{"id":13815672,"url":"https://github.com/0xmachos/mOSL","last_synced_at":"2025-05-15T09:33:03.850Z","repository":{"id":53935097,"uuid":"134957619","full_name":"0xmachos/mOSL","owner":"0xmachos","description":"Bash script to audit and fix macOS Catalina (10.15.x) security settings","archived":true,"fork":false,"pushed_at":"2021-02-17T13:54:18.000Z","size":365,"stargazers_count":224,"open_issues_count":7,"forks_count":16,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-05-13T12:57:52.267Z","etag":null,"topics":["bash","macos","macos-catalina","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xmachos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2018-05-26T12:00:58.000Z","updated_at":"2025-01-09T23:04:56.000Z","dependencies_parsed_at":"2022-08-13T05:00:31.716Z","dependency_job_id":null,"html_url":"https://github.com/0xmachos/mOSL","commit_stats":null,"previous_names":[],"tags_count":41,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xmachos%2FmOSL","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xmachos%2FmOSL/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xmachos%2FmOSL/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xmachos%2FmOSL/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xmachos","download_url":"https://codeload.github.com/0xmachos/mOSL/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com",
"kind":"github","repositories_count":254314016,"owners_count":22050154,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","macos","macos-catalina","security-tools"],"created_at":"2024-08-04T04:03:51.459Z","updated_at":"2025-05-15T09:33:03.545Z","avatar_url":"https://github.com/0xmachos.png","language":"Shell","funding_links":[],"categories":["Shell","Operating Systems"],"sub_categories":["macOS/iOS"],"readme":"# macOS Lockdown (mOSL)\n![Shellcheck](https://github.com/0xmachos/mOSL/workflows/Shellcheck/badge.svg) [![GitHub Release](https://github-basic-badges.herokuapp.com/release/0xmachos/mOSL.svg)](https://github.com/0xmachos/mOSL/releases/latest)\n\nBash script to audit and fix macOS Catalina (`10.15.x`) security settings\n\nInspired by and based on [Lockdown](https://objective-see.com/products/lockdown.html) by [Patrick Wardle](https://twitter.com/patrickwardle) and [osxlockdown](https://github.com/SummitRoute/osxlockdown) by [Scott Piper](https://twitter.com/0xdabbad00). \n\n## Warnings\n\n**mOSL is being rewritten in Swift and the Bash version will be deprecated.** 
See: \"[The Future of mOSL](https://0xmachos.github.io/2019-09-21-The-Future-of-mOSL/)\".\n\n- **Always** run the [latest release](https://github.com/0xmachos/mOSL/releases/latest) **not** the code in `master`!\n- This script will **only ever** support the _latest_ macOS release  \n- This script requires your **password** to invoke some commands with `sudo`  \n\n\n## `brew`\n\ntap: [`0xmachos/homebrew-mosl`](https://github.com/0xmachos/homebrew-mosl)\n\nTo install mOSL via `brew` execute:\n\n```\nbrew tap 0xmachos/homebrew-mosl\nbrew install mosl\n```\n\nmOSL will then be available as: \n\n```\nLockdown\n```\n\n## Threat Model(ish) \n\nThe main goal is to enforce already secure defaults and apply more strict non-default options. \n\nIt aims to reduce attack surface but it is pragmatic in this pursuit. The author utilises Bluetooth for services such as Handoff so it is left enabled.\n\nThere is **no specific focus** on enhancing privacy. \n\nFinally, mOSL will not protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster).\n\n## `Full Disk Access` Permission\n\nIn macOS Mojave and later certain application data is protected by the OS. For example, if `Example.app` wishes to access `Contacts.app` data `Example.app` must be given explicit permission via `System Preferences \u003e Security \u0026 Privacy \u003e Privacy`. However some application data cannot be accessed via a specific permission. Access to this data requires the `Full Disk Access` permission. \n\nmOSL requires that `Terminal.app` be given the `Full Disk Access` permission. 
It needs this permission to audit/fix the following settings: \n\n- `disable mail remote content`\n- `disable_auto_open_safe_downloads`\n\nThese are *currently* the **only** settings which require `Full Disk Access`.\n\nIt is not possible to programmatically get or prompt for this permission; it must be manually given by the user.\n\nTo give `Terminal.app` `Full Disk Access`:\n\n```\nSystem Preferences \u003e Security \u0026 Privacy \u003e Privacy \u003e Full Disk Access \u003e Add Terminal.app\n```\n\nOnce you are done with mOSL you can revoke `Full Disk Access` for `Terminal.app`. There's a small checkbox next to `Terminal` which you can uncheck to revoke the permission without entirely removing `Terminal.app` from the list.  \n\nMore info on macOS's new permission model:\n\n- [`Working with Mojave’s Privacy Protection`](https://eclecticlight.co/2018/09/06/working-with-mojaves-privacy-protection/) by [Howard Oakley](https://twitter.com/howardnoakley)\n- [`TCC Round Up`](https://carlashley.com/2018/09/28/tcc-round-up/) by [Carl Ashley](https://twitter.com/carlashleyphoto)\n- WWDC 2018 Session 702 [`Your Apps and the Future of macOS Security`](https://developer.apple.com/videos/play/wwdc2018/702/)\n\n## Verification\n\nThe executable `Lockdown` file can be verified with [Minisign](https://jedisct1.github.io/minisign/):\n```\nminisign -Vm Lockdown -P RWTiYbJbLl7q6uQ70l1XCvGExizUgEBNDPH0m/1yMimcsfgh542+RDPU\n```\nInstall via [brew](https://brew.sh/): `brew install minisign`\n\n## Usage\n\n```\n$ ./Lockdown \n\n  Audit or Fix macOS security settings🔒🍎\n\n  Usage: ./Lockdown [list | audit {setting_index} | fix {setting_index} | debug]\n\n    list         - List settings that can be audited/ fixed\n    audit        - Audit the status of all or chosen setting(s) (Does NOT change settings)\n    fix          - Attempt to fix all or chosen setting(s) (Does change settings)\n\n    fix-force    - Same as 'fix' however bypasses user confirmation prompt\n                   (Can 
be used to invoke Lockdown from other scripts)\n\n    debug        - Print debug info for troubleshooting\n\n```\n\n## Settings\n\nSee [`Commands.md`](https://github.com/0xmachos/mOSL/blob/master/Commands.md) for an easy-to-read list of commands used to `audit`/ `fix` the below settings.\n\nSettings that can be audited/ fixed:\n```\n  [0] enable automatic system updates\n  [1] enable automatic app store updates\n  [2] enable gatekeeper\n  [3] enable firewall\n  [4] enable admin password preferences\n  [5] enable terminal secure entry\n  [6] enable sip\n  [7] enable filevault\n  [8] disable firewall builin software\n  [9] disable firewall downloaded signed\n  [10] disable ipv6\n  [11] disable mail remote content\n  [12] disable remote apple events\n  [13] disable remote login\n  [14] disable auto open safe downloads\n  [15] set airdrop contacts only\n  [16] set appstore update check daily\n  [17] set firmware password\n  [18] check kext loading consent\n  [19] check efi integrity\n  [20] check if standard user\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xmachos%2FmOSL","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xmachos%2FmOSL","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xmachos%2FmOSL/lists"}