HOW TO: Easily Audit and Fix macOS Security Settings

Every once in a while everybody publishes the same old “new” content listing the steps you need to take to harden your macOS installation. You follow along and ask yourself whether there isn’t a simpler way to do this. After all, this is a Mac: everything just works, everything happens on the fly, macOS is the most advanced OS in the world and all that bullshit.

Luckily, there is a simpler way, with minimal interaction. You’ll have to use the Terminal, but don’t worry, it’s pretty painless. Check it out below…

Option #1 – Stronghold

NOTE: Stronghold is a bit outdated but seems to work fine. If it doesn’t, go for option #2. You can use both anyway…

1. Make sure you have the latest version of Python 3 installed on your Mac. At the time of this writing the latest version is 3.8.2. To check your version, open up a terminal and type python3 --version

1.1 If you have an older version, the easiest way to update is via Homebrew ( click on Homebrew to learn how to install and use it ). Once Homebrew is installed, updating Python is as easy as typing brew install python3

NOTE: Homebrew will update you to Python 3.7.7, which is just fine for Stronghold

2. Now you can install Stronghold with pip3 install stronghold --user. NOTE: pip defaults to installing Python packages into a system directory, which requires root access; --user makes pip install into your home directory instead, which needs no special privileges.

3. Allow Terminal.app Full Disk Access: System Preferences > Security & Privacy > Privacy > Full Disk Access > add Terminal.app. While it is granted, every script you run from that Terminal can read protected locations too, so revoke the access when you’re done with Stronghold and re-enable it when you need it again.

4. That’s it. Now you can run Stronghold by typing stronghold in Terminal.app. If the shell reports “command not found”, the --user install put the script in the bin directory under $(python3 -m site --user-base), which is not on your PATH by default; add it to your PATH and try again.

Here’s what Stronghold can configure for you:

  1. Firewall
    • Turn on Firewall? ( This helps protect your Mac from being attacked over the internet.)
    • Turn on logging? ( If there IS an infection, logs are useful for determining the source. )
    • Turn on stealth mode? ( Your Mac will not respond to ICMP ping requests or to connection attempts to closed TCP and UDP ports )
  2. General System Protection
    • Enable Gatekeeper? ( Defend against malware by enforcing code signing and verifying downloaded applications before allowing them to run )
    • Prevent automatic software whitelisting? ( Turns off the firewall’s “automatically allow signed software to receive incoming connections” for both built-in and downloaded software, so each application needs your approval )
    • Disable Captive Portal Assistant and force login through the browser on untrusted networks? ( The Captive Portal Assistant can be triggered by the network and pointed at a malicious site WITHOUT any user interaction )
  3. User Metadata Storage
    • Clear language modeling metadata? ( This includes user spelling, typing and suggestion data )
    • Disable language modeling data collection?
    • Clear QuickLook metadata?
    • Clear Downloads metadata?
    • Disable metadata collection from Downloads?
    • Clear SiriAnalytics database?
  4. User Safety
    • Lock Mac as soon as screen saver starts?
    • Display all file extensions? ( This prevents malware from disguising itself as another file type )
    • Disable saving documents to the cloud by default? ( This prevents sensitive documents from being unintentionally stored on the cloud )
    • Show hidden files in Finder? ( You can set this to “No”, since you can toggle hidden files in Finder with Command-Shift-Period )
    • Disable printer sharing? ( Offers redundancy in case the Firewall was not configured )

Learn more about Stronghold here.

 

Option #2 – Lockdown

NOTE: If you’re on macOS Mojave or Catalina, and for some reason option #1 won’t work for you, here’s another option you can try: Lockdown.

1. Install Homebrew ( link at option #1 ) if not installed already.

2. brew tap 0xmachos/homebrew-mosl

 

3. brew install mosl

 

4. Allow Terminal full disk access. See option #1.

5. Usage:


    list         - List settings that can be audited/ fixed
    audit        - Audit the status of all or chosen setting(s) (Does NOT change settings)
    fix          - Attempt to fix all or chosen setting(s) (Does change settings)

    fix-force    - Same as 'fix' however bypasses user confirmation prompt
                   (Can be used to invoke Lockdown from other scripts)

    debug        - Print debug info for troubleshooting

 

6. Examples:

  • to list all options run lockdown list
  • to audit your macOS run lockdown audit
  • to fix all settings run lockdown fix
  • to fix just one setting run lockdown fix followed by the setting’s number from lockdown list ( e.g. to enable the firewall run lockdown fix 3 )

 

Learn more about Lockdown here.
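If you want to see what both tools are actually checking, the settings listed under Option #1 (and reported by lockdown audit under Option #2) all map to a handful of stock macOS commands. The script below is an added example for this page, not code from Stronghold or Lockdown: it drives socketfilterfw, spctl, defaults and cupsctl read-only and prints OK/FIX per setting. The state_of and check helpers and the check names are this example’s own; the defaults keys are the standard ones (com.apple.screensaver askForPassword, NSGlobalDomain AppleShowAllExtensions and NSDocumentSaveNewDocumentsToCloud, com.apple.captive.control Active), and the “|| echo” fallbacks encode the assumption that an unset key means Apple’s default. Run it from a Terminal that has Full Disk Access, as in step 3 above; it changes nothing.

```shell
#!/bin/sh
# Read-only audit of the macOS settings Stronghold and Lockdown manage.
# Added example for this page, not code from either project. It drives the
# stock macOS tools behind those settings (socketfilterfw, spctl, defaults,
# cupsctl) and changes nothing; run it from a Terminal with Full Disk Access.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Normalise each tool's wording to on/off/unknown. Handles
# "Firewall is enabled. (State = 1)", "Stealth mode enabled", "Log mode is on",
# "assessments enabled", "_share_printers=0" and a bare "1"/"0" from defaults.
state_of() {
    s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$s" in
        *disabled*|*off*|*'= 0'*|*=0*) echo off ;;
        *enabled*|*' on'*|*'= 1'*|*=1*) echo on ;;
        0) echo off ;;
        1) echo on ;;
        *) echo unknown ;;
    esac
}

# check NAME WANT CMD: run CMD in a subshell, compare its state with WANT,
# print one line and return 1 on a mismatch (no setting is ever changed).
check() {
    name=$1; want=$2; cmd=$3
    out=$(sh -c "$cmd" 2>/dev/null || true)
    got=$(state_of "$out")
    if [ "$got" = "$want" ]; then
        printf 'OK   %-30s %s\n' "$name" "$got"
        return 0
    fi
    printf 'FIX  %-30s %s (want %s)\n' "$name" "$got" "$want"
    return 1
}

# The settings from the Stronghold list, in the same order. For defaults keys
# an unset value means Apple's default, so the "|| echo" fallbacks assume that
# default (an assumption of this example, not something the tools print).
audit() {
    fails=0
    check "Firewall"                      on  "$SFW --getglobalstate" || fails=$((fails + 1))
    check "Firewall logging"              on  "$SFW --getloggingmode" || fails=$((fails + 1))
    check "Stealth mode"                  on  "$SFW --getstealthmode" || fails=$((fails + 1))
    check "Auto-allow signed downloads"   off "$SFW --getallowsigned | grep -i downloaded" || fails=$((fails + 1))
    check "Gatekeeper"                    on  "spctl --status" || fails=$((fails + 1))
    check "Captive Portal Assistant"      off "defaults read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active || echo 1" || fails=$((fails + 1))
    check "Lock when screen saver starts" on  "defaults read com.apple.screensaver askForPassword || echo 0" || fails=$((fails + 1))
    check "Show all file extensions"      on  "defaults read NSGlobalDomain AppleShowAllExtensions || echo 0" || fails=$((fails + 1))
    check "Save new documents to iCloud"  off "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud || echo 1" || fails=$((fails + 1))
    check "Printer sharing"               off "cupsctl | grep _share_printers" || fails=$((fails + 1))
    echo "$fails setting(s) need fixing"
    return "$fails"
}

# Only run the live audit on macOS; the helpers above work anywhere.
case "$(uname -s)" in
    Darwin) audit ;;
    *) echo "not macOS, skipping live audit" >&2 ;;
esac
```

The exit code is the number of settings that need fixing, so the script drops straight into a cron job or a login hook; anything it flags can then be fixed with stronghold or lockdown fix as described above, and the unknown state is a prompt to check the command output by hand rather than a verdict.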