbwdzkjrjsupoqvr
hjwibdjxtmuvqricljayzkgdfztcmapsgwsubggr
bjstlmvwjczakgeetkbmwbjnidbeaerhaonpkacg

$ tr -dc '[:upper:]' < /dev/urandom | fold -w 40 | head -n5
EUHZMAOBOLNFXUNNDSTLJTPDCPVQBPUEQOLRZUQZ
HVNVKBEPAAYMXRCGVCNEZLFHNUYMRYPTWPWOOZVM
TAHEUPQJTSYQVJVYSKLURESMKWEZONXLUDHWQODB
PRDITWMAXXZLTRXEEOGOSGAWUXYDGDRJYRHUWICM
VHERIQBLBPHSIUZSGYZRDHTNAPUGJMRODIKBWZRJ

$ tr -dc '[:graph:]' < /dev/urandom | fold -w 40 | head -n5
n\T2|zUz:\C,@z9!#p3!B/[t6m:B94}q&t(^)Ol~
J%MMDbAgGdP}zrSQO!3mrP3$w!.[Ng_xx-_[C<3g
^)6V&*<2"ZOgU.mBd]iInvFKiT<dq~y\O[cdDK`V
+RE]UYPIf3:StX`y#w,.iG~g"urD)'FnDIFI_q^)
6?HRillpgvvFDBAr4[:H{^oAL<`Em7$roF=2w;1~

You can also generate passwords, even memorable ones, using Keychain Access password assistant, or a command line equivalent like anders/pwgen.

Keychains are encrypted with a PBKDF2 derived key and are a pretty safe place to store credentials. See also Breaking into the OS X keychain. Also be aware that Keychain does not encrypt the names corresponding to password entries.

Alternatively, you can manage an encrypted passwords file yourself with GnuPG (see drduh/Purse and drduh/pwd.sh for example).

In addition to passwords, ensure eligible online accounts, such as GitHub, Google accounts, banking, have two factor authentication enabled.

Yubikey offers affordable hardware tokens. See drduh/YubiKey-Guide and trmm.net/Yubikey. One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example).

In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from Yubico. Yubikey are a bit pricey, there is cheaper alternative, but not as capable, U2F Zero. Here is a great guide to set it up

Backup

Always encrypt files locally before backing them up to external media or online services.

One way is to use a symmetric cipher with GPG and a password of your choosing. Files can also be encrypted to a public key with GPG, with the private key stored on YubiKey.

To compress and encrypt a directory:

$ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg
tar: Removing leading '/' from member names
a Users/drduh/Downloads
a Users/drduh/Downloads/.DS_Store
a Users/drduh/Downloads/.localized
a Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg.asc
a Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg

To decrypt and decompress the directory:

$ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase

$ tar zxvf ~/Desktop/decrypted-backup.tar.gz
tar: Removing leading '/' from member names
x Users/drduh/._Downloads
x Users/drduh/Downloads/
x Users/drduh/Downloads/._.DS_Store
x Users/drduh/Downloads/.DS_Store
x Users/drduh/Downloads/.localized
x Users/drduh/Downloads/._TorBrowser-8.0.4-osx64_en-US.dmg.asc
x Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg.asc
x Users/drduh/Downloads/._TorBrowser-8.0.4-osx64_en-US.dmg
x Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg

You can also create and use encrypted volumes using Disk Utility or hdiutil:

$ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 50M -volname "secretStuff" -fs JHFS+
Enter a new password to secure "encrypted.dmg":
Re-enter new password:
....................................
Created: /Users/drduh/Desktop/encrypted.img

$ hdiutil mount ~/Desktop/encrypted.dmg
Enter password to access "encrypted.dmg":
[...]
/Volumes/secretStuff

$ cp -v ~/Documents/passwords.txt /Volumes/secretStuff
[...]

$ hdiutil eject /Volumes/secretStuff
"disk4" unmounted.
"disk4" ejected.

With hdiutil you are also able to add the option -type SPARSE-BUNDLE. With these sparse bundles you may achieve faster backups because after the first run, the updated information and some padding needs to be transferred.

