{"id":13633273,"url":"https://github.com/ataumo/macos_hardening","last_synced_at":"2025-04-18T10:34:25.928Z","repository":{"id":41468793,"uuid":"382088950","full_name":"ataumo/macos_hardening","owner":"ataumo","description":"This is a macOS hardening to read or set security configuration.","archived":false,"fork":false,"pushed_at":"2023-09-18T16:49:52.000Z","size":1118,"stargazers_count":123,"open_issues_count":2,"forks_count":18,"subscribers_count":7,"default_branch":"main","last_synced_at":"2024-11-09T02:33:58.660Z","etag":null,"topics":["bash","hardening","macos","macos-hardening","macos-policies","macos-scripting","scripting"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ataumo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-01T16:07:33.000Z","updated_at":"2024-10-21T05:23:55.000Z","dependencies_parsed_at":"2024-08-01T23:37:16.426Z","dependency_job_id":null,"html_url":"https://github.com/ataumo/macos_hardening","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ataumo%2Fmacos_hardening","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ataumo%2Fmacos_hardening/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ataumo%2Fmacos_hardening/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ataumo%2Fmacos_hardening/manifests","owner_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/owners/ataumo","download_url":"https://codeload.github.com/ataumo/macos_hardening/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249479054,"owners_count":21279187,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","hardening","macos","macos-hardening","macos-policies","macos-scripting","scripting"],"created_at":"2024-08-01T23:00:32.442Z","updated_at":"2025-04-18T10:34:25.623Z","avatar_url":"https://github.com/ataumo.png","language":"Shell","funding_links":[],"categories":["Uncategorized"],"sub_categories":["Uncategorized"],"readme":"# Welcome to the macOS Hardening project\n\n![Work in progress label](https://img.shields.io/badge/-Work%20in%20progress-yellow)\n[![CI](https://github.com/ataumo/macos_hardening/actions/workflows/lint.yml/badge.svg)](https://github.com/ataumo/macos_hardening/actions/workflows/lint.yml)\n\nThis project was inspired by\n- [beerisgood/macOS_Hardening](https://github.com/beerisgood/macOS_Hardening)\n- [ayethatsright/MacOS-Hardening-Script](https://github.com/ayethatsright/MacOS-Hardening-Script)\n- [herrbischoff/awesome-macos-command-line](https://github.com/herrbischoff/awesome-macos-command-line)\n- [MoeClub/Note](https://github.com/MoeClub/Note/blob/81a3651d81c871f2327c3312e090bdca3cabf915/MacInitial.sh)\n- [alichtman/stronghold](https://github.com/alichtman/stronghold/blob/master/stronghold.py)\n- 
[wazuh/cis_apple_macOS_10.13.yml](https://github.com/wazuh/wazuh-ruleset/blob/13925fbe0d0e27f012d3d3f3c492e4d420a104b4/sca/darwin/17/cis_apple_macOS_10.13.yml)\n- [mathiasbynens/dotfiles](https://github.com/mathiasbynens/dotfiles/blob/master/.macos)\n- [pathikrit/mac-setup-script](https://github.com/pathikrit/mac-setup-script/blob/master/defaults.sh)\n\n**(Thanks for your good work!)**\n\nAlso, the project structure is based on the [HardeningKitty](https://github.com/0x6d69636b/windows_hardening) project and, because Windows and macOS are like cats and dogs, this project is called _HardeningPuppy_.\n\n## HardeningPuppy\n\n_HardeningPuppy_ supports hardening of a macOS system. The configuration of the system is retrieved and assessed using a finding list. In addition, the system can be hardened according to predefined values. _HardeningPuppy_ reads settings from the registry (`defaults` command) and uses other modules to read configurations outside the registry.\n\n### How to run\n\n1. Clone or download this repository\n2. Go to `macos_hardening`\n```bash\ncd macos_hardening\n```\n3. Run this command:\n```bash\n./puppy.sh\n```\n\n```\nusername@hostname ~/macos_hardening % ./puppy.sh\n\n\n                             ^. 
