{"id":13411160,"url":"https://github.com/drduh/macOS-Security-and-Privacy-Guide","last_synced_at":"2025-03-14T16:34:06.129Z","repository":{"id":37617535,"uuid":"41654081","full_name":"drduh/macOS-Security-and-Privacy-Guide","owner":"drduh","description":"Guide to securing and improving privacy on macOS","archived":false,"fork":false,"pushed_at":"2024-07-30T04:55:23.000Z","size":1936,"stargazers_count":21115,"open_issues_count":3,"forks_count":1440,"subscribers_count":686,"default_branch":"master","last_synced_at":"2024-08-06T00:17:26.480Z","etag":null,"topics":["apple","disk-encryption","dnscrypt-proxy","macbook-configuration","macbook-security","macos","macos-security","macos-setup","osx","privacy","security"],"latest_commit_sha":null,"homepage":"https://drduh.github.io/macOS-Security-and-Privacy-Guide/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/drduh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["drduh"]}},"created_at":"2015-08-31T03:36:35.000Z","updated_at":"2024-08-06T00:17:30.882Z","dependencies_parsed_at":"2023-10-16T14:11:59.238Z","dependency_job_id":"adcb5ced-e426-458d-bc95-43079e186277","html_url":"https://github.com/drduh/macOS-Security-and-Privacy-Guide","commit_stats":{"total_commits":428,"total_committers":100,"mean_commits":4.28,"dds":0.5911214953271028,"last_synced_commit":"1450e3a92f157e645d83d04943da6114216d0d83"},"previous_names":["drduh/os-x-security-and-privacy-guide"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/drduh%2FmacOS-Security-and-Privacy-Guide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drduh%2FmacOS-Security-and-Privacy-Guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drduh%2FmacOS-Security-and-Privacy-Guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drduh%2FmacOS-Security-and-Privacy-Guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/drduh","download_url":"https://codeload.github.com/drduh/macOS-Security-and-Privacy-Guide/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221486919,"owners_count":16830966,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apple","disk-encryption","dnscrypt-proxy","macbook-configuration","macbook-security","macos","macos-security","macos-setup","osx","privacy","security"],"created_at":"2024-07-30T20:01:11.817Z","updated_at":"2025-03-14T16:34:06.075Z","avatar_url":"https://github.com/drduh.png","language":null,"readme":"This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/116943) Mac computers running a [currently supported](https://support.apple.com/HT201222) version of macOS. **Using Macs with Intel CPUs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. 
Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure.\n\nThis guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.\n\nIf you're securing computers for an organization, use the [official NIST guidelines for macOS](https://github.com/usnistgov/macos_security).\n\nA system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture.\n\nThis guide is provided on an 'as is' basis without any warranties of any kind. Only **you** are responsible if you break anything or get in any sort of trouble by following this guide.\n\nTo suggest an improvement, send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues).\n\n- [Basics](#basics)\n- [Threat modeling](#threat-modeling)\n   * [Identify assets](#identify-assets)\n   * [Identify adversaries](#identify-adversaries)\n   * [Identify capabilities](#identify-capabilities)\n   * [Identify mitigations](#identify-mitigations)\n- [Hardware](#hardware)\n- [Installing macOS](#installing-macos)\n   * [System activation](#system-activation)\n   * [Apple Account](#apple-account)\n   * [App Store](#app-store)\n   * [Virtualization](#virtualization)\n- [First boot](#first-boot)\n- [Admin and user accounts](#admin-and-user-accounts)\n   * [Caveats](#caveats)\n   * [Setup](#setup)\n- [Firmware](#firmware)\n- [FileVault](#filevault)\n- [Lockdown Mode](#lockdown-mode)\n- [Firewall](#firewall)\n   * [Application layer firewall](#application-layer-firewall)\n   * [Third party firewalls](#third-party-firewalls)\n   * [Kernel level packet 
filtering](#kernel-level-packet-filtering)\n- [Services](#services)\n- [Siri Suggestions and Spotlight](#siri-suggestions-and-spotlight)\n- [Homebrew](#homebrew)\n- [DNS](#dns)\n   * [DNS profiles](#dns-profiles)\n   * [Hosts file](#hosts-file)\n   * [DNSCrypt](#dnscrypt)\n   * [Dnsmasq](#dnsmasq)\n- [Certificate authorities](#certificate-authorities)\n- [Privoxy](#privoxy)\n- [Browser](#browser)\n   * [Firefox](#firefox)\n   * [Chrome](#chrome)\n   * [Safari](#safari)\n   * [Other browsers](#other-browsers)\n   * [Web browser privacy](#web-browser-privacy)\n- [Tor](#tor)\n- [VPN](#vpn)\n- [PGP/GPG](#pgpgpg)\n- [Messengers](#messengers)\n   * [XMPP](#xmpp)\n   * [Signal](#signal)\n   * [iMessage](#imessage)\n- [Viruses and malware](#viruses-and-malware)\n   * [Downloading Software](#downloading-software)\n   * [App Sandbox](#app-sandbox)\n   * [Hardened Runtime](#hardened-runtime)\n   * [Antivirus](#antivirus)\n   * [Gatekeeper](#gatekeeper)\n- [System Integrity Protection](#system-integrity-protection)\n- [Metadata and artifacts](#metadata-and-artifacts)\n- [Passwords](#passwords)\n- [Backup](#backup)\n- [Wi-Fi](#wi-fi)\n- [SSH](#ssh)\n- [Physical access](#physical-access)\n- [System monitoring](#system-monitoring)\n   * [OpenBSM audit](#openbsm-audit)\n   * [DTrace](#dtrace)\n   * [Execution](#execution)\n   * [Network](#network)\n- [Binary authorization](#binary-authorization)\n- [Miscellaneous](#miscellaneous)\n- [Related software](#related-software)\n- [Additional resources](#additional-resources)\n\n# Basics\n\nGeneral security best practices apply:\n\n- Create a [threat model](#threat-modeling)\n  * What are you trying to protect and from whom? 
Is your adversary a three letter agency, a nosy eavesdropper on the network, or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you?\n  * Recognize threats and how to reduce attack surface against them.\n\n- Keep the system and software up to date\n  * Patch the operating system and all installed software regularly.\n  * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065) and set to automatically install. You can also use the `softwareupdate` command-line utility - neither requires registering an Apple account.\n  * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce).\n\n- Encrypt sensitive data\n  * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785) volume encryption, consider using the [built-in password manager](https://support.apple.com/105115) to protect passwords and other sensitive data.\n\n- Assure data availability\n  * Create [regular backups](https://support.apple.com/104984) of your data and be ready to [restore from a backup](https://support.apple.com/102551) in case of compromise.\n  * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) before copying backups to unencrypted external media or the \"cloud\"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) if your cloud provider supports it.\n  * Verify backups by accessing them regularly.\n\n- Click carefully\n  * Ultimately, the security of a system depends on the capabilities of its administrator.\n  * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc.\n\n# Threat 
modeling\n\nThe first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). You need to understand your adversaries in order to defend against them. Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model.\n\n## Identify assets\n\nThis is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list starting with the most important assets to protect. You can put them in categories based on how important they are: public, sensitive, or secret.\n\n## Identify adversaries\n\nDefine whom you are defending against. Start by defining the motivation they might have to attack your assets. [Financial gain](https://www.verizon.com/business/resources/reports/dbir/) is a big motivator for many attackers, for example.\n\n## Identify capabilities\n\nIn order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally unsophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password.\n\n## Identify mitigations\n\nNow is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. 
It's important to balance security and usability; every mitigation should counter some capability of your adversaries, otherwise you might be making your life inconvenient for little to no gain. If you can't think of any more capabilities your adversaries might have and you've implemented mitigations for them all, your work is done.\n\nHere's an example of the type of table you should make for each asset you want to protect:\n\nAdversary | Motivation | Capabilities | Mitigation\n-|-|-|-\nRoommate | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it\nThief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device\nCriminal | Financial | Social engineering, readily-available malware, password reuse, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on automatic updates\nCorporation | User data marketing | Telemetry and behavioral data collection | Block network connections, reset unique identifiers, avoid adding payment data\nNation State/APT | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them, software tripwire/honeypot/[canary tokens](https://canarytokens.org/)\n\nRead more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html).\n\n# Hardware\n\nmacOS is most secure running on [Apple 
hardware](https://support.apple.com/guide/security/hardware-security-overview-secf020d1074/1/web/1) with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one.\n\nWhen you purchase your Mac, you might want to avoid it being linked back to you. Depending on your threat model, you should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase.\n\nIf you want to use a wireless keyboard, mouse, headphones or other accessory, the most secure option is Apple ones since they will automatically be updated by your system. They also support the latest [Bluetooth features](https://support.apple.com/guide/security/bluetooth-security-sec82597d97e/web) like BLE Privacy which randomizes your Bluetooth hardware address to prevent tracking. With third party accessories, this isn't a guarantee.\n\n# Installing macOS\n\nThere are several ways to [install macOS](https://support.apple.com/102662). Choose your preferred method from the available options.\n\n **You should install the latest version of macOS that is compatible with your Mac**. More recent versions have security patches and other improvements that older versions lack.\n\n## System activation\n\nAs part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen or activation-locked Macs.\n\nYou can read about exactly how this process works [here](https://support.apple.com/guide/security/localpolicy-signing-key-creation-management-sec1f90fbad1).\n\n## Apple Account\n\nCreating an Apple Account is not required to use macOS. 
Making an Apple Account requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to iCloud, Apple's cloud storage service. You can [disable](https://support.apple.com/102651) the syncing later if you want or enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) for your iCloud data.\n\nYou can [control the data](https://support.apple.com/102283) associated with your Apple Account or completely delete it.\n\nAn Apple Account is required in order to access the App Store and use most Apple services like iCloud, Apple Music, etc.\n\n## App Store\n\nThe Mac App Store is a [curated](https://developer.apple.com/app-store/review/guidelines) repository of software that is required to utilize the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) and [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), as well as offering automatic updates that integrate with your system.\n\nThe App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple Account and Apple will be able to link your Apple Account to your downloaded apps.\n\n## Virtualization\n\nYou can easily run macOS natively in a virtual machine using [UTM](https://mac.getutm.app). It's free from their site but if you buy it from the App Store, you'll get automatic updates.\n\nFollow their [documentation](https://docs.getutm.app/guest-support/macos) to install a macOS VM with just a few clicks.\n\nAnother option is [VMware Fusion](https://www.vmware.com/products/fusion.html). 
You can read their [documentation](https://docs.vmware.com/en/VMware-Fusion/13/com.vmware.fusion.using.doc/GUID-474FC78E-4E77-42B7-A1C6-12C2F378C5B9.html) to see how to install a macOS VM.\n\n# First boot\n\nWhen macOS first starts, you'll be greeted by **Setup Assistant**.\n\nWhen creating the first account, use a [strong password](https://www.eff.org/dice) without a hint.\n\nIf you enter your real name at the account setup process, be aware that your computer's name and local hostname will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files.\n\nBoth should be verified and updated as needed in **System Settings \u003e About** or with the following commands after installation:\n\n```console\nsudo scutil --set ComputerName MacBook\nsudo scutil --set LocalHostName MacBook\n```\n\n# Admin and user accounts\n\nThe first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk.\n\nUtilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs.\n\nIt is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration.\n\nIt is not strictly required to ever log into the admin account via the macOS login screen. When a Terminal command requires administrator privileges, the system will prompt for authentication and Terminal then continues using those privileges. 
To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account.\n\n## Caveats\n\n* Only administrators can install applications in `/Applications` (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in `~/Applications` instead (the directory can be created). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in `/Applications` – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in `/Applications` and require no additional authentication.\n* `sudo` is not available in shells of the standard user, which requires using `su` or `login` to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces.\n* System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console).\n* There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the `open` utility.\n* See additional discussion in [issue 167](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/167).\n\n## Setup\n\nAccounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. 
This avoids data migration. Newly installed systems can also just add a standard account.\n\nDemoting an account can be done either from the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see [issue 179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)):\n\n```console\nsudo dscl . -delete /Groups/admin GroupMembership \u003cusername\u003e\nsudo dscl . -delete /Groups/admin GroupMembers \u003cGeneratedUID\u003e\n```\n\nTo find the **GeneratedUID** of an account:\n\n```console\ndscl . -read /Users/\u003cusername\u003e GeneratedUID\n```\n\nSee also [this post](https://superuser.com/a/395738) for more information about how macOS determines group membership.\n\n# Firmware\n\nYou should check that firmware security settings are set to [Full Security](https://support.apple.com/guide/mac-help/mchl768f7291/mac) to prevent tampering with your OS. This is the default setting.\n\n# FileVault\n\nAll Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. The EFF has a guide on generating [strong but memorable passwords](https://www.eff.org/dice).\n\nYour FileVault password also acts as a [firmware password](https://support.apple.com/en-us/102384) that will prevent people who don't know it from booting from anything other than the designated startup disk, accessing [Recovery](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/15.0/mac/15.0#mchl5abfbb29), and [reviving](https://support.apple.com/en-us/108900) it with DFU mode.\n\nFileVault will ask you to set a recovery key in case you forget your password. Keep this key stored somewhere safe. 
You'll have the option to use your iCloud account to unlock your disk; however, anyone with access to your iCloud account will be able to unlock it as well.\n\n# Lockdown Mode\n\nmacOS offers [Lockdown Mode](https://support.apple.com/105120), a security feature that disables several features across the OS, significantly reducing the attack surface while keeping the OS usable. You can read about exactly what is disabled and decide for yourself if it is acceptable to you.\n\nWhen Lockdown Mode is on, you can disable it per site in Safari on trusted sites.\n\n# Firewall\n\nThere are several types of firewalls available for macOS.\n\n## Application layer firewall\n\nA built-in, basic firewall that blocks **incoming** connections only. This firewall does not have the ability to monitor or block **outgoing** connections.\n\nIt can be controlled by the **Firewall** tab of **Network** in **System Settings**, or with the following commands.\n\nEnable the firewall with logging and stealth mode:\n\n```console\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on\n\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on\n\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on\n```\n\nComputer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using **stealth mode**. When stealth mode is enabled, your computer does not respond to ICMP ping requests, and does not answer connection attempts to a closed TCP or UDP port. 
This makes it more difficult for attackers to find your computer.\n\nTo prevent *built-in software* as well as *code-signed, downloaded software from being whitelisted automatically*:\n\n```console\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off\n\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off\n```\n\nApplications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in macOS are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall.\n\nIf you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose \"Allow\", macOS signs the application and automatically adds it to the firewall list. If you choose \"Deny\", macOS adds it to the list but denies incoming connections intended for this app.\n\nAfter interacting with `socketfilterfw`, restart the process by sending a line hangup signal:\n\n```console\nsudo pkill -HUP socketfilterfw\n```\n\n## Third party firewalls\n\nPrograms such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Radio Silence](https://radiosilenceapp.com/), and [LuLu](https://objective-see.com/products/lulu.html) provide a good balance of usability and security.\n\nThese programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. 
However, they may require the use of a closed source [system extension](https://support.apple.com/HT210999).\n\nIf the number of choices of allowing/blocking network connections is overwhelming, use **Silent Mode** with connections allowed, then periodically check the configuration to gain understanding of applications and what they are doing.\n\nIt is worth noting that these firewalls can be bypassed by programs running as **root** or through [OS vulnerabilities](https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf) (pdf), but they are still worth having - just don't expect absolute protection. However, some malware actually [deletes itself](https://www.cnet.com/how-to/how-to-remove-the-flashback-malware-from-os-x/) and doesn't execute if Little Snitch, or other security software, is installed.\n\n## Kernel level packet filtering\n\nA highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with `pfctl` and various configuration files.\n\npf can also be controlled with a GUI application such as [Murus](https://www.murusfirewall.com/).\n\nThere are many books and articles on the subject of pf firewall. 
Here's just one example of blocking traffic by IP address.\n\nAdd the following into a file called `pf.rules`:\n\n```\nwifi = \"en0\"\nether = \"en7\"\nset block-policy drop\nset fingerprints \"/etc/pf.os\"\nset ruleset-optimization basic\nset skip on lo0\nscrub in all no-df\ntable \u003cblocklist\u003e persist\nblock in log\nblock in log quick from no-route to any\nblock log on $wifi from { \u003cblocklist\u003e } to any\nblock log on $wifi from any to { \u003cblocklist\u003e }\nantispoof quick for { $wifi $ether }\npass out proto tcp from { $wifi $ether } to any keep state\npass out proto udp from { $wifi $ether } to any keep state\npass out proto icmp from $wifi to any keep state\n```\n\nThen use the following commands to manipulate the firewall:\n\n* `sudo pfctl -e -f pf.rules` to enable the firewall and load the configuration\n* `sudo pfctl -d` to disable the firewall\n* `sudo pfctl -t blocklist -T add 1.2.3.4` to add an IP address to the blocklist\n* `sudo pfctl -t blocklist -T show` to view the blocklist\n* `sudo ifconfig pflog0 create` to create an interface for logging\n* `sudo tcpdump -ni pflog0` to view filtered packets\n\nUnless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. 
It is also probably unnecessary if your Mac is behind a [NAT](https://www.grc.com/nat/nat.htm) on a private home network.\n\nIt is possible to use the pf firewall to block network access to entire ranges of network addresses, for example to a whole organization:\n\nQuery [Merit RADb](https://www.radb.net/) for the list of networks in use by an autonomous system, like [Facebook](https://ipinfo.io/AS32934):\n\n```console\nwhois -h whois.radb.net '!gAS32934'\n```\n\nCopy and paste the list of networks returned into the blocklist command:\n\n```console\nsudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16\n```\n\nConfirm the addresses were added:\n\n```console\n$ sudo pfctl -t blocklist -T show\nNo ALTQ support in kernel\nALTQ related functions disabled\n   31.13.24.0/21\n   31.13.64.0/24\n   157.240.0.0/16\n```\n\nConfirm network traffic is blocked to those addresses (DNS requests will still work):\n\n```console\n$ dig a +short facebook.com\n157.240.2.35\n\n$ curl --connect-timeout 5 -I http://facebook.com/\n*   Trying 157.240.2.35...\n* TCP_NODELAY set\n* Connection timed out after 5002 milliseconds\n* Closing connection 0\ncurl: (28) Connection timed out after 5002 milliseconds\n\n$ sudo tcpdump -tqni pflog0 'host 157.240.2.35'\nIP 192.168.1.1.62771 \u003e 157.240.2.35.80: tcp 0\nIP 192.168.1.1.62771 \u003e 157.240.2.35.80: tcp 0\nIP 192.168.1.1.62771 \u003e 157.240.2.35.80: tcp 0\nIP 192.168.1.1.62771 \u003e 157.240.2.35.80: tcp 0\nIP 192.168.1.1.162771 \u003e 157.240.2.35.80: tcp 0\n```\n\nOutgoing TCP SYN packets are blocked, so a TCP connection is not established and thus a Web site is effectively blocked at the IP layer.\n\nSee [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/master/scripts/pf-blocklist.sh) for more inspiration.\n\n# Services\n\nServices on macOS are managed by **launchd**. 
See [launchd.info](https://launchd.info).\n\nYou can manage and see more information about software that runs at login in [System Settings](https://support.apple.com/guide/mac-help/change-login-items-settings-mtusr003). You can see installed System, Quick Look, Finder, and other extensions in [System Settings](https://support.apple.com/guide/mac-help/change-extensions-settings-mchl8baf92fe) as well.\n\n* Use `launchctl list` to view running user agents\n* Use `sudo launchctl list` to view running system daemons\n* Specify the service name to examine it, e.g. `launchctl list com.apple.Maps.mapspushd`\n* Use `defaults read` to examine job plists in `/System/Library/LaunchDaemons` and `/System/Library/LaunchAgents`\n* Use `man` and `strings` to find out more about what an agent/daemon does\n\nFor example, to learn what a system launch daemon or agent does, start with:\n\n```console\ndefaults read /System/Library/LaunchDaemons/com.apple.apsd.plist\n```\n\nLook at the `Program` or `ProgramArguments` section to see which binary is run, in this case `apsd`. To find more information about that binary, look at its man page with `man apsd`.\n\n**Note** System services are protected by SIP; don't disable SIP just to tinker with system services, as SIP is an integral part of security on macOS. 
Disabling system services could cause breakage and unstable behavior!\n\nTo view the status of services:\n\n```console\nfind /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \\; 2\u003e/dev/null\n```\n\nAnnotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository.\n\nRead more about launchd and where login items can be found on [Apple's website](https://support.apple.com/guide/terminal/script-management-with-launchd-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369).\n\n# Siri Suggestions and Spotlight\n\nApple is moving to on-device processing for a lot of Siri functions, but some info is still sent to Apple when you use Siri Suggestions or Spotlight. You can read Apple's [Privacy Policy](https://www.apple.com/legal/privacy/data/en/siri-suggestions-search/) to see exactly what is sent and how to disable it.\n\n# Homebrew\n\nIf your program isn't available through the App Store you can consider using [Homebrew](https://brew.sh/).\n\n**Important!** Homebrew asks you to grant “App Management” (or “Full Disk Access”) permission to your terminal. This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of your terminal by adding a malicious command to (e.g.) ~/.zshrc. Granting “App Management” or “Full Disk Access” to your terminal should be considered the same as disabling TCC completely.\n\nRemember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info \u003cpackage\u003e` and check its formula online. 
You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1`.

According to [Homebrew's Anonymous Analytics](https://docs.brew.sh/Analytics), Homebrew gathers anonymous analytics and reports these to a self-hosted InfluxDB instance. To opt out of Homebrew's analytics, set `export HOMEBREW_NO_ANALYTICS=1` in your environment or shell rc file, or use `brew analytics off`.

# DNS

## DNS profiles

macOS 11 introduced "DNS configuration profiles" to configure encrypted DNS, filter domains and use DNSSEC.

DNS profiles [can be created](https://dns.notjakob.com/) or obtained from providers such as [Quad9](https://docs.quad9.net/Setup_Guides/MacOS/Big_Sur_and_later_(Encrypted)/#download-profile), [AdGuard](https://adguard-dns.io/en/public-dns.html) and [NextDNS](https://nextdns.io/).

## Hosts file

Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known malware, advertising or otherwise unwanted domains.

Edit the hosts file as root, for example with `sudo vi /etc/hosts`.

To block a domain by `A` record, append any one of the following lines to `/etc/hosts`:

```
0 example.com
0.0.0.0 example.com
127.0.0.1 example.com
```

**Note** IPv6 uses the `AAAA` DNS record type rather than the `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, as shown [here](https://someonewhocares.org/hosts/ipv6/).

There are many lists of domains available online which you can paste in; just make sure each line starts with `0`, `0.0.0.0` or `127.0.0.1`, and that the line `127.0.0.1 localhost` is included.

Here are some popular and useful hosts lists:

* [Sinfonietta/hostfiles](https://github.com/Sinfonietta/hostfiles)
* [StevenBlack/hosts](https://github.com/StevenBlack/hosts)
* [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts)

Append a list of hosts with `tee`:

```console
curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts
```

If you're using a firewall like [Little Snitch](#third-party-firewalls), you can use the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) list by importing the rules from the [leohidalgo/little-snitch---rule-groups](https://github.com/leohidalgo/little-snitch---rule-groups) repository; these rules are updated every 12 hours from the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) repository.

## DNSCrypt

To encrypt DNS traffic, consider using [DNSCrypt/dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). Used in combination with dnsmasq and DNSSEC, the integrity of DNS traffic can be significantly improved.

Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`:

```console
brew install dnscrypt-proxy
```

If using it in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-proxy.plist` by running

```console
brew info dnscrypt-proxy
```

which will show a location like `/usr/local/etc/dnscrypt-proxy.toml`.

Open it in a text editor, find the line starting with `listen_addresses =` and edit that line to use DNSCrypt on a port other than 53, like 5355:

```
listen_addresses = ['127.0.0.1:5355', '[::1]:5355']
```

Start DNSCrypt:

```console
sudo brew services restart dnscrypt-proxy
```

Confirm DNSCrypt is running:

```console
$ sudo lsof +c 15 -Pni UDP:5355
COMMAND          PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 15244 nobody    7u  IPv4 0x1337f85ff9f8beef      0t0  UDP 127.0.0.1:5355
dnscrypt-proxy 15244 nobody   10u  IPv6 0x1337f85ff9f8beef      0t0  UDP [::1]:5355
dnscrypt-proxy 15244 nobody   12u  IPv4 0x1337f85ff9f8beef      0t0  UDP 127.0.0.1:5355
dnscrypt-proxy 15244 nobody   14u  IPv6 0x1337f85ff9f8beef      0t0  UDP [::1]:5355
```

> By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, balancing traffic across a set of resolvers. If you would like to change these settings, you will have to edit the configuration file: $HOMEBREW_PREFIX/etc/dnscrypt-proxy.toml

**Note** Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules:

```shell
block drop quick on !lo0 proto udp from any to any port = 53
block drop quick on !lo0 proto tcp from any to any port = 53
```

See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html) and [ipv6-test.com](http://ipv6-test.com/).

## Dnsmasq

Among other features, [dnsmasq](https://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domains.

Use it in combination with DNSCrypt to additionally encrypt DNS traffic.

If you don't wish to use DNSCrypt, you should at least use DNS [not provided](https://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html) [by your ISP](https://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking/). Two popular alternatives are [Google DNS](https://developers.google.com/speed/public-dns/) and [OpenDNS](https://www.opendns.com/home-internet-security/).

**Optional** [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone. The current root-zone trust anchors may be downloaded [from the IANA website](https://www.iana.org/dnssec/files).
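The validation outcome described here is what the `dig` checks at the end of this section read from the response header. As an added example that is not part of the guide, the following Python script parses that header, applies the guide's rule (`NOERROR` with the `ad` flag means validated, `SERVFAIL` means validation failed) and re-queries with `+cd` (checking disabled) to tell a badly signed zone from a resolver that is failing for other reasons; `dig` is assumed to be installed for the live check, and the sample outputs are constructed.

```python
"""Read a resolver's DNSSEC verdict from `dig` output.

Added example, not from the guide: it parses the `status:` and `flags:`
header lines that dig prints and classifies the result. Standard library
only; `dig` is assumed to be on the PATH for check_resolver()."""
import re
import subprocess

STATUS_RE = re.compile(r"\bstatus:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def parse_dig_header(output: str):
    """Return (rcode, flag_set) from the ';; ->>HEADER<<-' block of dig output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if status is None or flags is None:
        raise ValueError("no dig header found in output")
    return status.group(1), set(flags.group(1).split())


def dnssec_verdict(output: str, cd_output: str = None) -> str:
    """Classify one query; pass the same query re-run with `+cd` to refine SERVFAIL.

    A validating resolver sets `ad` (authenticated data) only when the whole
    chain up to a trust anchor checked out, and answers SERVFAIL for a bogus
    zone. Re-asking with `+cd` (checking disabled) separates a bogus zone
    (data now comes back) from a resolver or upstream failure (still SERVFAIL).
    """
    rcode, flags = parse_dig_header(output)
    if rcode == "NOERROR":
        # answer returned; without `ad` either the zone is unsigned or the
        # resolver you are using does not validate at all
        return "validated" if "ad" in flags else "not_validated"
    if rcode == "SERVFAIL":
        if cd_output is None:
            return "servfail"
        cd_rcode, _ = parse_dig_header(cd_output)
        return "bogus" if cd_rcode == "NOERROR" else "resolver_error"
    return "error:" + rcode


def run_dig(name: str, *extra: str) -> str:
    """Invoke dig with +dnssec and any extra options, returning its stdout."""
    cmd = ["dig", "+dnssec", *extra, name]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_resolver(names=("icann.org", "www.dnssec-failed.org")):
    """Query each name normally and with +cd, returning {name: verdict}.

    Against a validating resolver this should give icann.org -> validated and
    www.dnssec-failed.org -> bogus, matching the two dig checks in this section.
    """
    return {n: dnssec_verdict(run_dig(n), run_dig(n, "+cd")) for n in names}


# Constructed samples, shaped like the two dig outputs shown in this section,
# plus what a non-validating resolver returns for the same signed name.
SIGNED_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SIGNED_BAD = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
NO_AD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, verdict in check_resolver().items():
        print(f"{name}: {verdict}")
```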
There are a number of resources on DNSSEC, but probably the best one is the [dnssec.net website](https://www.dnssec.net).

Install Dnsmasq:

```console
brew install dnsmasq --with-dnssec
```

Download and edit [drduh/config/dnsmasq.conf](https://github.com/drduh/config/blob/master/dnsmasq.conf) or the default configuration file.

See [drduh/config/domains](https://github.com/drduh/config/tree/master/domains) for appendable examples on blocking services by domains.

Install and start the program (sudo is required to bind to [privileged port](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only) 53):

```console
sudo brew services start dnsmasq
```

To set dnsmasq as the local DNS server, open **System Preferences** > **Network** and select the active interface, then the **DNS** tab, select **+** and add `127.0.0.1`, or use:

```console
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
```

Confirm Dnsmasq is configured:

```console
$ scutil --dns | head
DNS configuration

resolver #1
  search domain[0] : whatever
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

$ networksetup -getdnsservers "Wi-Fi"
127.0.0.1
```

**Note** Some VPN software overrides DNS settings on connect.
See [issue 24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) and [drduh/config/scripts/macos-dns.sh](https://github.com/drduh/config/blob/master/scripts/macos-dns.sh).

**Optional** Test DNSSEC validation for signed zones - the reply should have `NOERROR` status and contain the `ad` flag:

```console
$ dig +dnssec icann.org | head
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
```

Test that DNSSEC validation fails for zones that are signed improperly - the reply should have `SERVFAIL` status:

```console
$ dig www.dnssec-failed.org | head
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
```

# Certificate authorities

macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy.
They also have [strict requirements](https://www.apple.com/certificateauthority/ca_program.html) that trusted CAs have to meet.

For more information, see the [CA/Browser Forum's website](https://cabforum.org/resources/browser-os-info/).

Inspect system root certificates in **Keychain Access**, under the **System Roots** tab, or by using the `security` command line tool and the `/System/Library/Keychains/SystemRootCertificates.keychain` file.

You can manually disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window:

<img width="450" alt="A certificate authority certificate" src="https://cloud.githubusercontent.com/assets/12475110/19222972/6b7aabac-8e32-11e6-8efe-5d3219575a98.png">

**Warning:** This will cause your browser to give a warning when you visit a site using certificates signed by these CAs and may cause breakage in other software. Don't distrust Apple root certificates, or it will cause lots of breakage in macOS!

The risk of a [man in the middle](https://wikipedia.org/wiki/Man-in-the-middle_attack) attack, in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue TLS certificate, is quite low, but still [possible](https://wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates).

# Privoxy

Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter Web traffic.

Install and start privoxy using Homebrew:

```console
brew install privoxy

brew services start privoxy
```

Alternatively, a signed installation package for Privoxy is available from [their website](https://www.privoxy.org/sf-download-mirror/Macintosh%20%28OS%20X%29/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/).
The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version and receives support from the Privoxy project.

By default, Privoxy listens on local TCP port 8118.

Set the system **HTTP** proxy for the active network interface to `127.0.0.1` and port `8118`:

```console
sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118
```

Set the system **HTTPS** proxy:

```console
sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118
```

This can also be done through **System Preferences > Network > Advanced > Proxies**.

Confirm the proxy is set:

```console
$ scutil --proxy
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 1
  HTTPPort : 8118
  HTTPProxy : 127.0.0.1
}
```

Although most Web traffic today is encrypted, Privoxy is still useful for filtering by domain name patterns and for upgrading insecure HTTP requests.

For example, the following rules block all traffic except to `.net`, `github.com` and all `apple` domains:

```console
{ +block{all} }
.

{ -block }
.apple.
.github.com
.net
```

Or, to just block Facebook domains, for example:

```console
{ +block{facebook} }
.facebook*.
.fb.
.fbcdn*.
.fbinfra.
.fbsbx.
.fbsv.
.fburl.
.tfbnw.
.thefacebook.
fb*.akamaihd.net
```

Wildcards are also supported.

See [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) for additional Privoxy examples.
Privoxy does **not** need to be restarted after editing `user.action` filter rules.

To verify traffic is blocked or redirected, use curl or the Privoxy interface available at <http://p.p> in the browser:

```console
ALL_PROXY=127.0.0.1:8118 curl example.com -IL | head

HTTP/1.1 403 Request blocked by Privoxy
Content-Length: 9001
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache

ALL_PROXY=127.0.0.1:8118 curl github.com -IL | head
HTTP/1.1 302 Local Redirect from Privoxy
Location: https://github.com/
Content-Length: 0

HTTP/1.1 200 Connection established

HTTP/2 200
server: GitHub.com
```

**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and verify connections don't leak. Additionally, *pf* can be configured to transparently proxy traffic on certain ports.

# Browser

The Web browser likely poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet.

An important property of modern browsers is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)), which prevents a malicious script on one page from obtaining access to sensitive data on another web page through the Document Object Model (DOM). If SOP is compromised, the security of the entire browser is compromised.

Many browser exploits are based on social engineering as a means of gaining persistence. Always be mindful of opening untrusted sites and especially careful when downloading new software.

Another important consideration about browser security is extensions. This is an issue affecting Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike.
The use of browser extensions should be limited to only critically necessary ones published by trustworthy developers.

[Mozilla Firefox](https://www.mozilla.org/firefox/new), [Google Chrome](https://www.google.com/chrome), [Safari](https://www.apple.com/safari), and [Tor Browser](https://www.torproject.org/download) are all recommended browsers for their own unique and individual purposes.

## Firefox

[Mozilla Firefox](https://www.mozilla.org/firefox/new) is a popular open source browser. Firefox replaced major parts of its infrastructure and code base under the projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox.

Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/security/bug-bounty), although it is not as lucrative. Firefox follows a four-week release cycle.

Firefox supports user-supplied configuration files. See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net), an extension which allows selective script blocking.

Firefox [focuses on user privacy](https://www.mozilla.org/firefox/privacy). It supports [tracking protection](https://developer.mozilla.org/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites.
Firefox in Strict tracking protection mode will [randomize your fingerprint](https://support.mozilla.org/kb/firefox-protection-against-fingerprinting) to foil basic tracking scripts. Firefox offers separate user [profiles](https://support.mozilla.org/kb/profile-manager-create-remove-switch-firefox-profiles). You can separate your browsing inside a profile with [Multi-Account Containers](https://support.mozilla.org/kb/containers).

Firefox only supports Web Extensions through the [Web Extension API](https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions), which is very similar to Chrome's. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox are most of the time open source, although certain Web Extensions are proprietary.

## Chrome

[Google Chrome](https://www.google.com/chrome) is based on the open source [Chromium project](https://www.chromium.org) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser):

* Automatic updates with GoogleSoftwareUpdateDaemon
* Usage tracking and crash reporting, which can be disabled through Chrome's settings
* Media Codec support for proprietary codecs
* Chrome Web Store
* PDF viewer
* Non-optional tracking. The Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of the Chrome download and the installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. The source code to decode the strings is made open by Google.

Chrome offers account sync between multiple devices. Part of the sync data includes credentials to Web sites.
The data is encrypted with the account password.

Chrome's Web Store for extensions requires a [5 USD lifetime fee](https://developer.chrome.com/docs/webstore/register) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage.

Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org), which uses [Chrome's V8](https://developers.google.com/v8) Engine, and the [Electron](https://electron.atom.io) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite constant attacks, Chrome has retained an impressive security track record over the years. This is not a small feat.

Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [robust sandboxing](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md), [frequent updates](https://chromereleases.googleblog.com), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty program](https://bughunters.google.com/about/rules/5745167867576320/chrome-vulnerability-reward-program-rules) for reporting vulnerabilities, along with its own [Project Zero](https://googleprojectzero.blogspot.com/) team. This means that a large number of highly talented and motivated people are constantly auditing and securing Chrome code.

Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, disable JavaScript in Chrome settings and configure allowed origins. You should also disable the V8 optimizer for sites where you do use JavaScript, to further reduce attack surface.
Go to **Settings** -> **Privacy and security** -> **Security** -> **Manage v8 security** -> **Don't allow sites to use the V8 optimizer**.

Read more about the benefits of disabling this [here](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode).

You can block trackers with [uBlock Origin Lite](https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh).

Change the default search engine from Google to reduce additional tracking.

Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). Note that Chrome [may attempt](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/350) to resolve DNS using Google's `8.8.8.8` and `8.8.4.4` public nameservers.

Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy) for more information. Read [Google's privacy policy](https://policies.google.com/privacy) to understand how personal information is collected and used.

## Safari

[Safari](https://www.apple.com/safari) is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://webkit.org), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit, and both engines share a number of similarities.

Safari supports certain unique features that benefit user security and privacy.
[Content blockers](https://webkit.org/blog/3476/content-blockers-first-look) enable the creation of content blocking rules without using JavaScript. This rule-based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), which removes tracking data stored in Safari after a period of non-interaction by the user with the tracker's website. Safari can randomize your fingerprint to reduce tracking. Safari intentionally doesn't support certain features like WebUSB or the Battery API, for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that are destroyed when you close the tab. Safari also supports Profiles, which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Safari can be made significantly more secure with [lockdown mode](#lockdown-mode), which can be disabled per-site. Read more about [tracking prevention](https://webkit.org/tracking-prevention) in Safari.

Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016.

Web Extensions in Safari have an additional option to use native code in Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App Store. App Store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand, App Store submission comes at a steep cost. The yearly [developer subscription](https://developer.apple.com/support/compare-memberships) fee costs 100 USD (in contrast to Chrome's 5 USD fee and Firefox's free submission).
The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open.

Safari syncs user preferences and passwords with [iCloud Keychain](https://support.apple.com/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security.

Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Security updates in Safari are handled independently of the stable release schedule and are installed through the App Store.

See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons.

## Other browsers

Many Chromium-derived browsers are not recommended. They are usually [closed source](https://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), and make dubious claims to protect privacy.

Other miscellaneous browsers, such as [Brave](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use.

## Web browser privacy

Web browsers reveal information in several ways, for example through the [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface, which may include information such as the browser version, operating system, site permissions, and the device's battery level.
Many websites also use [canvas fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) to uniquely identify users across sessions.

For more information about security conscious browsing and what data is sent by your browser, see the [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://browserleaks.com/), [Am I Unique?](https://amiunique.org/fingerprint) and [EFF Cover Your Tracks](https://coveryourtracks.eff.org/) resources.

To hinder third party trackers, it is recommended to **disable third-party cookies** altogether. Safari, Firefox, and Chrome all block third party cookies by default. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time, third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed.

Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address). [Lockdown mode](#lockdown-mode) [disables WebRTC](https://www.sevarg.net/2022/07/20/ios16-lockdown-mode-browser-analysis) in Safari.

# Tor

Tor is an anonymizing network which can be used for browsing the Web with additional privacy.
Tor Browser is a modified version of Firefox with a proxy to access the Tor network.

Download Tor Browser from [Tor Project](https://www.torproject.org/download/).

Do **not** attempt to configure other browsers or applications to use Tor, as you may make a mistake which will compromise anonymity.

Download both the `dmg` and `asc` signature files, then verify the disk image has been signed by Tor developers:

```console
$ cd ~/Downloads

$ file Tor*
TorBrowser-8.0.4-osx64_en-US.dmg:     bzip2 compressed data, block size = 900k
TorBrowser-8.0.4-osx64_en-US.dmg.asc: PGP signature Signature (old)

$ gpg Tor*asc
[...]
gpg: Can't check signature: No public key

$ gpg --recv 0x4E2C6E8793298290
gpg: key 0x4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify Tor*asc
gpg: assuming signed data in 'TorBrowser-8.0.4-osx64_en-US.dmg'
gpg: Signature made Mon Dec 10 07:16:22 2018 PST
gpg:                using RSA key 0xEB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2
```

Make sure `Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"` appears in the output.
The warning about the key not being certified is benign, as it has not yet been assigned trust.\n\nSee [How can I verify Tor Browser's signature?](https://support.torproject.org/tbb/how-to-verify-signature/) for more information.\n\nTo finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with:\n\n```console\nhdiutil mount TorBrowser-8.0.4-osx64_en-US.dmg\n\ncp -r /Volumes/Tor\\ Browser/Tor\\ Browser.app/ ~/Applications/\n\n```\n\nVerify the Tor application's code signature was made by with The Tor Project's Apple developer ID **MADPSAYN6T**, using the `spctl -a -v` and/or `pkgutil --check-signature` commands:\n\n```console\n$ spctl -a -vv ~/Applications/Tor\\ Browser.app\n/Users/drduh/Applications/Tor Browser.app: accepted\nsource=Developer ID\norigin=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)\n\n$ pkgutil --check-signature ~/Applications/Tor\\ Browser.app\nPackage \"Tor Browser.app\":\n   Status: signed by a certificate trusted by Mac OS X\n   Certificate Chain:\n    1. Developer ID Application: The Tor Project, Inc (MADPSAYN6T)\n       SHA1 fingerprint: 95 80 54 F1 54 66 F3 9C C2 D8 27 7A 29 21 D9 61 11 93 B3 E8\n       -----------------------------------------------------------------------------\n    2. Developer ID Certification Authority\n       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86\n       -----------------------------------------------------------------------------\n    3. 
Apple Root CA\n       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60\n```\n\nYou can also use the `codesign` command to examine an application's code signature:\n\n```console\n$ codesign -dvv ~/Applications/Tor\\ Browser.app\nExecutable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox\nIdentifier=org.torproject.torbrowser\nFormat=app bundle with Mach-O thin (x86_64)\nCodeDirectory v=20200 size=229 flags=0x0(none) hashes=4+3 location=embedded\nLibrary validation warning=OS X SDK version before 10.9 does not support Library Validation\nSignature size=4247\nAuthority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)\nAuthority=Developer ID Certification Authority\nAuthority=Apple Root CA\nSigned Time=Dec 10, 2018 at 12:18:45 AM\nInfo.plist entries=24\nTeamIdentifier=MADPSAYN6T\nSealed Resources version=2 rules=12 files=128\nInternal requirements count=1 size=188\n```\n\nTo view full certificate details for a signed application, extract them with `codesign` and decode it with `openssl`:\n\n```console\n$ codesign -d --extract-certificates ~/Applications/Tor\\ Browser.app\nExecutable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox\n\n$ file codesign*\ncodesign0: data\ncodesign1: data\ncodesign2: data\n\n$ openssl x509 -inform der -in codesign0 -subject -issuer -startdate -enddate -noout\nsubject= /UID=MADPSAYN6T/CN=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)/OU=MADPSAYN6T/O=The Tor Project, Inc/C=US\nissuer= /CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US\nnotBefore=Apr 12 22:40:13 2016 GMT\nnotAfter=Apr 13 22:40:13 2021 GMT\n\n$ openssl x509 -inform der -in codesign0  -fingerprint -noout\nSHA1 Fingerprint=95:80:54:F1:54:66:F3:9C:C2:D8:27:7A:29:21:D9:61:11:93:B3:E8\n\n$ openssl x509 -inform der -in codesign0 -fingerprint -sha256 -noout\nSHA256 
Fingerprint=B5:0D:47:F0:3E:CB:42:B6:68:1C:6F:38:06:2B:C2:9F:41:FA:D6:54:F1:29:D3:E4:DD:9C:C7:49:35:FF:F5:D9\n```\n\nThe SHA-1 fingerprint should match the one `pkgutil` printed for the leaf certificate above.\n\nTor traffic is **encrypted** between your Mac and the [exit node](https://en.wikipedia.org/wiki/Tor_(network)#Exit_node_eavesdropping), so a passive eavesdropper on your network cannot read its contents (the exit operator can still read anything you send to a plain-HTTP site). Tor use itself **can** be identified, however: the randomly generated \"hostnames\" Tor uses in its TLS handshake (of the form `www.\u003crandom\u003e.com`) appear in plaintext and are a recognisable fingerprint:\n\n```console\n$ sudo tcpdump -An \"tcp\" | grep \"www\"\nlistening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes\n.............\". ...www.odezz26nvv7jeqz1xghzs.com.........\n.............#.!...www.bxbko3qi7vacgwyk4ggulh.com.........\n.6....m.....\u003e...:.........|../*\tZ....W....X=..6...C../....................................0...0..0.......'....F./0..\t*.H........0%1#0!..U....www.b6zazzahl3h3faf4x2.com0...160402000000Z..170317000000Z0'1%0#..U....www.tm3ddrghe22wgqna5u8g.net0..0..\n```\n\nSee [Tor Protocol Specification](https://spec.torproject.org/tor-spec/) and [Tor/TLSHistory](https://gitlab.torproject.org/legacy/trac/-/wikis/org/projects/Tor/TLSHistory) for more information.\n\nYou may wish to additionally obfuscate Tor traffic using a [pluggable transport](https://tb-manual.torproject.org/circumvention/).\n\nThis is done by connecting through a **bridge**: an unlisted entry relay that speaks a transport such as obfs4, so that the connection does not look like Tor to a local observer. You can [run your own](https://support.torproject.org/relay-operators/) private bridge or use a [public bridge](https://bridges.torproject.org/). A bridge hides the fact that you are connecting to the Tor network from your ISP or local network; it does not change what the exit node or the destination can see.\n\nFor extra security, use Tor inside a [VirtualBox](https://www.virtualbox.org/wiki/Downloads) or [VMware](https://www.vmware.com/products/fusion.html) virtualized [GNU/Linux](https://www.brianlinkletter.com/2012/10/installing-debian-linux-in-a-virtualbox-virtual-machine/) or [OpenBSD](https://www.openbsd.org/faq/faq4.html) instance.\n\nFinally, remember the Tor network provides [anonymity](https://www.privateinternetaccess.com/blog/2013/10/how-does-privacy-differ-from-anonymity-and-why-are-both-important/), which is not 
necessarily synonymous with privacy. The Tor network does not guarantee protection against a global observer capable of traffic analysis and correlation. See also [Seeking Anonymity in an Internet Panopticon](https://bford.info/pub/net/panopticon-cacm.pdf) (pdf) and [Traffic Correlation on Tor by Realistic Adversaries](https://www.ohmygodel.com/publications/usersrouted-ccs13.pdf) (pdf).\n\nAlso see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) and its [Tor comparison](https://geti2p.net/en/comparison/tor).\n\n# VPN\n\nWhen choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) or [WireGuard](https://www.wireguard.com/), which can run [on a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or natively through its [cross platform tools](https://www.wireguard.com/xplatform/) and macOS app. Also remember that a commercial VPN only moves trust from your ISP to the VPN provider; it does not provide anonymity.\n\nSome clients send traffic over the next available interface when the VPN is interrupted or disconnected, silently exposing it. A firewall \"kill switch\" that only permits traffic through the tunnel interface prevents this; see [scy/8122924](https://gist.github.com/scy/8122924) for an example of allowing traffic only over the VPN.\n\nThere is an updated guide to setting up an IPSec VPN on a virtual machine ([hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)) or a docker container ([hwdsl2/docker-ipsec-vpn-server](https://github.com/hwdsl2/docker-ipsec-vpn-server)).\n\nIt may be worthwhile to consider the geographical location of the VPN provider. 
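
As an added example that is not part of this guide or of the scy gist, the following shell script generates and loads a pf rule set implementing such a kill switch on macOS. The interface names (`en0` for Wi-Fi, `utun3` for the tunnel), the VPN endpoint `203.0.113.10` and UDP port 1194 are assumptions for illustration; take the real values from `ifconfig` while the VPN is up. Because DNS to the local resolver is also blocked on the physical interface, the VPN client must be configured with the server's IP address rather than a hostname.

```sh
#!/bin/sh
# Added example, not from the guide: generate and load a pf "kill switch" that
# only lets traffic leave through the VPN tunnel. Interface names, server
# address and port are assumptions; read the real ones from `ifconfig` and
# your VPN profile while the tunnel is up.

# build_killswitch PHYS_IF VPN_IF VPN_SERVER VPN_PORT [VPN_PROTO]
# Print a complete pf rule set to stdout.
build_killswitch() {
  phys_if=$1 vpn_if=$2 vpn_server=$3 vpn_port=$4 vpn_proto=${5:-udp}
  cat <<EOF
# Loopback is never filtered.
set skip on lo0
# Default deny, both directions. Anything not explicitly passed below is
# dropped, which is what stops a leak onto $phys_if when the tunnel drops.
block drop all
# Keep the DHCP lease on the physical link alive (client port 68 -> server 67).
pass out quick on $phys_if proto udp from any port 68 to any port 67 keep state
# The only traffic allowed directly on the physical interface is the tunnel
# itself. The endpoint is pinned by address: DNS is blocked here, so the VPN
# client must be configured with the server's IP, not a hostname.
pass out quick on $phys_if proto $vpn_proto from any to $vpn_server port $vpn_port keep state
# Everything else, including DNS, has to go through the tunnel interface.
pass out on $vpn_if keep state
EOF
}

# apply_killswitch RULEFILE: load the rules and enable pf. `pfctl -f` replaces
# the active rule set, including Apple's defaults from /etc/pf.conf; reload
# that file (sudo pfctl -f /etc/pf.conf) to go back to normal.
apply_killswitch() {
  sudo pfctl -f "$1" && sudo pfctl -e
}

# Usage on a Mac, with the assumed values (Wi-Fi on en0, OpenVPN tunnel on
# utun3, server 203.0.113.10 on UDP/1194):
#   build_killswitch en0 utun3 203.0.113.10 1194 udp > /tmp/vpn-killswitch.conf
#   sudo pfctl -nf /tmp/vpn-killswitch.conf   # syntax check only
#   apply_killswitch /tmp/vpn-killswitch.conf
```

Test the rule set with `pfctl -nf` first, and confirm afterwards (for example with `tcpdump -i en0`) that only the pinned endpoint sees traffic on the physical interface when the tunnel is torn down.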
See [issue 114](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/114) for further discussion of provider location.\n\nAlso see this [technical overview](https://blog.timac.org/2018/0717-macos-vpn-architecture/) of the macOS built-in VPN L2TP/IPSec and IKEv2 client.\n\n# PGP/GPG\n\nPGP is a standard for signing and encrypting data (especially email) end-to-end, so only the sender and the intended recipients can read it.\n\nGPG, or **GNU Privacy Guard**, is a GPL-licensed open source program that implements the [OpenPGP](https://www.rfc-editor.org/rfc/rfc4880) standard.\n\nGPG is used to verify signatures of software you download and install, as well as to [symmetrically](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) or [asymmetrically](https://en.wikipedia.org/wiki/Public-key_cryptography) encrypt files and text.\n\nInstall from Homebrew with `brew install gnupg`.\n\nIf you prefer a graphical application, download and install [GPG Suite](https://gpgtools.org/).\n\nDownload [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) to use recommended settings (the `~/.gnupg` directory must already exist, with mode 700; running `gpg` once creates it):\n\n```console\ncurl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf\n```\n\nAs with any configuration fetched over the network, review the file before using it.\n\nSee [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely generate and store GPG keys.\n\nRead [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and [practice](https://help.riseup.net/en/security/message-security/openpgp/best-practices) encrypting and decrypting email to yourself and your friends. Get them interested in this stuff!\n\n# Messengers\n\n## XMPP\n\nXMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). 
Consider using one of the browser-based clients to take advantage of your browser's sandbox.\n\nDepending on the provider, you might not need anything other than a username and password to set up your account.\n\nXMPP is not end-to-end encrypted by default; you will need to use [OMEMO](https://omemo.top) encryption, so make sure your client (and your contacts' clients) support it.\n\n## Signal\n\n[Signal](https://www.signal.org) is an advanced E2EE messenger whose [double-ratchet](https://signal.org/docs/specifications/doubleratchet/) protocol is used by countless other messengers including WhatsApp, Google Messages, and Facebook Messenger.\n\nSignal requires a phone number to sign up, and you will need to install it on your phone before you can link the desktop client.\n\n## iMessage\n\niMessage is Apple's first party messenger. It requires an [Apple Account](#apple-account) in order to use it.\n\nMake sure to enable [Contact Key Verification](https://support.apple.com/118246) and verify with anyone you message to ensure that you're messaging the right person.\n\nYou can use iMessage with either a [phone number or an email](https://support.apple.com/108758#help), so pick one that you're comfortable with your contacts seeing.\n\n**Note:** By default, iCloud backup is enabled, which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner(s) to do the same, since a conversation is only as protected as its least protected participant.\n\n# Viruses and malware\n\nThere is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. 
Macs aren't immune from viruses and malicious software!\n\nSome malware is bundled with legitimate software, such as the [Ask Toolbar shipped with Oracle's Java installer](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs.\n\nSee [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn how garden-variety malware functions.\n\nSubscribe to updates at the [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news.\n\nAlso check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland tools (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/).\n\n## Downloading Software\n\nRunning only programs from the App Store or programs [notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple helps mitigate malware. Apple performs an automated scan on notarized apps for known malware; notarization is not a code review and does not vouch for what the app does with the permissions you grant it. 
App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process that catches some malware.\n\nOtherwise, get programs from trusted sources, such as directly from the developer's website or GitHub, and verify any signature or checksum the developer publishes. Always make sure that your browser/terminal is using HTTPS when downloading any program.\n\nYou should also avoid programs that ask for lots of permissions and third party closed source programs. Open source code allows anyone to audit and examine the code for security/privacy issues.\n\n## App Sandbox\n\nCheck if a program uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) before running it by running the following command:\n\n```console\ncodesign -dvvv --entitlements - \u003cpath to your app\u003e\n```\n\nIf the App Sandbox is enabled, you will see\n\n```console\n    [Key] com.apple.security.app-sandbox\n    [Value]\n        [Bool] true\n```\n\n(Older macOS versions print the entitlements as an XML plist instead, with `\u003ckey\u003ecom.apple.security.app-sandbox\u003c/key\u003e` followed by `\u003ctrue/\u003e`.)\n\nAlternatively, you can check while the app is running by opening Activity Monitor and adding the \"Sandbox\" column.\n\nAll App Store apps are required to use the App Sandbox.\n\n**Note:** Browsers like Google Chrome use their own [sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md) so they don't use the App Sandbox.\n\n## Hardened Runtime\n\nCheck if a program uses the [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime) before running it using the following command:\n\n```console\ncodesign --display --verbose /path/to/bundle.app\n```\n\nIf Hardened Runtime is enabled, you will see `runtime` among the flags, for example `flags=0x10000(runtime)`. Note that an app can opt out of individual protections with `com.apple.security.cs.*` entitlements (such as `com.apple.security.cs.disable-library-validation` or `com.apple.security.cs.allow-dyld-environment-variables`), so also review the entitlements listed by the command above. 
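
The following shell script is an added example, not code from this guide, that combines the checks from this section with the Developer ID check from the Tor Browser section above: it reads the Team ID, the `runtime` flag and the `com.apple.security.app-sandbox` entitlement from `codesign` output and asks `spctl` how Gatekeeper would treat the bundle. The parsing is separated from the tool invocation so it can be tried on the constructed sample outputs at the end (the `Example.app` bundle and Team ID `ABCDE12345` there are made up).

```sh
#!/bin/sh
# Added example, not from the guide: summarise an app bundle's Team ID,
# Gatekeeper verdict, hardened-runtime flag and App Sandbox entitlement.
# Parsers take command output as a string; inspect_app() runs the real tools.

# signing_team OUTPUT: the TeamIdentifier line from `codesign -dvv`, or empty
# for unsigned / ad-hoc signed bundles.
signing_team() {
  printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p'
}

# has_hardened_runtime OUTPUT: true if the CodeDirectory flags list
# "runtime", e.g. flags=0x10000(runtime) or flags=0x10700(hard,kill,runtime).
has_hardened_runtime() {
  printf '%s\n' "$1" |
    grep -Eq 'flags=0x[0-9a-fA-F]+\(([a-z-]+,)*runtime(,[a-z-]+)*\)'
}

# has_app_sandbox OUTPUT: true if com.apple.security.app-sandbox is true in
# the entitlements, in either the "[Key] ... [Value] [Bool] true" layout of
# current codesign or the XML plist layout of older versions.
has_app_sandbox() {
  printf '%s\n' "$1" | awk '
    /\[Key\] com\.apple\.security\.app-sandbox$/      { want = 1; next }
    /<key>com\.apple\.security\.app-sandbox<\/key>/   { want = 1; next }
    want && (/\[Bool\] true/ || /<true\/>/)          { found = 1; want = 0 }
    want && (/\[Key\]/ || /<key>/ || /<false\/>/ || /\[Bool\] false/) { want = 0 }
    END { exit found ? 0 : 1 }'
}

# inspect_app APP [EXPECTED_TEAM]: run the macOS tools and print a summary.
inspect_app() {
  app=$1 expected=$2
  sig=$(codesign -dvv "$app" 2>&1)
  ent=$(codesign -d --entitlements - "$app" 2>/dev/null)
  team=$(signing_team "$sig")
  printf 'team id:          %s\n' "${team:-none}"
  if [ -n "$expected" ] && [ "$team" != "$expected" ]; then
    printf 'WARNING: expected Team ID %s, signature does not match\n' "$expected"
  fi
  # spctl reports whether Gatekeeper would accept the bundle and on what
  # basis, e.g. "source=Notarized Developer ID"; -t exec assesses it as code.
  spctl -a -vv -t exec "$app" 2>&1 | sed -n 's/^source=/gatekeeper:       /p'
  if has_hardened_runtime "$sig"; then echo 'hardened runtime: yes'; else echo 'hardened runtime: NO'; fi
  if has_app_sandbox "$ent";     then echo 'app sandbox:      yes'; else echo 'app sandbox:      no'; fi
}
# Usage on a Mac, e.g.: inspect_app "/Applications/Tor Browser.app" MADPSAYN6T

# Constructed sample outputs (Example.app and Team ID ABCDE12345 are made up;
# the second signature mirrors the Tor Browser 8.0.4 listing in this guide).
SAMPLE_SIG_HARDENED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10700(hard,kill,runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345'

SAMPLE_SIG_TOR='Executable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox
Identifier=org.torproject.torbrowser
CodeDirectory v=20200 size=229 flags=0x0(none) hashes=4+3 location=embedded
Authority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)
TeamIdentifier=MADPSAYN6T'

SAMPLE_ENT_SANDBOXED='[Dict]
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.network.client
    [Value]
        [Bool] true'

SAMPLE_ENT_XML='<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict></plist>'

SAMPLE_ENT_UNSANDBOXED='[Dict]
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] false'
```

A mismatched or missing Team ID, a `NO` for the hardened runtime, or a Gatekeeper source other than `Notarized Developer ID`/`App Store` are each reasons to stop and look more closely before running the app.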
Other flags (such as `hard`, `kill` or `library-validation`) may also be listed; only `runtime` indicates the Hardened Runtime.\n\nYou can enable a column in Activity Monitor called \"Restricted\". It shows whether a process runs with the restricted flag, which makes the [dynamic linker](https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html) ignore the `DYLD_*` environment variables that are otherwise a simple code-injection vector. Ideally, this should say \"Yes\".\n\nNotarized apps are required to use the Hardened Runtime.\n\n## Antivirus\n\nTo scan an application with multiple AV products and examine its behavior, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload) before running it. Note that uploaded files are shared with VirusTotal's partners, so do not upload anything confidential; searching for the file's hash first avoids uploading at all when the sample is already known.\n\nmacOS comes with a built-in AV program called [XProtect](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8). XProtect automatically runs in the background and updates the signatures it uses to detect malware without you having to do anything. If it detects malware already running, it will work to remove and mitigate it just like any other AV program.\n\nApplications such as [BlockBlock](https://objective-see.com/products/blockblock.html) or [maclaunch.sh](https://github.com/hazcod/maclaunch) might help detect and prevent persistent malware by alerting on new launch agents, daemons and other persistence locations.\n\nLocally installed **Anti-virus** programs are generally a double-edged sword: they may catch \"garden variety\" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode (they parse untrusted files with high privileges). They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern.\n\nSee [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), and [How Israel Caught Russian Hackers Scouring the World for U.S. 
Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html).\n\n## Gatekeeper\n\n**Gatekeeper** checks downloaded apps before they first run and blocks those that are not signed with a valid Developer ID and notarized (or installed from the App Store).\n\nIf you try to run an app that isn't notarized, Gatekeeper will give you a warning. This can be overridden if you go to **Privacy \u0026 Security**, scroll down to the bottom and click **Open** on your app. Then Gatekeeper will allow you to run it, so treat the override as a deliberate decision rather than a nuisance click.\n\nGatekeeper only evaluates files that carry the quarantine attribute described below, which browsers and other quarantine-aware downloaders set; a binary fetched with `curl`, extracted by some third-party archive tools or copied from a drive has none and is never checked. Be careful when running such files.\n\n# System Integrity Protection\n\nTo verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection) through Recovery Mode.\n\n# Metadata and artifacts\n\nmacOS attaches metadata ([APFS extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, such as the download URL and a quarantine record. The Spotlight view of it can be seen with `mdls` and the raw attributes with `xattr`:\n\n```console\n$ ls -l@ ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg\n-rw-r--r--@ 1 drduh staff 63M Jan 1 12:00 TorBrowser-8.0.4-osx64_en-US.dmg\n\tcom.apple.metadata:kMDItemWhereFroms\t  46B\n\tcom.apple.quarantine\t  57B\n\n$ mdls ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg\nkMDItemContentCreationDate         = 2019-01-01 00:00:00 +0000\nkMDItemContentCreationDate_Ranking = 2019-01-01 00:00:00 +0000\nkMDItemContentModificationDate     = 2019-01-01 00:00:00 +0000\nkMDItemContentType                 = \"com.apple.disk-image-udif\"\nkMDItemContentTypeTree             = (\n    \"public.archive\",\n    \"public.item\",\n    \"public.data\",\n    \"public.disk-image\",\n    \"com.apple.disk-image\",\n    \"com.apple.disk-image-udif\"\n)\nkMDItemDateAdded                   = 2019-01-01 00:00:00 +0000\nkMDItemDateAdded_Ranking           = 2019-01-01 00:00:00 +0000\nkMDItemDisplayName                 = 
\"TorBrowser-8.0.4-osx64_en-US.dmg\"\nkMDItemFSContentChangeDate         = 2019-01-01 00:00:00 +0000\nkMDItemFSCreationDate              = 2019-01-01 00:00:00 +0000\nkMDItemFSCreatorCode               = \"\"\nkMDItemFSFinderFlags               = 0\nkMDItemFSHasCustomIcon             = (null)\nkMDItemFSInvisible                 = 0\nkMDItemFSIsExtensionHidden         = 0\nkMDItemFSIsStationery              = (null)\nkMDItemFSLabel                     = 0\nkMDItemFSName                      = \"TorBrowser-8.0.4-osx64_en-US.dmg\"\nkMDItemFSNodeCount                 = (null)\nkMDItemFSOwnerGroupID              = 5000\nkMDItemFSOwnerUserID               = 501\nkMDItemFSSize                      = 65840402\nkMDItemFSTypeCode                  = \"\"\nkMDItemInterestingDate_Ranking     = 2019-01-01 00:00:00 +0000\nkMDItemKind                        = \"Disk Image\"\nkMDItemWhereFroms                  = (\n    \"https://dist.torproject.org/torbrowser/8.0.4/TorBrowser-8.0.4-osx64_en-US.dmg\",\n    \"https://www.torproject.org/projects/torbrowser.html.en\"\n)\n\n$ xattr -l ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg\ncom.apple.metadata:kMDItemWhereFroms:\n00000000  62 70 6C 69 73 74 30 30 A2 01 02 5F 10 4D 68 74  |bplist00..._.Mht|\n00000010  74 70 73 3A 2F 2F 64 69 73 74 2E 74 6F 72 70 72  |tps://dist.torpr|\n00000020  6F 6A 65 63 74 2E 6F 72 67 2F 74 6F 72 62 72 6F  |oject.org/torbro|\n[...]\ncom.apple.quarantine: 0081;58519ffa;Google Chrome.app;1F032CAB-F5A1-4D92-84EB-CBECA971B7BC\n```\n\nThe `kMDItemWhereFroms` attribute is a binary plist holding the download and referrer URLs; the `com.apple.quarantine` value encodes the quarantine flags, the download time, the application that downloaded the file and an event identifier.\n\nMetadata attributes can also be removed with the `-d` flag:\n\n```console\nxattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg\n\nxattr -d com.apple.quarantine ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg\n\nxattr -l ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg\n```\n\nRemoving `com.apple.quarantine` also switches off Gatekeeper's check for that file, which is exactly what many malware installation instructions tell victims to do; only strip it from files whose signature or checksum you have already verified. Note also that the download URL is recorded separately in the LaunchServices quarantine events database under `~/Library/Preferences`, which `xattr -d` does not touch.\n\nOther metadata and artifacts may be found in the directories including, but not limited to, `~/Library/Preferences/`, `~/Library/Containers/\u003cAPP\u003e/Data/Library/Preferences`, 
`/Library/Preferences`, some of which is detailed below.\n\n`~/Library/Preferences/com.apple.sidebarlists.plist` contains a historical list of volumes attached. To clear it, use the command `/usr/libexec/PlistBuddy -c \"delete :systemitems:VolumesList\" ~/Library/Preferences/com.apple.sidebarlists.plist`.\n\n`/Library/Preferences/com.apple.Bluetooth.plist` contains Bluetooth metadata, including device history. If Bluetooth is not used, the metadata can be cleared with:\n\n```console\nsudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache\nsudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices\nsudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices\nsudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces\nsudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices\n```\n\n`/var/spool/cups` contains the CUPS printer job cache. To clear it, use the commands:\n\n```console\nsudo rm -rfv /var/spool/cups/c0*\nsudo rm -rfv /var/spool/cups/tmp/*\nsudo rm -rfv /var/spool/cups/cache/job.cache*\n```\n\nTo clear the list of iOS devices connected, use the following commands (the per-user plist is edited without `sudo` so that it stays owned by your user):\n\n```console\ndefaults delete ~/Library/Preferences/com.apple.iPod.plist \"conn:128:Last Connect\"\ndefaults delete ~/Library/Preferences/com.apple.iPod.plist Devices\nsudo defaults delete /Library/Preferences/com.apple.iPod.plist \"conn:128:Last Connect\"\nsudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices\nsudo rm -rfv /var/db/lockdown/*\n```\n\nNote that `/var/db/lockdown` holds the pairing records that let previously trusted iOS devices connect without prompting; removing them means each device will ask you to trust this computer again.\n\nQuicklook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. 
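
Returning to the `com.apple.quarantine` value shown with `xattr -l` earlier in this section: it is four semicolon-separated fields, the LaunchServices flags in hex, the download time as hex seconds since the Unix epoch, the name of the application that wrote the attribute, and a UUID keyed to a record in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2` (an SQLite database) that stores the download and referrer URLs. The following shell functions, an added example rather than code from this guide, decode the value and look up that record; the sample value is the one from the listing above.

```sh
#!/bin/sh
# Added example, not from the guide: decode a com.apple.quarantine value and
# look up the LaunchServices event record it points at.

# epoch_to_utc SECONDS: ISO-8601 UTC timestamp. Tries the BSD/macOS `date -r`
# form first and falls back to GNU date's `-d @`.
epoch_to_utc() {
  date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null ||
    date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ
}

# quarantine_field VALUE N: Nth semicolon-separated field (1-based).
quarantine_field() {
  printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# quarantine_epoch VALUE: the download time as decimal seconds since the epoch
# (field 2 is hex).
quarantine_epoch() {
  hex=$(quarantine_field "$1" 2)
  echo $(( 0x$hex ))
}

# decode_quarantine VALUE: human-readable summary of all four fields.
decode_quarantine() {
  ts=$(quarantine_epoch "$1")
  printf 'flags:      0x%s\n' "$(quarantine_field "$1" 1)"
  printf 'downloaded: %s (%s)\n' "$(epoch_to_utc "$ts")" "$ts"
  printf 'agent:      %s\n' "$(quarantine_field "$1" 3)"
  printf 'event uuid: %s\n' "$(quarantine_field "$1" 4)"
}

# quarantine_event UUID: print the agent, download URL and referrer recorded
# for this event. The record survives `xattr -d` on the file.
quarantine_event() {
  case $1 in
    '' | *[!0-9A-Fa-f-]*) echo "quarantine_event: not a UUID: $1" >&2; return 1 ;;
  esac
  db="$HOME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"
  [ -r "$db" ] || { echo "quarantine_event: no database at $db" >&2; return 1; }
  sqlite3 "$db" "SELECT LSQuarantineAgentName, LSQuarantineDataURLString,
                        LSQuarantineOriginURLString
                   FROM LSQuarantineEvent
                  WHERE LSQuarantineEventIdentifier = '$1';"
}

# The value from the xattr listing in this section, reused as sample input.
SAMPLE_QUARANTINE='0081;58519ffa;Google Chrome.app;1F032CAB-F5A1-4D92-84EB-CBECA971B7BC'

# Usage on a Mac:
#   decode_quarantine "$(xattr -p com.apple.quarantine ~/Downloads/file.dmg)"
#   quarantine_event 1F032CAB-F5A1-4D92-84EB-CBECA971B7BC
```

For the sample value the download time decodes to 14 December 2016, 19:39:38 UTC; if you clear the attribute for privacy reasons, clear the matching row in the events database as well, since otherwise the URL remains recoverable there.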
The thumbnail cache can be disabled altogether with `qlmanage -r disablecache`.\n\nIt can also be cleared by removing the files under the per-user cache directory reported by `getconf DARWIN_USER_CACHE_DIR`:\n\n```console\nrm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive\nrm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite\nrm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm\nrm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal\nrm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason\nrm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data\nrm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler\n```\n\nSimilarly, for the root user. Note that `getconf` must itself run as root here: the command substitution is expanded by your own shell before `sudo` runs, so a plain `sudo rm $(getconf ...)` would resolve to your cache directory rather than root's.\n\n```console\nsudo rm -rfv $(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive\nsudo rm -rfv $(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite\nsudo rm -rfv $(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm\nsudo rm -rfv $(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal\nsudo rm -rfv $(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason\nsudo rm -rfv $(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data\nsudo rm -rfv $(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler\n```\n\nAlso see ['quicklook' cache may leak encrypted data](https://objective-see.com/blog/blog_0x30.html).\n\nTo clear Finder preferences:\n\n```console\ndefaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions\ndefaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders\ndefaults delete ~/Library/Preferences/com.apple.finder.plist 
RecentMoveAndCopyDestinations\ndefaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches\ndefaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches\n```\n\nAdditional diagnostic files may be found in the following directories - but caution should be taken before removing any, as it may break logging (`/var/db/diagnostics` and `/var/db/uuidtext` are the unified log store) or cause other issues:\n\n```\n/var/db/CoreDuet/\n/var/db/diagnostics/\n/var/db/systemstats/\n/var/db/uuidtext/\n/var/log/DiagnosticMessages/\n```\n\nmacOS stores preferred Wi-Fi data (including credentials) in NVRAM. To clear it, use the following commands:\n\n```console\nsudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network\nsudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks\nsudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count\n```\n\nmacOS may collect sensitive information about what you type, even if the user dictionary and suggestions are off. To remove it, and prevent it from being created again, use the following commands:\n\n```console\nrm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*\nchmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions\nchflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions\n```\n\nQuickLook application support metadata can be cleared and locked with the following commands:\n\n```console\nrm -rfv \"$HOME/Library/Application Support/Quick Look\"/*\nchmod -R 000 \"$HOME/Library/Application Support/Quick Look\"\nchflags -R uchg \"$HOME/Library/Application Support/Quick Look\"\n```\n\nDocument revision metadata is stored in `/.DocumentRevisions-V100` and can be cleared and locked with the following commands - caution should be taken as this may break some core Apple applications:\n\n```console\nsudo rm -rfv /.DocumentRevisions-V100/*\nsudo chmod -R 000 /.DocumentRevisions-V100\nsudo chflags -R uchg /.DocumentRevisions-V100\n```\n\nSaved application state metadata may be 
cleared and locked with the following commands:\n\n```console\nrm -rfv ~/Library/Saved\\ Application\\ State/*\nrm -rfv ~/Library/Containers/\u003cAPPNAME\u003e/Data/Library/Saved\\ Application\\ State\nchmod -R 000 ~/Library/Saved\\ Application\\ State/\nchmod -R 000 ~/Library/Containers/\u003cAPPNAME\u003e/Data/Library/Saved\\ Application\\ State\nchflags -R uchg ~/Library/Saved\\ Application\\ State/\nchflags -R uchg ~/Library/Containers/\u003cAPPNAME\u003e/Data/Library/Saved\\ Application\\ State\n```\n\nAutosave metadata can be cleared and locked with the following commands:\n\n```console\nrm -rfv \"$HOME/Library/Containers/\u003cAPP\u003e/Data/Library/Autosave Information\"\nrm -rfv \"$HOME/Library/Autosave Information\"\nchmod -R 000 \"$HOME/Library/Containers/\u003cAPP\u003e/Data/Library/Autosave Information\"\nchmod -R 000 \"$HOME/Library/Autosave Information\"\nchflags -R uchg \"$HOME/Library/Containers/\u003cAPP\u003e/Data/Library/Autosave Information\"\nchflags -R uchg \"$HOME/Library/Autosave Information\"\n```\n\nThe Siri analytics database, which is created even if the Siri launch agent is disabled, can be cleared and locked with the following commands (an empty, immutable placeholder is left in place so it cannot be recreated):\n\n```console\nrm -fv ~/Library/Assistant/SiriAnalytics.db\ntouch ~/Library/Assistant/SiriAnalytics.db\nchmod 000 ~/Library/Assistant/SiriAnalytics.db\nchflags uchg ~/Library/Assistant/SiriAnalytics.db\n```\n\n`~/Library/Preferences/com.apple.iTunes.plist` contains iTunes metadata (on macOS versions before Catalina, which replaced iTunes with the Music app). 
Recent iTunes search data may be cleared with the following command:\n\n```console\ndefaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches\n```\n\nIf you do not use Apple Account-linked services, the following keys may be cleared, too, using the following commands:\n\n```console\ndefaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo\ndefaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID\n```\n\nAll media played in QuickTime Player can be found in:\n\n```console\n~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist\n```\n\nAdditional metadata may exist in the following files:\n\n```console\n~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist\n~/Library/Preferences/com.apple.commerce.plist\n~/Library/Preferences/com.apple.QuickTimePlayerX.plist\n```\n\n# Passwords\n\nGenerate strong passwords using [`urandom`](https://en.wikipedia.org/wiki//dev/random) and [`tr`](https://linux.die.net/man/1/tr). `LC_ALL=C` is needed because `tr` otherwise treats the random bytes as (often invalid) UTF-8 and aborts with \"Illegal byte sequence\" on macOS; the `[:graph:]` class gives 94 possible characters, so 20 characters is roughly 131 bits of entropy:\n\n```console\nLC_ALL=C tr -dc '[:graph:]' \u003c /dev/urandom | fold -w 20 | head -1\n```\n\nThe password assistant in **Keychain Access** can also generate secure credentials.\n\nConsider using [Diceware](https://secure.research.vt.edu/diceware/) for memorable passwords.\n\nGnuPG can also be used to manage passwords and other encrypted files (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh)).\n\nEnsure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. The strongest form of multi-factor authentication is [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) (hardware security keys or passkeys, which are bound to the site's origin and so resist phishing), followed by app-based (TOTP) authenticators; SMS-based codes are the weakest.\n\n[YubiKey](https://www.yubico.com/products/) is an affordable hardware token with WebAuthn support. 
It can also be used to store cryptographic keys for GnuPG encryption and SSH authentication - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide).\n\n# Backup\n\nEncrypt files locally before backing them up to external media or online services.\n\nIf your threat model allows it, you should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. Keep 3 copies: the original and two backups. Keep backups on 2 different media types, e.g. on a local drive and cloud storage. Store 1 copy offsite.\n\n[Time Machine](https://support.apple.com/104984) is the built-in tool for handling backups on macOS. Get an external drive or network drive to back up to and [encrypt](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) your backups.\n\nGnuPG can be used with a static password or a public key (with the private key stored on a [YubiKey](https://github.com/drduh/YubiKey-Guide)).\n\nCompress and encrypt a directory with a password:\n\n```console\ntar zcvf - ~/Downloads | gpg -c \u003e ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg\n```\n\nDecrypt and decompress the directory:\n\n```console\ngpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-*.tar.gz.gpg\n\ntar zxvf ~/Desktop/decrypted-backup.tar.gz\n```\n\nEncrypted volumes can also be created using **Disk Utility** or `hdiutil` (ask for AES-256 explicitly, as the default is AES-128, and specify a filesystem so the image is mountable):\n\n```console\nhdiutil create ~/Desktop/encrypted.dmg -encryption AES-256 -fs APFS -size 50M -volname \"secretStuff\"\n\nhdiutil mount ~/Desktop/encrypted.dmg\n\ncp -v ~/Documents/passwords.txt /Volumes/secretStuff\n\nhdiutil eject /Volumes/secretStuff\n```\n\nRemember that the decrypted tarball or the mounted volume is plaintext on disk while you work with it; remove the tarball and eject the volume when done.\n\nAdditional applications and services which offer backups include:\n\n* [Tresorit](https://www.tresorit.com)\n* [restic](https://restic.github.io)\n\n# Wi-Fi\n\nmacOS remembers access points it has connected to. 
Like all wireless devices, the Mac will broadcast all access point names it remembers (e.g., *MyHomeNetwork*) each time it looks for a network, such as when waking from sleep.\n\nThis is a privacy risk, so remove networks from the list in **System Settings** \u003e **Wi-Fi** \u003e **Advanced** (**System Preferences** \u003e **Network** \u003e **Advanced** on older versions) when they are no longer needed.\n\nAlso see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf).\n\nSaved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist`.\n\nYou can have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time.\n\nmacOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all.\n\nFinally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/), and WPA with TKIP is little better; connect only to **WPA2** (AES/CCMP) or, preferably, **WPA3** protected networks.\n\n# SSH\n\nFor outgoing SSH connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts in your client configuration and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) the known_hosts file for added privacy, since it otherwise lists every host you have connected to. 
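
As an added example (not from this guide or from drduh/config), the following shell functions audit both sides of the SSH advice in this section: they list the known_hosts entries that are still stored in clear text, read options out of an ssh_config or sshd_config, and report whether the server still accepts passwords, counting keyboard-interactive (PAM) logins as password authentication because on macOS that path accepts the account password too. The sample files at the end are constructed; `audit_ssh` runs the same checks against the real files on your Mac.

```sh
#!/bin/sh
# Added example, not from the guide: audit known_hosts hashing (client side)
# and password authentication (server side). Parsers take file contents as a
# string so they can run on the constructed samples below.

# unhashed_known_hosts CONTENT: print the host field of every entry stored in
# clear text. Hashed entries start with "|1|"; comments, blank lines and the
# @cert-authority / @revoked markers are skipped or stripped.
unhashed_known_hosts() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*(#|$)/   { next }
    /^@/             { sub(/^@[^ \t]+[ \t]+/, "") }
    $1 !~ /^[|]1[|]/ { print $1 }'
}

# ssh_option CONTENT KEY: value of KEY as OpenSSH reads it from ssh_config or
# sshd_config: keys are case-insensitive, "key value" and "key=value" are both
# accepted, and the first occurrence wins. Prints nothing when unset. Match
# blocks are not evaluated; feed it `sshd -T` output for the effective config.
ssh_option() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/ { next }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      split(line, kv, /[ \t=]+/)
      if (tolower(kv[1]) == key) { print kv[2]; exit }
    }'
}

# sshd_password_auth_enabled CONTENT: true unless PasswordAuthentication and
# keyboard-interactive authentication are both explicitly "no". OpenSSH
# defaults both to "yes", so an absent option counts as enabled.
sshd_password_auth_enabled() {
  pw=$(ssh_option "$1" PasswordAuthentication)
  kbd=$(ssh_option "$1" KbdInteractiveAuthentication)
  if [ -z "$kbd" ]; then
    kbd=$(ssh_option "$1" ChallengeResponseAuthentication)   # pre-8.7 name
  fi
  if [ "$pw" = no ] && [ "$kbd" = no ]; then
    return 1
  fi
  return 0
}

# audit_ssh: run the checks against this machine's files.
audit_ssh() {
  if [ -r "$HOME/.ssh/known_hosts" ]; then
    n=$(unhashed_known_hosts "$(cat "$HOME/.ssh/known_hosts")" | wc -l | tr -d ' ')
    echo "known_hosts: $n clear-text entries (hash them in place with: ssh-keygen -H)"
  fi
  if [ "$(ssh_option "$(cat "$HOME/.ssh/config" 2>/dev/null)" HashKnownHosts)" != yes ]; then
    echo 'ssh_config: HashKnownHosts is not set to yes'
  fi
  if command -v sshd >/dev/null 2>&1; then
    cfg=$(sudo sshd -T 2>/dev/null) || cfg=$(cat /etc/ssh/sshd_config)
    if sshd_password_auth_enabled "$cfg"; then
      echo 'sshd: password or keyboard-interactive logins are still accepted'
    fi
  fi
}

# Constructed samples (not real hosts or keys) for exercising the parsers.
SAMPLE_KNOWN_HOSTS='# constructed known_hosts
|1|AbCdEfGhIjKlMnOpQrStUvWxYz0=|0123456789abcdefghijklmnopq= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample1
git.example.org,203.0.113.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample2
[bastion.example.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExample3
@cert-authority *.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample4'

SAMPLE_SSHD_DEFAULT='# constructed sshd_config: password auth "off", PAM path left on
#PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes'

SAMPLE_SSHD_HARDENED='PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no'
```

Run `audit_ssh` after changing the configuration and again after `ssh-keygen -H`, which rewrites known_hosts with hashed entries (it leaves a `known_hosts.old` copy behind that should be removed).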
See [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config) for recommended client options.\n\nYou can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html) to send traffic through, similar to a VPN.\n\nFor example, to use Privoxy running on a remote host port 8118:\n\n```console\nssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld\n\nsudo networksetup -setwebproxy \"Wi-Fi\" 127.0.0.1 5555\n\nsudo networksetup -setsecurewebproxy \"Wi-Fi\" 127.0.0.1 5555\n```\n\nOr to use an ssh connection as a [SOCKS proxy](https://www.mikeash.com/ssh_socks.html):\n\n```console\nssh -NCD 3000 you@remote-host.tld\n```\n\nUnlike a VPN, a system proxy setting only affects applications that honour it; other traffic, and DNS lookups made by non-proxy-aware programs, still leave over the normal interface. Also remember to unset the proxy when the tunnel is closed.\n\nBy default, macOS does **not** have sshd or *Remote Login* enabled.\n\nTo enable sshd and allow incoming ssh connections:\n\n```console\nsudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist\n```\n\nOr use the **System Settings** \u003e **General** \u003e **Sharing** menu (**System Preferences** \u003e **Sharing** on older versions). The `launchctl load` form is considered legacy on current macOS; the Remote Login toggle, or the remote-login option of `systemsetup`, is the supported way.\n\nIf enabling sshd, be sure to disable password authentication and consider further [hardening](https://stribika.github.io/2015/01/04/secure-secure-shell.html) your configuration. On macOS, setting `PasswordAuthentication no` alone is not enough: the OpenSSH default leaves keyboard-interactive (PAM) authentication enabled, which still accepts the account password, so set `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older OpenSSH) as well. See [drduh/config/sshd_config](https://github.com/drduh/config/blob/master/sshd_config) for recommended options.\n\nConfirm whether sshd is running:\n\n```console\nsudo lsof -Pni TCP:22\n```\n\n# Physical access\n\nKeep your Mac physically secure at all times and do not leave it unattended in public.\n\nA skilled attacker with unsupervised physical access could install a [hardware keylogger](https://trmm.net/Thunderstrike_31c3) to record all of your keystrokes. 
Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult, as many off-the-shelf versions of this attack are designed to be plugged in between a USB keyboard and your computer.\n\nTo protect against physical theft during use, you can use a dead man's switch (anti-forensic) tool such as [BusKill](https://github.com/buskill/buskill-app) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (an updated usbkill with a graphical user interface). Both respond to USB events and can immediately shut down your computer if the device is physically separated from you or an unauthorized device is connected.\n\nConsider purchasing a privacy screen/filter for use in public.\n\n[Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering.\n\n# System monitoring\n\n## OpenBSM audit\n\nmacOS has a powerful OpenBSM (Basic Security Module) auditing capability. You can use it to monitor process execution, network activity, and much more. Note that Apple has deprecated OpenBSM since macOS 11 in favour of the Endpoint Security framework, and `auditd` is no longer started by default on recent releases, so check that auditing is actually running before relying on it.\n\nTo tail audit logs, use the `praudit` utility:\n\n```console\n$ sudo praudit -l /dev/auditpipe\nheader,201,11,execve(2),0,Thu Sep  1 12:00:00 2015, + 195 msec,exec arg,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,attribute,100755,root,wheel,16777220,986535,0,subject,drduh,root,wheel,root,wheel,412,100005,50511731,0.0.0.0,return,success,0,trailer,201,\nheader,88,11,connect(2),0,Thu Sep  1 12:00:00 2015, + 238 msec,argument,1,0x5,fd,socket-inet,2,443,173.194.74.104,subject,drduh,root,wheel,root,wheel,326,100005,50331650,0.0.0.0,return,failure : Operation now in progress,4354967105,trailer,88\nheader,111,11,OpenSSH login,0,Thu Sep  1 12:00:00 2015, + 16 msec,subject_ex,drduh,drduh,staff,drduh,staff,404,404,49271,::1,text,successful login drduh,return,success,0,trailer,111,\n```\n\nSee the manual pages for `audit`, `praudit`, `audit_control` and other files in `/etc/security`.\n\n**Note** although `man audit` says the `-s` flag will 
synchronize the audit configuration, it appears necessary to reboot for changes to take effect.\n\nSee articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information.\n\n## DTrace\n\n**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) interferes with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP.\n\n* `iosnoop` monitors disk I/O\n* `opensnoop` monitors file opens\n* `execsnoop` monitors execution of processes\n* `errinfo` monitors failed system calls\n* `dtruss` monitors all system calls\n\nSee `man -k dtrace` for more information.\n\n## Execution\n\n`ps -ef` lists information about all running processes.\n\nYou can also view processes with **Activity Monitor**.\n\n`launchctl list` and `sudo launchctl list` list loaded and running user and system launch daemons and agents.\n\n## Network\n\nList open network files:\n\n```console\nsudo lsof -Pni\n```\n\nList contents of various network-related data structures:\n\n```console\nsudo netstat -atln\n```\n\n[Wireshark](https://www.wireshark.org/) can be used from the command line with `tshark`.\n\nMonitor DNS queries and replies:\n\n```console\ntshark -Y \"dns.flags.response == 1\" -Tfields \\\n  -e frame.time_delta \\\n  -e dns.qry.name \\\n  -e dns.a \\\n  -Eseparator=,\n```\n\nMonitor HTTP requests and responses:\n\n```console\ntshark -Y \"http.request or http.response\" -Tfields \\\n  -e ip.dst \\\n  -e http.request.full_uri \\\n  -e http.request.method \\\n  -e http.response.code \\\n  -e http.response.phrase \\\n  -Eseparator=/s\n```\n\nMonitor x509 (SSL/TLS) certificates:\n\n```console\ntshark -Y \"ssl.handshake.certificate\" -Tfields \\\n  -e ip.src \\\n  -e x509sat.uTF8String \\\n  -e x509sat.printableString \\\n 
 -e x509sat.universalString \\\n  -e x509sat.IA5String \\\n  -e x509sat.teletexString \\\n  -Eseparator=/s -Equote=d\n```\n\n# Binary authorization\n\n[google/santa](https://github.com/google/santa/) is security software developed for Google's corporate Macintosh fleet and released as open source.\n\n\u003e Santa is a binary and file access authorization system for macOS. It consists of a system extension that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.\n\nSanta uses the [Kernel Authorization API](https://developer.apple.com/library/content/technotes/tn2127/_index.html) to monitor and allow/disallow binaries from executing in the kernel. Binaries can be white- or black-listed by unique hash or signing developer certificate. Santa can be used to only allow trusted code execution, or to blacklist known malware from executing on a Mac, similar to Bit9 software for Windows.\n\n**Note** Santa does not currently have a graphical user interface for managing rules. 
The following instructions are for advanced users only!\n\nTo install Santa, visit the [Releases](https://github.com/google/santa/releases) page and download the latest disk image, then mount it and install the contained package:\n\n```console\nhdiutil mount ~/Downloads/santa-0.9.20.dmg\n\nsudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt /\n```\n\nBy default, Santa installs in \"Monitor\" mode (meaning nothing gets blocked, only logged) and comes with two rules: one for Apple binaries and another for Santa software itself.\n\nVerify Santa is running and its kernel module is loaded:\n\n```console\n$ santactl status\n\u003e\u003e\u003e Daemon Info\n  Mode                   | Monitor\n  File Logging           | No\n  Watchdog CPU Events    | 0  (Peak: 0.00%)\n  Watchdog RAM Events    | 0  (Peak: 0.00MB)\n\u003e\u003e\u003e Kernel Info\n  Kernel cache count     | 0\n\u003e\u003e\u003e Database Info\n  Binary Rules           | 0\n  Certificate Rules      | 2\n  Events Pending Upload  | 0\n\n$ ps -ef | grep \"[s]anta\"\n    0   786     1   0 10:01AM ??         
0:00.39 /Library/Extensions/santa-driver.kext/Contents/MacOS/santad --syslog\n\n$ kextstat | grep santa\n  119    0 0xffffff7f822ff000 0x6000     0x6000     com.google.santa-driver (0.9.14) 693D8E4D-3161-30E0-B83D-66A273CAE026 \u003c5 4 3 1\u003e\n```\n\nCreate a blacklist rule to prevent iTunes from executing:\n\n```console\n$ sudo santactl rule --blacklist --path /Applications/iTunes.app/\nAdded rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3.\n```\n\nTry to launch iTunes - it will be blocked.\n\n```console\n$ open /Applications/iTunes.app/\nLSOpenURLsWithRole() failed with error -10810 for the file /Applications/iTunes.app.\n```\n\n\u003cimg width=\"450\" alt=\"Santa block dialog when attempting to run a blacklisted program\" src=\"https://cloud.githubusercontent.com/assets/12475110/21062284/14ddde88-be1e-11e6-8e9b-32f8a44c0cf6.png\"\u003e\n\nTo remove the rule:\n\n```console\n$ sudo santactl rule --remove --path /Applications/iTunes.app/\nRemoved rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3.\n```\n\nOpen iTunes:\n\n```console\n$ open /Applications/iTunes.app/\n[iTunes will open successfully]\n```\n\nCreate a new example C program:\n\n```console\n$ cat \u003c\u003cEOF \u003e foo.c\n\u003e #include \u003cstdio.h\u003e\n\u003e int main(void) { printf(\"Hello World\\n\"); return 0; }\n\u003e EOF\n```\n\nCompile the program with GCC (requires installation of Xcode or command-line tools):\n\n```console\n$ gcc -o foo foo.c\n\n$ file foo\nfoo: Mach-O 64-bit executable x86_64\n\n$ codesign -d foo\nfoo: code object is not signed at all\n```\n\nRun it:\n\n```console\n$ ./foo\nHello World\n```\n\nToggle Santa into \"Lockdown\" mode, which only allows authorized binaries to run:\n\n```console\n$ sudo defaults write /var/db/santa/config.plist ClientMode -int 2\n```\n\nTry to run the unsigned binary:\n\n```console\n$ ./foo\nbash: ./foo: Operation not permitted\n\nSanta\n\nThe following application has been blocked from 
executing\nbecause its trustworthiness cannot be determined.\n\nPath:       /Users/demouser/foo\nIdentifier: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed\nParent:     bash (701)\n```\n\nTo authorize a binary, determine its SHA-256 sum:\n\n```console\n$ santactl fileinfo /Users/demouser/foo\nPath                 : /Users/demouser/foo\nSHA-256              : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed\nSHA-1                : 4506f3a8c0a5abe4cacb98e6267549a4d8734d82\nType                 : Executable (x86-64)\nCode-signed          : No\nRule                 : Blacklisted (Unknown)\n```\n\nAdd a new rule:\n\n```console\n$ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed\nAdded rule for SHA-256: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed.\n```\n\nRun it:\n\n```console\n$ ./foo\nHello World\n```\n\nIt's allowed and works!\n\nApplications can also be allowed by developer certificate. 
For example, download and run Google Chrome - it will be blocked by Santa in \"Lockdown\" mode:\n\n```console\n$ curl -sO https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg\n\n$ hdiutil mount googlechrome.dmg\n\n$ cp -r /Volumes/Google\\ Chrome/Google\\ Chrome.app /Applications/\n\n$ open /Applications/Google\\ Chrome.app/\nLSOpenURLsWithRole() failed with error -10810 for the file /Applications/Google Chrome.app.\n```\n\nAuthorize the application by the developer certificate (first item in the Signing Chain):\n\n```console\n$ santactl fileinfo /Applications/Google\\ Chrome.app/\nPath                 : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome\nSHA-256              : 0eb08224d427fb1d87d2276d911bbb6c4326ec9f74448a4d9a3cfce0c3413810\nSHA-1                : 9213cbc7dfaaf7580f3936a915faa56d40479f6a\nBundle Name          : Google Chrome\nBundle Version       : 2883.87\nBundle Version Str   : 55.0.2883.87\nType                 : Executable (x86-64)\nCode-signed          : Yes\nRule                 : Blacklisted (Unknown)\nSigning Chain:\n     1. SHA-256             : 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153\n        SHA-1               : 85cee8254216185620ddc8851c7a9fc4dfe120ef\n        Common Name         : Developer ID Application: Google Inc.\n        Organization        : Google Inc.\n        Organizational Unit : EQHXZ8M8AV\n        Valid From          : 2012/04/26 07:10:10 -0700\n        Valid Until         : 2017/04/27 07:10:10 -0700\n\n     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f\n        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186\n        Common Name         : Developer ID Certification Authority\n        Organization        : Apple Inc.\n        Organizational Unit : Apple Certification Authority\n        Valid From          : 2012/02/01 14:12:15 -0800\n        Valid Until         : 2027/02/01 14:12:15 -0800\n\n     3. 
SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024\n        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60\n        Common Name         : Apple Root CA\n        Organization        : Apple Inc.\n        Organizational Unit : Apple Certification Authority\n        Valid From          : 2006/04/25 14:40:36 -0700\n        Valid Until         : 2035/02/09 13:40:36 -0800\n```\n\nIn this case, `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153` is the SHA-256 of Google’s Apple developer certificate (team ID EQHXZ8M8AV) - authorize it:\n\n```console\n$ sudo santactl rule --whitelist --certificate --sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153\nAdded rule for SHA-256: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153.\n```\n\nGoogle Chrome should now launch, and subsequent updates to the application will continue to work as long as the code signing certificate doesn’t change or expire.\n\nTo disable \"Lockdown\" mode:\n\n```console\nsudo defaults delete /var/db/santa/config.plist ClientMode\n```\n\nSee `/var/log/santa.log` to monitor ALLOW and DENY execution decisions.\n\nA log and configuration server for Santa is available in [Zentral](https://github.com/zentralopensource/zentral), an open source event monitoring solution and TLS server for osquery and Santa.\n\nZentral will support Santa in both MONITORING and LOCKDOWN operation modes. Clients need to be enrolled over a TLS connection to sync Santa rules; all Santa events from endpoints are aggregated and logged back in Zentral. Santa events can trigger actions and notifications from within the Zentral Framework.\n\n**Note** Python, Bash and other interpreters are authorized (since they are signed by Apple's developer certificate), so Santa will not be able to block such scripts from executing. 
Thus, a script (a non-binary program) that disables Santa is a weakness to take note of (not a vulnerability, since this behaviour is by design).\n\n# Miscellaneous\n\nDisable [Diagnostics \u0026 Usage Data](https://support.apple.com/guide/mac-help/share-analytics-information-mac-apple-mh27990).\n\nIf you want to play **music** or watch **videos**, use QuickTime Player, the built-in media player in macOS. It uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox), [Hardened Runtime](https://developer.apple.com/documentation/xcode/configuring-the-hardened-runtime), and benefits from the [Signed System Volume](https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web) as part of the base system.\n\nIf you want to use **torrents**, use [Transmission](https://transmissionbt.com/download/), which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). 
You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662).\n\nManage [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597).\n\nMonitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands.\n\nSet your screen to lock as soon as the screensaver starts:\n\n```console\ndefaults write com.apple.screensaver askForPassword -int 1\n\ndefaults write com.apple.screensaver askForPasswordDelay -int 0\n```\n\nExpose hidden files and Library folder in Finder:\n\n```console\ndefaults write com.apple.finder AppleShowAllFiles -bool true\n\nchflags nohidden ~/Library\n```\n\nShow all filename extensions (so that \"Evil.jpg.app\" cannot masquerade easily).\n\n```console\ndefaults write NSGlobalDomain AppleShowAllExtensions -bool true\n```\n\nDon't default to saving documents to iCloud:\n\n```console\ndefaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false\n```\n\nEnable [Secure Keyboard Entry](https://support.apple.com/guide/terminal/use-secure-keyboard-entry-trml109) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secure-input)).\n\nDisable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple):\n\n```console\ndefaults write com.apple.CrashReporter DialogType none\n```\n\nDisable Bonjour multicast advertisements:\n\n**Warning:** This will cause problems with AirPlay and AirPrint!\n\n```console\nsudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES\n```\n\n[Disable 
Handoff](https://support.apple.com/guide/mac-help/change-airdrop-handoff-settings-mchl6a407f99) and [Bluetooth](https://support.apple.com/guide/mac-help/turn-bluetooth-on-or-off-blth1008) features, if they aren't necessary.\n\nCheck that your apps are sandboxed in [Activity Monitor](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox#4098972).\n\nmacOS comes with this line in `/etc/sudoers`:\n\n```console\nDefaults env_keep += \"HOME MAIL\"\n```\n\nThis stops sudo from changing the HOME variable when you elevate privileges. This means that when you run \"sudo zsh\", the zsh dotfiles in the non-root user's home directory are executed as root. It is advisable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root.\n\nIf you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.zshrc, e.g.:\n\n```console\nexport HOME=/Users/blah\n```\n\nSet a [custom umask](https://support.apple.com/101914):\n\n```console\nsudo launchctl config user umask 077\n```\n\nReboot, create a file in Finder and verify its permissions (macOS default allows 'group/other' read access):\n\n```console\n$ ls -ld umask*\ndrwx------  2 kevin  staff       64 Dec  4 12:27 umask_testing_dir\n-rw-------@ 1 kevin  staff  2026566 Dec  4 12:28 umask_testing_file\n```\n\n# Related software\n\n* [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool that assists with compliance testing and system hardening.\n* [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for Santa and osquery. Runs audits and probes on inventory, events and logfiles, combined with point-in-time alerting. 
A full framework and Django web server built on top of the Elastic Stack (formerly known as the ELK stack).\n* [osquery](https://github.com/osquery/osquery) - Can be used to retrieve low-level system information. Users can write SQL queries to retrieve system information.\n\n# Additional resources\n\n* [Apple Open Source](https://opensource.apple.com/)\n* [CIS Benchmarks](https://www.cisecurity.org/benchmark/apple_os/)\n* [EFF Surveillance Self-Defense Guide](https://ssd.eff.org/)\n* [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d)\n* [Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html)\n* [Reverse Engineering macOS blog](https://reverse.put.as/)\n* [Reverse Engineering Resources](http://samdmarshall.com/re.html)\n* [The macOS Phishing Easy Button: AppleScript Dangers](https://duo.com/blog/the-macos-phishing-easy-button-applescript-dangers)\n* [iCloud security and privacy overview](https://support.apple.com/102651)\n","funding_links":["https://github.com/sponsors/drduh"],"categories":["Others","Misc","Guides","miscellaneous","Python","Uncategorized","Python (1887)","其他","macOS-based defenses","apple","Personal Security and Checklists","Security","macOS"],"sub_categories":["Uncategorized","网络服务_其他","Overlay and Virtual Private Networks (VPNs)","Secure OSes","Misc"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrduh%2FmacOS-Security-and-Privacy-Guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdrduh%2FmacOS-Security-and-Privacy-Guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrduh%2FmacOS-Security-and-Privacy-Guide/lists"}