A simple way to synchronize this encrypted folder to another server is using rsync:

rsync --recursive --times --progress --delete --verbose --stats MyEncryptedDrive.sparsebundle user@server:/path/to/backup

See also the following applications and services: Tresorit, SpiderOak, Arq, Espionage, and restic.

Wi-Fi

macOS remembers access points it has connected to. Like all wireless devices, the Mac will broadcast all access point names it remembers (e.g., MyHomeNetwork) each time it looks for a network, such as when waking from sleep.

This is a privacy risk, so remove networks from the list in System Preferences > Network > Advanced when they are no longer needed.

Also see Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes (pdf) and Wi-Fi told me everything about you (pdf).

Saved Wi-Fi information (SSID, last connection, etc.) can be found in:

/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

You may want to spoof the MAC address of the network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting:

$ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%')

macOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all.

Note MAC addresses will reset to hardware defaults on each boot.

Finally, WEP protection on wireless networks is not secure and you should only connect to WPA2 protected networks when possible.

SSH

For outgoing SSH connections, use hardware or password-protected keys, set up remote hosts and consider hashing them for added privacy. See drduh/config/ssh_config for recommended client options.

You can also use ssh to create an encrypted tunnel to send traffic through, similar to a VPN.

For example, to use Privoxy running on a remote host port 8118:

$ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld

$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555

$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555

Or to use an ssh connection as a SOCKS proxy:

$ ssh -NCD 3000 you@remote-host.tld

By default, macOS does not have sshd or Remote Login enabled.

To enable sshd and allow incoming ssh connections:

$ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

Or use the System Preferences > Sharing menu.

If enabling sshd, be sure to disable password authentication and consider further hardening your configuration. See drduh/config/sshd_config for recommended options.

Confirm whether sshd is running:

$ sudo lsof -Pni TCP:22

Physical access

Keep your Mac physically secure at all times. Don't leave it unattended in public spaces, such as hotels.

A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password, for example - see Thunderstrike.

A helpful tool is usbkill, which is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

Consider purchasing a privacy filter for your screen to thwart shoulder surfers.

Superglues or epoxy resins can also be used to disable physical access to computer ports. Nail polish and tamper-evidence seals can be applied to components to detect tampering.

System monitoring

OpenBSM audit

macOS has a powerful OpenBSM (Basic Security Module) auditing capability. You can use it to monitor process execution, network activity, and much more.

To tail audit logs, use the praudit utility:

$ sudo praudit -l /dev/auditpipe
header,201,11,execve(2),0,Thu Sep  1 12:00:00 2015, + 195 msec,exec arg,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,attribute,100755,root,wheel,16777220,986535,0,subject,drduh,root,wheel,root,wheel,412,100005,50511731,0.0.0.0,return,success,0,trailer,201,
header,88,11,connect(2),0,Thu Sep  1 12:00:00 2015, + 238 msec,argument,1,0x5,fd,socket-inet,2,443,173.194.74.104,subject,drduh,root,wheel,root,wheel,326,100005,50331650,0.0.0.0,return,failure : Operation now in progress,4354967105,trailer,88
header,111,11,OpenSSH login,0,Thu Sep  1 12:00:00 2015, + 16 msec,subject_ex,drduh,drduh,staff,drduh,staff,404,404,49271,::1,text,successful login drduh,return,success,0,trailer,111,

See the manual pages for audit, praudit, audit_control and other files in /etc/security

Note although man audit says the -s flag will synchronize the audit configuration, it appears necessary to reboot for changes to take effect.

See articles on ilostmynotes.blogspot.com and derflounder.wordpress.com for more information.

DTrace

Note System Integrity Protection interferes with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP.

  • iosnoop monitors disk I/O
  • opensnoop monitors file opens
  • execsnoop monitors execution of processes
  • errinfo monitors failed system calls
  • dtruss monitors all system calls

See man -k dtrace for more information.

Execution

ps -ef lists information about all running processes.