.^                                   \n                             (=°=)                                   \n                             (n  n )/  HardeningPuppy                \n\n\n################################################################################\nUser name               : username\nMode to apply           : AUDIT\nHostname                : hostname\nCSV File configuration  : list.csv\n################################################################################\n\n################################################################################\nVerify all Apple provided software is current...\nYour software is up to date !\n################################################################################\n\n    ID      Name                                                  Actual Recommended\n--------------------------------------------------------------------------------\n[*] 07/26/21 16:14:07 Starting Category Updates\n------------Software Update\n[-] 1001    Automatically check new software updates               1           1\n[-] 1002    Automatically download new software updates            1           1\n.\n.\n.\n\n--------------------------------------------------------------------------------\n[*] 07/26/21 16:14:07 Starting Category Login/Logout\n------------Sleep\n[/] 2000    AC display sleep timer                                 0           5\n[/] 2001    Battery display sleep timer                            0           2\n------------Screen Saver\n[X] 2100    Enable prompt for a password on screen saver           0           1\n[X] 2101    Set password delay                                     0          \n.\n.\n.\n\n--------------------------------------------------------------------------------\n[*] 07/26/21 16:14:08 Starting Category Cache\n------------Disable Content Caching\n[-] 7000    Disable Content Caching                                deactivate  deactivate\n\n#################################### SCORE 
#####################################\n\ntotal points : 216\npoints archived : 140\nScore : 4.24 / 6\n```\n\n### Usage\n\n1. Status Mode : Only reads the configuration.\n```bash\n./puppy.sh -s\n```\n\n2. Audit Mode : Reads and audits the configuration, with color-coded results.\n  - Color code :\n    - `Purple` : Appears when a policy with `High` severity is not set to the recommended value.\n    - `Red`    : Appears when a policy with `Medium` severity is not set to the recommended value.\n    - `Yellow` : Appears when a policy with `Low` severity is not set to the recommended value. It can be ignored.\n```bash\n./puppy.sh -a\n```\n\u003e You can skip Software Update verification with `-skipu`.\n\n3. Hardening Mode : Applies all policies whose assessment status is `Automatically`.\n```bash\n./puppy.sh -H\n```\n\u003e Hardening Mode will ask for your confirmation.\n\n4. Backup option : Saves your configuration to a CSV file before you run Hardening Mode.\n```bash\n./puppy.sh -b\n```\n\n## Documentation\n\n### Apple Documentation\n\nFor setting preferences through `plist` files (Registry method with `defaults` command), I use this [Apple documentation](https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys).\n\n### CIS Apple macOS Benchmark\n\nThis project is mainly based on [CIS Apple macOS 11.0 Benchmark v1.2.0](https://downloads.cisecurity.org/#/)\n\n#### Profile Definitions\n\n1. Level 1 : Items in this profile intend to:\n    - be practical and prudent;\n    - provide a clear security benefit; and\n    - not inhibit the utility of the technology beyond acceptable means.\n\n2. Level 2 : This profile extends the \"Level 1\" profile. 
Items in this profile exhibit one or more of\nthe following characteristics:\n    - are intended for environments or use cases where security is paramount\n    - acts as defense in depth measure\n    - may negatively inhibit the utility or performance of the technology.\n\n\n## List of policies\n\nBefore you begin, log in to your iCloud account.\n\nThe hardening is driven by the following list of policies:\n\n- Updates\n\n  - [1000] Verify all Apple provided software is current\n  - Software Update\n    - [1001] Automatically check new software updates\n    - [1002] Automatically download new software updates\n    - [1003] Enable system data files update install\n    - [1004] Enable security updates install\n    - [1005] Automatically install macOS updates\n  - AppStore\n    - [1100] Automatically keep apps up to date from app store\n- Login\n\n  - Sleep\n    - [2000] AC display sleep timer\n    - [2001] Battery display sleep timer\n  - Screen saver\n    - [2100] Enable prompt for a password on screen saver\n    - [2101] Set password delay\n    - [2102] Set inactivity interval for the screen saver\n    - Secure screen saver corners\n      - [2103:1] Secure screen saver corners (top-left)\n      - [2103:2] Secure screen saver corners (bottom-left)\n      - [2103:3] Secure screen saver corners (top-right)\n      - [2103:4] Secure screen saver corners (bottom-right)\n  - Policy Banner\n    - [2200] Enable Policy Banner\n  - Logout\n    - [2300] Set Logout delay\n  - Windows text\n    - [2400] Set Login Window Text\n  - Automatic login\n    - [2500] Disable automatic login\n  - Console\n    - [2600] Disable console logon from the logon screen\n  - Remote Login\n    - [2700] Disable Remote Login\n- User Preferences\n\n  - iCloud\n    - [3000] Disable the iCloud password for local accounts\n    - [3001] Enable Find my mac\n  - Bluetooth\n    - [3100] Disable Bluetooth\n    - [3101] Show Bluetooth status in menu bar\n  - Finder\n    - [3200] Show hidden files in Finder\n    - [3201] Display all 
file extensions\n    - [3202] Show status bar\n  - Safari\n    - [3300] Disable the automatic run of safe files in Safari\n    - [3301] Don't send search queries to Apple\n    - [3302] Enable suppress search suggestions\n  - Date and Time\n    - [3400] Set time and date automatically\n  - Sharing\n    - [3500] Remote Apple Events\n    - [3501] Internet Sharing\n    - [3502] Screen Sharing\n    - [3503] File Sharing\n- Protections\n\n  - System Integrity Protection\n    - [4000] Enable System Integrity Protection\n  - Gatekeeper\n    - [4100] Enable Gatekeeper\n- Encryption\n\n  - FileVault\n    - [5000] Enable FileVault\n- Network\n\n  - Firewall\n    - [6000] Enable Firewall\n    - [6001] Enable logging\n    - [6002] Enable Stealth Mode\n    - [6003] Disable automatic software whitelisting\n    - [6004] Disable automatic signed software whitelisting\n    - [6005] Disable captive portal\n  - Remote Management\n    - [6100] Disable remote management\n    - [6101] Disable \"Wake for network access\"\n\n\n## Details of policies\n\nFor more details about the policies, read [POLICIES.md](https://github.com/ataumo/macos_hardening/blob/main/POLICIES.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fataumo%2Fmacos_hardening","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fataumo%2Fmacos_hardening","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fataumo%2Fmacos_hardening/lists"}