A simple bash script to automate the majority of NIST hardening requirements for standalone macOS
I've made this script available to save others time. It's based on the DRAFT NIST Special Publication 800-179 "Guide to securing macOS 10.12".
It doesn't currently include every hardening requirement, but I aim to add them in the near future.
It's been written so that each hardening control is a separate item, which makes it easier to comment out any controls you don't want to apply.
To run the script:
Copy it to the Mac, open a terminal, go to the directory where the file is stored and run:
sudo bash hardening_script.sh
Whilst the script is running you will be asked to provide the following information:
- A hostname for the machine
- A firmware (BIOS) password
Hardening Check:
To audit the state of the hardening of a machine, you can run the 'hardening_check.sh' script on the machine. To run the script:
Copy it to the Mac, open a terminal, go to the directory where the file is stored and run:
sudo bash hardening_check.sh
The script currently applies the following hardening settings (I will link these back to the specific NIST requirements in the near future):
- Sets a user defined hostname
- Prevents users from logging in with iCloud (removes the iCloud login prompt)
- Disables the infrared receiver
- Disables Bluetooth
- Enables automatic updates
- Turns off the password hints
- Sets the screenlock timeout to 5 minutes
- Enables the Firewall
- Sets a firmware password
- Confirms that System Integrity Protection is enabled (it is by default; if it has been turned off it can only be re-enabled from Recovery mode, so this cannot be scripted)
- Enables GateKeeper
- Sets the system and user-wide umask to 022
- Stops sending diagnostic information to Apple
- Adds a logon banner (this should be edited to say whatever you need it to say)
- Disables console logon from the logon screen
- Restricts sudo to a single command
- Removes the list of users from the logon screen
- Disables Siri
- Turns on display of file extensions, which are hidden by default
- Prevents other applications from intercepting text typed into the terminal
- Prevents downloaded signed software from receiving incoming connections
- Enables packetfilter (pf)
- Configures firewall to block Apple File Server packets
- Configures firewall to block Bonjour packets
- Configures firewall to block finger
- Configures firewall to block FTP
- Configures firewall to block HTTP
- Configures firewall to block ICMP
- Configures firewall to block IMAP
- Configures firewall to block IMAPS
- Configures firewall to block iTunes Sharing
- Configures firewall to block mDNSResponder
- Configures firewall to block NFS
- Configures firewall to block Optical Sharing
- Configures firewall to block POP3
- Configures firewall to block POP3S
- Configures firewall to block Printer Sharing
- Configures firewall to block Remote Apple Events
- Configures firewall to block Screen Sharing
- Configures firewall to block SMB
- Configures firewall to block SMTP
- Configures firewall to block SSH
- Configures firewall to block Telnet
- Configures firewall to block TFTP
- Configures firewall to block UUCP
- Prevents any action when a blank CD is inserted
- Prevents any action when a blank DVD is inserted
- Prevents any action when a music CD is inserted
- Prevents any action when a picture CD is inserted
- Prevents any action when a video DVD is inserted
- Disables the SMB file sharing daemon
- Prevents the computer from broadcasting Bonjour service advertisements
- Disables the NFS server daemon
- Disables the public key authentication mechanism for SSH
- Prevents root login via SSH
- Sets the number of 'client alive messages' (that can be sent before disconnecting the client) to 4
- Reboots to ensure the settings take effect
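To make the audit step concrete, here is an added example (not the repository's hardening_check.sh) that checks a subset of the settings above against what the corresponding macOS tools report. The expected output patterns for each tool, and the defaults keys used, are my assumptions about the current tool output formats.

```shell
#!/bin/sh
# Added audit example (not part of the original repository): compares what each
# macOS tool reports against the value the hardening list above expects.
# Run it with sudo on macOS; firmwarepasswd and sshd -T need root.

# One control per line: label | command to run | extended regex a line of its output must match
CHECKS='
SIP enabled|csrutil status|status: enabled
Gatekeeper enabled|spctl --status|^assessments enabled
Application firewall on|/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate|State = 1
Firmware password set|firmwarepasswd -check|Password Enabled: Yes
User list hidden at login|defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME|^1$
Console login disabled|defaults read /Library/Preferences/com.apple.loginwindow DisableConsoleAccess|^1$
Password hints off|defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint|^0$
Bluetooth off|defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState|^0$
SSH root login denied|sshd -T|^permitrootlogin no$
SSH ClientAliveCountMax 4|sshd -T|^clientalivecountmax 4$
'

# evaluate_check OUTPUT REGEX: succeeds when some line of OUTPUT matches REGEX.
# Separated from command execution so it can be exercised on captured output.
evaluate_check() {
  printf '%s\n' "$1" | grep -Eq "$2"
}

# live_exec: default executor, runs the command words as given.
live_exec() { "$@"; }

# run_audit [EXECUTOR]: prints PASS/FAIL per control and returns the failure count.
# EXECUTOR receives the command words; it defaults to live_exec (swap in a stub to test offline).
run_audit() {
  executor=${1:-live_exec}
  failures=0
  while IFS='|' read -r label cmd regex; do
    [ -n "$label" ] || continue
    # A missing tool or an unset defaults key yields no output and therefore fails.
    output=$("$executor" $cmd 2>/dev/null) || output=""
    if evaluate_check "$output" "$regex"; then
      printf 'PASS  %s\n' "$label"
    else
      printf 'FAIL  %s  (expected /%s/)\n' "$label" "$regex"
      failures=$((failures + 1))
    fi
  done <<EOF
$CHECKS
EOF
  return "$failures"
}
```

Invoke it as `sudo sh audit_subset.sh` on the Mac and add rows in the same shape for the remaining controls; the exit status is the number of failed checks.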