You can also view processes with Activity Monitor.

launchctl list and sudo launchctl list list loaded and running user and system launch daemons and agents.

Network

List open network files:

$ sudo lsof -Pni

List contents of various network-related data structures:

$ sudo netstat -atln

Wireshark can be used from the command line with tshark.

Monitor DNS queries and replies:

$ tshark -Y "dns.flags.response == 1" -Tfields \
  -e frame.time_delta \
  -e dns.qry.name \
  -e dns.a \
  -Eseparator=,

Monitor HTTP requests and responses:

$ tshark -Y "http.request or http.response" -Tfields \
  -e ip.dst \
  -e http.request.full_uri \
  -e http.request.method \
  -e http.response.code \
  -e http.response.phrase \
  -Eseparator=/s

Monitor x509 (SSL/TLS) certificates:

$ tshark -Y "ssl.handshake.certificate" -Tfields \
  -e ip.src \
  -e x509sat.uTF8String \
  -e x509sat.printableString \
  -e x509sat.universalString \
  -e x509sat.IA5String \
  -e x509sat.teletexString \
  -Eseparator=/s -Equote=d

Also see the simple networking monitoring application BonzaiThePenguin/Loading.

Binary Whitelisting

google/santa is a security software developed for Google's corporate Macintosh fleet and open sourced.

Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

Santa uses the Kernel Authorization API to monitor and allow/disallow binaries from executing in the kernel. Binaries can be white- or black-listed by unique hash or signing developer certificate. Santa can be used to only allow trusted code execution, or to blacklist known malware from executing on a Mac, similar to Bit9 software for Windows.

Note Santa does not currently have a graphical user interface for managing rules. The following instructions are for advanced users only!

To install Santa, visit the Releases page and download the latest disk image, the mount it and install the contained package:

$ hdiutil mount ~/Downloads/santa-0.9.20.dmg

$ sudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt /

By default, Santa installs in "Monitor" mode (meaning, nothing gets blocked, only logged) and comes with two rules: one for Apple binaries and another for Santa software itself.

Verify Santa is running and its kernel module is loaded:

$ santactl status
>>> Daemon Info
  Mode                   | Monitor
  File Logging           | No
  Watchdog CPU Events    | 0  (Peak: 0.00%)
  Watchdog RAM Events    | 0  (Peak: 0.00MB)
>>> Kernel Info
  Kernel cache count     | 0
>>> Database Info
  Binary Rules           | 0
  Certificate Rules      | 2
  Events Pending Upload  | 0

$ ps -ef | grep "[s]anta"
    0   786     1   0 10:01AM ??         0:00.39 /Library/Extensions/santa-driver.kext/Contents/MacOS/santad --syslog

$ kextstat | grep santa
  119    0 0xffffff7f822ff000 0x6000     0x6000     com.google.santa-driver (0.9.14) 693D8E4D-3161-30E0-B83D-66A273CAE026 <5 4 3 1>

Create a blacklist rule to prevent iTunes from executing:

$ sudo santactl rule --blacklist --path /Applications/iTunes.app/
Added rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3.

Try to launch iTunes - it will be blocked.

$ open /Applications/iTunes.app/
LSOpenURLsWithRole() failed with error -10810 for the file /Applications/iTunes.app.

Santa block dialog when attempting to run a blacklisted program

To remove the rule:

$ sudo santactl rule --remove --path /Applications/iTunes.app/
Removed rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3.

Open iTunes:

$ open /Applications/iTunes.app/
[iTunes will open successfully]

Create a new, example C program:

$ cat <<EOF > foo.c
> #include <stdio.h>
> main() { printf("Hello World\n”); }
> EOF

Compile the program with GCC (requires installation of Xcode or command-line tools):

$ gcc -o foo foo.c

$ file foo
foo: Mach-O 64-bit executable x86_64

$ codesign -d foo
foo: code object is not signed at all

Run it:

$ ./foo
Hello World

Toggle Santa into "Lockdown" mode, which only allows whitelisted binaries to run:

$ sudo defaults write /var/db/santa/config.plist ClientMode -int 2

Try to run the unsigned binary:

$ ./foo
bash: ./foo: Operation not permitted

Santa

The following application has been blocked from executing
because its trustworthiness cannot be determined.

