#!/usr/bin/env bash # # MacOs Hardening: # # - Ensure FileVault is enabled # - Ensure firmware password is enabled # - Enforce Firewall settings # - Manage my Network locations: # * Automatic: follow DHCP instructions # * Public Network: Local DNS resolver + Tor # * Office: Local DNS resolver # * Home: follow DHCP instructions # # https://github.com/drduh/macOS-Security-and-Privacy-Guide set -o errexit set -o pipefail set -o nounset CURRENT_NETWORK_LOCATION="$(networksetup -getcurrentlocation)" export CURRENT_NETWORK_LOCATION function _clean() { sudo networksetup -switchtolocation "$CURRENT_NETWORK_LOCATION" sudo networksetup -setairportpower en0 on sudo networksetup -deletelocation 'tmp' || true } while true; do sudo -n true; sleep 60; kill -0 $$ || exit; done 2>/dev/null & # Check FileVault status if ! fdesetup status | grep -q 'FileVault is On.'; then # shellcheck disable=SC1003 1>&2 echo '/!\ FileVault is not enabled /!\' exit 1 fi # Check firmware password if ! sudo firmwarepasswd -check | grep -q 'Password Enabled: Yes'; then # shellcheck disable=SC1003 1>&2 echo '/!\ firmware password is not set /!\' exit 1 fi # Enable the firewall /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on # Enable logging /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on # Enable stealth mode /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on # Prevent built-in software as well as code-signed, downloaded software from # being whitelisted automatically /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off # Configure the firewall to block all incoming traffic /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on sudo pkill -HUP socketfilterfw # Captive portal sudo defaults write \ /Library/Preferences/SystemConfiguration/com.apple.captive.control Active \ -bool false # You may wish to enforce hibernation and evict FileVault keys from memory # instead of traditional sleep to memory sudo pmset -a destroyfvkeyonstandby 1 sudo pmset -a hibernatemode 25 # Shutdown Wi-Fi sudo networksetup -setairportpower airport off trap _clean INT TERM EXIT # Create a tmp location, before generate 'Automatic' location sudo networksetup -createlocation 'tmp' populate \ || sudo networksetup -switchtolocation 'tmp' # Automatic sudo networksetup -deletelocation 'Automatic' || true sudo networksetup -createlocation 'Automatic' populate sudo networksetup -switchtolocation 'Automatic' # Public Network sudo networksetup -deletelocation 'Public Network' || true sudo networksetup -createlocation 'Public Network' populate sudo networksetup -switchtolocation 'Public Network' sudo networksetup -setdnsservers Wi-Fi 127.0.0.1 sudo networksetup -setproxybypassdomains Wi-Fi 'localhost' '127.0.0.0/8' '172.16.0.0/12' '192.168.0.0/16' '169.254/16' '*.local' '*.home' '*.netflix.com' '*.youtube.com' sudo networksetup -setsocksfirewallproxy Wi-Fi 127.0.0.1 9050 sudo networksetup -setsocksfirewallproxystate Wi-Fi on sudo networksetup -setsearchdomains Wi-Fi Empty # Office sudo networksetup -deletelocation 'Office' || true sudo networksetup -createlocation 'Office' populate sudo networksetup -switchtolocation 'Office' sudo networksetup -setdnsservers Wi-Fi 127.0.0.1 sudo networksetup -setsocksfirewallproxystate Wi-Fi off sudo networksetup -setsearchdomains Wi-Fi Empty # Home sudo networksetup -deletelocation 'Home' || true sudo networksetup -createlocation 'Home' populate sudo networksetup -switchtolocation 'Home' sudo networksetup -setdnsservers Wi-Fi Empty sudo networksetup -setsocksfirewallproxy Wi-Fi Empty sudo networksetup -setsocksfirewallproxystate Wi-Fi off sudo networksetup -setsearchdomains Wi-Fi Empty