[HN Gopher] Hardening macOS (2018)
___________________________________________________________________
Hardening macOS (2018)
Author : nomoreplease
Score : 111 points
Date : 2021-05-06 19:05 UTC (3 hours ago)
(HTM) web link (blog.bejarano.io)
(TXT) w3m dump (blog.bejarano.io)
| fnord77 wrote:
| that's a lot of work. How about some sort of script to do all
| this?
| memco wrote:
| Here's a somewhat dated example of such a setup:
| https://github.com/memco/dotfiles. Basically, you just need the
| install.sh if all you care about is macOS preferences, but you
| can also add in something like the brewfile so that you can
| also install your apps. My brewfile leverages MAS so that I can
| install stuff from the app store in addition to what's
| available via brew. I haven't automated app preferences, but
| macOS and apps are just a clone, `./install.sh && brew bundle
| --file Brewfile` away.
| [deleted]
| ttul wrote:
| Frankly, if all you do is create a separate administrator user,
| leaving your day to day account as standard, and enable disk
| encryption, you're going to be so much more secure than the
| default target.
|
| Encryption is super important because it secures your data in
| case your machine is stolen. There is an active market for
| identity data from stolen hard disks; don't be that victim. It
| sucks.
| kccqzy wrote:
| I've done this for several years now. I also value this
| approach for psychological reasons: whenever you do need to
| perform some sysadmin action, you invariably need to type the
| password for the admin account rather than your usual login or
| unlock password. This different password is enough to make me
| pause and think whether this administrative action is really
| worth doing.
| dmix wrote:
| > Encryption is super important because it secures your data in
| case your machine is stolen.
|
| If your machine is stolen and off*
|
| I always turn my computer(s) and phone off before entering
| airports and other similar areas. They can ask me before
| Cellebriting them.
|
| Not that I've ever done anything wrong, it's just for the
| ethics of it all. Privacy is critically important.
| burlesona wrote:
| Also, I've witnessed first hand someone come into a cafe
| where I was working, walk up to another person who was on
| their laptop, snatch the open laptop as the person was typing
| on it, and bolt out into a waiting getaway car. That laptop
| was fully open and logged into everything.
|
| This is obviously a rare case but it just goes to show that
| you can have pretty darn good security and there are still
| attack vectors that you won't be hardened against.
| codetrotter wrote:
| I've been thinking it'd be neat to have a program running
| that watches the web camera continuously and if you look
| away from the screen then it locks the computer after 1
| minute. And if you disappear from the image it locks it
| immediately.
|
| This would also immediately lock the computer in the case
| of someone snatching it from you, even though the main use
| case I had in mind is just for falling asleep and for
| leaving the room.
|
| Dunno if it'd drain too much battery. Also having the
| camera active indicator led glow all the time would be
| annoying. And it would also mean that you unfortunately no
| longer know if other software on your computer is recording
| your face while you are sitting there.
| ccheney wrote:
| Perhaps tie into bluetooth instead. If your Watch or
| iPhone goes out of range, lock the machine.
| 0x6A75616E wrote:
| BetterTouchTool has a "Bluetooth LE device moved away"..
| Maybe that can detect Apple Watch moving away, and then
| lock or even shut down the computer..
|
| EDIT: Confirmed. This works. In a few minutes, I was able
| to set it up so that if my watch moves about a meter away
| from the mac, it'll lock the screen. It supports any
| Bluetooth LE device.
| poorman wrote:
| Perhaps an accelerometer for when it's snatched quickly.
| toxik wrote:
| Should actually be pretty easy to implement
| finnh wrote:
| Unlox app does this - its primary feature is to use
| FaceID on an iPhone to unlock a mac, but it also has an
| AutoLock feature if said phone goes out of bluetooth
| range. The signal level threshold is configurable so you
| can keep it on a pretty short leash.
|
| (no relation, just a happy customer)
| cdubzzz wrote:
| That is intriguing -- but I don't love the "enter your
| computer password in the app" part. Can it be configured
| to _not_ do that -- i.e. only do the "AutoLock" part?
| kgermino wrote:
| I believe windows has/had a setting where you could
| automatically log out if a bluetooth device was
| disconnected. I'm not sure how hard it'd be to do
| something like that on a Mac but maybe I should look into
| it. I think "if my watch disappears, lock the screen"
| would be simple enough.
| gotstad wrote:
| It has this setting and defaults to using your phone as
| the proximity device. Not sure why else I should BT pair
| my phone with my PC.
| bombcar wrote:
| I was thinking something tied to the accelerometer - I know
| laptops used to have those when they had spinning disk.
| Sudden movement locks the screen.
| xvector wrote:
| When I was in college, someone did this with my phone.
| Luckily, they gave it back a minute later - perhaps because
| I made a ruckus, and perhaps because they felt bad about
| robbing a student, who knows.
|
| Still, it made me pretty uncomfortable using devices in
| public after that. For all the effort we put into
| cybersecurity, our measures are trivially defeated by a
| common thug. Even YubiKeys securing all your accounts
| wouldn't do much to protect you from this.
| acdha wrote:
| > If your machine is stolen and off*
|
| Locked. macOS has used the IOMMU to block access to RAM from
| external devices for many years and on the newer Macs you'd
| need to compromise the T2 as well.
| outime wrote:
| >Not that I've ever done anything wrong, ...
|
| When you see that people need to write this disclaimer even
| on this website it feels like the privacy ship has long
| sailed.
| ilikepi wrote:
| >> Encryption is super important because it secures your data
| in case your machine is stolen.
|
| > If your machine is stolen and off*
|
| It's possible to configure macOS to wipe FileVault keys from
| memory when transitioning to a hibernation state. Assuming
| this works as designed, it might help in a snatch-and-grab
| situation if the thief closed the lid of the laptop. I would
| assume competent LEAs would take measures to keep their
| target's machine awake however.
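The three settings argued for above (FileVault on, a standard day-to-day account with a separate admin user, and FileVault keys destroyed on standby) can be audited from one script. This is an added example, not code from the thread or from Apple; the tool names `pmset -g`, `fdesetup status` and `dsmemberutil checkmembership`, their output strings, and the `hibernatemode 25` companion setting are assumptions, and the sample `pmset -g` text is constructed.

```python
"""Audit the settings this thread recommends: FileVault on, the day-to-day
account outside the admin group, and FileVault keys destroyed on standby.
Added example, not code from the page or from Apple. The parsers run on
captured text so they can be tested offline; collect_macos() shells out
to the assumed macOS tools pmset, fdesetup and dsmemberutil."""
import getpass
import re
import subprocess

# Constructed samples of `pmset -g` output (real output has more rows).
SAMPLE_PMSET_WEAK = """System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 sleep                1
"""
SAMPLE_PMSET_HARDENED = """System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 sleep                1
"""


def parse_pmset(text):
    """Map `pmset -g` rows ('<space>Name<spaces>Value') to {name_lower: value}.
    Header lines have no leading space and are skipped; multi-word names
    such as 'Sleep On Power Button' are ignored (not needed here)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def filevault_enabled(fdesetup_text):
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'."""
    return "FileVault is On" in fdesetup_text


def audit(pmset_text, fdesetup_text, user_is_admin):
    """Return a list of findings; an empty list means all checks pass."""
    findings = []
    if not filevault_enabled(fdesetup_text):
        findings.append("FileVault is off: data on a stolen machine is readable")
    if user_is_admin:
        findings.append("login account is in the admin group: use a separate admin user")
    s = parse_pmset(pmset_text)
    if s.get("destroyfvkeyonstandby") != "1":
        findings.append("DestroyFVKeyOnStandby is not 1: FileVault key stays in RAM on standby")
    if s.get("hibernatemode") != "25":
        # Assumption: mode 25 (hibernate, RAM powered off) is the companion setting.
        findings.append("hibernatemode is not 25: RAM stays powered while the lid is closed")
    return findings


def run(*cmd):
    """Capture stdout of a command; only meaningful on a Mac."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def collect_macos():
    """Gather live inputs (assumed command names and output strings)."""
    pm = run("pmset", "-g")
    fv = run("fdesetup", "status")
    member = run("dsmemberutil", "checkmembership", "-U", getpass.getuser(), "-G", "admin")
    return pm, fv, "is a member" in member


if __name__ == "__main__":
    for finding in audit(*collect_macos()):
        print("WARN:", finding)
```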
| KLVTZ wrote:
| Somewhat related:
|
| I always find myself clearing the drive in order to install the
| latest macOS. Perhaps psychological, but it always gives me a
| fresh starting point that is benefited by an implicit boost in
| performance. While it does require some time for setup, and much
| of what I do is manual, I never regret it --almost like spring
| cleaning.
| mulmen wrote:
| Maybe I am getting old but I find "starting fresh" to be
| extremely expensive. I recently had to do this with my work
| MacBook which cannot restore from Time Machine for... reasons.
|
| I don't know what settings I changed six months or a year or
| four years ago. I just know that my mouse should scroll that
| way, not this way. Time Machine makes sure these settings
| persist between disasters so I don't generally try to track
| them. Historically upgrades maintained the settings where they
| make sense. Over time my environment adapted to my preference.
|
| But with the recent more drastic changes in Big Sur (and my
| fresh start) I find myself constantly having to re-learn really
| basic things like how to manage notifications. What used to be
| one click is three, or gestures that used to do one thing (drag
| right to dismiss) now do something unexpected (dismiss _all_
| notifications for an app). I don't know how much of this is a
| setting and how much is just new behavior.
|
| It has been an infuriating experience. I don't even know how to
| use my computer and I feel powerless. I also have very little
| motivation to learn the "new" way because I know it will just
| change again in a year. So the time I invest now will be
| wasted.
|
| It's extremely demoralizing. One of the hardest things I do
| during the day is try to navigate my desktop environment. I
| have an adversarial relationship with my MacBook. There's very
| little cognitive energy left to do my actual job. I don't feel
| like it is improving, my computer is just in my way.
| Pokepokalypse wrote:
| I used to do this on a weekly basis with my Windows desktops
| (95, 98, NT, XP, and 7 was the last one I bothered with). I
| used various tools to automate this process, (nLite was a
| good one), and wrote scripts to perform application setup
| (back in the bad old days before chocolatey).
|
| This had huge benefits in terms of maintaining a very
| performant Windows desktop.
|
| Then, I also baked-in my security configurations with another
| set of scripts. So it was always in a consistent
| configuration, (even if I had to "temporarily" disable
| something that was blocking me or broke something, I could
| always return to my "known-good-configuration").
|
| I've also done the same with my linux systems.
|
| Mac OS X has always been curiously resistant to full
| automation, however. I know some people have done it; but
| there's something about this ecosystem that makes it very
| difficult; and I kind of think that's by-design, (to thwart
| the hackintosh people).
|
| I think it would be extremely valuable to be able to do this
| on Mac OS X; because customizing the OS is central to being
| able to get a good productive user-experience (especially for
| power-users), and I'm often stymied trying to accomplish this
| in a repeatable manner, on Mac OS X.
| hesk wrote:
| I can relate. I went through a clean install recently because
| my last was about 5 years ago and I wanted to start fresh
| instead of installing from a Time Machine backup.
|
| I had a checklist from last time in my notes and remembered
| that it only took a few hours and then the system was set.
|
| This time it took much longer. Maybe because I went from
| Mojave to Big Sur in one go.
|
| So now I've started a small project where I automate as much
| as possible, using defaults and/or Plistbuddy to edit macOS
| configuration settings, install dotfiles using GNU stow,
| profiles for network settings, and just copying files around.
| D13Fd wrote:
| Honestly that is kind of weird.
|
| I just re-imaged my Macbook Pro laptop this week, to
| completely remove some super invasive exam-taking software
| that I had to install for a licensing exam.
|
| The whole thing was very painless. I keep all of my data in
| one folder. I copied that folder, and copied some preferences
| for apps that don't sync to a folder (e.g., VS Code) to an
| external SSD.
|
| I booted into recovery mode, wiped the disk, and re-installed
| Mac OS. Then I copied my folder back and re-did my settings.
|
| The whole thing took a couple of hours, although a lot of
| that was babysitting the installs etc. while doing other
| things. I definitely wouldn't put it into the "extremely
| expensive" bucket in terms of time spent.
| mulmen wrote:
| The expense comes in having to re-learn basic actions or go
| find a setting. My job takes longer to perform now because
| I have to stop and re-learn simple things that used to be
| instinctive, such as dismissing notifications and looking
| at icons or changing the direction my mouse scrolls.
| fossuser wrote:
| This is very 'unhacker' advice, but I generally learn to
| love defaults.
|
| I also think a lot about sane defaults when working
| on/deploying software to customers myself. I choose what
| systems to use in part based on how good the defaults
| are.
|
| The closer you are to accepting defaults the easier your
| life is. Obviously there are exceptions, but things like
| mouse scroll direction? Just learn to love the new one.
| Jiocus wrote:
| "The wise warrior avoids the battle." - Sun Tzu
|
| Sounds hacker to me.
| glhaynes wrote:
| Some other advantages:
|
| - Things might be less likely to break. Certainly the
| default settings are the most likely to have a test case
| associated with them. How likely is it that there's a
| test case around the unique combination of the 35
| parameters you've configured that are relevant to the
| particular operation you're attempting?
|
| - It may be better. A number of times I've heard of some
| odd default and thought "that's obviously wrong" but
| given it a chance and learned to like it. Definitely
| change things that really are important to you, but
| vendors often put a lot of effort into making good
| defaults.
|
| - If you're a developer, a less configured system is more
| likely to be similar to what an average user uses, giving
| you a more similar experience to them.
| mulmen wrote:
| I guess I didn't explain myself well. "Starting fresh"
| can mean two things.
|
| 1) Adapting to a new system that has changes outside your
| control. This is the case of a major version update in
| MacOS.
|
| 2) Reverting to default settings and re-configuring the
| environment.
|
| In the case of 1 I am disrupted because I have to learn
| new ways to do what I could already do before.
|
| In the case of 2 I am disrupted because I have to repeat
| configuration I already performed.
|
| The context of this thread is choosing 2 on a regular
| basis just for the sake of doing it. By choosing to
| always accept defaults you are effectively maintaining a
| stable system, which is the opposite of what the second
| situation advocates.
| fossuser wrote:
| 1 is just the cost of living in a world that isn't
| static.
|
| 2 is what I'm suggesting to mostly avoid if you can.
| mulmen wrote:
| I'm sorry, I guess I am just missing the point you are
| trying to make.
| Pokepokalypse wrote:
| >This is very 'unhacker' advice, but I generally learn to
| love defaults
|
| There's a lot of wisdom in this advice: the more time you
| spend messing with settings to customize the UX; the less
| repeatable this configuration is, and the harder it is to
| get a new system back up and running.
|
| Also: what's "hacker" is working on many many different
| systems, and being able to at least minimally adapt to
| each different system's set of defaults, so you can
| remain productive. (and for me, this means absolutely
| forgetting all about one platform's take on hot-keys,
| shortcuts, and setting up aliases).
|
| Mouse-scroll direction? I can't abide the "reverse"
| (scroll down to go up), and that's one thing I'm not ever
| going to let slide on a new system.
| [deleted]
| jorl17 wrote:
| I have churned through three macs since 2012 and have never
| once installed fresh. Time machine has helped me move between
| them. At one point I had to temporarily move back to an old
| one while the other one was being fixed, and I did the exact
| same thing (I experienced some hiccups with brew packages
| that were no longer compatible due to missing CPU
| optimizations on the old mac).
|
| I periodically clean my mac, though. Remove stale
| configuration files, cleanup apps, etc. I also have a bunch
| of stuff written down, as well as scripts, to help with
| installing new macs (to help my friends reinstall theirs).
|
| I'm very nitpicky about configurations and apps. I've got
| dozens of apps and micro-apps I use, which are very modified.
| These include the typical BetterTouchTool, Alfred,
| Amphetamine, but also smaller apps like Audio Balance. My
| terminal is heavily customized, both in terms of iTerm 2
| settings, but also in terms of my zsh config, custom
| commands, etc.
|
| I'm sure I'd be able to re-create my environment within days,
| but these would be very rough days....and time machine just
| works! I don't need anything else.
| dnh44 wrote:
| With Big Sur I finally did my first fresh install of macOS
| since Jaguar (10.2). It took me an entire weekend and while
| it's nice to have a clean out I think I'll just do a time
| machine restore when I finally get an M1 Mac.
| bayindirh wrote:
| > Maybe I am getting old but I find "starting fresh" to be
| extremely expensive.
|
| I used to think like that, then I got a new mirrorless
| camera, which has a ton of settings with a menu which it
| feels like an open world. Then, I stopped worrying about
| setting things the way exactly I want. Instead, I started to
| change things I dislike.
|
| This brings two advantages from my point of view. First, it
| doesn't feel overwhelming; two, it's really a smooth way of
| learning new things or relearning things in _the new way_.
|
| I also run a micro server on a SBC. I got fed up with the Ubuntu
| installation running on it and decided to migrate to Debian.
| I got two-three essential files (basically fstab, dnsmasq
| config files), and nuked the card. It was running in less
| than 15 minutes. I made a lot of small changes after that,
| but it was much smoother and nicer. Since I was not in a
| rush, I made the changes calmly and enthusiastically. Now,
| that thing works 10x better than Ubuntu.
|
| No need to rush, just solve a single thing in one go, and you
| won't believe how far you can go in very short time.
|
| Of course, this is my two cents and YMMV.
| mulmen wrote:
| Ok but it sounds like your new camera is actually better.
| My new MacOS is just the same, or slightly worse. The
| changes in Big Sur don't solve any problems I actually
| have. Notifications are just more fiddly. Common actions
| are no longer prominently available, they are hidden behind
| hovers and tiny buttons, or simply gone. The interface uses
| more space and provides less information.
| bayindirh wrote:
| Strange. I'm using macOS for ~12 years now and Big Sur is
| not worse for me.
|
| I'm not trying to say you're wrong. On the contrary,
| since I don't use macOS that deeply (I'm a Linux guy
| mainly), not feeling the change for worse is intriguing
| for me.
| Pokepokalypse wrote:
| >Notifications are just more fiddly.
|
| OMG - I hate the new notifications. Dismissing them is a
| very expensive task. Almost makes me want to disable
| notifications altogether.
| mtmail wrote:
| I keep a file listing software I installed and my usual
| settings I need to set. Some 30 packages, including UI tools.
| The homebrew package installer supports a 'Brewfile' which will
| install everything in one step.
| https://thoughtbot.com/blog/brewfile-a-gemfile-but-for-homeb...
| [deleted]
| mixmastamyk wrote:
| Got a newer Mac from work and upgraded it to Big Sur--Big
| mistake. If I hadn't installed Little Snitch from a
| recommendation here I'd have not known it runs _dozens_ of chatty
| network services by default with no way to disable them. Many
| communicating and uploading metrics to services like icloud and
| local bonjour, whether you use them or not.
|
| Not only that, but with the system volume being read only, there
| is no obvious way to disable them from running without defeating
| other security. Any tips to disable these easily on the latest
| OS?
|
| All in all for company that touts privacy, I found it all a bit
| shocking really.
| Klonoar wrote:
| Much of what you're attributing to Big Sur existed in Catalina.
| smoldesu wrote:
| That's always been one of my biggest gripes with Apple. Their
| security theater was particularly convincing for a while, but
| in recent years it's been going downhill, hard. The T2 chip was
| dedicated hardware for a prng generator, the "secure enclave"
| is based on technology that has been cracked for years, and
| their team actively ignores security researchers who report
| vulnerabilities to them. It's definitely one of the deciding
| factors keeping me on Linux.
| aaomidi wrote:
| This is how the OCSP standard works.
|
| It needs to be chatty.
| sneak wrote:
| The OS is extremely chatty even without OCSP.
| sneak wrote:
| Here's documentation of all of the stuff it talks to, if
| anyone's curious:
|
| https://sneak.berlin/20210202/macos-11.2-network-privacy/
|
| (pcaps linked in the post, too.)
| satysin wrote:
| Discussion from the last time this was posted in 2018 -
| https://news.ycombinator.com/item?id=18099835
|
| Also the macOS Security and Privacy Guide may be of interest
|
| https://github.com/drduh/macOS-Security-and-Privacy-Guide
|
| as discussed on HN last year
| https://news.ycombinator.com/item?id=24242890
| Pokepokalypse wrote:
| Also there's this: https://dl.dod.cyber.mil/wp-
| content/uploads/stigs/zip/U_Appl...
| codetrotter wrote:
| Expired certificate
| dmix wrote:
| NSA released a now older OSX hardening PDF, still lots of
| relevant stuff:
|
| https://cirka.net/wiki/_media/macosx_hardening_tips.pdf
|
| And NIST did a long form one as well for macOS Sierra (10.2)
|
| https://csrc.nist.gov/CSRC/media/Publications/sp/800-179/rev...
|
| Hardening operating systems is extremely difficult, I put a ton
| of research into it, but making it harder for APTs is always
| valuable. Linux with GRSecurity used to be the gold standard. Not
| sure what is now.
|
| I noticed a lot of "zero days" or vulnerabilities target specific
| versions of popular software so there may be plenty of security
| in obscurity just based on the nature of the hacking business.
| And there's a huge shadowy hacking business if you weren't aware.
|
| And as a side note one thing I learned from grugq is that
| managing your identity online is worth 10 fold more than any of
| this hardening business. Creating fake identities with real back
| stories and linkedin pages etc. That sort of thing. But that's
| getting a little deep into the "shadowy arts" of the infosec
| world.
| Wowfunhappy wrote:
| > NSA released a now older OSX hardening PDF, still lots of
| relevant stuff:
|
| > Disable Unnecessary Services: The following services can be
| found in /System/Library/ LaunchDaemons. Unless needed for the
| purpose shown in the second column, disable each service using
| the command below, which needs the full path specified: sudo
| launchctl unload -w PathToPlistFile
|
| Today, you can't do that unless you disable, well, a different
| security setting.
| comboy wrote:
| And then you just
|
| brew install this-will-solve-my problem
|
| with 782 dependencies.
| tingletech wrote:
| 2018
| sarsway wrote:
| Is there any good solution to choosing the admin password? I
| always hear a strong password is recommended, but this becomes
| very annoying very fast since you have to type it in quite often,
| and password managers can't help you here.
| bayindirh wrote:
| mangle a longish sentence in your head and pepper it with
| typos, punctuation and numbers.
|
| e.g.: h0arseSt@br3bg#terYC0rt5d!t
| calmaro34 wrote:
| funnily enough now h0arseSt@br3bg#terYC0rt5d!t is a terrible
| password to use ;)
| bayindirh wrote:
| Doesn't matter. It's already a variation of a well known
| password anyway. :)
| betterq wrote:
| _horse staple battery correct_? Now I have to change my
| password!
| bayindirh wrote:
| Yep! :)
|
| Go, change it. _Run!_
| stevewillows wrote:
| lyrics with spaces work well. e.g. 'God only knows what I'd be
| without you'
| comboy wrote:
| This is terrible advice. Especially using lyrics.
|
| If you like typing sentences use some unlikely ones,
| preferably personal because people suck at coming up with
| random stuff.
|
| If you just throw some random thing in these lyrics like "God
| only knows WOOP i'd be without you" it would make it much
| stronger, but lyrics are like the thing where you would start
| building your brute forcer from and also.. how private are
| you about music that you listen to? I openly broadcast it.
| stevewillows wrote:
| I got this from samyk, actually. I wouldn't use iconic
| lyrics like this and you don't have to use a full line or
| even a natural ending. You don't even have to use lyrics
| from a band you particularly enjoy -- just something longer
| and easier to remember.
| rurp wrote:
| I like diceware passwords, a random set of common words, for
| this, often with a few random characters thrown in. It's still
| long, but I find them to be faster to type and memorize than
| random characters.
| ryankrage77 wrote:
| I use this bash one-liner:
|
| < /dev/urandom tr -cd "[:print:]" | tr -d '[]<>(),~.\;\: \\/\`\|\{\}\'\"\' | head -c 8; echo
|
| Generates 8 random characters excluding punctuation that is
| often not allowed in passwords. You can change `head -c 8` to
| the desired length of the password. If you get something
| difficult to type, just generate another one.
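The passphrase schemes argued over in this subthread (a song lyric, a Diceware passphrase as rurp describes, and 8 random printable characters from the one-liner above) can be compared by entropy. This is an added example, not code from the thread; `DEMO_WORDS` is a constructed stand-in for a real 7776-word Diceware list, and modelling a lyric as one line picked from a corpus an attacker can enumerate is an assumption.

```python
"""Entropy of the passphrase schemes argued over in this thread: a song
lyric, a Diceware passphrase, and 8 random printable characters. Added
example, not from the page. DEMO_WORDS is a constructed stand-in for a
real 7776-word Diceware list; the lyric model (an attacker enumerating a
corpus of known lines) is an assumption."""
import math
import secrets

# Constructed stand-in list; a real Diceware list has 6**5 = 7776 entries.
DEMO_WORDS = ["horse", "staple", "battery", "correct", "cortex", "bridge", "tea", "yacht"]
DICEWARE_LIST_SIZE = 7776
# The 20 punctuation characters the thread's tr one-liner deletes from [:print:].
EXCLUDED = set("[]<>(),~.\\;: /`|{}\"'")
ALLOWED = [chr(c) for c in range(0x20, 0x7F) if chr(c) not in EXCLUDED]


def entropy_bits(choices, length):
    """Bits of entropy for `length` symbols drawn uniformly from `choices`."""
    return length * math.log2(choices)


def diceware(words, count):
    """Join `count` words chosen with a CSPRNG; `random.choice` would not do."""
    return " ".join(secrets.choice(words) for _ in range(count))


def random_chars(length):
    """Same character set as the one-liner, without the shell quoting hazards."""
    return "".join(secrets.choice(ALLOWED) for _ in range(length))


def compare(lyric_corpus_lines=1_000_000):
    """Entropy in bits under the uniform-choice model for each scheme."""
    return {
        "one lyric line from a known corpus": entropy_bits(lyric_corpus_lines, 1),
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "8 random chars, 75 allowed": entropy_bits(len(ALLOWED), 8),
    }


if __name__ == "__main__":
    print(diceware(DEMO_WORDS, 6), "|", random_chars(8))
    for scheme, bits in compare().items():
        print(f"{bits:6.1f} bits  {scheme}")
```

Six Diceware words land near 78 bits, the 8-character one-liner near 50, and a memorised lyric line only as many bits as the size of the corpus an attacker tries first.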
| tokamak-teapot wrote:
| For sudo you can use the fingerprint reader if you configure
| pam to allow it
| Ashanmaril wrote:
| The most strong password is p@ssw0rd, I use that one for
| everything
| [deleted]
| pmw wrote:
| I built https://phrase.shop for creating secure _yet memorable_
| passphrases.
| wishinghand wrote:
| Would a thumb print reader be viable in this case? Can those
| provide arbitrary strings? I'd still store the password in a
| manager in case that device breaks.
| floatingatoll wrote:
| Some of these are good advice if you prioritize security over
| usability, as some legitimately need to do. Some of these have
| nothing at all to do with "Hardening macOS" and will have no
| measurable effect on security whatsoever, especially when state
| attackers are excluded from consideration (as the page itself
| states). Why are these things mixed together into a single guide?
|
| Or, to present one specific example of this mixed-messages issue:
|
| How precisely does the listed step "Disable Crash Reporter"
| harden macOS against being attacked, when nation-states are
| excluded from consideration?
| klodolph wrote:
| This is a nice starting point. It seems like it was written from
| someone who's fairly paranoid (not trying to judge the value or
| correctness of paranoia, here), which means that it's not too
| hard to customize it--if you are less paranoid, skip some of
| these steps.
___________________________________________________________________
(page generated 2021-05-06 23:01 UTC)