OS-X-Security-And-Privacy-Guide
Total Page:16
File Type:pdf, Size:1020Kb
OS-X-Security-and-Privacy-Guide Latest commit a158350 a day ago drduh Clean up browsing and plugins sections. Warn about Tor global panopti… … Describe a few more services, and suggest 'Yosemite-Stop-Launch'. 14F27_launchd.csv 13 days ago Fix #… 15B42_launchd.csv Add 10.11.1 services csv. 18 days ago InstallESD_Hashes.cs Add list of InstallESD hashes. 20 days ago v 2 months LICENSE Initial commit ago Clean up browsing and plugins sections. Warn about Tor global README.md a day ago panopti… read_launch_plists.py Uniform program name, rename csv to build number. 18 days ago README.md This is a collection of thoughts on securing a modern Apple Mac computer using OS !".!! #$l Capitan#% as well as steps to improving online pri&acy. This guide is targeted to 'power users( who wish to adopt enterprise)standard security% but is also suitable for novice users with an interest in improving their pri&acy and security on a Mac. There is no security sil&er bullet. A system is only as secure as its administrator is capable of making it. + am not responsible if you break a Mac by following any of these steps. +f you wish to ma*e a correction or impro&ement% please send a pull re,uest or open an issue. -asics .reparing OS +nstalling OS o /eco&ery partition 0irst boot 0ull disk encryption 0irmware password 0irewall o Application layer firewall o Third party solutions o 2ernel le&el packet filtering Ser&ices Spotlight Suggestions 3omebrew 45S o 3osts file o dnsmasq o dnscrypt Capti&e portal Certificate authorities OpenSSL Curl 3TT. Web browsing .lugins .6.76.6 OT/ Tor 8.5 8iruses and malware System +ntegrity .rotection 6ate*eeper and protect .asswords -ackup Wi)0i SS3 .hysical access System monitoring o Open Source Monitoring Tools o Open-SM Audit o 4Trace o 5etwor* Miscellaneous Additional resources Basics The standard best security practices apply. Create a threat model o What are you trying to protect and from whom9 +s your ad&ersary a three letter agency :if so% you may want to consider using Open-S4 instead;% a nosy ea&esdropper on the networ*% or determined apt orchestrating a campaign against you9 o Study and recogni<e the threat and your attack surface. 2eep the system up to date o .atch% patch% patch your system and software. o Subscribe to announcement mailing lists :e.g.% Apple security)announce; for programs you use often. $ncrypt sensiti&e data o +n addition to full disk encryption% create one or many encrypted containers to store passwords, *eys and personal documents. o This will mitigate damage in case of compromise and data exfiltration. 0re,uent backups o Create regular backups of your data and be ready to reimage in case of compromise. o Always encrypt before copying backups to external media or the #cloud#. Click carefully o >ltimately% the security of the system can be reduced to its administrator. o Care should be ta*en when installing new software. Always prefer free and open source software :which OS is not;. Preparing OS X There are se&eral ways to install a fresh copy of OS . The simplest way is to boot into /eco&ery Mode by holding Command and R *eys at boot. A system image can be downloaded and applied directly from Apple. 3owe&er% this way e=poses the computer?s serial number and other identifying information to Apple o&er plain !""P. Another way is to download OS X E# $apitan %&.%%.% from the App Store or some other place and create a custom% installable system image. The application is code signed% which should be &erified to ma*e sure you recei&ed a legitimate copy. $ codesign -dvv /Applications/Install\ OS\ X\ El\ Capitan.app Executable=/Applications/Install OS X El Capitan.app/Contents/MacOS/InstallAssistant Identifier=com.apple.InstallAssistant.ElCapitan Format=bundle with Mach-O thin (x86_64) CodeDirectory v=20200 size=280 flags=0x200(kill) hashes=4+5 location=embedded Signature size=4169 Authority=Apple Mac OS Application Signing Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Info.plist entries=31 TeamIdentifier=K36BKF7T3D Sealed Resources version=2 rules=8 files=151 Internal requirements count=1 size=124 OS installers can be made with the createinstallmedia utility included in Install OS X El Capitan.app/Contents/Resources/. See Create a bootable installer for OS @osemite% or run the utility without arguments to see how it wor*s. +f you?d li*e to do it the manua# way% you will need to find the file InstallESD.dmg% which is insideInstall OS X El Capitan.app. /ight click, select Sho' Pac(a e $ontents and navigate to $ontents ) SharedSupport to