Hardening macOS

You can get most of the way to hardening to CIS level 1 picking more up-to-date fork of these <a href="https:&#x2F;&#x2F;github.com&#x2F;jamf&#x2F;CIS-for-macOS-Catalina-CP" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jamf&#x2F;CIS-for-macOS-Catalina-CP</a>.<p>FWIW, CIS level 1 will mean people get locked out of their machines very frequently. Complex 15 character passwords with 3 retries from memory. So you need a half-decent MDM to unlock quickly. There is no half-decent MDM out there. Only shit ones but workable like Jamf.<p>Also the username does&#x27;t get auto-populated on login so the typo can be in username but the user assumes it is with password. Very fast way to get lock outs.<p>To pass a full security review you might want to play with Google Santa. But that is intense.<p>Also disabling things like AirDrop and biometric unlock is a productivity inhibitor.<p>Disabling Bonjour can cause strange problems for some people (e.g. using Reflector 4).<p>Basically I hate my mac that is hardened all the way so have a second machine (Mac Studio Ultra) in a more secure location that is less hardened and more pleasant to work with.

&gt; <i>The advanced stuff</i><p>&gt; <i>For the security enthusiast, who wants to go the extra mile.</i><p>&gt; 16. Use a password manager<p>Hard disagree. Using a decent password manager ought to be considered one of the <i>baby steps</i> of online security.

I&#x27;m somewhat surprised that using an HSM like a YubiKey or NitroKey isn&#x27;t on there. Mac OS has had pretty solid support for smartcards and tokens for a very long time now, improving significantly in the last 5 or so generations. Even for Macs with biometrics keys can still be useful in a multiuser environment or for the convenience of not needing to reach for the Touch ID (and be limited to an Apple keyboard). Login becomes a matter of just plugging in the key and entering the PIN. Most system authentication and sudo by default as well. Makes it much more convenient to have a long good password, though unfortunately FileVault (and 1Password is also a shitty, glaring example here) remains an outlier. Can disable automatic login following use of FV just fine though, and having it for system auth is still good. And it&#x27;s another option (and one that can be backed up physically) for websites as webauthn spreads.<p>It costs money but it&#x27;s not technical to work with either. Hopefully the day comes when password managers are effectively obsolete because we finally finally <i>FINALLY</i> give up on the ludicrous practice of using symmetric information for 3rd party authentication.

&gt; <i>Enable Terminal secure keyboard entry</i><p>&gt; <i>Why? To prevent other apps from snooping on what you type.</i><p>&gt; <i>How? Go to Terminal.app &gt; Menu bar &gt; Terminal, click “Secure Keyboard Entry”.</i><p>I wasn’t aware of this setting. Seems like it should be enabled by default.

Coincidentally, NIST published the SP 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)[1], a few days ago. NIST hosts all you need to verify as well as enforce several compliance requirements in their official GitHub repo [2]. The following baselines are supported for macOS Monterey:<p>- NIST SP 800-53r5 Low, Moderate, and High - DISA-STIG - NIST 800-171 - CNSSI-1253 - CIS macOS Benchmarks Level 1 and 2 - CIS Critical Security Controls Version 8<p>If you&#x27;ve been following the project closely you&#x27;ll notice that rules that were originally written as shell scripts are going away in favor of config profiles.<p>[1] <a href="https:&#x2F;&#x2F;csrc.nist.gov&#x2F;publications&#x2F;detail&#x2F;sp&#x2F;800-219&#x2F;final" rel="nofollow">https:&#x2F;&#x2F;csrc.nist.gov&#x2F;publications&#x2F;detail&#x2F;sp&#x2F;800-219&#x2F;final</a> [2] <a href="https:&#x2F;&#x2F;github.com&#x2F;usnistgov&#x2F;macos_security" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;usnistgov&#x2F;macos_security</a>

I&#x27;d keep Guest access for desktop usage enabled, mainly for asset recovery. A Guest user can be restricted to internet browsing which makes a poorly informed thief likely to connect the device to the internet, allowing for FMI to ping the (approximate) location and do a remote wipe. You can still leave guest access for other facilities off while keeping this on.<p>The question would become a matter of &quot;is recovery part of security&quot;?

&gt; Reconsider the risks of browser extensions<p>This is underrated. There are many, many browser extensions I would love to use, but I will never install. If it&#x27;s from Google or Apple or a company I pay money to, I will install it. Or if it&#x27;s uBlock Origin or Privacy Badger. Otherwise, I just don&#x27;t trust that a future update after the sale of the extension won&#x27;t turn evil.

&gt; Install and configure Google’s Santa.<p>Interesting, I&#x27;d never heard of this before. &quot;A binary authorization system for macOS&quot;. Open source.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;google&#x2F;santa" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;google&#x2F;santa</a>

&gt;Enable automatic software updates<p>This is one I&#x27;m always torn about.<p>There are countless iOS and Android apps that forever ruined by future updates. And unless you have the older version lying around (ipa&#x2F;apk) then you can never downgrade. I experienced similar with MacOS apps too and generally on other OSes as well. I&#x27;m okay with automatic software updates for the OS but for general standalone apps not so much.

I like how they recount the &quot;secure, not private&quot; mantra at the top of the page. MacOS has a funny threat model: it&#x27;s obviously not a very private machine, but the security measures like filesystem sandboxing and SIP go a long way towards... well, making your Mac more like an iPhone. This is good for defending against smaller, petty actors (identity theft, phishers, stray keyloggers, etc.), but it does very little to defend against the <i>actually</i> scary stuff like government surveillance, first-party data collection or foreign threat actors.<p>So, a lot of you are probably rearing up to write me a 5000-word response essay about how unreasonable it is to expect MacOS to compete with Team Red from around the world. I know. No operating system will ever be perfect.<p>...but on the flip side, MacOS&#x27; security concessions really don&#x27;t seem to protect the user, from where I&#x27;m standing. Apple has made it so that trusting their OS means trusting them, which frankly, I don&#x27;t. Apple is part of PRISM. Apple put iCloud in Chinese government datacenters. Maybe that Chinese data is encrypted-on-disk (eg. secure), but the fact that the Chinese government has the decryption keys certainly doesn&#x27;t make it very private. With any degree of likelihood, that&#x27;s already happening in most first-world countries too.

Looking at that list one starts to wonder, wouldn&#x27;t it be easier not to turn the computer on, not to buy at all?! : D<p>Isn&#x27;t this just mental that you are a hairline away of peril if you do not do a twentysomething steps massaging every inch of the system right away?! : )

missing the most important one: use a non-administrator account as a daily driver

I&#x27;ve never heard of the &quot;Steven Black DNS list&quot;. Is it legit and valuable?

Is doing a fresh install of the OS still necessary in 2022?

drduh’s macOS Security and Privacy Guide is linked in that article and I found it to be a good quick read.<p>Some of its suggestions like use Tor are out of date.