.macos_hardening

#!/usr/bin/env bash
#
# MacOs Hardening:
#
#  - Ensure FileVault is enabled
#  - Ensure firmware password is enabled
#  - Enforce Firewall settings
#  - Manage my Network locations:
#    * Automatic: follow DHCP instructions
#    * Public Network: Local DNS resolver + Tor
#    * Office: Local DNS resolver
#    * Home: follow DHCP instructions
#
# https://github.com/drduh/macOS-Security-and-Privacy-Guide

set -o errexit
set -o pipefail
set -o nounset

CURRENT_NETWORK_LOCATION="$(networksetup -getcurrentlocation)"

export CURRENT_NETWORK_LOCATION

function _clean() {
  sudo networksetup -switchtolocation "$CURRENT_NETWORK_LOCATION"
  sudo networksetup -setairportpower en0 on
  sudo networksetup -deletelocation 'tmp' || true
}

while true; do sudo -n true; sleep 60; kill -0 $$ || exit; done 2>/dev/null &

# Check FileVault status
if ! fdesetup status | grep -q 'FileVault is On.'; then
  # shellcheck disable=SC1003
  1>&2 echo '/!\ FileVault is not enabled /!\'
  exit 1
fi

# Check firmware password
if ! sudo firmwarepasswd -check | grep -q 'Password Enabled: Yes'; then
  # shellcheck disable=SC1003
  1>&2 echo '/!\ firmware password is not set /!\'
  exit 1
fi

# Enable the firewall
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

# Enable logging
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

# Enable stealth mode
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

# Prevent built-in software as well as code-signed, downloaded software from
# being whitelisted automatically
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off

# Configure the firewall to block all incoming traffic
/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

sudo pkill -HUP socketfilterfw

# Captive portal
sudo defaults write \
  /Library/Preferences/SystemConfiguration/com.apple.captive.control Active \
  -bool false

# You may wish to enforce hibernation and evict FileVault keys from memory
# instead of traditional sleep to memory
sudo pmset -a destroyfvkeyonstandby 1
sudo pmset -a hibernatemode 25

# Shutdown Wi-Fi
sudo networksetup -setairportpower airport off

trap _clean INT TERM EXIT

# Create a tmp location, before generate 'Automatic' location
sudo networksetup -createlocation 'tmp' populate \
 || sudo networksetup -switchtolocation 'tmp'

# Automatic
sudo networksetup -deletelocation 'Automatic' || true
sudo networksetup -createlocation 'Automatic' populate
sudo networksetup -switchtolocation 'Automatic'

# Public Network
sudo networksetup -deletelocation 'Public Network' || true
sudo networksetup -createlocation 'Public Network' populate
sudo networksetup -switchtolocation 'Public Network'
sudo networksetup -setdnsservers Wi-Fi 127.0.0.1
sudo networksetup -setproxybypassdomains Wi-Fi 'localhost' '127.0.0.0/8' '172.16.0.0/12' '192.168.0.0/16' '169.254/16' '*.local' '*.home' '*.netflix.com' '*.youtube.com'
sudo networksetup -setsocksfirewallproxy Wi-Fi 127.0.0.1 9050
sudo networksetup -setsocksfirewallproxystate Wi-Fi on
sudo networksetup -setsearchdomains Wi-Fi Empty

# Office
sudo networksetup -deletelocation 'Office' || true
sudo networksetup -createlocation 'Office' populate
sudo networksetup -switchtolocation 'Office'
sudo networksetup -setdnsservers Wi-Fi 127.0.0.1
sudo networksetup -setsocksfirewallproxystate Wi-Fi off
sudo networksetup -setsearchdomains Wi-Fi Empty

# Home
sudo networksetup -deletelocation 'Home' || true
sudo networksetup -createlocation 'Home' populate
sudo networksetup -switchtolocation 'Home'
sudo networksetup -setdnsservers Wi-Fi Empty
sudo networksetup -setsocksfirewallproxy Wi-Fi Empty
sudo networksetup -setsocksfirewallproxystate Wi-Fi off
sudo networksetup -setsearchdomains Wi-Fi Empty