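#!/bin/bash
#
# Hardening - macOS
#
# Applies a baseline of host-hardening settings: radios and remote services
# off, Gatekeeper on, longer log retention, auditing, tighter sudo and
# screensaver behaviour.
#
# Usage:   NTP_SERVER=<your NTP host> ./hardening.sh
# Run as:  an admin user; privileged steps call sudo themselves.
# Env:     NTP_SERVER  time server to configure (step skipped when unset)
#          USERNAME    account whose home is restricted (defaults to the
#                      invoking user)
#
# Steps are best-effort on purpose: several of them fail harmlessly when a
# key, service or file is already absent, so `set -e` is not enabled.
# Several paths below sit under /System, which System Integrity Protection
# makes read-only on current macOS; expect those steps to fail there.
set -u

warn() { printf 'warn: %s\n' "$*" >&2; }

#######################################
# Append a line to a root-owned file unless that exact line is already there,
# so re-running the script does not pile up duplicate entries.
# Arguments: $1 - file path, $2 - line to append
# Returns:   0 if present or appended, non-zero if the write failed
#######################################
append_line_once() {
  local file=$1
  local line=$2
  if sudo grep -qxF -- "$line" "$file" 2>/dev/null; then
    return 0
  fi
  # `sudo echo ... >> file` would open the file as the calling user;
  # tee runs under sudo so the append itself is privileged.
  printf '%s\n' "$line" | sudo tee -a "$file" >/dev/null
}

# --- Bluetooth ---------------------------------------------------------------
# Disable bluetooth
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
sudo killall -HUP blued
# Display bluetooth icon (so a re-enabled radio is visible to the user)
defaults write com.apple.systemuiserver menuExtras -array-add \
  "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"

# --- Time --------------------------------------------------------------------
# Define ntp server. The page shows a literal "<NTP server>" placeholder,
# which bash would parse as redirections; take the value from NTP_SERVER.
ntp_server="${NTP_SERVER:-}"
if [[ -n "$ntp_server" ]]; then
  sudo systemsetup -setnetworktimeserver "$ntp_server"
  # Turning network time on is -setusingnetworktime; the page repeated
  # -setnetworktimeserver with "on", which would set the server name to "on".
  sudo systemsetup -setusingnetworktime on
else
  warn "NTP_SERVER not set; network time left unchanged"
fi

# --- Screensaver / power -----------------------------------------------------
# Set time for screensaver (seconds of idle)
defaults -currentHost write com.apple.screensaver idleTime -int 1200
# Disable hotcorner
# TODO: no command given on the page.
# Set sleep time (display never sleeps on AC power)
sudo pmset -c displaysleep 0
# Disable RAE (remote Apple events)
sudo systemsetup -setremoteappleevents off
# Disable wake for network access
sudo pmset -a womp 0
# Disable sleeping the computer when connected to power
sudo pmset -c sleep 0

# --- Gatekeeper / firewall ---------------------------------------------------
# Enable Gatekeeper
sudo spctl --master-enable
# Firewall activation
# TODO: no command given on the page.

# --- iCloud ------------------------------------------------------------------
# ICloud mask
# NOTE(review): the page's command is incomplete - it has no destination
# operand and the path reads "/Sytem" - so it can only fail. Left disabled
# until the intended source and destination are confirmed:
#   mv /Sytem/Library/Preferences/Pane/icloud.prefpane
defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

# --- Logging -----------------------------------------------------------------
# Configure log: UTC-named rotation and a 90 day retention.
# BSD sed (macOS) needs an explicit, possibly empty, backup suffix after -i;
# without it the sed script is consumed as the suffix and nothing is edited.
sudo sed -i '' \
  's/rotate=seq compress file_max=5M/rotate=utc compress file_max=5M ttl=90/g' \
  /etc/asl.conf
append_line_once /etc/asl.conf \
  '> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90'
append_line_once /etc/asl.conf \
  '* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90'

# --- Auditing ----------------------------------------------------------------
# Activate auditd
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
# Widen the audited event classes. The page had a stray trailing "file"
# argument here, which sed would treat as a second input file.
sudo sed -i '' 's/lo,aa/lo,aa,ad,fd,fm,-all/g' /etc/security/audit_control

# show wifi icon
# TODO: no command given on the page.

# --- Unneeded services -------------------------------------------------------
# Stop useless service
sudo apachectl stop
sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true
sudo launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
sudo nfsd disable
# The page removes "/etc/export"; the NFS export table is /etc/exports.
# NOTE(review): confirm this is the file that was meant.
sudo rm -f /etc/exports

# --- Home directory ----------------------------------------------------------
# Change home right. bash does not set USERNAME by itself; if it expanded to
# nothing the original command became `chmod -R 700 /Users/` and hit every
# account, so resolve a concrete name and refuse to continue without one.
home_owner="${USERNAME:-${SUDO_USER:-$(id -un)}}"
if [[ -n "$home_owner" && -d "/Users/$home_owner" ]]; then
  chmod -R 700 "/Users/${home_owner:?}"
else
  warn "no home directory found for '${home_owner}'; permissions unchanged"
fi

# --- Filesystem --------------------------------------------------------------
# Repair filesystem (weekly).
# NOTE(review): `diskutil repairPermissions` was removed in OS X 10.11;
# on newer systems this weekly job will only log an error.
append_line_once /etc/periodic/weekly/999.filesystem 'diskutil repairPermissions /'

# --- sudo --------------------------------------------------------------------
# Change timestamp for sudo command: ask for the password on every sudo call.
# The page wrote this to /etc/sudoers.d/timestamp.sh with a shebang line.
# sudo skips files in an included directory whose name contains a ".", so
# that drop-in would never be read and the timeout would silently stay at its
# default. Use a dot-free name, validate the syntax before installing, and
# install root-owned and read-only.
sudoers_tmp=$(mktemp) || exit 1
trap 'rm -f -- "$sudoers_tmp"' EXIT
printf '%s\n' 'Defaults timestamp_timeout=0' >"$sudoers_tmp"
if sudo visudo -cf "$sudoers_tmp"; then
  sudo install -m 0440 -o root -g wheel "$sudoers_tmp" /etc/sudoers.d/timestamp
else
  warn "sudoers drop-in failed validation; not installed"
fi

# --- Login / unlock ----------------------------------------------------------
# Hardening keychain
# TODO: no command given on the page.
# Delete autologin (fails harmlessly when no auto-login user is configured)
sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
# Ask for password after screensaver
defaults write com.apple.screensaver askForPassword -int 1
# Lock screensaver: drop "admin," from the screensaver PAM policy.
# NOTE(review): presumably this stops admin-group members from unlocking
# another user's session - confirm against the file's contents first.
sudo sed -i '' 's/admin,//g' /etc/pam.d/screensaver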