findInstallESD.DMG. @ou can &erify the following cryptographic hashes to ensure you ha&e the same% authentic copy by using a command li*e shasum -a256 InstallESD.dmg and so on. @ou can also 6oogle these hashes to ensure your copy is genuine and has not been tampered with. See InstallESD_Hashes.csv in this repository for previous &ersions. InstallESD.dmg (Build 15B42) SHA-256: 6275929722c35674fce90d2272d383d49696096e8626ee7f7900dd0334167a9a SHA-1: 306a080c07e293b6765ba950bab213572704acec Mount and install the operating system to a temporary ima e% or use the 6>+ appMager8alp7Auto4M6. hdiutil attach -noverify -mountpoint /tmp/installesd ./InstallESD.dmg hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "OS X" -uid 0 -gid 80 -mode 1775 /tmp/output.sparseimage hdiutil attach -noverify -mountpoint /tmp/os -owners on /tmp/output.sparseimage sudo installer -pkg /tmp/installesd/Packages/OSInstall.mpkg -tgt /tmp/os This part will ta*e a while% so Aust be patient. @ou can tail -F /var/log/install.log to check progress. Optionally% install any other packages to the image% such as Wireshar*. hdiutil mount Wireshark\ 1.99.5\ Intel\ 64.dmg sudo installer -pkg /Volumes/Wireshark/Wireshark\ 1.99.5\ Intel\ 64.pkg -tgt /tmp/os hdiutil unmount /Volumes/Wireshark See Mager8alp7Auto4M67wiki7.ackages-Suitable)for)4eployment for ca&eats and check outchilcote7outset to instead processes packages and scripts at first boot. When you?re done% detach% con&ert and &erify the image. hdiutil detach /tmp/os hdiutil detach /tmp/installesd hdiutil convert -format UDZO /tmp/output.sparseimage -o elcap.dmg asr imagescan --source elcap.dmg 5ow% elcap.dmg is ready to be applied to one or multiple Macs. @ou can further customize the image to include premade users, applications and preferences to your liking. *nsta##ing OS X One way to install the OS image is using another Mac in Target 4isk Mode. +f you don?t ha&e another Mac, create a bootable >S- dri&e from the $l Capitan application bundle% and boot the Mac you wish to image to it by holding the Option *ey at boot. Alternati&ely% you could also create a second partition on your existing Mac and use that. +f you don?t ha&e an external dri&e or >S- stick to use% it?s possible to create a small partition with Dis( +ti#ity and use that. There are se&eral guides online on how to do this. To use "arget Dis( Mode% boot up the Mac you wish to image while holding T and connect it to another using 0irewire% Thunderbolt or >S-)C. /un diskutil list to identify the connected disk, usually /dev/disk2 Erase the disk to Journaled 30SC diskutil unmountDisk /dev/disk2 diskutil partitionDisk /dev/disk2 1 JHFS+ OSX 100% Restore the image to the new &olume sudo asr restore \ --source elcap.dmg \ --target /Volumes/OSX \ --erase --noverify \ --buffersize 4m Alternati&ely% open the Dis( +ti#ity application% erase the connected Mac's disk, then drag elcap.dmgin to restore it to the new partition. +f you?&e followed these steps correctly% the target Mac should now ha&e a new install of OS . +f you want to transfer any files, copy them to a folder li*e /Users/Shared on the mounted disk image% e.g. cp Xcode_6.1.1.dmg /Volumes/OS\ X/Users/Shared Recovery partition We?re not done yetD >nless you ha&e built the image with Auto4M6% or installed OS to a second partition on your Mac% you will need to create a reco&ery partition in order to use 0ile&ault full disk encryption. @ou can do so using Mager8alp7Create)/eco&ery).artition)+nstaller or by following these steps. 4ownload /eco&eryH4>pdate.dmg RecoveryHDUpdate.dmg SHA-256: f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c SHA-1: 1ac3b7059ae0fcb2877d22375121d4e6920ae5ba Attach and e=pand the installation% then run it hdiutil attach RecoveryHDUpdate.dmg pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/OS\ X/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist Where /Volumes/OS\ X is the path to the target disk mode booted Mac. This will ta*e se&eral minutes. /un diskutil list again to ma*e sure Recovery !D now exists. Once you?re done% eAect the disk with hdiutil unmount /Volumes/OS\ X and power down the connected Mac. First boot On first boot% hold Command Option P and R *eys to clear 58/AM. Wait for the loud% obnoxious gong and *eep holding while the Mac reboots once. When OS first starts, you?ll be greeted by Setup Assistant. 4o not connect to networking yetE skip that part of the setup for now. When creating your account% use a strong password without a hint. 4on?t use your real name for your account as it?ll show up as So-and-so's Macbook through sharing services to local networ*s.