Path:       /Users/demouser/foo
Identifier: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
Parent:     bash (701)

To whitelist a specific binary, determine its SHA-256 sum:

$ santactl fileinfo /Users/demouser/foo
Path                 : /Users/demouser/foo
SHA-256              : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
SHA-1                : 4506f3a8c0a5abe4cacb98e6267549a4d8734d82
Type                 : Executable (x86-64)
Code-signed          : No
Rule                 : Blacklisted (Unknown)

Add a whitelist rule:

$ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
Added rule for SHA-256: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed.

Run it:

$ ./foo
Hello World

It's allowed and works!

Applications can also be whitelisted by developer certificate (so that new binary versions will not need to be manually whitelisted on each update). For example, download and run Google Chrome - it will be blocked by Santa in "Lockdown" mode:

$ curl -sO https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg

$ hdiutil mount googlechrome.dmg

$ cp -r /Volumes/Google\ Chrome/Google\ Chrome.app /Applications/

$ open /Applications/Google\ Chrome.app/
LSOpenURLsWithRole() failed with error -10810 for the file /Applications/Google Chrome.app.

Whitelist the application by its developer certificate (first item in the Signing Chain):

$ santactl fileinfo /Applications/Google\ Chrome.app/
Path                 : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
SHA-256              : 0eb08224d427fb1d87d2276d911bbb6c4326ec9f74448a4d9a3cfce0c3413810
SHA-1                : 9213cbc7dfaaf7580f3936a915faa56d40479f6a
Bundle Name          : Google Chrome
Bundle Version       : 2883.87
Bundle Version Str   : 55.0.2883.87
Type                 : Executable (x86-64)
Code-signed          : Yes
Rule                 : Blacklisted (Unknown)
Signing Chain:
     1. SHA-256             : 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153
        SHA-1               : 85cee8254216185620ddc8851c7a9fc4dfe120ef
        Common Name         : Developer ID Application: Google Inc.
        Organization        : Google Inc.
        Organizational Unit : EQHXZ8M8AV
        Valid From          : 2012/04/26 07:10:10 -0700
        Valid Until         : 2017/04/27 07:10:10 -0700

     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
        Common Name         : Developer ID Certification Authority
        Organization        : Apple Inc.
        Organizational Unit : Apple Certification Authority
        Valid From          : 2012/02/01 14:12:15 -0800
        Valid Until         : 2027/02/01 14:12:15 -0800

     3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
        Common Name         : Apple Root CA
        Organization        : Apple Inc.
        Organizational Unit : Apple Certification Authority
        Valid From          : 2006/04/25 14:40:36 -0700
        Valid Until         : 2035/02/09 13:40:36 -0800

In this case, 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 is the SHA-256 of Google’s Apple developer certificate (team ID EQHXZ8M8AV). To whitelist it:

$ sudo santactl rule --whitelist --certificate --sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153
Added rule for SHA-256: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153.

Google Chrome should now launch, and subsequent updates to the application will continue to work as long as the code signing certificate doesn’t change or expire.

To disable "Lockdown" mode:

$ sudo defaults delete /var/db/santa/config.plist ClientMode

See /var/log/santa.log to monitor ALLOW and DENY execution decisions.

A log and configuration server for Santa is available in Zentral, an open source event monitoring solution and TLS server for osquery and Santa.

Zentral will support Santa in both MONITORING and LOCKDOWN operation mode. Clients need to be enrolled with a TLS connection to sync Santa Rules, all Santa events from endpoints are aggregated and logged back in Zentral. Santa events can trigger actions and notifications from within the Zentral Framework.

Note Python, Bash and other interpreters are whitelisted (since they are signed by Apple's developer certificate), so Santa will not be able to block such scripts from executing. Thus, a potential non-binary program which disables Santa is a weakness (not vulnerability, since it is so by design) to take note of.

