#!/bin/bash
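# macOS workstation hardening steps.
# Run as the desktop user whose per-user preferences should change; steps that
# touch system files call sudo themselves.
#
# Only -u is enabled: an unset variable must never expand into an empty path
# (see the home-directory step). -e is deliberately left off because several
# steps are best-effort and fail harmlessly when a service or key is absent.
set -u

# Time server to configure. No default is shipped; supply one through the
# environment, e.g. NTP_SERVER=ntp.example.org (constructed sample value).
NTP_SERVER="${NTP_SERVER:-}"

# Print a warning on stderr.
warn() { printf 'warning: %s\n' "$*" >&2; }

# Append line $2 to root-owned file $1 unless an identical line is already
# there, so that re-running the script does not duplicate entries.
append_line_once() {
  local file=$1 line=$2
  if ! sudo grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" | sudo tee -a "$file" >/dev/null
  fi
}

if [[ ${EUID} -eq 0 ]]; then
  warn "running as root: per-user 'defaults write' steps will change root's preferences, not the desktop user's"
fi

# Disable Bluetooth
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
# NOTE(review): the Bluetooth daemon has a different name on newer releases;
# confirm 'blued' exists on the target OS version.
sudo killall -HUP blued

# Display Bluetooth icon (skipped when already listed; -array-add would
# otherwise append a duplicate entry on every run)
bt_menu="/System/Library/CoreServices/Menu Extras/Bluetooth.menu"
if ! defaults read com.apple.systemuiserver menuExtras 2>/dev/null | grep -qF -- "$bt_menu"; then
  defaults write com.apple.systemuiserver menuExtras -array-add "$bt_menu"
fi

# Define NTP server.
# The original line carried a literal <NTP server> placeholder, which bash
# parses as redirections and rejects as a syntax error for the whole script.
if [[ -n "$NTP_SERVER" ]]; then
  sudo systemsetup -setnetworktimeserver "$NTP_SERVER"
else
  warn "NTP_SERVER is not set; leaving the configured time server unchanged"
fi
# Turning network time on is a separate systemsetup switch.
sudo systemsetup -setusingnetworktime on

# Set idle time before the screensaver starts (seconds)
defaults -currentHost write com.apple.screensaver idleTime -int 1200

# Disable hotcorner
# TODO: no command was provided for this step.

# Set display sleep time on AC power (0 = never)
sudo pmset -c displaysleep 0

# Disable Remote Apple Events
sudo systemsetup -setremoteappleevents off

# Disable wake for network access
sudo pmset -a womp 0

# Disable sleeping the computer when connected to power
sudo pmset -c sleep 0

# Enable Gatekeeper
sudo spctl --master-enable

# Firewall activation
# TODO: no command was provided for this step; the application firewall is
# NOT enabled by this script.

# iCloud mask
# The original step was `mv /Sytem/Library/Preferences/Pane/icloud.prefpane`:
# a misspelled source path and no destination, so it could never succeed.
# TODO: define the intended source and destination. NOTE(review): on releases
# with System Integrity Protection, files under /System cannot be moved.
warn "iCloud preference pane not hidden: the step has no destination defined"
defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

# Configure log retention
# BSD sed needs an explicit (here empty) backup suffix after -i; without it
# the expression is consumed as the suffix and the edit never happens.
sudo sed -i '' -e 's/rotate=seq compress file_max=5M/rotate=utc compress file_max=5M ttl=90/g' /etc/asl.conf
append_line_once /etc/asl.conf '> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90'
append_line_once /etc/asl.conf '* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90'

# Activate auditd
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
# Anchored at end of line so a second run does not append the flags again.
# Lines that already carry extra flags after "lo,aa" are left untouched.
sudo sed -i '' -e 's/lo,aa$/lo,aa,ad,fd,fm,-all/' /etc/security/audit_control

# Show wifi icon
# TODO: no command was provided for this step.

# Stop unneeded services
sudo apachectl stop
sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true
sudo launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
sudo nfsd disable
# The NFS export table is /etc/exports; -f keeps this quiet when it is absent.
sudo rm -f -- /etc/exports

# Restrict home directory permissions
# $USERNAME is usually unset in bash; unguarded, the path collapses to
# /Users/ and the recursive chmod hits every account. Fall back to the
# invoking user and refuse anything that is not a plain existing home.
home_owner="${USERNAME:-${SUDO_USER:-${USER:-}}}"
if [[ -n "$home_owner" && "$home_owner" != */* && "$home_owner" != .* \
      && -d "/Users/$home_owner" ]]; then
  # go-rwx removes group/other access without marking every file executable,
  # which a recursive 700 would do.
  chmod -R go-rwx "/Users/$home_owner"
else
  warn "cannot determine a valid home directory; permissions left unchanged"
fi

# Weekly filesystem permission repair
# periodic only runs executable files, so the job needs an interpreter line
# and the execute bit; it is created root-owned and not writable by others.
# NOTE(review): newer releases no longer provide 'diskutil repairPermissions';
# confirm it exists on the target OS version.
weekly_job=/etc/periodic/weekly/999.filesystem
if ! sudo test -e "$weekly_job"; then
  printf '%s\n' '#!/bin/sh' | sudo tee "$weekly_job" >/dev/null
fi
append_line_once "$weekly_job" 'diskutil repairPermissions /'
sudo chmod 755 "$weekly_job"

# Require a password for every sudo invocation
# sudo skips drop-in files whose name contains a '.', so the original
# timestamp.sh was silently ignored and the timeout never applied. The file is
# validated before installation because a broken drop-in can lock out sudo.
# NOTE(review): confirm the main sudoers file includes /etc/sudoers.d.
sudoers_tmp=$(mktemp) || sudoers_tmp=
if [[ -n "$sudoers_tmp" ]]; then
  printf '%s\n' 'Defaults timestamp_timeout=0' > "$sudoers_tmp"
  if sudo visudo -cf "$sudoers_tmp" >/dev/null; then
    sudo install -m 0440 -o root -g wheel "$sudoers_tmp" /etc/sudoers.d/timestamp
    # Clean up the ignored file left behind by earlier runs of this script.
    sudo rm -f -- /etc/sudoers.d/timestamp.sh
  else
    warn "sudoers drop-in failed validation; not installed"
  fi
  rm -f -- "$sudoers_tmp"
else
  warn "mktemp failed; sudo timestamp timeout not configured"
fi

# Hardening keychain
# TODO: no command was provided for this step.

# Delete autologin (reports an error when the key is already absent)
sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

# Ask for password after screensaver
defaults write com.apple.screensaver askForPassword -int 1

# Lock screensaver
# Strips "admin," from the screensaver PAM configuration; presumably this
# removes the admin group from those allowed to unlock another user's
# session. Verify against the file on the target release.
sudo sed -i '' -e 's/admin,//g' /etc/pam.d/screensaver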