Miscellaneous

Disable Diagnostics & Usage Data.

If you want to play music or watch videos, use VLC media player which is free and open source.

If you want to use torrents, use Transmission which is free and open source (note: like all software, even open source projects, malware may still find its way in). You may also wish to use a block list to avoid peering with known bad hosts - see Which is the best blocklist for Transmission and johntyree/3331662.

Manage default file handlers with duti, which can be installed with brew install duti. One reason to manage extensions is to prevent auto-mounting of remote file systems in Finder (see Protecting Yourself From Sparklegate). Here are several recommended file handlers to manage:

$ duti -s com.apple.Safari afp

$ duti -s com.apple.Safari ftp

$ duti -s com.apple.Safari nfs

$ duti -s com.apple.Safari smb

$ duti -s com.apple.TextEdit public.unix-executable

Monitor system logs with the Console application or syslog -w or /usr/bin/log stream commands.

In systems prior to macOS Sierra (10.12), enable the tty_tickets flag in /etc/sudoers to restrict the sudo session to the Terminal window/tab that started it. To do so, use sudo visudo and add the line Defaults tty_tickets.

Set your screen to lock as soon as the screensaver starts:

$ defaults write com.apple.screensaver askForPassword -int 1

$ defaults write com.apple.screensaver askForPasswordDelay -int 0

Expose hidden files and Library folder in Finder:

$ defaults write com.apple.finder AppleShowAllFiles -bool true

$ chflags nohidden ~/Library

Show all filename extensions (so that "Evil.jpg.app" cannot masquerade easily).

$ defaults write NSGlobalDomain AppleShowAllExtensions -bool true

Don't default to saving documents to iCloud:

$ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

Enable Secure Keyboard Entry in Terminal (unless you use YubiKey or applications such as TextExpander).

Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple):

$ defaults write com.apple.CrashReporter DialogType none

Disable Bonjour multicast advertisements:

$ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

Disable Handoff and Bluetooth features, if they aren't necessary.

Consider sandboxing your applications. See fG! Sandbox Guide (pdf) and s7ephen/OSX-Sandbox--Seatbelt--Profiles.

Did you know Apple has not shipped a computer with TPM since 2006?

macOS comes with this line in /etc/sudoers:

Defaults env_keep += "HOME MAIL"

Which stops sudo from changing the HOME variable when you elevate privileges. This means it will execute as root the bash dotfiles in the non-root user's home directory when you run "sudo bash". It is advisable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root.

If you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.bashrc, e.g.:

export HOME=/Users/blah

Set a custom umask:

$ sudo launchctl config user umask 077

Reboot, create a file in Finder and verify its permissions (macOS default allows 'group/other' read access):

$ ls -ld umask*
drwx------  2 kevin  staff       64 Dec  4 12:27 umask_testing_dir
-rw-------@ 1 kevin  staff  2026566 Dec  4 12:28 umask_testing_file

Related software

  • CISOfy/lynis - Cross-platform security auditing tool and assists with compliance testing and system hardening.
  • Dylib Hijack Scanner - Scan for applications that are either susceptible to dylib hijacking or have been hijacked.
  • F-Secure XFENCE (formerly Little Flocker) - "Little Snitch for files"; prevents applications from accessing files.
  • Lockdown - Audits and remediates security configuration settings.
  • Zentral - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack).
  • facebook/osquery - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information.
  • google/grr - Incident response framework focused on remote live forensics.
  • jipegit/OSXAuditor - Analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names.
  • kristovatlas/osx-config-check - Checks your OSX machine against various hardened configuration settings.
  • libyal/libfvde - Library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
  • stronghold - Securely and easily configure your Mac from the terminal. Inspired by this guide.
  • yelp/osxcollector - Forensic evidence collection & analysis toolkit for OS X.
  • The Eclectic Light Company - Downloads - A collection of useful diagnostics and control applications and utilities for macOS.

Additional resources