From 5b891b9a689d533749d58b8c6f8bb2d33065a33d Mon Sep 17 00:00:00 2001 From: Matthew Riley Date: Mon, 15 May 2017 11:35:41 -0600 Subject: [PATCH 001/476] Add 10.12.5 Hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index a5f8b636..08c83b3d 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -16,3 +16,4 @@ Version,Build,SHA-256,SHA-1 10.12.2,16C68,6e8ccda1849bb49b1acf75f455019fe327adb47c676dbff018ea811c2456dcce,94f9e8f7ae2540dee6fe3465f60fc037e2547d16 10.12.3,16D32,75a288fe6efc0591f757baf08305270f1b843b54cfb66fe6b257049400a0d6e9,77d354ec06df0d0acc37c105ae524ba96948142b 10.12.4,16E195,30319aeae18c3277919c59fe678201553f5a11022d6966b67a43422996391181,30b9245f7c7608c40bbdf4d4a74f3ab84dbac716 +10.12.5,16F73,dae2d71921a737d41df8f00379b7c04653bd35ed8db0f38313f8d86eb7f39f88,51df126965433187403987c9d74d95c26cba9266 From edb6c6c7783a331891619024c4564c5b5e102067 Mon Sep 17 00:00:00 2001 From: tetov Date: Wed, 24 May 2017 00:58:54 +0200 Subject: [PATCH 002/476] Changes to reflect gnupg 2.1.x 1. brew install gnupg is enough to install latest. 2. keyserver option 'ca-cert-file' is obsolete (see https://github.com/riseupnet/riseup_help/issues/294 for more details) 3. keyserver-option debug and keyserver-options verbose are deprecated 4. Also removed duplicate line --- README.md | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/README.md b/README.md index fa40433b..50312b02 100755 --- a/README.md +++ b/README.md 
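Review bot: The new 10.12.5 (16F73) row carries no provenance: neither the commit message nor the hunk says where the InstallESD.dmg came from or how the digests were produced, so a reader has no way to reproduce the values rather than trust the row. Add that to the commit message, for example that the image was taken from an App Store download of Install macOS Sierra.app and hashed with `shasum -a 256 Contents/SharedSupport/InstallESD.dmg`, and ideally cross-check the value against a second, independently downloaded copy.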
@@ -1060,7 +1060,7 @@ PGP is a standard for encrypting email end to end. That means only the chosen re **GPG** is used to verify signatures of software you download and install, as well as [symmetrically](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) or [asymmetrically](https://en.wikipedia.org/wiki/Public-key_cryptography) encrypt files and text. -Install from Homebrew with `brew install gnupg2`. +Install from Homebrew with `brew install gnupg`. If you prefer a graphical application, download and install [GPG Suite](https://gpgtools.org/). @@ -1070,10 +1070,6 @@ Here are several [recommended options](https://github.com/drduh/config/blob/mast auto-key-locate keyserver keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options no-honor-keyserver-url -keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem -keyserver-options no-honor-keyserver-url -keyserver-options debug -keyserver-options verbose personal-cipher-preferences AES256 AES192 AES CAST5 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed @@ -1089,13 +1085,6 @@ list-options show-uid-validity verify-options show-uid-validity with-fingerprint ``` - -Install the keyservers [CA certificate](https://sks-keyservers.net/verify_tls.php): - - $ curl -O https://sks-keyservers.net/sks-keyservers.netCA.pem - - $ sudo mv sks-keyservers.netCA.pem /etc - These settings will configure GnuPG to use SSL when fetching new keys and prefer strong cryptographic primitives. See also [ioerror/duraconf/configs/gnupg/gpg.conf](https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf). You should also take some time to read [OpenPGP Best Practices](https://help.riseup.net/en/security/message-security/openpgp/best-practices). From f2bf6d063b00ab1343597dd761ed438cced81dbc Mon Sep 17 00:00:00 2001 
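Review bot: Removing `keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem` together with the `curl -O` / `sudo mv` install steps drops the pinning of the SKS pool CA without naming the GnuPG 2.1 replacement. In 2.1 keyserver traffic goes through dirmngr, so the equivalent is `hkp-cacert /etc/sks-keyservers.netCA.pem` in `~/.gnupg/dirmngr.conf`; keep the CA download steps and point them at that option instead of deleting them, otherwise the `hkps://` keyserver line below is validated only against whatever the system trust store accepts. The unchanged sentence "These settings will configure GnuPG to use SSL when fetching new keys" should also say TLS, and since the install line now reads `brew install gnupg`, a note that `gnupg2` is the old formula name would help readers who already have it installed.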
From: juanjonol Date: Thu, 27 Jul 2017 14:08:50 +0200 Subject: [PATCH 003/476] Added 10.12.6 hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 08c83b3d..dc5b62f5 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -17,3 +17,4 @@ Version,Build,SHA-256,SHA-1 10.12.3,16D32,75a288fe6efc0591f757baf08305270f1b843b54cfb66fe6b257049400a0d6e9,77d354ec06df0d0acc37c105ae524ba96948142b 10.12.4,16E195,30319aeae18c3277919c59fe678201553f5a11022d6966b67a43422996391181,30b9245f7c7608c40bbdf4d4a74f3ab84dbac716 10.12.5,16F73,dae2d71921a737d41df8f00379b7c04653bd35ed8db0f38313f8d86eb7f39f88,51df126965433187403987c9d74d95c26cba9266 +10.12.6,16G29,d93efaaaa9d029b52ac1985043fabf0e6c8d5015841e7338f96ed9e162538b2c,b53c36706eef6e0e15c1f76ef51d1b552705fc75 From 10c266e0f54682b3f68d3a352972f12137c45b11 Mon Sep 17 00:00:00 2001 From: Mark Wadham Date: Thu, 17 Aug 2017 09:06:28 +0100 Subject: [PATCH 004/476] added a mention of CylancePROTECT as the exploit mitigation features are pretty cool. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 50312b02..3f13897b 100755 --- a/README.md +++ b/README.md 
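Review bot: Same provenance gap as the 10.12.5 row: the commit message should say how the 16G29 image was obtained and hashed. Separately, the CSV header keeps a `SHA-1` column beside `SHA-256`; the README should tell readers to compare only the SHA-256 value, since SHA-1 is collision-broken and a matching SHA-1 adds no assurance beyond the SHA-256 match.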
@@ -1266,6 +1266,8 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sop Therefore, the best anti-virus is **Common Sense 2017**. See more discussion in [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44). +CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on MacOS is questionable. + Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). Have a look at [The Safe Mac](http://www.thesafemac.com/) for past and current Mac security news. From 597e8c3978babdd5f0f8adc6fe92a7c44b3f86d1 Mon Sep 17 00:00:00 2001 From: Peter Ansell Date: Fri, 18 Aug 2017 11:48:18 +1000 Subject: [PATCH 005/476] Remove defunct Little Flocker reference Little Flocker went away when its author joined Apple and sold Little Flocker off to F-Secure where it is undergoing redesign, but not useful for this guide at this point. https://www.imore.com/little-flocker-getting-dumbed-down-good-all-mac-users --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 50312b02..e6801bca 100755 --- a/README.md +++ b/README.md 
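Review bot: The added sentence asserts that CylancePROTECT "is much harder to locally bypass than traditional AV" with no source, directly after the paragraph that cites Sophail to argue AV increases attack surface; either cite a reference or soften it to a vendor claim. Grammar: "it's effectiveness" should be "its effectiveness", and "MacOS" should be "macOS" to match the rest of the README.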
@@ -1258,7 +1258,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -You could periodically run a tool like [Knock Knock](https://github.com/synack/knockknock) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) first, however. Using an application such as [Little Flocker](https://www.littleflocker.com/) can also protect parts of the filesystem from unauthorized writes similar to how Little Snitch protects the network (note, however, the software is still in beta and should be [used with caution](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128)). +You could periodically run a tool like [Knock Knock](https://github.com/synack/knockknock) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) first, however. **Anti-virus** programs are a double-edged sword -- not useful for **advanced** users and will likely increase attack surface against sophisticated threats, however possibly useful for catching "garden variety" malware on **novice** users' Macs. 
There is also the additional processing overhead to consider. From f2ccf95d2ca270f7c4cbb7625ba850d33db499f7 Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 25 Aug 2017 10:57:31 -0700 Subject: [PATCH 006/476] Fix #230 --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e6801bca..2c196f3a 100755 --- a/README.md +++ b/README.md @@ -387,7 +387,7 @@ FileVault encryption protects data at rest and hardens (but [not always prevents With much of the cryptographic operations happening [efficiently in hardware](https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/), the performance penalty for FileVault is not noticeable. -The security of FileVault greatly depends on the pseudo random number generator (PRNG). +Like all cryptosystems, the security of FileVault greatly depends on the quality of the pseudo random number generator (PRNG). > The random device implements the Yarrow pseudo random number generator algorithm and maintains its entropy pool. Additional entropy is fed to the generator regularly by the SecurityServer daemon from random jitter measurements of the kernel. 
@@ -395,7 +395,9 @@ The security of FileVault greatly depends on the pseudo random number generator See `man 4 random` for more information. -The PRNG can be manually seeded with entropy by writing to /dev/random **before** enabling FileVault. This can be done by simply using the Mac for a little while before activating FileVault. +Turning on FileVault in System Preferences **after** installing macOS, rather than creating an encrypted partition for the installation first, is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/230), because more PRNG entropy is available then. + +Additionally, the PRNG can be manually seeded with entropy by writing to /dev/random **before** enabling FileVault. This can be done by simply using the Mac for a little while before activating FileVault. To manually seed entropy *before* enabling FileVault: From 8895d4f5817fb34f3d0c1f09362f844e603fed3c Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 25 Aug 2017 11:05:55 -0700 Subject: [PATCH 007/476] Mention proxy not universal. Fix #233 --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2c196f3a..0171d35a 100755 --- a/README.md +++ b/README.md 
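Review bot: The two added sentences conflict: the first says the PRNG "can be manually seeded with entropy by writing to /dev/random", the second that "This can be done by simply using the Mac for a little while", which does not write to /dev/random at all; per the quoted `man 4 random` text, ordinary use feeds the pool through the SecurityServer daemon. Split them: normal use lets the daemon accumulate entropy, and explicit seeding is the write shown in the "To manually seed entropy" steps that follow. The new claim that enabling FileVault after installation is "more secure ... because more PRNG entropy is available then" rests only on the issue link; say what is drawn from the PRNG at that moment (the volume's encryption key) so readers can judge the argument rather than follow it on trust.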
@@ -915,7 +915,9 @@ ipv4 Consider using [Privoxy](http://www.privoxy.org/) as a local proxy to filter Web browsing traffic. -A signed installation package for privoxy can be downloaded from [silvester.org.uk](http://silvester.org.uk/privoxy/OSX/) or [Sourceforge](http://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. +**Note** macOS proxy settings are not universal; apps and services may or may not honor system proxy settings. Ensure the app you wish to proxy is correctly configured and manually verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. + +A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/OSX/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. Alternatively, install and start privoxy using Homebrew: 
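Review bot: "manually verify connections don't leak" gives the reader nothing to run. Suggest one concrete check, e.g. with privoxy listening, `sudo lsof -i TCP:80 -i TCP:443 -nP` while browsing should show outbound port 80/443 connections owned only by the `privoxy` process, and a `sudo tcpdump -i en0 'tcp port 80 or tcp port 443'` capture should show no flows that bypass it. The closing sentence ("it may be possible to configure the *pf* firewall to transparently proxy all traffic") is left as a possibility without a rule or reference; either point to the pf section of the guide or drop it, since readers will otherwise assume the system proxy setting is comprehensive.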
@@ -925,11 +927,11 @@ Alternatively, install and start privoxy using Homebrew: By default, privoxy listens on local TCP port 8118. -Set the system **http** proxy for your active network interface `127.0.0.1` and `8118` (This can be done through **System Preferences > Network > Advanced > Proxies**): +Set the system **HTTP** proxy for your active network interface `127.0.0.1` and `8118` (This can be done through **System Preferences > Network > Advanced > Proxies**): $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118 -**(Optional)** Set the system **https** proxy, which still allows for domain name filtering, with: +**(Optional)** Set the system **HTTPS** proxy, which still allows for domain name filtering, with: $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118 From 8a1ddd23dc3d1d061cee9957d3c908986300c4cd Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 25 Aug 2017 17:55:03 -0700 Subject: [PATCH 008/476] Use spctl/pkgutil to verify signatures. Fix #235. --- README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 48 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 0171d35a..d3c0d267 100755 --- a/README.md +++ b/README.md 
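Review bot: The casing fix is fine, but the HTTPS line still says the proxy "still allows for domain name filtering" without saying why only domain-level filtering works: privoxy sees HTTPS traffic only as a `CONNECT host:port` request, so URL-path and content rules cannot apply. One clause here would stop readers expecting ad replacement or content filtering on HTTPS pages.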
@@ -131,7 +131,25 @@ The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us Another way is to download **macOS Sierra** from the [App Store](https://itunes.apple.com/us/app/macos-sierra/id1127487414) or some other place and create a custom, installable system image. -The macOS Sierra installer application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `codesign` command: +The macOS Sierra installer application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `spctl -a -v` or `pkgutil --check-signature` commands: + +``` +$ pkgutil --check-signature /Applications/Install\ macOS\ Sierra.app +Package "Install macOS Sierra.app": + Status: signed by a certificate trusted by Mac OS X + Certificate Chain: + 1. Apple Mac OS Application Signing + SHA1 fingerprint: B9 3B DA AA F1 A8 84 6B 34 BA 32 33 26 35 CB 2B 84 85 3D A8 + ----------------------------------------------------------------------------- + 2. Apple Worldwide Developer Relations Certification Authority + SHA1 fingerprint: FF 67 97 79 3A 3C D7 98 DC 5B 2A BE F5 6F 73 ED C9 F8 3A 64 + ----------------------------------------------------------------------------- + 3. Apple Root CA + SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60 + +``` + +You may also use the `codesign` command to examine an application's code signature: ``` $ codesign -dvv /Applications/Install\ macOS\ Sierra.app 
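Review bot: Both commands shown only display signature information; `pkgutil --check-signature` prints the chain and the retained `codesign -dvv` describes the signature, but nothing in the hunk checks the bundle's integrity. Add `codesign --verify --deep --strict --verbose=2 "/Applications/Install macOS Sierra.app"` (exit status 0 on success) and show the `spctl -a -vv` output the sentence names but does not include, since that is the Gatekeeper assessment. Also say what the fingerprints must be compared against: the Apple Root CA SHA-1 (`61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60`) is published on Apple's certificate authority page; a reader matching against the output pasted here is only confirming the author's run.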
@@ -1174,27 +1192,49 @@ $ hdiutil mount TorBrowser-6.0.5-osx64_en-US.dmg $ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications ``` -It is also possible to verify the Tor application's code signature was made by with The Tor Project's Apple developer ID **MADPSAYN6T**: +Verify the Tor application's code signature was made by with The Tor Project's Apple developer ID **MADPSAYN6T**, using the `spctl -a -v` and/or `pkgutil --check-signature` commands: + +``` +$ spctl -a -vv /Applications/TorBrowser.app +/Applications/TorBrowser.app: accepted +source=Developer ID +origin=Developer ID Application: The Tor Project, Inc (MADPSAYN6T) + +$ pkgutil --check-signature /Applications/TorBrowser.app +Package "TorBrowser.app": + Status: signed by a certificate trusted by Mac OS X + Certificate Chain: + 1. Developer ID Application: The Tor Project, Inc (MADPSAYN6T) + SHA1 fingerprint: 95 80 54 F1 54 66 F3 9C C2 D8 27 7A 29 21 D9 61 11 93 B3 E8 + ----------------------------------------------------------------------------- + 2. Developer ID Certification Authority + SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86 + ----------------------------------------------------------------------------- + 3. 
Apple Root CA + SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60 +``` + +You may also use the `codesign` command to examine an application's code signature: ``` $ codesign -dvv /Applications/TorBrowser.app Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox -Identifier=org.mozilla.tor browser +Identifier=org.torproject.torbrowser Format=app bundle with Mach-O thin (x86_64) -CodeDirectory v=20200 size=247 flags=0x0(none) hashes=5+3 location=embedded +CodeDirectory v=20200 size=249 flags=0x0(none) hashes=5+3 location=embedded Library validation warning=OS X SDK version before 10.9 does not support Library Validation Signature size=4247 Authority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T) Authority=Developer ID Certification Authority Authority=Apple Root CA -Signed Time=Nov 30, 2016, 10:40:34 AM -Info.plist entries=21 +Signed Time=Aug 7, 2017, 1:43:17 AM +Info.plist entries=22 TeamIdentifier=MADPSAYN6T Sealed Resources version=2 rules=12 files=130 -Internal requirements count=1 size=184 +Internal requirements count=1 size=188 ``` -To view certificate details, extract it with `codesign` and decode it with `openssl`: +To view full certificate details, extract them with `codesign` and decode it with `openssl`: ``` $ codesign -d --extract-certificates /Applications/TorBrowser.app From ba88e455ca3fa4b6fa9106f5499a31960b6bef1d Mon Sep 17 00:00:00 2001 From: Mark Wadham Date: Sat, 26 Aug 2017 11:36:44 +0100 Subject: [PATCH 009/476] updated Cylance description with a link to their whitepaper, a better description of the memory protection features and links to two resellers who offer single licenses. --- README.md | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3f13897b..f2c38125 100755 --- a/README.md +++ b/README.md 
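Review bot: "was made by with The Tor Project's Apple developer ID" should be "was made with". As with the Sierra installer hunk above, `codesign -dvv` only describes the signature; a `codesign --verify --deep --strict` step belongs next to it. The refreshed `Signed Time=Aug 7, 2017`, `Identifier=org.torproject.torbrowser` and `size=` values will drift with every Tor Browser release; note that only the `Authority=` and `TeamIdentifier=MADPSAYN6T` lines are stable and worth comparing, so readers do not treat a different timestamp as a failed check.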
@@ -1266,7 +1266,32 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sop Therefore, the best anti-virus is **Common Sense 2017**. See more discussion in [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44). -CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on MacOS is questionable. +CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on MacOS is questionable. It's core feature is an algorithm derived from a machine-learning process which aims to identify malware based on various characteristics of a binary executable. Cylance have a [whitepaper](https://www.cylance.com/content/dam/cylance/pdfs/data_sheets/CylancePROTECT.pdf) with information about how it works. Single licenses are available from third party resellers such as [Cyberforce](https://cybrforce.com) or [Malware Managed](https://www.malwaremanaged.com). On MacOS it complements Apple's built-in XProtect by continuously vmmap'ing the memory of active processes to watch for patterns that indicate bad things happening. 
At the time of writing it is able to detect and block the following list of events, all of which can be controlled via the Cylance console: + +Exploitation: + + - Stack pivot + - Stack protect + - Overwrite code + - RAM scraping + - Malicious payload + +Process injection: + + - Remote allocation of memory + - Remote mapping of memory + - Remote write to memory + - Remote write PE to memory + - Remote overwrite code + - Remote unmap of memory + - Remote thread creation + - Remote APC scheduled + - DYLD injection (MacOS only) + +Escalation: + + - LSASS read + - Zero allocate Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). From 9fbcea5739e1a95ffbc6b302f67342ecad246463 Mon Sep 17 00:00:00 2001 From: or3stis Date: Sat, 26 Aug 2017 11:48:41 +0100 Subject: [PATCH 010/476] update web browser section --- README.md | 90 ++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 76 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index d3c0d267..425f2cc8 100755 --- a/README.md +++ b/README.md @@ -816,7 +816,7 @@ This can also be done using Homebrew, by installing `gnu-sed` and using the `gse By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. This can be fixed by changing the resolvers file in `homebrew.mxcl.dnscrypt-proxy.plist` (found earlier using find) to the symlinked version in `/usr/local/share`: --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv - + Below the line: /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy 
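Review bot: The event list is taken from a cross-platform product description and includes Windows-only items in a macOS guide: "LSASS read" (there is no LSASS on macOS) and "Remote write PE to memory" (PE is the Windows executable format), while only "DYLD injection" is marked "(MacOS only)". Trim the list to what the product supports on macOS or label each entry. "continuously vmmap'ing the memory of active processes" describes a mechanism without support (vmmap is a diagnostic CLI tool); cite the linked whitepaper for it or drop it. Grammar: "It's core feature" should be "Its core feature", and "MacOS" should be "macOS". The reseller links are marketing and do not belong in the guide.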
@@ -1028,19 +1028,34 @@ Content-Type: text/html; charset=utf-8 You can replace ad images with pictures of kittens, for example, by starting the a local Web server and [redirecting blocked requests](https://www.privoxy.org/user-manual/actions-file.html#SET-IMAGE-BLOCKER) to localhost. -### Browser +### Browser### Browser -The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. +The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. This is an important statement. The unique use of Web Browsers has forced them to adopt certain impressive security features. The cornerstone of Web Browser security is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)). In a few words, SOP prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). The best tip to ensure secure browsing regardless your choice of Web Browser is proper security hygiene. The majority of Web Browser exploits require social engineering attacks to achieve native code execution. Always be mindful of the links you click and be extra careful when websites ask you to download and install external software. 99% percent of the time that software is malware. -Use [Google Chrome](https://www.google.com/chrome/browser/desktop/) for most of your browsing. It offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [good sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](http://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). +Another important consideration about Web Browser security is Web Extensions. 
Web Extensions greatly increase the attack surface of the Web Browser. This is an issue that plagues Firefox and [Chrome](https://encrypted.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwitnsiktvTVAhWpAsAKHUa1B3EQFggyMAI&url=https:%2F%2Fcourses.csail.mit.edu%2F6.857%2F2016%2Ffiles%2F24.pdf&usg=AFQjCNHZLw9aoHFwPTt020U56MLjRhNMlQ) alike. Luckily, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their behavior and remove them if they request access to information they shouldn't (why would an Ad blocker require camera access?). In the interest of security, it is best to limit your use of Web Extensions. -Chrome also comes with a great [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). +[Google Chrome](https://www.google.com/chrome/browser/desktop/) , [Firefox](https://www.mozilla.org/en-US/firefox/new/) and [Safari](https://www.apple.com/safari/) are the Web Browsers that are being covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice before committing to one. -If you don't want to use Chrome, [Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well. Or simply use both. See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90). +#### Chrome -If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox) for recommended privacy preferences. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking. +[Google Chrome](https://www.google.com/chrome/browser/desktop/) is based on the Open Source [Chromium project](http://www.chromium.org/Home) with certain proprietary components. 
The proprietary components are the [following](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): + 1. Automatic updates through the GoogleSoftwareUpdateDaemon. + 1. Usage tracking and crash reporting, which can be disabled through Chrome's settings. + 1. Chrome Web Store + 1. Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. Google also uses the RLZ identifier to track a user while performing Google searches using the address bar. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. Chrome downloaded from Google’s website doesn’t have the RLZ identifier. The source code to decode the strings is made open by Google. + 1. Adobe Flash Plugin. Google Chrome supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome. + 1. Media Codec support. Adds support for proprietary codecs. + 1. Chrome's [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). + +Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](http://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. 
+ +Chrome offers account sync between multiple devices. Part of the sync data that are saved website logins. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your password security. + +Chrome's Web store for extensions requires a [$5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality open source Web Extensions that do not aim to monetize through usage. -Create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience. +Chrome has the largest share of global usage and is the preferred platform for the majority of developers. Major technologies are based on Chrome's open source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors. Despite under constants attacks, Chrome has retained an impressive security posture that Chrome has retained over the years. This is not a small feat. + +To improve your privacy and security posture, create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience. * One profile **without cookies or Javascript** enabled (e.g., turned off in `chrome://settings/content`) which should be the preferred profile to visiting untrusted Web sites. 
However, many pages will not load at all without Javascript enabled. 
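Review bot: The heading line is broken: `+### Browser### Browser` duplicates the heading text and will render as one mangled header; it should read `### Browser`. Further down, "Despite under constants attacks, Chrome has retained an impressive security posture that Chrome has retained over the years" repeats itself; "Despite constant attacks, Chrome has retained an impressive security posture over the years" is enough. The Project Zero link (`googleprojectzero.blogspot.com`) lacks a scheme and will render as a relative link, and the Chrome extensions citation goes through an `encrypted.google.com/url?...` redirect rather than the MIT course PDF it resolves to. "99% percent of the time that software is malware" is an invented statistic; drop the number. The RLZ item calls the tracking "Non-optional" and then says "Chrome downloaded from Google's website doesn't have the RLZ identifier"; reconcile those two statements.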
@@ -1048,23 +1063,70 @@ Create at least three profiles, one for browsing **trusted** Web sites (email, b * One or more profile(s) for secure and trusted browsing needs, such as banking and email only. -The idea is to separate and compartmentalize data, so that an exploit or privacy violation in one "session" does not necessarily affect data in another. +The idea is to separate and compartmentalize data so that an exploit or privacy violation in one "session" does not necessarily affect data in another. In each profile, visit `chrome://plugins/` and disable **Adobe Flash Player**. If you must use Flash, visit `chrome://settings/contents` to enable **Let me choose when to run plugin content**, under the Plugins section (also known as *click-to-play*). +[Incognito](https://support.google.com/chrome/answer/7440301) mode in Chrome, by default, disables extensions, since extensions such as Ad blocker have access to Chrome's network requests. Moreover, while in Incognito mode, Chrome does not use data from previous sessions. Incognito mode is another option if you want to access sensitive information without setting up separate profiles. + Take some time to read through [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy). -For example you may wish to disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). +For example, you may wish to disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). 
-Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). This can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). +It is best to remember that Google is an advertising company and its major source of revenue is [AdSense](https://www.google.com/adsense/start/#/?modal_active=none). It makes perfect sense that an advertising company would leverage its services to maximize its profit. That means that using [Google services](https://www.google.com/services/#?modal_active=none) will store certain personal information. Google is quite open on the data it stores and how they are being used. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy?pli=1). -Many Chromium-derived browsers are not recommended. They are usually [closed source](http://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](http://thesimplecomputer.info/the-private-life-of-chromium-browsers). +#### Firefox + +[Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). 
Rust is a systems programming with a focus on security and thread safety. It is expected that Rust usage will greatly improve the overall security posture of Firefox. + +Firefox offers a similar security model to Chrome. It offers +[bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle same as Chrome. + +See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. + +If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox) for recommended privacy preferences. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking. + +Firefox is focussed on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) during Private browsing by default. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers). Containers let you create profiles in Firefox for different activities, such as online shopping, travel planning, or checking work email. Containers store cookies separately, you can log into the same site with a different account in each Container, and online trackers can’t connect your browsing in one container to another. + +Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. 
Currently, Firefox only supports Web Extension through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. + +Submission of Web Extensions is Firefox is free. -Safari is not recommended. The code is a mess and [security](https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/) [vulnerabilities](https://vimeo.com/144872861) are frequent, and slower to patch (see [discussion on Hacker News](https://news.ycombinator.com/item?id=10150038)). Security does [not appear](https://discussions.apple.com/thread/5128209) to be a priority for Safari. If you do use it, at least [disable](https://thoughtsviewsopinions.wordpress.com/2013/04/26/how-to-stop-downloaded-files-opening-automatically/) the **Open "safe" files after downloading** option in Preferences, and be aware of other [privacy nuances](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/93). +An important security consideration about Firefox. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. + +#### Safari + +[Safari](https://www.apple.com/safari/) is the default Web Browser of macOs. It is also the best browser regarding battery performance. Safari, like Chrome, has both open source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOs ecosystem. 
WebKit is used by Apple apps such as Mail, iTunes, iBooks, and App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. + +Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period noninteraction by the user from the tracker's website. + +Safari offers a [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting, that offers substantial rewards to security researchers. + +Web Extensions in Safari have an additional option to use native code in the Web Browsers sandbox environment, in addition to Web Extension API. Web Extensions in Safari are also distributed through Apple's App store. Apple store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs $100. The high cost is prohibitive for the majority of open source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. On a side note, some Safari extensions are open source and freely available. Be extra grateful to those developers. + +Safari syncs user's preferences and stored logins through iCloud. 
Stored passwords are encrypted and in order to be viewed in plain text, a user must input the password of the current device. This means that users can sync data across devices with added security. + +Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable update release and issued automatically through the App store. The Safari channel that follows a six-week release cycle (same as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it the recommended option for instead of Safari. + +An excellent open source ad blocker for Safari that fully leverages Content blockers is [Ka-Block](http://kablock.com/). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. You can view the extension repository [here](https://github.com/dgraham/Ka-Block). + +#### Other Web Browsers + +Many Chromium-derived browsers are not recommended. They are usually [closed source](http://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](http://thesimplecomputer.info/the-private-life-of-chromium-browsers). Other miscellaneous browsers, such as [Brave](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use. 
-For more information about security conscious browsing, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). +#### Web Browsers and Privacy + +All Web Browsers retain certain information about our browsing habits. This is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browser offer predictions services to resolve typos and URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web Browser's settings panel. + +Since Web Browser executes untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator]() interface gives access to information about the Web Browsers user agent. Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). + +Disable third-party cookies from your Web Browser settings. + +A great step to improve privacy is to replace your default search engine to [duckduckgo](https://duckduckgo.com/), which is committed to user privacy. Moreover, it offers some unique features, such color Themes and direct site search through the use of [bangs](https://duckduckgo.com/bang). + +Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). 
This can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). ### Plugins From 2e4913ebde63bed027613eab4566a209844606f4 Mon Sep 17 00:00:00 2001 From: or3stis Date: Sat, 26 Aug 2017 11:50:30 +0100 Subject: [PATCH 011/476] wrong heading --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 425f2cc8..0f837294 100755 --- a/README.md +++ b/README.md @@ -1028,7 +1028,7 @@ Content-Type: text/html; charset=utf-8 You can replace ad images with pictures of kittens, for example, by starting the a local Web server and [redirecting blocked requests](https://www.privoxy.org/user-manual/actions-file.html#SET-IMAGE-BLOCKER) to localhost. -### Browser### Browser +### Browser The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. This is an important statement. The unique use of Web Browsers has forced them to adopt certain impressive security features. The cornerstone of Web Browser security is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)). In a few words, SOP prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). The best tip to ensure secure browsing regardless your choice of Web Browser is proper security hygiene. The majority of Web Browser exploits require social engineering attacks to achieve native code execution. Always be mindful of the links you click and be extra careful when websites ask you to download and install external software. 99% percent of the time that software is malware. From d5a2a03ce6e96c7881642a1266f36fb73ea6f6ba Mon Sep 17 00:00:00 2001 
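Review bot: the `@@ -1048,23 +1063,70 @@` hunk removes the old Safari paragraph together with the only concrete hardening step it carried, disabling **Open "safe" files after downloading** in Preferences (and the pointer to issue #93), and the new `#### Safari` section never restates it. Please carry that setting into the new section: it is what stops a downloaded archive or disk image from being opened automatically, and it matters more to a reader than the battery-life remark that replaced it. Two smaller things in the same hunk: `[Navigator]()` under `#### Web Browsers and Privacy` has an empty link target and will render as a bare word, and `Submission of Web Extensions is Firefox is free.` should read `in Firefox`.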
From: or3stis Date: Sat, 26 Aug 2017 11:55:45 +0100 Subject: [PATCH 012/476] change macOs -> macOS --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0f837294..04db0faa 100755 --- a/README.md +++ b/README.md 
@@ -1096,7 +1096,7 @@ An important security consideration about Firefox. Similar to Chrome and Safari, #### Safari -[Safari](https://www.apple.com/safari/) is the default Web Browser of macOs. It is also the best browser regarding battery performance. Safari, like Chrome, has both open source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOs ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. +[Safari](https://www.apple.com/safari/) is the default Web Browser of macOS. It is also the best browser regarding battery performance. Safari, like Chrome, has both open source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period noninteraction by the user from the tracker's website. From b638b695e61bea2cba9bf0b8057fca1a0dda1b2b Mon Sep 17 00:00:00 2001 
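Review bot: the `macOs` to `macOS` fix is fine, but the very next context line in this hunk still has two errors that belong in the same typo pass: `greatly improves memory user` should be `memory usage`, and `after a period noninteraction by the user` is missing `of` (`a period of noninteraction`).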
From: or3stis Date: Sat, 26 Aug 2017 12:04:57 +0100 Subject: [PATCH 013/476] clarify SOP statement --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 04db0faa..ab444dcd 100755 --- a/README.md +++ b/README.md 
@@ -1030,7 +1030,9 @@ You can replace ad images with pictures of kittens, for example, by starting the ### Browser -The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. This is an important statement. The unique use of Web Browsers has forced them to adopt certain impressive security features. The cornerstone of Web Browser security is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)). In a few words, SOP prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). The best tip to ensure secure browsing regardless your choice of Web Browser is proper security hygiene. The majority of Web Browser exploits require social engineering attacks to achieve native code execution. Always be mindful of the links you click and be extra careful when websites ask you to download and install external software. 99% percent of the time that software is malware. +The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. This is an important statement. The unique use case of Web Browsers of operation in hostile environments, has forced them to adopt certain impressive security features. The cornerstone of Web Browser security is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)). In a few words, SOP prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). If SOP is compromised, the security of the whole Web Browser is compromised. + +The best tip to ensure secure browsing regardless your choice of Web Browser is proper security hygiene. The majority of Web Browser exploits require social engineering attacks to achieve native code execution. 
Always be mindful of the links you click and be extra careful when websites ask you to download and install external software. 99% percent of the time that software is malware. Another important consideration about Web Browser security is Web Extensions. Web Extensions greatly increase the attack surface of the Web Browser. This is an issue that plagues Firefox and [Chrome](https://encrypted.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwitnsiktvTVAhWpAsAKHUa1B3EQFggyMAI&url=https:%2F%2Fcourses.csail.mit.edu%2F6.857%2F2016%2Ffiles%2F24.pdf&usg=AFQjCNHZLw9aoHFwPTt020U56MLjRhNMlQ) alike. Luckily, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their behavior and remove them if they request access to information they shouldn't (why would an Ad blocker require camera access?). In the interest of security, it is best to limit your use of Web Extensions. From e50db62f9b74d14cfcb20f11838b28b709f3ec81 Mon Sep 17 00:00:00 2001 From: or3stis Date: Sat, 26 Aug 2017 12:07:03 +0100 Subject: [PATCH 014/476] update table of contents --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ab444dcd..807627f3 100755 --- a/README.md +++ b/README.md @@ -36,6 +36,9 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Web](#web) - [Privoxy](#privoxy) - [Browser](#browser) + - [Google Chrome](#google-chrome) + - [Firefox](#firefox) + - [Safari](#safari) - [Plugins](#plugins) - [PGP/GPG](#pgpgpg) - [OTR](#otr) 
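Review bot: in the `@@ -1030,7 +1030,9 @@` hunk, the added sentence `If SOP is compromised, the security of the whole Web Browser is compromised.` overstates what the same-origin policy guards. A SOP bypass lets script from one origin read or act on another origin's data, which is serious, but it does not by itself yield the native code execution the following paragraph talks about; containing that is the job of the sandbox and process isolation. Suggest something like `If SOP is bypassed, every site's data is exposed to every other site, even though the sandbox still stands between the attacker and the operating system.` Also in this hunk: `The unique use case of Web Browsers of operation in hostile environments, has forced them` has a doubled `of` and a stray comma before `has`; and `99% percent of the time` is both redundant (`%` and `percent`) and unsourced, so either cite the figure or soften it to `that software is very often malware`.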
@@ -1038,7 +1041,7 @@ Another important consideration about Web Browser security is Web Extensions. We [Google Chrome](https://www.google.com/chrome/browser/desktop/) , [Firefox](https://www.mozilla.org/en-US/firefox/new/) and [Safari](https://www.apple.com/safari/) are the Web Browsers that are being covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice before committing to one. -#### Chrome +#### Google Chrome [Google Chrome](https://www.google.com/chrome/browser/desktop/) is based on the Open Source [Chromium project](http://www.chromium.org/Home) with certain proprietary components. The proprietary components are the [following](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): 1. Automatic updates through the GoogleSoftwareUpdateDaemon. From ee0f7dd2f5bf71b5bdf5335137161a2775b9f49e Mon Sep 17 00:00:00 2001 From: or3stis Date: Sat, 26 Aug 2017 12:09:15 +0100 Subject: [PATCH 015/476] update table of contents --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 807627f3..d99f8022 100755 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Google Chrome](#google-chrome) - [Firefox](#firefox) - [Safari](#safari) + - [Web Browsers and Privacy](#web-browsers-and-privacy) - [Plugins](#plugins) - [PGP/GPG](#pgpgpg) - [OTR](#otr) From faa75c09c50dc776dc986532751e0a08ef0fece8 Mon Sep 17 00:00:00 2001 From: or3stis Date: Sat, 26 Aug 2017 12:10:22 +0100 Subject: [PATCH 016/476] typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d99f8022..55fb0c4b 100755 --- a/README.md +++ b/README.md 
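Review bot: the `@@ -39,6 +39,7 @@` table-of-contents hunk still misses `#### Other Web Browsers`, which the `@@ -1048,23 +1063,70 @@` hunk added between `#### Safari` and `#### Web Browsers and Privacy`; add `- [Other Web Browsers](#other-web-browsers)` before the new `Web Browsers and Privacy` entry so the TOC matches the heading order in the body.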
@@ -1112,7 +1112,7 @@ Web Extensions in Safari have an additional option to use native code in the Web Safari syncs user's preferences and stored logins through iCloud. Stored passwords are encrypted and in order to be viewed in plain text, a user must input the password of the current device. This means that users can sync data across devices with added security. -Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable update release and issued automatically through the App store. The Safari channel that follows a six-week release cycle (same as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it the recommended option for instead of Safari. +Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable update release and issued automatically through the App store. The Safari channel that follows a six-week release cycle (same as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it the recommended option instead of Safari. An excellent open source ad blocker for Safari that fully leverages Content blockers is [Ka-Block](http://kablock.com/). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. You can view the extension repository [here](https://github.com/dgraham/Ka-Block). From ab48f87a996ebbb4458d4a67bc5f1904f3d33d42 Mon Sep 17 00:00:00 2001 
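Review bot: the corrected line still reads `and it the recommended option instead of Safari` (missing `is`), and the recommendation itself sits awkwardly next to the sentence before it. That sentence says Safari's security updates are issued independently of feature releases and installed automatically, which is the property a security guide cares about; Safari Technology Preview trades that stable channel for a six-week pre-release build in exchange for newer features. Either drop the recommendation or state explicitly that it is about feature velocity rather than security.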
From: or3stis Date: Sat, 26 Aug 2017 15:13:12 +0100 Subject: [PATCH 017/476] typos and missing words --- README.md | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 55fb0c4b..9c399f62 100755 --- a/README.md +++ b/README.md 
@@ -1055,11 +1055,11 @@ Another important consideration about Web Browser security is Web Extensions. We Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](http://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. -Chrome offers account sync between multiple devices. Part of the sync data that are saved website logins. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your password security. +Chrome offers account sync between multiple devices. Part of the sync data are stored website logins. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords. -Chrome's Web store for extensions requires a [$5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality open source Web Extensions that do not aim to monetize through usage. 
+Chrome's Web store for extensions requires a [$5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee)in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. -Chrome has the largest share of global usage and is the preferred platform for the majority of developers. Major technologies are based on Chrome's open source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors. Despite under constants attacks, Chrome has retained an impressive security posture that Chrome has retained over the years. This is not a small feat. +Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. To improve your privacy and security posture, create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience. 
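Review bot: two regressions in the `@@ -1055,11 +1055,11 @@` hunk. The reworded sync sentence now reads `while retaining your the security of your passwords` (drop the first `your`), and the Web store line lost the space between the link and `in order` (`...signup-fee)in order`), which runs the link text into the sentence. Still unchanged in the same hunk: `Despite under constants attacks` should be `Despite being under constant attack`, and in the context line above, `[Project Zero](googleprojectzero.blogspot.com)` has no scheme, so Markdown renders it as a relative link under the repository; prefix it with `https://`.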
@@ -1073,17 +1073,17 @@ The idea is to separate and compartmentalize data so that an exploit or privacy In each profile, visit `chrome://plugins/` and disable **Adobe Flash Player**. If you must use Flash, visit `chrome://settings/contents` to enable **Let me choose when to run plugin content**, under the Plugins section (also known as *click-to-play*). -[Incognito](https://support.google.com/chrome/answer/7440301) mode in Chrome, by default, disables extensions, since extensions such as Ad blocker have access to Chrome's network requests. Moreover, while in Incognito mode, Chrome does not use data from previous sessions. Incognito mode is another option if you want to access sensitive information without setting up separate profiles. +[Incognito](https://support.google.com/chrome/answer/7440301) mode in Chrome disables extensions, since extensions such as Ad blockers have access to Chrome's network requests. Extensions have to be enabled manually. Moreover, while in Incognito mode, Chrome does not use session data from previous sessions. Incognito mode is another option if you want to access sensitive information without setting up separate profiles. Take some time to read through [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy). For example, you may wish to disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). -It is best to remember that Google is an advertising company and its major source of revenue is [AdSense](https://www.google.com/adsense/start/#/?modal_active=none). It makes perfect sense that an advertising company would leverage its services to maximize its profit. 
That means that using [Google services](https://www.google.com/services/#?modal_active=none) will store certain personal information. Google is quite open on the data it stores and how they are being used. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy?pli=1). +It is best to remember that Google is an advertising company and its major source of revenue is [AdSense](https://www.google.com/adsense/start/#/?modal_active=none). It makes perfect sense that an advertising company would leverage its services to maximize its profit. That means that while using [Google services](https://www.google.com/services/#?modal_active=none) certain personal information are being stored. Google is quite open about the data it stores and how it used them. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy?pli=1). #### Firefox -[Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming with a focus on security and thread safety. It is expected that Rust usage will greatly improve the overall security posture of Firefox. +[Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. 
It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. Firefox offers a similar security model to Chrome. It offers [bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle same as Chrome. 
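Review bot: the reworded Google sentence in the `@@ -1073,17 +1073,17 @@` hunk introduces a number-agreement error: `certain personal information are being stored` and `how it used them` should be `certain personal information is stored` and `how it uses it`, since `information` is uncountable. In the Firefox paragraph, `Rust is a systems programming with a focus on security and thread safety` is missing the word `language` in both the old and new line, and the guarantee worth naming for a browser is memory safety, not only thread safety; say so explicitly. The context line `It offers [bounty] program, although it is not a lucrative as Chrome's` is also missing two words (`offers a ... not as lucrative`).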
@@ -1092,29 +1092,29 @@ See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox) for recommended privacy preferences. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking. -Firefox is focussed on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) during Private browsing by default. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers). Containers let you create profiles in Firefox for different activities, such as online shopping, travel planning, or checking work email. Containers store cookies separately, you can log into the same site with a different account in each Container, and online trackers can’t connect your browsing in one container to another. +Firefox is focussed on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) during Private browsing by default. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers). Containers lets you create profiles in Firefox for different activities, such as online shopping, travel planning, or checking work email. Containers store cookies separately, you can log into the same site with a different account in each Container, and online trackers can’t connect your browsing in one container to another. 
-Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extension through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. +Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. Submission of Web Extensions is Firefox is free. -An important security consideration about Firefox. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. +**An important security consideration about Firefox**. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. 
Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. #### Safari -[Safari](https://www.apple.com/safari/) is the default Web Browser of macOS. It is also the best browser regarding battery performance. Safari, like Chrome, has both open source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. +[Safari](https://www.apple.com/safari/) is the default Web Browser of macOS. It is also the best browser regarding battery performance. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period noninteraction by the user from the tracker's website. 
-Safari offers a [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting, that offers substantial rewards to security researchers. +Similar to Chrome and Firefox, Safari offers a [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting, that offers substantial rewards to security researchers. -Web Extensions in Safari have an additional option to use native code in the Web Browsers sandbox environment, in addition to Web Extension API. Web Extensions in Safari are also distributed through Apple's App store. Apple store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs $100. The high cost is prohibitive for the majority of open source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. On a side note, some Safari extensions are open source and freely available. Be extra grateful to those developers. +Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs $100 (in contrast to Chrome's $5 lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. 
However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. And be extra careful when the Web Extension's source code is not Open Source. On a side note, some Safari extensions are Open Source and freely available. Be grateful to those developers. -Safari syncs user's preferences and stored logins through iCloud. Stored passwords are encrypted and in order to be viewed in plain text, a user must input the password of the current device. This means that users can sync data across devices with added security. +Safari syncs user's preferences and stored logins through iCloud. Stored passwords are encrypted. In order to be viewed in plain text, a user must input the password of the current device. This means that users can sync data across devices with added security. -Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable update release and issued automatically through the App store. The Safari channel that follows a six-week release cycle (same as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it the recommended option instead of Safari. +Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (same as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of Safari. 
-An excellent open source ad blocker for Safari that fully leverages Content blockers is [Ka-Block](http://kablock.com/). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. You can view the extension repository [here](https://github.com/dgraham/Ka-Block). +An excellent open source ad blocker for Safari that fully leverages Content blockers is [Ka-Block](http://kablock.com/). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. You can view the extension's repository [here](https://github.com/dgraham/Ka-Block). #### Other Web Browsers 
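Review bot: the first "+" line of this hunk introduces a subject-verb disagreement: "Containers lets you create profiles in Firefox" replaces the original, correct "Containers let you create profiles in Firefox"; keep "let". In the sync-password "+" line further down, "Firefox only displays as yes/no prompt" should read "Firefox only displays a yes/no prompt", and "Web Extension Api" should be "Web Extension API" to match the "Web Extension APIs" wording used in the Safari paragraph of the same hunk.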
@@ -1124,13 +1124,13 @@ Other miscellaneous browsers, such as [Brave](https://github.com/drduh/OS-X-Secu #### Web Browsers and Privacy -All Web Browsers retain certain information about our browsing habits. This is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browser offer predictions services to resolve typos and URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web Browser's settings panel. +All Web Browsers retain certain information about our browsing habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browsers offer predictions services to resolve typos or URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web Browser's settings panel. -Since Web Browser executes untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator]() interface gives access to information about the Web Browsers user agent. Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). +Since Web Browser executes untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browsers user agent. 
Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). Disable third-party cookies from your Web Browser settings. -A great step to improve privacy is to replace your default search engine to [duckduckgo](https://duckduckgo.com/), which is committed to user privacy. Moreover, it offers some unique features, such color Themes and direct site search through the use of [bangs](https://duckduckgo.com/bang). +A great step to improve privacy is to replace your default search engine to [duckduckgo](https://duckduckgo.com/), which is committed to user privacy. Moreover, it offers some unique features, such as color Themes and direct site search through the use of [bangs](https://duckduckgo.com/bang). Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). This can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). From a6067649877e4a9112bfe34677d73b733c2b0755 Mon Sep 17 00:00:00 2001 From: or3stis Date: Sat, 26 Aug 2017 16:26:25 +0100 Subject: [PATCH 018/476] clarification about chrome itemizer --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9c399f62..288080ae 100755 --- a/README.md +++ b/README.md 
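Review bot: filling in the previously empty link target "[Navigator]()" with the MDN URL in the second "+" line is the right fix, but the sentence before it still lacks an article: "Since Web Browser executes untrusted code from the server" should be "Since the Web Browser executes untrusted code from the server". In the first "+" line, "predictions services" should be "prediction services" and "black listing" should be "blacklisting".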
@@ -1048,7 +1048,7 @@ Another important consideration about Web Browser security is Web Extensions. We 1. Automatic updates through the GoogleSoftwareUpdateDaemon. 1. Usage tracking and crash reporting, which can be disabled through Chrome's settings. 1. Chrome Web Store - 1. Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. Google also uses the RLZ identifier to track a user while performing Google searches using the address bar. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. Chrome downloaded from Google’s website doesn’t have the RLZ identifier. The source code to decode the strings is made open by Google. + 1. Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. The source code to decode the strings is made open by Google. 1. Adobe Flash Plugin. Google Chrome supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome. 1. Media Codec support. Adds support for proprietary codecs. 1. Chrome's [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). From f8c1b7e4256cc3ffe878ad34928cc80e2affd37a Mon Sep 17 00:00:00 2001 
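Review bot: removing the sentence "Google also uses the RLZ identifier to track a user while performing Google searches using the address bar." leaves "The RLZ identifier" unintroduced in the "+" line: the paragraph now mentions only "a randomly generated token" and never says whether that token is the RLZ identifier. If they are the same thing, say so where the token is first mentioned, for example "includes a randomly generated token (the RLZ identifier)"; if they are different, the "+" line needs one sentence saying what RLZ is before describing what it stores. Also, "the source of chrome download" should capitalize "Chrome".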
From: or3stis Date: Sat, 26 Aug 2017 16:28:52 +0100 Subject: [PATCH 019/476] clarification on firefox web extensions --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 288080ae..0e151799 100755 --- a/README.md +++ b/README.md @@ -1096,7 +1096,7 @@ Firefox is focussed on user privacy. It supports [tracking protection](https://d Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. -Submission of Web Extensions is Firefox is free. +Submission of Web Extensions is Firefox is free. Web Extensions is Firefox most of the time are Open Source, although certain Web Extensions are proprietary. **An important security consideration about Firefox**. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. From 91c1cf2192c9ab844140ec61dc9299041f4d1c81 Mon Sep 17 00:00:00 2001 From: or3stis Date: Sat, 26 Aug 2017 16:29:56 +0100 Subject: [PATCH 020/476] missing word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0e151799..a51741f8 100755 --- a/README.md 
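Review bot: the "+" line repeats the "is Firefox" typo for "in Firefox" twice: "Submission of Web Extensions is Firefox is free. Web Extensions is Firefox most of the time are Open Source". Suggest "Submission of Web Extensions in Firefox is free. Web Extensions in Firefox are usually Open Source, although certain Web Extensions are proprietary."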
+++ b/README.md @@ -1112,7 +1112,7 @@ Web Extensions in Safari have an additional option to use native code in the Saf Safari syncs user's preferences and stored logins through iCloud. Stored passwords are encrypted. In order to be viewed in plain text, a user must input the password of the current device. This means that users can sync data across devices with added security. -Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (same as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of Safari. +Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (same as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. An excellent open source ad blocker for Safari that fully leverages Content blockers is [Ka-Block](http://kablock.com/). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. You can view the extension's repository [here](https://github.com/dgraham/Ka-Block). From f6f9f2a00fc42f2d197b0fc6b84eef18b20c5745 Mon Sep 17 00:00:00 2001 
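Review bot: "instead of the stable channel of Safari" is clearer than "instead of Safari", but the same "+" line still carries the sentence fragment "Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store." Suggest "Security updates in Safari are, however, handled independently of the stable release schedule and issued automatically through the App Store." Since that sentence says security fixes already reach the stable channel automatically, the closing recommendation of Technology Preview over stable would benefit from one clause saying why (for example, that the six-week cycle delivers other fixes sooner).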
From: or3stis Date: Mon, 28 Aug 2017 17:27:57 +0100 Subject: [PATCH 021/476] addressing @ansell comments --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index a51741f8..a391eabd 100755 --- a/README.md +++ b/README.md 
@@ -1036,9 +1036,9 @@ You can replace ad images with pictures of kittens, for example, by starting the The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. This is an important statement. The unique use case of Web Browsers of operation in hostile environments, has forced them to adopt certain impressive security features. The cornerstone of Web Browser security is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)). In a few words, SOP prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). If SOP is compromised, the security of the whole Web Browser is compromised. -The best tip to ensure secure browsing regardless your choice of Web Browser is proper security hygiene. The majority of Web Browser exploits require social engineering attacks to achieve native code execution. Always be mindful of the links you click and be extra careful when websites ask you to download and install external software. 99% percent of the time that software is malware. +The best tip to ensure secure browsing regardless your choice of Web Browser is proper security hygiene. The majority of Web Browser exploits require social engineering attacks to achieve native code execution. Always be mindful of the links you click and be extra careful when websites ask you to download and install software. 99% percent of the time that software is malware. -Another important consideration about Web Browser security is Web Extensions. Web Extensions greatly increase the attack surface of the Web Browser. 
This is an issue that plagues Firefox and [Chrome](https://encrypted.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwitnsiktvTVAhWpAsAKHUa1B3EQFggyMAI&url=https:%2F%2Fcourses.csail.mit.edu%2F6.857%2F2016%2Ffiles%2F24.pdf&usg=AFQjCNHZLw9aoHFwPTt020U56MLjRhNMlQ) alike. Luckily, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their behavior and remove them if they request access to information they shouldn't (why would an Ad blocker require camera access?). In the interest of security, it is best to limit your use of Web Extensions. +Another important consideration about Web Browser security is Web Extensions. Web Extensions greatly increase the attack surface of the Web Browser. This is an issue that plagues Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. Luckily, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their behavior and remove them if they request access to information they shouldn't (why would an Ad blocker require camera access?). In the interest of security, it is best to limit your use of Web Extensions. [Google Chrome](https://www.google.com/chrome/browser/desktop/) , [Firefox](https://www.mozilla.org/en-US/firefox/new/) and [Safari](https://www.apple.com/safari/) are the Web Browsers that are being covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice before committing to one. 
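Review bot: the first "+" line still reads "99% percent of the time", which doubles the percent sign and the word; use "99 percent of the time". In the same line, "regardless your choice of Web Browser" should be "regardless of your choice of Web Browser". Replacing the Google redirect URL with the direct https://courses.csail.mit.edu/6.857/2016/files/24.pdf link in the second "+" line is the right call: the redirect form carried Google tracking parameters (sa, rct, ved, usg) rather than the paper's own address.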
@@ -1079,14 +1079,14 @@ Take some time to read through [Chromium Security](https://www.chromium.org/Home For example, you may wish to disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). -It is best to remember that Google is an advertising company and its major source of revenue is [AdSense](https://www.google.com/adsense/start/#/?modal_active=none). It makes perfect sense that an advertising company would leverage its services to maximize its profit. That means that while using [Google services](https://www.google.com/services/#?modal_active=none) certain personal information are being stored. Google is quite open about the data it stores and how it used them. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy?pli=1). +It is best to remember that Google is an advertising company and its major source of revenue is AdSense. It makes sense that an advertising company would leverage its services to collect [information](https://www.google.com/policies/privacy/#infocollect) and [use](https://www.google.com/policies/privacy/#infouse) that information to maximize its profit. That means that while using [Google services](https://www.google.com/services/#?modal_active=none) certain personal information are being stored. Google is open about the data it stores and how it used them. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy?pli=1). #### Firefox -[Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. 
It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. +[Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. Firefox offers a similar security model to Chrome. It offers -[bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle same as Chrome. +[bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. 
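Review bot: in the AdSense "+" line, "certain personal information are being stored" should be "certain personal information is being stored", and "how it used them" should be "how it uses it". In the bounty "+" line, "not a lucrative as Chrome's" should be "not as lucrative as Chrome's", and the context line that precedes it, "It offers" followed by "[bounty](...) program", is missing an article: "It offers a [bounty](...) program". The "systems programming language" fix in the Firefox "+" line is correct.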
@@ -1094,9 +1094,9 @@ If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/Priv Firefox is focussed on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) during Private browsing by default. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers). Containers lets you create profiles in Firefox for different activities, such as online shopping, travel planning, or checking work email. Containers store cookies separately, you can log into the same site with a different account in each Container, and online trackers can’t connect your browsing in one container to another. -Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. +Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. You can find more information about vulnerabilities introduced by Firefox's legacy extensions in this [paper](https://www.exploit-db.com/docs/24541.pdf). Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. -Submission of Web Extensions is Firefox is free. 
Web Extensions is Firefox most of the time are Open Source, although certain Web Extensions are proprietary. +Submission of Web Extensions is Firefox is free. Web Extensions in Firefox most of the time are Open Source, although certain Web Extensions are proprietary. **An important security consideration about Firefox**. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. 
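Review bot: the "+" line "Submission of Web Extensions is Firefox is free." still has the "is Firefox" typo in its first sentence even though the second sentence now correctly reads "Web Extensions in Firefox"; change both to "in Firefox". For the reference added in the first "+" line, the link text "paper" gives a reader no way to locate the document if the exploit-db URL goes stale; put the paper's title and authors in the link text.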
@@ -1104,7 +1104,7 @@ Submission of Web Extensions is Firefox is free. Web Extensions is Firefox most [Safari](https://www.apple.com/safari/) is the default Web Browser of macOS. It is also the best browser regarding battery performance. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period noninteraction by the user from the tracker's website. +Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. 
Similar to Chrome and Firefox, Safari offers a [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting, that offers substantial rewards to security researchers. 
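Review bot: the "+" line fixes "period noninteraction" but leaves two other defects in the same paragraph: "memory user" should be "memory usage", and "[Content blockers](...) enables the creation" should be "enable the creation" to agree with the plural subject. "Javascript" is conventionally written "JavaScript".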
@@ -1112,7 +1112,7 @@ Web Extensions in Safari have an additional option to use native code in the Saf Safari syncs user's preferences and stored logins through iCloud. Stored passwords are encrypted. In order to be viewed in plain text, a user must input the password of the current device. This means that users can sync data across devices with added security. -Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (same as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. +Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (similar to as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. An excellent open source ad blocker for Safari that fully leverages Content blockers is [Ka-Block](http://kablock.com/). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. You can view the extension's repository [here](https://github.com/dgraham/Ka-Block). From d08bc53a280018020dbd269652533c658faddd05 Mon Sep 17 00:00:00 2001 
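Review bot: the "+" line introduces a new error: "(similar to as Chrome and Firefox)" should be "(similar to Chrome and Firefox)". The wording being replaced, "(same as Chrome and Firefox)", was grammatical, so either keep it or drop the stray "as".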
From: Mark Wadham Date: Mon, 28 Aug 2017 19:19:34 +0100 Subject: [PATCH 022/476] removed the verbose list of memory protection features and added a note about the upcoming home/personal edition. --- README.md | 27 +-------------------------- 1 file changed, 1 insertion(+), 26 deletions(-) diff --git a/README.md b/README.md index f2c38125..c6aebdf7 100755 --- a/README.md +++ b/README.md 
@@ -1266,32 +1266,7 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sop Therefore, the best anti-virus is **Common Sense 2017**. See more discussion in [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44). -CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on MacOS is questionable. It's core feature is an algorithm derived from a machine-learning process which aims to identify malware based on various characteristics of a binary executable. Cylance have a [whitepaper](https://www.cylance.com/content/dam/cylance/pdfs/data_sheets/CylancePROTECT.pdf) with information about how it works. Single licenses are available from third party resellers such as [Cyberforce](https://cybrforce.com) or [Malware Managed](https://www.malwaremanaged.com). On MacOS it complements Apple's built-in XProtect by continuously vmmap'ing the memory of active processes to watch for patterns that indicate bad things happening. At the time of writing it is able to detect and block the following list of events, all of which can be controlled via the Cylance console: - -Exploitation: - - - Stack pivot - - Stack protect - - Overwrite code - - RAM scraping - - Malicious payload - -Process injection: - - - Remote allocation of memory - - Remote mapping of memory - - Remote write to memory - - Remote write PE to memory - - Remote overwrite code - - Remote unmap of memory - - Remote thread creation - - Remote APC scheduled - - DYLD injection (MacOS only) - -Escalation: - - - LSASS read - - Zero allocate +CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on MacOS is questionable. 
It's core feature is an algorithm derived from a machine-learning process which aims to identify malware based on various characteristics of a binary executable. Cylance have a [whitepaper](https://www.cylance.com/content/dam/cylance/pdfs/data_sheets/CylancePROTECT.pdf) with information about how it works. Single licenses are available from third party resellers such as [Cyberforce](https://cybrforce.com) or [Malware Managed](https://www.malwaremanaged.com) and there is also a home/personal edition in the works but it is currently only available for companies to make available to their employees. On MacOS it complements Apple's built-in XProtect by continuously vmmap'ing the memory of active processes to watch for patterns that indicate bad things happening. Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). From 9c83fea45a6ad93aa7fba34ce364f701475c11b0 Mon Sep 17 00:00:00 2001 From: or3stis Date: Mon, 28 Aug 2017 19:24:32 +0100 Subject: [PATCH 023/476] change firefox bold sentence to "Note" --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a391eabd..2a42b580 100755 --- a/README.md +++ b/README.md 
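Review bot: the rewritten `+CylancePROTECT may be worth running...` line keeps two typos from the line it replaces: "it's effectiveness" and "It's core feature" should read "its effectiveness" and "Its core feature". Since the whole paragraph is being rewritten, fix them here; the new clause "and there is also a home/personal edition in the works but it is currently only available for companies to make available to their employees" would also read better as its own sentence.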
@@ -1098,7 +1098,7 @@ Previous versions of Firefox used a [Web Extension SDK](https://developer.mozill Submission of Web Extensions is Firefox is free. Web Extensions in Firefox most of the time are Open Source, although certain Web Extensions are proprietary. -**An important security consideration about Firefox**. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. +**Note**. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. #### Safari 
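Review bot: the new `+**Note**.` line still says "Firefox only displays as yes/no prompt"; it should be "displays a yes/no prompt". Replacing the bold sentence with a bare "Note" also drops the one cue that this paragraph is about a security weakness, so consider "**Security note**" or moving "This is an important security issue" to the front of the paragraph.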
@@ -1106,7 +1106,7 @@ Submission of Web Extensions is Firefox is free. Web Extensions in Firefox most Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. -Similar to Chrome and Firefox, Safari offers a [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting, that offers substantial rewards to security researchers. +Similar to Chrome and Firefox, Safari offers an invite only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to select security researchers. Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs $100 (in contrast to Chrome's $5 lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. And be extra careful when the Web Extension's source code is not Open Source. 
On a side note, some Safari extensions are Open Source and freely available. Be grateful to those developers. 
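Review bot: "invite only" in the `+Similar to Chrome and Firefox, Safari offers an invite only [bounty program]...` line is a compound modifier and should be hyphenated ("invite-only"). The unchanged context line above still reads "greatly improves memory user", which should be "memory use"; worth fixing while this paragraph is being edited.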
@@ -1126,7 +1126,7 @@ Other miscellaneous browsers, such as [Brave](https://github.com/drduh/OS-X-Secu All Web Browsers retain certain information about our browsing habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browsers offer predictions services to resolve typos or URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web Browser's settings panel. -Since Web Browser executes untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browsers user agent. Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). +Since Web Browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browsers user agent. Those include information such as the operating system, Websites' permissions, and the device's battery level. 
For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). Disable third-party cookies from your Web Browser settings. From 91c9d4f5290f1bcc13cd29881ab59495ca6341a8 Mon Sep 17 00:00:00 2001 From: or3stis Date: Mon, 28 Aug 2017 19:26:09 +0100 Subject: [PATCH 024/476] rephrase -> security posture of the browser --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2a42b580..835d3096 100755 --- a/README.md +++ b/README.md 
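Review bot: the `+Since Web Browsers execute untrusted code...` line fixes the subject-verb agreement but leaves "the Web Browsers user agent" without its possessive; it should be "the Web Browser's user agent". In the following sentence "Those include information such as..." refers back to "information", so "That includes information such as..." reads more naturally.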
@@ -1061,7 +1061,7 @@ Chrome's Web store for extensions requires a [$5 dollar lifetime fee](https://de Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. -To improve your privacy and security posture, create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience. +To improve the privacy and security posture of the browser, create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience. * One profile **without cookies or Javascript** enabled (e.g., turned off in `chrome://settings/content`) which should be the preferred profile to visiting untrusted Web sites. However, many pages will not load at all without Javascript enabled. From baf07f3f47fd7311c2aef121217eeb7457f0a947 Mon Sep 17 00:00:00 2001 From: or3stis Date: Mon, 28 Aug 2017 19:28:20 +0100 Subject: [PATCH 025/476] line 1062 - add "and security researchers" --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 835d3096..f4383b2f 100755 --- a/README.md +++ b/README.md 
@@ -1059,7 +1059,7 @@ Chrome offers account sync between multiple devices. Part of the sync data are s Chrome's Web store for extensions requires a [$5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee)in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. -Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. +Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. To improve the privacy and security posture of the browser, create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience. From 5f64ef210244079cf85511d956b3ac993223b1c1 Mon Sep 17 00:00:00 2001 
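Review bot: the rewritten `+Chrome has the largest share of global usage...` line still carries "Despite under constants attacks", which should be "Despite constant attacks". The commit only appends "and security researchers", but since the entire line is replaced this is the right place to fix the grammar too.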
From: or3stis Date: Mon, 28 Aug 2017 19:30:52 +0100 Subject: [PATCH 026/476] line 1060 - add space after the URL --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f4383b2f..08580053 100755 --- a/README.md +++ b/README.md @@ -1057,7 +1057,7 @@ Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi Chrome offers account sync between multiple devices. Part of the sync data are stored website logins. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords. -Chrome's Web store for extensions requires a [$5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee)in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. +Chrome's Web store for extensions requires a [$5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. 
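Review bot: the spacing fix after the link is correct, but "[$5 dollar lifetime fee]" on the same `+Chrome's Web store...` line is redundant ("$5" already denotes dollars); suggest "[$5 lifetime fee]", which also matches the "Chrome's $5 lifetime fee" wording used in the Safari section.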
From 9cfe644b11c1cbcf42302f4ee11a6f1b323bf929 Mon Sep 17 00:00:00 2001 From: or3stis Date: Mon, 28 Aug 2017 19:36:00 +0100 Subject: [PATCH 027/476] update Apple's info about bounty program --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 08580053..216478ac 100755 --- a/README.md +++ b/README.md 
@@ -1106,7 +1106,7 @@ Submission of Web Extensions is Firefox is free. Web Extensions in Firefox most Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. -Similar to Chrome and Firefox, Safari offers an invite only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to select security researchers. +Similar to Chrome and Firefox, Safari offers an invite only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs $100 (in contrast to Chrome's $5 lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. 
However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. And be extra careful when the Web Extension's source code is not Open Source. On a side note, some Safari extensions are Open Source and freely available. Be grateful to those developers. From f289655c8ee3ae7245b32e82713a79e575f61a1f Mon Sep 17 00:00:00 2001 From: or3stis Date: Mon, 28 Aug 2017 19:37:31 +0100 Subject: [PATCH 028/476] line 1105 - ..the most optimized browser for reducing battery use --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 216478ac..b185238f 100755 --- a/README.md +++ b/README.md 
@@ -1102,7 +1102,7 @@ Submission of Web Extensions is Firefox is free. Web Extensions in Firefox most #### Safari -[Safari](https://www.apple.com/safari/) is the default Web Browser of macOS. It is also the best browser regarding battery performance. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. +[Safari](https://www.apple.com/safari/) is the default Web Browser of macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. From c51cf0870edfa94088bd4cd529b3debab7a7d1ed Mon Sep 17 00:00:00 2001 
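Review bot: "the most optimized browser for reducing battery use" in the `+[Safari](https://www.apple.com/safari/) is the default Web Browser of macOS...` line is still an unsourced superlative, just like the "best browser regarding battery performance" it replaces; either link a measurement or soften it to something like "generally the most battery-efficient browser on macOS".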
From: or3stis Date: Mon, 28 Aug 2017 20:54:12 +0100 Subject: [PATCH 029/476] line 1065 - change project zero url --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b185238f..54aa357f 100755 --- a/README.md +++ b/README.md 
@@ -1053,7 +1053,7 @@ Another important consideration about Web Browser security is Web Extensions. We 1. Media Codec support. Adds support for proprietary codecs. 1. Chrome's [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). -Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](http://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. +Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](http://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](https://googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. Chrome offers account sync between multiple devices. Part of the sync data are stored website logins. The login passwords are encrypted and in order to access them, a user's Google account password is required. 
You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords. From 2efcadb9fee1edb637afc728523a346a556138af Mon Sep 17 00:00:00 2001 From: or3stis Date: Tue, 29 Aug 2017 18:18:07 +0100 Subject: [PATCH 030/476] add links for icloud encryption --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 54aa357f..d6e309bf 100755 --- a/README.md +++ b/README.md 
@@ -1110,7 +1110,7 @@ Similar to Chrome and Firefox, Safari offers an invite only [bounty program](htt Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs $100 (in contrast to Chrome's $5 lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. And be extra careful when the Web Extension's source code is not Open Source. On a side note, some Safari extensions are Open Source and freely available. Be grateful to those developers. -Safari syncs user's preferences and stored logins through iCloud. Stored passwords are encrypted. In order to be viewed in plain text, a user must input the password of the current device. This means that users can sync data across devices with added security. +Safari syncs user's preferences and stored logins through the iCloud Keychain. Stored passwords are [encrypted](https://support.apple.com/en-gb/HT202303) with 256-bit AES . In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. 
Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (similar to as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. From 5f10c7a8d72a53840f2645d22a7ed57889844942 Mon Sep 17 00:00:00 2001 From: or3stis Date: Tue, 29 Aug 2017 18:29:49 +0100 Subject: [PATCH 031/476] add third party cookie explanation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d6e309bf..f878a820 100755 --- a/README.md +++ b/README.md 
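Review bot: the `+Safari syncs user's preferences and stored logins through the iCloud Keychain...` line has a stray space before the period in "256-bit AES .", and "the account password of the current device" is ambiguous: the replaced line said "the password of the current device" (the device login password), while "account password" can be read as the Apple ID password. Say explicitly which one is required to reveal a stored password.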
@@ -1128,7 +1128,7 @@ All Web Browsers retain certain information about our browsing habits. That info Since Web Browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browsers user agent. Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). -Disable third-party cookies from your Web Browser settings. +To hinder third party trackers, it is recommended to disable third-party cookies from your Web Browser settings. A third party cookie is a cookie associated with a file requested by different domain than the one the user is currently viewing. Most of the time third party are used to create browsing profiles by tracking a user's movement in the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. A great step to improve privacy is to replace your default search engine to [duckduckgo](https://duckduckgo.com/), which is committed to user privacy. Moreover, it offers some unique features, such as color Themes and direct site search through the use of [bangs](https://duckduckgo.com/bang). From 558d23958cb446c2c1296c7f32ec775316e420ab Mon Sep 17 00:00:00 2001 
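Review bot: grammar in the `+To hinder third party trackers...` line: "requested by different domain" should be "requested by a different domain"; "Most of the time third party are used" is missing its noun ("third-party cookies are used"); and "movement in the web" should be "on the web". "third party" is also hyphenated inconsistently within the same line ("third party trackers" versus "third-party cookies"); pick the hyphenated form for the modifier throughout.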
From: or3stis Date: Tue, 29 Aug 2017 18:30:44 +0100 Subject: [PATCH 032/476] :fire: remove duckduckgo recommendation --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index f878a820..f666e6ee 100755 --- a/README.md +++ b/README.md @@ -1130,8 +1130,6 @@ Since Web Browsers execute untrusted code from the server, it is important to un To hinder third party trackers, it is recommended to disable third-party cookies from your Web Browser settings. A third party cookie is a cookie associated with a file requested by different domain than the one the user is currently viewing. Most of the time third party are used to create browsing profiles by tracking a user's movement in the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. -A great step to improve privacy is to replace your default search engine to [duckduckgo](https://duckduckgo.com/), which is committed to user privacy. Moreover, it offers some unique features, such as color Themes and direct site search through the use of [bangs](https://duckduckgo.com/bang). - Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). This can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). ### Plugins From ed43628ab2af4a30c7e60765692dc39ccd1f1eee Mon Sep 17 00:00:00 2001 From: or3stis Date: Tue, 29 Aug 2017 18:32:02 +0100 Subject: [PATCH 033/476] fix typo in third party cookie section --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index f666e6ee..f8aaa41f 100755 --- a/README.md +++ b/README.md 
@@ -1128,7 +1128,7 @@ All Web Browsers retain certain information about our browsing habits. That info Since Web Browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browsers user agent. Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). -To hinder third party trackers, it is recommended to disable third-party cookies from your Web Browser settings. A third party cookie is a cookie associated with a file requested by different domain than the one the user is currently viewing. Most of the time third party are used to create browsing profiles by tracking a user's movement in the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. +To hinder third party trackers, it is recommended to disable third-party cookies from your Web Browser settings. A third party cookie is a cookie associated with a file requested by different domain than the one the user is currently viewing. Most of the time third party are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. 
Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). This can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). From e0f6b1ca023ef585a95dec233953110058958993 Mon Sep 17 00:00:00 2001 From: Stop-playing <30844501+Stop-playing@users.noreply.github.com> Date: Tue, 26 Sep 2017 14:36:24 -0700 Subject: [PATCH 034/476] Update README.md The current command ``` $egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.0|^0 " /etc/hosts ``` returns the following: ``` 127.0.0.1 localhost 127.0.0.1 localhost.localdomain 127.0.0.1 local ::1 localhost fe80::1%lo0 localhost ``` While this doesn't affect security in any way, it can be confusing to someone who is following the guide and expecting to see ``` ::1 localhost fe80::1%lo0 localhost ``` Thus, to prevent confusion the command should read ``` egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.1|^0 " /etc/hosts --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5542d897..ad91552a 100755 --- a/README.md +++ b/README.md @@ -665,7 +665,7 @@ $ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo $ wc -l /etc/hosts 31998 -$ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.0|^0 " /etc/hosts +$ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.1|^0 " /etc/hosts ::1 localhost fe80::1%lo0 localhost [should not return any other IP addresses] From 4e077e6908b42f7710766ad26586fe571f7408de Mon Sep 17 00:00:00 2001 
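Review bot: this fixes "in the web" to "on the web" but leaves the other errors on the same `+To hinder third party trackers...` line untouched: "requested by different domain" (missing "a") and "Most of the time third party are used" (missing "cookies"). One commit touching the line could fix all three rather than leaving two for later.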
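Review bot: the change to `+$ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.1|^0 " /etc/hosts` is correct: the old `^127.0.0.0` could never match the `127.0.0.1` entries shown in the commit message, so they leaked into output the guide says should be empty. Two further points on the same line: the dots are unescaped, so `^127.0.0.1` also matches strings such as `127.0.0.10`; writing `^127\.0\.0\.1` (and likewise for the other addresses) makes the filter say what it means. And `egrep` is a deprecated alias; `grep -Ev` is the portable spelling. Neither changes the outcome of this sanity check, which only needs to confirm that no unexpected addresses remain.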
From: Peter Ansell Date: Wed, 11 Oct 2017 11:00:28 +1100 Subject: [PATCH 035/476] Add NYT article re Israel and Russia Kaspersky backdoor NYT article about Kaspersky indicates that AV are generic backdoors into systems, given their requirement for full privilege. Not modifying the "will likely increase attack surface" text, but probably useful to have a discussion about that part also with a view to changing it to a direct recommendation to avoid. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ad91552a..8649b1f0 100755 --- a/README.md +++ b/README.md 
@@ -1372,7 +1372,7 @@ You could periodically run a tool like [Knock Knock](https://github.com/synack/k **Anti-virus** programs are a double-edged sword -- not useful for **advanced** users and will likely increase attack surface against sophisticated threats, however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider. -See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](http://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). +See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](http://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). Therefore, the best anti-virus is **Common Sense 2017**. See more discussion in [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44). 
From b64ae6758db8f714f41080920128d73c8288dcc9 Mon Sep 17 00:00:00 2001 From: Mark Wadham Date: Thu, 19 Oct 2017 23:29:13 +0100 Subject: [PATCH 036/476] added a comment under Miscellaneous about the crazy macOS default sudo behaviour of not changing the HOME environment variable when you escalate. --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 8649b1f0..5c20c9af 100755 --- a/README.md +++ b/README.md @@ -1994,6 +1994,15 @@ Consider [sandboxing](https://developer.apple.com/library/mac/documentation/Darw Did you know Apple has not shipped a computer with TPM since [2006](http://osxbook.com/book/bonus/chapter10/tpm/)? +MacOS comes with this line in /etc/sudoers: + +```` +Defaults env_keep += "HOME MAIL" +```` + +Which stops sudo from changing the HOME variable when you elevate privileges. This means it will execute as root the bash dotfiles in the non-root user's home directory when you run "sudo bash". It is adviseable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root. + + ## Related software [Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for macOS. From 40be5d246ee0d6b578346c930713e515ae88ece6 Mon Sep 17 00:00:00 2001 From: Mark Wadham Date: Fri, 3 Nov 2017 09:00:17 +0000 Subject: [PATCH 037/476] added additional note about changing root's home path when sudo'ing in a secure way. --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 5c20c9af..ffbe0c55 100755 --- a/README.md +++ b/README.md 
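Review bot: the advice to "comment this line out" in /etc/sudoers should say to do it with `visudo` (a syntax error in a hand-edited sudoers disables sudo entirely), and should mention the two alternatives that achieve the same result without removing `env_keep`: `sudo -H` sets HOME to the target user's home for a single invocation, and a `Defaults always_set_home` line makes sudo always reset HOME. Also in this hunk: "adviseable" should be "advisable", "MacOS" should be "macOS" as used elsewhere in the guide, "Which stops sudo from changing..." is a sentence fragment continuing the code block (write "This stops sudo..."), the fence uses four backticks where the rest of the README uses three, and the two blank lines before "## Related software" should be one.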
@@ -2002,6 +2002,12 @@ Defaults env_keep += "HOME MAIL" Which stops sudo from changing the HOME variable when you elevate privileges. This means it will execute as root the bash dotfiles in the non-root user's home directory when you run "sudo bash". It is adviseable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root. +If you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.bashrc, eg: + +```` +export HOME=/Users/blah +```` + ## Related software From e79089c110eb9de0472db161841fd5c3e5b2a2bf Mon Sep 17 00:00:00 2001 From: drduh Date: Thu, 23 Nov 2017 21:21:23 -0800 Subject: [PATCH 038/476] Update a few software versions, hashes --- README.md | 51 +++++++++++++++++++++++++-------------------------- 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 8649b1f0..eb3ae8ba 100755 --- a/README.md +++ b/README.md @@ -502,9 +502,9 @@ Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/inde *Example of Little Snitch-monitored session* ``` -LittleSnitch-3.7.4.dmg -SHA-256: b0ce3519d72affbc7910c24c264efa94aa91c9ad9b1a905c52baa9769156ea22 -SHA-1: 868ad75623c60cb9ad428c7c1d3e5ae449a9033e +LittleSnitch-4.0.3.dmg +SHA-256: af93abb070cbac96cdda7e150668115c34447f2779dc707f8a79879c60f4c3bf +SHA-1: 63f1cf6c47def2774040b26add388068ae4b00f5 ``` These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [kernel extension](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html). 
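Review bot: the suggested `export HOME=/Users/blah` in /var/root/.bashrc only prevents the user's bash dotfiles from being sourced; every other program run from that root shell still reads its configuration from the unprivileged user's home (and writes root-owned files there), so the paragraph should describe this as reducing the original exposure, not removing it. It is also worth stating that /var/root/.bashrc is read only by interactive non-login shells such as `sudo bash`; `sudo -i` starts a login shell and reads /var/root/.bash_profile instead. Minor: "eg:" should be "e.g." and `/Users/blah` should be labelled as a placeholder for the real username.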
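Review bot: in the `@@ -502` hunk the replaced SHA-256 and SHA-1 values for `LittleSnitch-4.0.3.dmg` carry no statement of where they came from (the vendor's download page, release notes, or a local `shasum` run on a verified download); since readers are meant to compare their own download against these numbers, name the source in the text or the commit so the values can be re-verified the next time the version changes.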
@@ -1189,17 +1189,15 @@ You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat servi The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail). -A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/) - -Consider downloading the [beta version](https://beta.adium.im/) which uses OAuth2, making logging in to Google accounts [more](https://adium.im/blog/2015/04/) [secure](https://trac.adium.im/ticket/16161). +A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). ``` -Adium_1.5.11b3.dmg -SHA-256: 999e1931a52dc327b3a6e8492ffa9df724a837c88ad9637a501be2e3b6710078 -SHA-1: ca804389412f9aeb7971ade6812f33ac739140e6 +Adium_1.5.10.4.dmg +SHA-256: 31fa3fd32b86dd3381b60e0d5aafbc2a9452036f0fb4963bffbc2a6c64a9458b +SHA-1: 8a674a642447839ea287aed528194e4fd32763b8 ``` -Remember to [disable logging](https://trac.adium.im/ticket/15722) for OTR chats with Adium. +Remember to [disable logging](https://trac.adium.im/ticket/15722) for off the record chats with Adium. A good console-based XMPP client is [profanity](http://www.profanity.im/), which can be installed with `brew install profanity` 
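Review bot: changing "OTR chats" to "off the record chats" in the last modified line loses the acronym the section has just introduced (the context line above reads "You can use OTR on top of any existing XMPP chat service"); keep "OTR" or write "Off-the-Record (OTR)". The hunk also moves the recommended download from the 1.5.11b3 beta to 1.5.10.4 and deletes the sentence explaining why the beta was preferred (OAuth2 for Google accounts) without giving a reason in the text or in the commit message ("Update a few software versions"); a one-line rationale would help readers who followed the earlier advice. As with the Little Snitch hashes, the new Adium hash values should say where they were obtained.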
@@ -1218,32 +1216,33 @@ Do **not** attempt to configure other browsers or applications to use Tor as you Download both the `dmg` and `asc` signature files, then verify the disk image has been signed by Tor developers: ``` -$ cd Downloads +$ cd ~/Downloads $ file Tor* -TorBrowser-6.0.5-osx64_en-US.dmg: bzip2 compressed data, block size = 900k -TorBrowser-6.0.5-osx64_en-US.dmg.asc: PGP signature Signature (old) +TorBrowser-7.0.10-osx64_en-US.dmg: bzip2 compressed data, block size = 900k +TorBrowser-7.0.10-osx64_en-US.dmg.asc: PGP signature Signature (old) $ gpg Tor*asc -gpg: assuming signed data in `TorBrowser-6.0.5-osx64_en-US.dmg' -gpg: Signature made Fri Sep 16 07:51:52 2016 EDT using RSA key ID D40814E0 -gpg: Can't check signature: public key not found +gpg: assuming signed data in 'TorBrowser-7.0.10-osx64_en-US.dmg' +gpg: Signature made Thu Nov 9 08:58:11 2017 PST +gpg: using RSA key 0xD1483FA6C3C07136 +gpg: Can't check signature: No public key $ gpg --recv 0x4E2C6E8793298290 -gpg: requesting key 0x4E2C6E8793298290 from hkp server keys.gnupg.net gpg: key 0x4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 -gpg: imported: 1 (RSA: 1) +gpg: imported: 1 -$ gpg Tor*asc -gpg: assuming signed data in 'TorBrowser-6.0.5-osx64_en-US.dmg' -gpg: Signature made Fri Sep 16 07:51:52 2016 EDT using RSA key ID D40814E0 +$ gpg --verify Tor*asc +gpg: assuming signed data in 'TorBrowser-7.0.10-osx64_en-US.dmg' +gpg: Signature made Thu Nov 9 08:58:11 2017 PST +gpg: using RSA key 0xD1483FA6C3C07136 gpg: Good signature from "Tor Browser Developers (signing key) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 - Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0 + Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136 ``` Make sure `Good signature from "Tor Browser Developers (signing key) "` appears in the output. The warning about the key not being certified is benign, as it has not yet been manually assigned trust. @@ -1253,7 +1252,7 @@ See [How to verify signatures for packages](https://www.torproject.org/docs/veri To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with: ``` -$ hdiutil mount TorBrowser-6.0.5-osx64_en-US.dmg +$ hdiutil mount TorBrowser-7.0.10-osx64_en-US.dmg $ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications ``` @@ -1293,7 +1292,7 @@ Signature size=4247 Authority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T) Authority=Developer ID Certification Authority Authority=Apple Root CA -Signed Time=Aug 7, 2017, 1:43:17 AM +Signed Time=Nov 9, 2017, 12:47:58 AM Info.plist entries=22 TeamIdentifier=MADPSAYN6T Sealed Resources version=2 rules=12 files=130 @@ -1737,9 +1736,9 @@ Santa uses the [Kernel Authorization API](https://developer.apple.com/library/co To install Santa, visit the [Releases](https://github.com/google/santa/releases) page and download the latest disk image, the mount it and install the contained package: ``` -$ hdiutil mount ~/Downloads/santa-0.9.14.dmg +$ hdiutil mount ~/Downloads/santa-0.9.20.dmg -$ sudo installer -pkg /Volumes/santa-0.9.14/santa-0.9.14.pkg -tgt / +$ sudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt / ``` By default, Santa installs in "Monitor" mode (meaning, nothing gets blocked, only logged) and comes with two rules: one for Apple binaries and another for Santa software itself. From ab915279a4ece41bfa2fcc9eba91194904a044cb Mon Sep 17 00:00:00 2001 
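Review bot: in the `@@ -1218` hunk the first verification call is left as `$ gpg Tor*asc` while the second is changed to `$ gpg --verify Tor*asc`; use `--verify` in both so the example is consistent and gpg is not left to infer the operation from the file name. The new output also shows the signature made by subkey `0xD1483FA6C3C07136` while the key being fetched is the primary `0x4E2C6E8793298290`; one sentence pointing readers at the "Primary key fingerprint" and "Subkey fingerprint" lines would explain why fetching the primary key resolves the "Can't check signature: No public key" message.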
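Review bot: in the `@@ -1253` hunk the context sentence directly above the updated `hdiutil mount TorBrowser-7.0.10-osx64_en-US.dmg` line still reads "open the disk image and drag the it into the Applications folder"; since this block is being touched anyway, fix "drag the it" to "drag it".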
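Review bot: in the `@@ -1737` hunk the context sentence above the updated santa-0.9.20 commands reads "download the latest disk image, the mount it and install the contained package"; "the mount it" should be "then mount it". Fix it here rather than leaving it for another version bump.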
From: drduh Date: Mon, 4 Dec 2017 13:39:00 -0800 Subject: [PATCH 039/476] Update intro, mention MacBook to fix #266 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index eb3ae8ba..02cc2c4f 100755 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ -This is a collection of thoughts on securing a modern Apple Mac computer using macOS (formerly *OS X*) 10.12 "Sierra", as well as steps to improving online privacy. +This guide is a collection of thoughts on and techniques for securing a modern Apple Mac computer ("MacBook") using macOS (formerly known as *OS X*) version 10.12 "Sierra", as well as steps to generally improving privacy. This guide is targeted to “power users” who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture. -I am **not** responsible if you break a Mac by following any of these steps. +This guide is provided on an 'as is' basis without any warranties of any kind. Only **you** are responsible if you break a Mac by following any of the steps herein. If you wish to make a correction or improvement, please send a pull request or [open an issue](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues). From 49759ba0352dc0cf5b602b6583a712e0f6fa878a Mon Sep 17 00:00:00 2001 
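Review bot: "as well as steps to generally improving privacy" in the new first line is ungrammatical; "as well as steps to generally improve privacy" (or "steps toward improving privacy") reads correctly. The added parenthetical `("MacBook")` also reads as if the guide covers only laptops; "(e.g. a MacBook)" would satisfy the referenced issue without narrowing "Mac computer".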
From: Lucius Hu Date: Wed, 6 Dec 2017 20:51:39 -0500 Subject: [PATCH 040/476] Put dnscrypt-proxy section before dnsmasq to avoid network disconnection issue. Modified some file path in dnscrypt-proxy section since later version of Homebrew chose a different path. --- README.md | 194 +++++++++++++++++++++++++++++------------------------- 1 file changed, 103 insertions(+), 91 deletions(-) diff --git a/README.md b/README.md index 3c3a1315..83899272 100755 --- a/README.md +++ b/README.md @@ -1,9 +1,11 @@ -This is a collection of thoughts on securing a modern Apple Mac computer using macOS (formerly *OS X*) 10.12 "Sierra", as well as steps to improving online privacy. +This is a collection of thoughts on securing a modern Apple Mac computer using macOS (formerly *OS X*) 10.12 "Sierra", as well as steps to improving online privacy. Though certain configurations may still work on macOS 10.13 "High Sierra" (beta), this guide doesn't provide any guarantee on the compatibility for macOS 10.13. This guide is targeted to “power users” who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture. +Make sure you understand each changes you made to your system. The official manual/documentation are usually sufficient for readers to understnad the what each command/program is doing. + I am **not** responsible if you break a Mac by following any of these steps. If you wish to make a correction or improvement, please send a pull request or [open an issue](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues). 
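Review bot: this hunk is based on the older intro (the `-This is a collection of thoughts...` and ` I am **not** responsible...` lines are still present) rather than the version PATCH 039 just rewrote into "This guide is a collection of thoughts on and techniques for...", so it will conflict on merge and needs a rebase before landing. In the added paragraph, "Make sure you understand each changes you made" should be "each change you make", "understnad the what each command/program is doing" should be "understand what each command/program does", and "The official manual/documentation are usually sufficient" should use "is". The sentence appended to the first line calls 10.13 "High Sierra" a beta; confirm that label is still current as of the commit date before merging.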
@@ -26,9 +28,9 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Homebrew](#homebrew) - [DNS](#dns) - [Hosts file](#hosts-file) + - [DNSCrypt](#dnscrypt) - [Dnsmasq](#dnsmasq) - [Test DNSSEC validation](#test-dnssec-validation) - - [DNSCrypt](#dnscrypt) - [Captive portal](#captive-portal) - [Certificate authorities](#certificate-authorities) - [OpenSSL](#openssl) 
@@ -649,6 +651,85 @@ fe80::1%lo0 localhost See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/handbook/configtuning-configfiles.html) for more information. +#### dnscrypt + +Use [dnscrypt](https://dnscrypt.org/) to encrypt DNS traffic to the provider of choice. In combination with Dnsmasq and DNSSEC, the security of both outbounding and inbounding dns traffic are strengthened. + +If you prefer a GUI application, see [alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient). Below are the guide for installation and configuration of the command-line DNSCrypt. + +Install DNSCrypt from Homebrew: + +``` +$ brew install dnscrypt-proxy +``` + +If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-proxy.plist` by running + +``` +$ brew info dnscrypt-proxy +``` +which will shows the location like "/usr/local/Cellar/dnscrypt-proxy/1.9.5_1" and `homebrew.mxcl.dnscrypt-proxy.plist` is in this folder. + +Edit it to have the line: + + --local-address=127.0.0.1:5355 + +Below the line: + + /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy + +dnscrypt + +*Append a local-address line to use DNScrypt on a port other than 53, like 5355* + +This can also be done using Homebrew, by installing `gnu-sed` and using the `gsed` command: + + $ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a--local-address=127.0.0.1:5355<\\/string>\n" $(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist) + +By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. 
This can be fixed by changing the resolvers file in `homebrew.mxcl.dnscrypt-proxy.plist` (found earlier using find) to the symlinked version in `/usr/local/share`: + + --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv + +Below the line: + + /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy + +Start DNSCrypt: + + $ sudo brew services restart dnscrypt-proxy + +Make sure DNSCrypt is running: + +``` +$ sudo lsof -Pni UDP:5355 +COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME +dnscrypt- 13415 nobody 6u IPv4 0x1773f85ff9f8bbef 0t0 UDP 127.0.0.1:5355 + +$ ps A | grep '[d]nscrypt' +13415 ?? Ss 13:57.21 /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy --local-address=127.0.0.1:5355 --ephemeral-keys --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv --resolver-name=d0wn-us-ns4 --user=nobody +``` + +> By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, +and under the "nobody" user using the dnscrypt.eu-dk DNSCrypt-enabled +resolver. If you would like to change these settings, you will have to edit the plist file (e.g., --resolver-address, --provider-name, --provider-key, etc.) + +This can be accomplished by editing `homebrew.mxcl.dnscrypt-proxy.plist` + +You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper) (see also [drduh/Debian-Privacy-Server-Guide#dnscrypt](https://github.com/drduh/Debian-Privacy-Server-Guide#dnscrypt)) from a trusted location or use one of many [public servers](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv) instead. 
+ +Confirm outgoing DNS traffic is encrypted: + +``` +$ sudo tcpdump -qtni en0 +IP 10.8.8.8.59636 > 107.181.168.52: UDP, length 512 +IP 107.181.168.52 > 10.8.8.8.59636: UDP, length 368 + +$ dig +short -x 128.180.155.106.49321 +d0wn-us-ns4 +``` + +See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html), the [mDNSResponder manual page](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/mDNSResponder.8.html) and [ipv6-test.com](http://ipv6-test.com/). + #### Dnsmasq Among other features, [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstreaming queries for unqualified names, and block entire TLDs. @@ -661,13 +742,15 @@ If you don't wish to use DNSCrypt, you should at least use DNS [not provided](ht Install Dnsmasq (DNSSEC is optional): - $ brew install dnsmasq --with-dnssec - - $ cp ~/homebrew/opt/dnsmasq/dnsmasq.conf.example ~/homebrew/etc/dnsmasq.conf +``` +$ brew install dnsmasq --with-dnssec +$ cp ~/homebrew/opt/dnsmasq/dnsmasq.conf.example ~/homebrew/etc/dnsmasq.conf +``` Edit the configuration: - - $ vim ~/homebrew/etc/dnsmasq.conf +``` +$ vim ~/homebrew/etc/dnsmasq.conf +``` Examine all the options. Here are a few recommended settings to enable: 
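Review bot: the "Confirm outgoing DNS traffic is encrypted" block in the `@@ -649` hunk is internally inconsistent: the tcpdump lines show traffic to `107.181.168.52`, but the reverse lookup is `dig +short -x 128.180.155.106.49321`, a different address with what looks like a port number appended, which is not a plain IPv4 address; make the `-x` lookup use the address that actually appears in the capture. Other problems in the same hunk: the `gsed` one-liner still locates the plist with `$(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist)` while the paragraph above now says the file lives under `/usr/local/Cellar/dnscrypt-proxy/1.9.5_1`, so the command will not find it on the installation the text describes; the quoted "By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, ... using the dnscrypt.eu-dk DNSCrypt-enabled resolver" contradicts the `ps` output just above it, which shows `--resolver-name=d0wn-us-ns4`; the bare `+dnscrypt` line after the second "Below the line:" block looks like leftover image alt text and should be removed or restored as an image link; "Start DNSCrypt:" is followed by `brew services restart` rather than `start`; and the grammar in "the security of both outbounding and inbounding dns traffic are strengthened", "Below are the guide for", and "which will shows the location" needs fixing ("outbound and inbound DNS traffic is strengthened", "Below is the guide for", "which shows the location").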
@@ -675,17 +758,18 @@ Examine all the options. Here are a few recommended settings to enable: # Forward queries to DNSCrypt on localhost port 5355 server=127.0.0.1#5355 -# Uncomment to forward queries to Google Public DNS +# Uncomment to forward queries to Google Public DNS, if DNSCrypt is not used +# You may also use your own DNS server or other public DNS server you trust #server=8.8.8.8 # Never forward plain names domain-needed # Examples of blocking TLDs or subdomains -address=/.onion/0.0.0.0 -address=/.local/0.0.0.0 -address=/.mycoolnetwork/0.0.0.0 -address=/.facebook.com/0.0.0.0 +#address=/.onion/0.0.0.0 +#address=/.local/0.0.0.0 +#address=/.mycoolnetwork/0.0.0.0 +#address=/.facebook.com/0.0.0.0 # Never forward addresses in the non-routed address spaces bogus-priv @@ -709,6 +793,7 @@ log-facility=/var/log/dnsmasq.log #log-queries # Uncomment to enable DNSSEC +# The latest trust-anchor could be found on its official website #dnssec #trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 #dnssec-check-unsigned @@ -716,11 +801,15 @@ log-facility=/var/log/dnsmasq.log Install and start the program (sudo is required to bind to [privileged port](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only) 53): - $ sudo brew services start dnsmasq +``` +$ sudo brew services start dnsmasq +``` To set Dnsmasq as your local DNS server, open **System Preferences** > **Network** and select the active interface, then the **DNS** tab, select **+** and add `127.0.0.1`, or use: - $ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 +``` +$ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 +``` Make sure Dnsmasq is correctly configured: 
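Review bot: the new comment `# The latest trust-anchor could be found on its official website` does not say whose website; the root zone trust anchor is published by IANA, so name or link that source, otherwise readers cannot tell whether "its" refers to dnsmasq or to the root zone. The hunk also comments out the four `address=/...` examples that were previously active while the surrounding paragraph still introduces the block as "recommended settings to enable"; a short note that these lines are examples to adapt rather than defaults would avoid confusion. Minor: "or other public DNS server you trust" should be "or another public DNS server you trust".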
@@ -760,83 +849,6 @@ Reply should have `SERVFAIL` status. For instance, ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 -#### dnscrypt - -Use [dnscrypt](https://dnscrypt.org/) to encrypt DNS traffic to the provider of choice. - -If you prefer a GUI application, see [alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient). - -Install DNSCrypt from Homebrew: - - $ brew install dnscrypt-proxy - -If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-proxy.plist` - -``` -$ find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist -/Users/drduh/homebrew/Cellar/dnscrypt-proxy/1.7.0/homebrew.mxcl.dnscrypt-proxy.plist -``` - -Edit it to have the line: - - --local-address=127.0.0.1:5355 - -Below the line: - - /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy - -dnscrypt - -*Append a local-address line to use DNScrypt on a port other than 53, like 5355* - -This can also be done using Homebrew, by installing `gnu-sed` and using the `gsed` command: - - $ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a--local-address=127.0.0.1:5355<\\/string>\n" $(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist) - -By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. 
This can be fixed by changing the resolvers file in `homebrew.mxcl.dnscrypt-proxy.plist` (found earlier using find) to the symlinked version in `/usr/local/share`: - - --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv - -Below the line: - - /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy - -Start DNSCrypt: - - $ sudo brew services start dnscrypt-proxy - -Make sure DNSCrypt is running: - -``` -$ sudo lsof -Pni UDP:5355 -COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME -dnscrypt- 83 nobody 7u IPv4 0x1773f85ff9f8bbef 0t0 UDP 127.0.0.1:5355 - -$ ps A | grep '[d]nscrypt' - 83 ?? Ss 0:00.27 /Users/drduh/homebrew/opt/dnscrypt-proxy/sbin/dnscrypt-proxy --local-address=127.0.0.1:5355 --ephemeral-keys --resolvers-list=/Users/drduh/homebrew/opt/dnscrypt-proxy/share/dnscrypt-proxy/dnscrypt-resolvers.csv --resolver-name=dnscrypt.eu-dk --user=nobody -``` - -> By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, -and under the "nobody" user using the dnscrypt.eu-dk DNSCrypt-enabled -resolver. If you would like to change these settings, you will have to edit the plist file (e.g., --resolver-address, --provider-name, --provider-key, etc.) - -This can be accomplished by editing `homebrew.mxcl.dnscrypt-proxy.plist` - -You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper) (see also [drduh/Debian-Privacy-Server-Guide#dnscrypt](https://github.com/drduh/Debian-Privacy-Server-Guide#dnscrypt)) from a trusted location or use one of many [public servers](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv) instead. 
- -Confirm outgoing DNS traffic is encrypted: - -``` -$ sudo tcpdump -qtni en0 -IP 10.8.8.8.59636 > 77.66.84.233.443: UDP, length 512 -IP 77.66.84.233.443 > 10.8.8.8.59636: UDP, length 368 - -$ dig +short -x 77.66.84.233 -resolver2.dnscrypt.eu -``` - -See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html), the [mDNSResponder manual page](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/mDNSResponder.8.html) and [ipv6-test.com](http://ipv6-test.com/). - ## Captive portal When macOS connects to new networks, it **probes** the network and launches a Captive Portal assistant utility if connectivity can't be determined. From 25c1b87129004c205f5120d1ca68a762a4ebc2d2 Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 22 Dec 2017 10:48:27 -0800 Subject: [PATCH 041/476] block orgs with pf, mention ipv6 hosts to fix #269 --- README.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 59 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 5b63df93..fdb0ff2c 100755 --- a/README.md +++ b/README.md @@ -523,7 +523,7 @@ pf can also be controlled with a GUI application such as [IceFloor](http://www.h There are many books and articles on the subject of pf firewall. Here's is just one example of blocking traffic by IP address. -Add the following into a file called `pf.rules`: +Add the following into a file called `pf.rules`, modifying `en0` to be your outbound network adapter: ``` set block-policy drop 
@@ -536,21 +536,67 @@ block in log block in log quick from no-route to any pass out proto tcp from any to any keep state pass out proto udp from any to any keep state +pass out proto icmp from any to any keep state block log on en0 from {} to any +block log on en0 from any to {} ``` -Use the following commands: +Then use the following commands to manipulate the firewall: * `sudo pfctl -e -f pf.rules` to enable the firewall * `sudo pfctl -d` to disable the firewall -* `sudo pfctl -t blocklist -T add 1.2.3.4` to add hosts to a blocklist +* `sudo pfctl -t blocklist -T add 1.2.3.4` to an IP address to the blocklist * `sudo pfctl -t blocklist -T show` to view the blocklist * `sudo ifconfig pflog0 create` to create an interface for logging -* `sudo tcpdump -ni pflog0` to dump the packets +* `sudo tcpdump -ni pflog0` to view the filtered packets. -Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a [NAT](https://www.grc.com/nat/nat.htm) on a secured home network, for example. +Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a [NAT](https://www.grc.com/nat/nat.htm) on a secure home network. -For an example of using pf to audit "phone home" behavior of user and system-level processes, see [fix-macosx/net-monitor](https://github.com/fix-macosx/net-monitor). 
+It is possible to use the pf firewall to block network access to entire ranges of network addresses, for example to a whole organization: + +Query [Merit RADb](http://www.radb.net/) for the list of networks in use by an autonomous system, like [Facebook](https://ipinfo.io/AS32934): + + $ whois -h whois.radb.net '!gAS32934' + +Copy and paste the list of networks returned into the blocklist command: + + $ sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16 + +Confirm the addresses were added: + +```` +$ sudo pfctl -t blocklist -T show +No ALTQ support in kernel +ALTQ related functions disabled + 31.13.24.0/21 + 31.13.64.0/24 + 157.240.0.0/16 +```` + +Confirm network traffic is blocked to those addresses (note that DNS requests will still work): + +```` +$ dig a +short facebook.com +157.240.2.35 + +$ curl --connect-timeout 5 -I http://facebook.com/ +* Trying 157.240.2.35... +* TCP_NODELAY set +* Connection timed out after 5002 milliseconds +* Closing connection 0 +curl: (28) Connection timed out after 5002 milliseconds + +$ sudo tcpdump -tqni pflog0 'host 157.240.2.35' +IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0 +IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0 +IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0 +IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0 +IP 192.168.1.1.162771 > 157.240.2.35.80: tcp 0 +```` + +Outgoing TCP SYN packets are blocked, so a TCP connection is not established and thus a Web site is effectively blocked at the IP layer. + +To use pf to audit "phone home" behavior of user and system-level processes, see [fix-macosx/net-monitor](https://github.com/fix-macosx/net-monitor). ## Services 
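Review bot: in the `@@ -536` hunk the bullet "`sudo pfctl -t blocklist -T add 1.2.3.4` to an IP address to the blocklist" is missing its verb ("to add an IP address to the blocklist"), and the last tcpdump line `IP 192.168.1.1.162771 > 157.240.2.35.80: tcp 0` has an impossible source port 162771 where the four lines above show 62771; fix the captured output so it is copy-accurate. The three prefixes in `sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16` are only a sample of what `whois -h whois.radb.net '!gAS32934'` returns, which the text should say, and entries added with `-T add` live in the kernel and do not survive a reboot, so the section should mention how to persist them (for example by listing them in `pf.rules`). Minor: only the last bullet ends with a period.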
@@ -653,19 +699,21 @@ Edit the hosts file as root, for example with `sudo vi /etc/hosts`. The hosts fi To block a domain, append `0 example.com` or `0.0.0.0 example.com` or `127.0.0.1 example.com` to `/etc/hosts` +**Note** IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](http://someonewhocares.org/hosts/ipv6/). + There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included. For hosts lists, see [someonewhocares.org](http://someonewhocares.org/hosts/zero/hosts), [l1k/osxparanoia/blob/master/hosts](https://github.com/l1k/osxparanoia/blob/master/hosts), [StevenBlack/hosts](https://github.com/StevenBlack/hosts) and [gorhill/uMatrix/hosts-files.json](https://github.com/gorhill/uMatrix/blob/master/assets/umatrix/hosts-files.json). -To append a raw list: +To append a list of hosts from a list, use the `tee` command, then confirm by editing `/etc/hosts` or counting the number of lines in it: ``` $ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo tee -a /etc/hosts $ wc -l /etc/hosts -31998 +47476 -$ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.1|^0 " /etc/hosts +$ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.1|^0 " /etc/hosts | sort | uniq | sort ::1 localhost fe80::1%lo0 localhost [should not return any other IP addresses] 
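Review bot: the new IPv6 note recommends `::1 example.com` entries, but the sentence after it still says "just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`", and the verification command `egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.1|^0 " /etc/hosts | sort | uniq | sort` does not exclude `^::1`, so every IPv6 blocking line readers add will be printed as an "other IP address" that "should not return"; add `::1` to both the sentence and the exclusion pattern. The pipeline also sorts twice; `sort -u` (or `sort | uniq`) is enough, the trailing `sort` is a no-op on already sorted input. "To append a list of hosts from a list" is redundant ("To append a hosts list").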
@@ -673,6 +721,8 @@ fe80::1%lo0 localhost See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/handbook/configtuning-configfiles.html) for more information. +See the [dnsmasq](#dnsmasq) section of this guide for more hosts blocking options. + #### dnscrypt Use [dnscrypt](https://dnscrypt.org/) to encrypt DNS traffic to the provider of choice. In combination with Dnsmasq and DNSSEC, the security of both outbounding and inbounding dns traffic are strengthened. From d221716ed10b271234f0a2ada888787e4373fb56 Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 22 Dec 2017 10:59:13 -0800 Subject: [PATCH 042/476] Little Flocker is now F-Secure XFence, fix #260 --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index fdb0ff2c..e91a79e2 100755 --- a/README.md +++ b/README.md @@ -2067,7 +2067,6 @@ If you want to retain the convenience of the root user having a non-root user's export HOME=/Users/blah ```` - ## Related software [Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for macOS. @@ -2078,7 +2077,7 @@ export HOME=/Users/blah [Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - scan for applications that are either susceptible to dylib hijacking or have been hijacked. -[Little Flocker](https://www.littleflocker.com/) - "Little Snitch for files"; prevents applications from accessing files. +[F-Secure XFENCE](https://campaigns.f-secure.com/xfence/) (formerly [Little Flocker](https://github.com/drduh/macOS-Security-and-Privacy-Guide/pull/237)) - "Little Snitch for files"; prevents applications from accessing files. [facebook/osquery](https://github.com/facebook/osquery) - can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. From 226c3164119ddee5226f887af6a639c2d9177535 Mon Sep 17 00:00:00 2001 
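Review bot: in the `@@ -2078` hunk the "(formerly [Little Flocker](.../pull/237))" link points at a pull request in this repository rather than at anything documenting the rename; link the vendor's announcement or drop the link and keep the plain text. The product is also spelled "XFENCE" in the line and "XFence" in the commit message; pick one.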
From: drduh Date: Fri, 22 Dec 2017 11:08:56 -0800 Subject: [PATCH 043/476] Add more Additional resources, fix #254, fix #253 --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index e91a79e2..63def92f 100755 --- a/README.md +++ b/README.md @@ -2168,3 +2168,15 @@ export HOME=/Users/blah [Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) [Demystifying the i-Device NVMe NAND (New storage used by Apple)](http://ramtin-amin.fr/#nvmepcie) + +[The macOS Phishing Easy Button: AppleScript Dangers](https://duo.com/blog/the-macos-phishing-easy-button-applescript-dangers) + +[Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html) + +[The Great DOM Fuzz-off of 2017](https://googleprojectzero.blogspot.be/2017/09/the-great-dom-fuzz-off-of-2017.html) + +[Remote code execution, git, and OS X](https://rachelbythebay.com/w/2016/04/17/unprotected/) + +[OSX.Pirrit Mac Adware Part III: The DaVinci Code](https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active) + +[How to make macOS Spotlight fuck the fuck off and do your bidding](https://m4.rkw.io/blog/how-to-make-macos-spotlight-fuck-the-fuck-off-and-do-your-bidding.html) From 48d0904db98645c8741301ae3b7261965ccc682a Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 22 Dec 2017 11:42:37 -0800 Subject: [PATCH 044/476] Add metadata and artifacts section, fix #250 --- README.md | 166 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 165 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 63def92f..9275ffc0 100755 --- a/README.md +++ b/README.md 
@@ -48,6 +48,7 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Viruses and malware](#viruses-and-malware) - [System Integrity Protection](#system-integrity-protection) - [Gatekeeper and XProtect](#gatekeeper-and-xprotect) +- [Metadata and artifacts](#metadata-and-artifacts) - [Passwords](#passwords) - [Backup](#backup) - [Wi-Fi](#wi-fi) @@ -1477,7 +1478,9 @@ To permanently disable this feature, [clear the file](https://superuser.com/ques $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 -Furthermore, macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: +## Metadata and artifacts + +macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: ``` $ ls -l@ ~/Downloads/TorBrowser-6.0.8-osx64_en-US.dmg 
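Review bot: the new "## Metadata and artifacts" section opens with an example on `~/Downloads/TorBrowser-6.0.8-osx64_en-US.dmg` (and the `@@ -1552` hunk header shows a later `xattr -l ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg` line) while PATCH 038 in this series moved the Tor Browser section to 7.0.10; since this hunk turns the paragraph into a stand-alone section, make the file names consistent with each other and with the current version. Dropping the "Furthermore, macOS attaches metadata..." lead also severs the link to the quarantine discussion above; one opening sentence noting that this continues from Gatekeeper's quarantine attribute would keep the `chflags schg ... QuarantineEventsV2` command just before the heading in context.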
@@ -1552,6 +1555,167 @@ $ xattr -l ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg [No output after removal.] ``` +Other metadata and artifacts may be found in the directories including, but not limited to, `~/Library/Preferences/`, `~/Library/Containers//Data/Library/Preferences`, `/Library/Preferences`, some of which is detailed below. + +`~/Library/Preferences/com.apple.sidebarlists.plist` contains historical list of volumes attached. To clear it, use the command `/usr/libexec/PlistBuddy -c "delete :systemitems:VolumesList" ~/Library/Preferences/com.apple.sidebarlists.plist` + +`/Library/Preferences/com.apple.Bluetooth.plist` contains Bluetooth metadata, including device history. If Bluetooth is not used, the metadata can be cleared with: + +```` +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices +```` + +`/var/spool/cups` contains the CUPS printer job cache. 
To clear it, use the commands: + +```` +sudo rm -rfv /var/spool/cups/c0* +sudo rm -rfv /var/spool/cups/tmp/* +sudo rm -rfv /var/spool/cups/cache/job.cache* +```` + +To clear the list of iOS devices connected, use: + +```` +sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" +sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices +sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" +sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices +sudo rm -rfv /var/db/lockdown/* +```` + +QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: + +```` +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data +```` + +Similarly, for the root user: + +```` +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm +sudo rm -rfv $(getconf 
DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler +```` + +To clear Finder preferences: + +```` +defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions +defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders +defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations +defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches +defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches +```` + +Additional diagnostic files may be found in the following directories - but caution should be taken before removing any, as it may break logging or cause other issues: + +```` +/var/db/CoreDuet/ +/var/db/diagnostics/ +/var/db/systemstats/ +/var/db/uuidtext/ +/var/log/DiagnosticMessages/ +```` + +macOS stored preferred Wi-Fi data (including credentials) in nvram. To clear it, use the following commands: + +```` +sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network +sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks +sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count +```` + +macOS may collect sensitive information about what you type, even if user dictionary and suggestions are off. 
To remove them, and prevent them from being created again, use the following commands: + +```` +rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*" +chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions +chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions +```` + +QuickLook application support metadata can be cleared and locked with the following commands: + +```` +rm -rfv "~/Library/Application Support/Quick Look/*" +chmod -R 000 "~/Library/Application Support/Quick Look" +chflags -R uchg "~/Library/Application Support/Quick Look" +```` + +Document revision metadata is stored in `/.DocumentRevisions-V100` and can be cleared and locked with the following commands - caution should be taken as this may break some core Apple applications: + +```` +sudo rm -rfv /.DocumentRevisions-V100/* +sudo chmod -R 000 /.DocumentRevisions-V100 +sudo chflags -R uchg /.DocumentRevisions-V100 +```` + +Saved application state metadata may be cleared and locked with the following commands: + +```` +rm -rfv "~/Library/Saved Application State/*" +rm -rfv "~/Library/Containers//Saved Application State" +chmod -R 000 "~/Library/Saved Application State/" +chmod -R 000 "~/Library/Containers//Saved Application State" +chflags -R uchg "~/Library/Saved Application State/" +chflags -R uchg "~/Library/Containers//Saved Application State" +```` + +Autosave metadata can be cleared and locked with the following commands: + +```` +rm -rfv "~/Library/Containers//Data/Library/Autosave Information" +rm -rfv "~/Library/Autosave Information" +chmod -R 000 "~/Library/Containers//Data/Library/Autosave Information" +chmod -R 000 "~/Library/Autosave Information" +chflags -R uchg "~/Library/Containers//Data/Library/Autosave Information" +chflags -R uchg "~/Library/Autosave Information" +```` + +The Siri analytics database, which is created even if the Siri launch agent disabled, can be cleared and locked with the 
following commands: + +```` +rm -rfv ~/Library/Assistant/SiriAnalytics.db +chmod -R 000 ~/Library/Assistant/SiriAnalytics.db +chflags -R uchg ~/Library/Assistant/SiriAnalytics.db +```` + +`~/Library/Preferences/com.apple.iTunes.plist` contains iTunes metadata. Recent iTunes search data may be cleared with the following command: + +```` +defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches +```` + +If you do not use Apple ID-linked services, the following keys may be cleared, too, using the following commands: + +```` +defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo +defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID +```` + +`~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist` contains all media played in QuickTime Player. + +Additional metadata may exist in the following files: + +```` +~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist +~/Library/Preferences/com.apple.commerce.plist +~/Library/Preferences/com.apple.QuickTimePlayerX.plist +```` + ## Passwords You can generate strong passwords with OpenSSL: From 053f04ba52d0a8dbeace77e8574fdf6cb486f4cc Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 5 Jan 2018 11:31:49 -0800 Subject: [PATCH 045/476] Note on blocking non-dnscrypt dns --- README.md | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 9275ffc0..663b6e0f 100755 --- a/README.md +++ b/README.md @@ -662,7 +662,7 @@ $ curl -O https://fix-macosx.com/fix-macosx.py $ less fix-macosx.py -$ /usr/bin/python fix-macosx.py +$ python fix-macosx.py All done. Make sure to log out (and back in) for the changes to take effect. ``` 
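Review bot: Several of the "clear and lock" blocks in the metadata hunk quote the tilde and glob together, e.g. `rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*"`, so the shell performs neither tilde nor pathname expansion and `rm -f` is handed a literal path that does not exist and silently removes nothing; the same applies to the `"~/Library/Application Support/Quick Look/*"`, `"~/Library/Saved Application State/*"` and `"~/Library/Autosave Information"` lines. Worse, where the following `chmod -R 000` and `chflags -R uchg` lines are unquoted (the LanguageModeling block), they do expand, so the directories get locked with their contents still in place. Write the paths unquoted, or quote only the part with spaces, e.g. `rm -rfv "$HOME/Library/Application Support/Quick Look/"*`. The "Similarly, for the root user" QuickLook block has a related defect: in `sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/...` the command substitution runs in the calling user's shell before `sudo` starts, so it resolves to the current user's cache directory again, contradicting the sentence just above that says to use `sudo getconf DARWIN_USER_CACHE_DIR` for root; use `sudo sh -c 'rm -rfv "$(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/"*'` or substitute `$(sudo getconf DARWIN_USER_CACHE_DIR)`. Two smaller points: the `~/Library/Containers//Data/Library/Preferences` and `~/Library/Containers//Saved Application State` paths contain an empty component where an application bundle identifier belongs, so as written they match nothing; state that the reader must fill in the bundle id. And since `chflags uchg` also blocks the owner's own writes, each locking block should say how to undo it (`chflags -R nouchg`) and the caution given only for `/.DocumentRevisions-V100` applies equally to locking `Saved Application State` and `Autosave Information`, which applications write to on every save.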
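Review bot: Changing `$ /usr/bin/python fix-macosx.py` to `$ python fix-macosx.py` in the first hunk removes the one thing that pinned which interpreter runs the script: `/usr/bin/python` is Apple's bundled interpreter, while a bare `python` resolves to whatever is first on PATH, which on a machine with Homebrew can be a different major version, so the example becomes less reproducible rather than more. Either keep the absolute path or add a sentence stating which Python the script expects.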
@@ -741,7 +741,8 @@ If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-prox ``` $ brew info dnscrypt-proxy ``` -which will shows the location like "/usr/local/Cellar/dnscrypt-proxy/1.9.5_1" and `homebrew.mxcl.dnscrypt-proxy.plist` is in this folder. + +which will shows the location like `/usr/local/Cellar/dnscrypt-proxy/1.9.5_1` and `homebrew.mxcl.dnscrypt-proxy.plist` is in this folder. Edit it to have the line: @@ -801,6 +802,15 @@ $ dig +short -x 128.180.155.106.49321 d0wn-us-ns4 ``` +dnscrypt-proxy also has the capability to blacklist domains, including the use of wildcards. See the [Sample configuration file for dnscrypt-proxy](https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-proxy.conf) for the options. + +**Note** Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules: + +```` +block drop quick on !lo0 proto udp from any to any port = 53 +block drop quick on !lo0 proto tcp from any to any port = 53 +```` + See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html), the [mDNSResponder manual page](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/mDNSResponder.8.html) and [ipv6-test.com](http://ipv6-test.com/). #### Dnsmasq @@ -834,8 +844,9 @@ server=127.0.0.1#5355 # Uncomment to forward queries to Google Public DNS, if DNSCrypt is not used # You may also use your own DNS server or other public DNS server you trust #server=8.8.8.8 +#server=8.8.4.4 -# Never forward plain names +# Never forward plain (local) names domain-needed # Examples of blocking TLDs or subdomains @@ -843,6 +854,7 @@ domain-needed #address=/.local/0.0.0.0 #address=/.mycoolnetwork/0.0.0.0 #address=/.facebook.com/0.0.0.0 +#address=/.push.apple.com/0.0.0.0 # Never forward addresses in the non-routed address spaces bogus-priv 
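Review bot: The two pf rules added in the dnscrypt-proxy note, `block drop quick on !lo0 proto udp from any to any port = 53` and its TCP twin, need a caveat and a placement instruction. They drop every port-53 packet on every non-loopback interface in both directions, which also cuts off dnscrypt-proxy itself if the resolver it is configured to use listens on port 53 rather than 443, and it makes captive portals unusable, since those intercept plain DNS before you can authenticate; say that the upstream resolver must not be on port 53 and that the rules have to be disabled on portal networks. Because they use `quick`, they must also come before any `pass quick` rule that would match DNS in `pf.conf` or the anchor they are loaded into, otherwise the earlier rule wins; the text should say where to put them and that they must be loaded with `pfctl`. In the dnsmasq hunk, the new example `#address=/.push.apple.com/0.0.0.0` should carry a comment that uncommenting it blocks Apple Push Notifications (iMessage, FaceTime and app notifications), since the neighbouring examples are harmless and a reader may not realise what this one disables. Grammar nit in the first hunk of this patch: "which will shows the location like" should read "which shows the location, for example".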
@@ -862,11 +874,13 @@ log-async log-dhcp log-facility=/var/log/dnsmasq.log -# Uncomment to log all queries +# Log all queries #log-queries -# Uncomment to enable DNSSEC -# The latest trust-anchor could be found on its official website +# Path to list of additional hosts +#addn-hosts=/etc/blacklist + +# Enable DNSSEC (see https://www.iana.org/dnssec/files) #dnssec #trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 #dnssec-check-unsigned From 05f8763f0005294f1d64966f11ab78cd51a2bd0e Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 8 Jan 2018 11:10:54 -0800 Subject: [PATCH 046/476] Add 10.13.2 (17C88) hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index dc5b62f5..36f10235 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -18,3 +18,4 @@ Version,Build,SHA-256,SHA-1 10.12.4,16E195,30319aeae18c3277919c59fe678201553f5a11022d6966b67a43422996391181,30b9245f7c7608c40bbdf4d4a74f3ab84dbac716 10.12.5,16F73,dae2d71921a737d41df8f00379b7c04653bd35ed8db0f38313f8d86eb7f39f88,51df126965433187403987c9d74d95c26cba9266 10.12.6,16G29,d93efaaaa9d029b52ac1985043fabf0e6c8d5015841e7338f96ed9e162538b2c,b53c36706eef6e0e15c1f76ef51d1b552705fc75 +10.13.2,17C88,a016570e65a70e23462efdddd845d3a1a5a7cc39aa770a0052af16e3d5f2ac4f,49e336085247331ea6033ebd3598a827caa6596e From e6fcf54ec8bc2062900d16034f09ba8dab94eed6 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 8 Jan 2018 14:33:24 -0800 Subject: [PATCH 047/476] Recommend two Firefox user.js repos. Fix #246. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 663b6e0f..0ac87a16 100755 --- a/README.md +++ b/README.md 
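Review bot: In the `@@ -862` hunk the comments "# Log all queries" and "# Enable DNSSEC" now sit above directives that are still commented out (`#log-queries`, `#dnssec`), so the new wording reads as if the feature is on; the previous "Uncomment to ..." phrasing was accurate and should be kept, or the directives enabled. The DNSSEC block also still pins a single root trust anchor (`trust-anchor=.,19036,8,2,49AAC11D...`) beside the new pointer to https://www.iana.org/dnssec/files; since a pinned anchor silently fails all validation once the root KSK rolls, the comment should tell the reader to take every active KSK from the root-anchors file at that URL rather than copying this one line.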
@@ -1165,7 +1165,7 @@ Firefox offers a similar security model to Chrome. It offers See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. -If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox) for recommended privacy preferences. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking. +If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox), [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js/) for recommended privacy preferences and other hardening measures. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking. Firefox is focussed on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) during Private browsing by default. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers). Containers lets you create profiles in Firefox for different activities, such as online shopping, travel planning, or checking work email. Containers store cookies separately, you can log into the same site with a different account in each Container, and online trackers can’t connect your browsing in one container to another. From 1c1839aed63c4105e544b2afe5cc27efe8f1337c Mon Sep 17 00:00:00 2001 
From: drduh Date: Sat, 20 Jan 2018 15:27:28 -0800 Subject: [PATCH 048/476] Updated virtualization instructions, wording nits --- README.md | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 0ac87a16..94d95e01 100755 --- a/README.md +++ b/README.md @@ -176,7 +176,7 @@ macOS installers can be made with the `createinstallmedia` utility included in ` **Note** Apple's installer [does not appear to work](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.12 image, for example, the following steps must be run on a 10.12 machine! -To create a **bootable USB macOS installer**, mount a USB drive, and erase and partition it, then use the `createinstallmedia` utility: +To create a **bootable USB installer**, mount a USB drive, and erase and partition it, then use the `createinstallmedia` utility: ``` $ diskutil list @@ -198,7 +198,7 @@ Copy complete. Done. ``` -To create a custom, installable image which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac, you will need to find the file `InstallESD.dmg`, which is also inside `Install macOS Sierra.app`. +To create a **custom installable image** which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac, you will need to find the file `InstallESD.dmg`, which is also inside `Install macOS Sierra.app`. With Finder, right click on the app, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg`. 
@@ -220,7 +220,7 @@ To create the image, use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDM This part will take a while, so be patient. You can `tail -F /var/log/install.log` in another Terminal window to check progress. -**(Optional)** Install additional software, such as [Wireshark](https://www.wireshark.org/download.html): +**(Optional)** Install additional software, for example [Wireshark](https://www.wireshark.org/download.html): $ hdiutil attach Wireshark\ 2.2.0\ Intel\ 64.dmg @@ -240,7 +240,7 @@ When you're done, detach, convert and verify the image: $ asr imagescan --source ~/sierra.dmg -Now `sierra.dmg` is ready to be applied to one or multiple Macs. One could futher customize the image to include premade users, applications, preferences, etc. +Now `sierra.dmg` is ready to be applied to one or many Macs. One could futher customize the image to include premade users, applications, preferences, etc. This image can be installed using another Mac in [Target Disk Mode](https://support.apple.com/en-us/HT201462) or from a bootable USB installer. 
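Review bot: The rewritten line in the `@@ -240` hunk, `+Now sierra.dmg is ready to be applied to one or many Macs. One could futher customize the image ...`, keeps the "futher" typo from the line it replaces; as the commit is titled "wording nits", fix it to "further" in the same change.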
@@ -307,18 +307,20 @@ Once you're done, eject the disk with `hdiutil unmount /Volumes/macOS` and power To install macOS as a virtual machine (vm) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition manually. ``` -VMware-Fusion-8.5.6-5234762.dmg -SHA-256: 57a879095c9fcce0066bea0d3c203571689fb53205915fda156c0d742f7c7ad2 -SHA-1: b7315d00a7c92dbad280d0f01f42dd8b56d96040 +VMware-Fusion-10.1.0-7370838.dmg +SHA-256: 5e968c5f88eb929740115374e0162779cbccd0383bc70e7bc52a0a680bf8fe2b +SHA-1: ef694e2bba7205253d5fde6e68e8ba78fad82952 ``` -For the Installation Method, select *Install OS X from the recovery partition*. Customize any memory or CPU requirements and complete setup. The guest vm should boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by default. +For the Installation Method, select *Install macOS from the recovery partition*. Customize any memory or CPU requirements and complete setup. The guest vm should boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by default. -In Recovery Mode, select a language, then Utilities > Terminal from the menubar. +**Note** If the virtual machine does not boot due to a kernel panic, adjust the memory and process resource settings. + +In Recovery Mode, select a language, then select Utilities > Terminal from the menubar. In the guest vm, type `ifconfig | grep inet` - you should see a private address like `172.16.34.129` -On the host Mac, type `ifconfig | grep inet` - you should see a private gateway address like `172.16.34.1` +On the host Mac, type `ifconfig | grep inet` - you should see a private gateway address like `172.16.34.1`. From the host Mac, you should be able to `ping 172.16.34.129` or the equivalent guest vm address. 
From the host Mac, serve the installable image to the guest vm by editing `/etc/apache2/httpd.conf` and adding the following line to the top (using the gateway address assigned to the host Mac and port 80): @@ -348,7 +350,7 @@ From the guest VM, install the disk image to the volume over the local network u When it's finished, stop the Apache Web server on the host Mac by pressing `Control` `C` at the `sudo httpd -X` window and remove the image copy with `sudo rm /Library/WebServer/Documents/sierra.dmg` -In the guest vm, select *Startup Disk* from the top-left corner Apple menu, select the hard drive and restart. You may wish to disable the Network Adapter in VMware for the initial guest vm boot. +In the guest vm, select *Startup Disk* from the menubar top-left, select the hard drive and restart. You may wish to disable the Network Adapter in VMware to configure the guest vm initially. Take and Restore from saved guest vm snapshots before and after attempting risky browsing, for example, or use a guest vm to install and operate questionable software. 
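Review bot: The new line "**Note** If the virtual machine does not boot due to a kernel panic, adjust the memory and process resource settings." in the `@@ -307` hunk presumably means "processor" (CPU count) rather than "process", and "adjust" should say in which direction, since a reader hitting a panic has no idea whether to add or remove resources. The updated `VMware-Fusion-10.1.0-7370838.dmg` digests in the same hunk are given without saying whether they were copied from the vendor or computed locally; for a guide that tells readers to verify downloads, note the source beside the block.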
@@ -365,12 +367,11 @@ When creating your account, use a [strong password](http://www.explainxkcd.com/w If you enter your real name at the account setup process, be aware that your [computer's name and local hostname](https://support.apple.com/kb/PH18720) will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. You can change them both in **System Preferences > Sharing** or with the following commands: $ sudo scutil --set ComputerName your_computer_name - $ sudo scutil --set LocalHostName your_hostname ## Admin and standard user accounts -The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) [p. 61–62] for admin accounts. It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) [p. 41–42] to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. +The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. 
Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 61–62) for admin accounts. It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be [removed from FileVault](http://apple.stackexchange.com/a/94373). @@ -390,7 +391,6 @@ Accounts can be created and managed in System Preferences. On settled systems, i ``` $ sudo dscl . -delete /Groups/admin GroupMembership - $ sudo dscl . -delete /Groups/admin GroupMembers ``` 
@@ -503,9 +503,9 @@ Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/inde *Example of Little Snitch-monitored session* ``` -LittleSnitch-4.0.3.dmg -SHA-256: af93abb070cbac96cdda7e150668115c34447f2779dc707f8a79879c60f4c3bf -SHA-1: 63f1cf6c47def2774040b26add388068ae4b00f5 +LittleSnitch-4.0.5.dmg +SHA-256: a954a269596c9a8e9efb3efadf843a6ae419fe218145c5b8d877e2acb0692981 +SHA-1: f642900c9c4f82a0fec38a0c826133e54cfbc0dc ``` These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [kernel extension](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html). @@ -666,7 +666,7 @@ $ python fix-macosx.py All done. Make sure to log out (and back in) for the changes to take effect. ``` -Speaking of Microsoft, you may want to see just for fun. +For comparison, also see ## Homebrew @@ -724,9 +724,9 @@ See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/ha See the [dnsmasq](#dnsmasq) section of this guide for more hosts blocking options. -#### dnscrypt +#### DNSCrypt -Use [dnscrypt](https://dnscrypt.org/) to encrypt DNS traffic to the provider of choice. In combination with Dnsmasq and DNSSEC, the security of both outbounding and inbounding dns traffic are strengthened. +To encrypt outgoing DNS traffic, consider using [dnscrypt](https://dnscrypt.org/). In combination with Dnsmasq and DNSSEC, the security of both outbounding and inbounding dns traffic are strengthened. If you prefer a GUI application, see [alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient). Below are the guide for installation and configuration of the command-line DNSCrypt. 
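Review bot: The `LittleSnitch-4.0.5.dmg` digests in the `@@ -503` hunk replace the previous values with no indication of where they came from, so a reader cannot tell whether they were taken from the vendor or computed on the author's machine from a download that was itself unverified; add the source next to the block. In the DNSCrypt hunk, the new opening "To encrypt outgoing DNS traffic, consider using dnscrypt" is good, but the following sentence still says "the security of both outbounding and inbounding dns traffic are strengthened", which should be "of both outbound and inbound DNS traffic is strengthened"; and renaming the heading to "#### DNSCrypt" is fine for the existing `#dnscrypt` anchor only because GitHub lowercases heading ids, which is worth a one-line check in the table of contents.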
@@ -1448,13 +1448,13 @@ You could periodically run a tool like [Knock Knock](https://github.com/synack/k See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](http://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). -Therefore, the best anti-virus is **Common Sense 2017**. See more discussion in [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44). +Therefore, the best anti-virus is **Common Sense 2018**. See more discussion in [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44). CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on MacOS is questionable. It's core feature is an algorithm derived from a machine-learning process which aims to identify malware based on various characteristics of a binary executable. Cylance have a [whitepaper](https://www.cylance.com/content/dam/cylance/pdfs/data_sheets/CylancePROTECT.pdf) with information about how it works. 
Single licenses are available from third party resellers such as [Cyberforce](https://cybrforce.com) or [Malware Managed](https://www.malwaremanaged.com) and there is also a home/personal edition in the works but it is currently only available for companies to make available to their employees. On MacOS it complements Apple's built-in XProtect by continuously vmmap'ing the memory of active processes to watch for patterns that indicate bad things happening. Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). -Have a look at [The Safe Mac](http://www.thesafemac.com/) for past and current Mac security news. +Have a look at [The Safe Mac](http://www.thesafemac.com/) for past and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for Mac OS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from **userland** (e.g., `ps`, `ls`), for example. For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) From 999168336f86d1b56bd06c9d226e9f8abc3bda1b Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 22 Jan 2018 11:19:06 -0800 Subject: [PATCH 049/476] Update flash instructions, fix #247 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 94d95e01..f1aa3732 100755 --- a/README.md +++ b/README.md @@ -1146,7 +1146,7 @@ To improve the privacy and security posture of the browser, create at least thre The idea is to separate and compartmentalize data so that an exploit or privacy violation in one "session" does not necessarily affect data in another. -In each profile, visit `chrome://plugins/` and disable **Adobe Flash Player**. If you must use Flash, visit `chrome://settings/contents` to enable **Let me choose when to run plugin content**, under the Plugins section (also known as *click-to-play*). +In each profile, visit `chrome://settings/content` and enable **Block sites from running Flash** so Flash applications do not run by default without explicit permission. [Incognito](https://support.google.com/chrome/answer/7440301) mode in Chrome disables extensions, since extensions such as Ad blockers have access to Chrome's network requests. Extensions have to be enabled manually. Moreover, while in Incognito mode, Chrome does not use session data from previous sessions. Incognito mode is another option if you want to access sensitive information without setting up separate profiles. From 551d08a7ad1a77b0e35e61dec4ed8310ff40bfbc Mon Sep 17 00:00:00 2001 From: Chris Franklin Date: Wed, 21 Feb 2018 12:13:15 +0000 Subject: [PATCH 050/476] Update InstallESD_Hashes.csv Add 10.13.3 update: Build number from: https://support.apple.com/en-gb/HT201260 Shasum run on 10.13.3 host using the following commands: shasum -a 256 /Applications/Install macOS High Sierra.app/Contents/SharedSupport/InstallESD.dmg shasum -a 1 /Applications/Install macOS High Sierra.app/Contents/SharedSupport/InstallESD.dmg I have not verified these hashes elsewhere. --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 36f10235..714fc4b7 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv 
@@ -19,3 +19,4 @@ Version,Build,SHA-256,SHA-1 10.12.5,16F73,dae2d71921a737d41df8f00379b7c04653bd35ed8db0f38313f8d86eb7f39f88,51df126965433187403987c9d74d95c26cba9266 10.12.6,16G29,d93efaaaa9d029b52ac1985043fabf0e6c8d5015841e7338f96ed9e162538b2c,b53c36706eef6e0e15c1f76ef51d1b552705fc75 10.13.2,17C88,a016570e65a70e23462efdddd845d3a1a5a7cc39aa770a0052af16e3d5f2ac4f,49e336085247331ea6033ebd3598a827caa6596e +10.13.3,17D47,438fc19055e56ac90fb485796d3aacc4059d241d79bc5c303220c4c2468a1f9d,726c7516fdbe33ae3f2384ba1ce7efcda4335776 From 090d329a3746ccd86ecec453122881f36f2c2d9d Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 26 Feb 2018 11:20:03 -0800 Subject: [PATCH 051/476] Include activation privacy concerns tldr, fix #249 --- README.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f1aa3732..7c366617 100755 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Preparing and Installing macOS](#preparing-and-installing-macos) - [Virtualization](#virtualization) - [First boot](#first-boot) +- [System activation](#system-activation) - [Admin and standard user accounts](#admin-and-standard-user-accounts) - [Full disk encryption](#full-disk-encryption) - [Firewall](#firewall) 
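Review bot: The commit message for this new row states that the digests were computed on the contributor's own 10.13.3 host and "I have not verified these hashes elsewhere"; since `InstallESD_Hashes.csv` exists so that readers can check an installer against a known-good value, a row produced from a single unverified download gives no independent assurance. Before merging, confirm the 10.13.3 (17D47) SHA-256 `438fc19055e56ac90fb485796d3aacc4059d241d79bc5c303220c4c2468a1f9d` against a second machine or an independent source and record that in the commit; the SHA-1 column adds nothing beyond it, so the SHA-256 is the value to cross-check.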
@@ -356,7 +357,7 @@ Take and Restore from saved guest vm snapshots before and after attempting risky ## First boot -**Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, [late 2016 MacBooks](https://www.ifixit.com/Device/MacBook_Pro_15%22_Late_2016_Touch_Bar) with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/). +**Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, [late 2016 MacBooks](https://www.ifixit.com/Device/MacBook_Pro_15%22_Late_2016_Touch_Bar) with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/) (also see next section). On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://support.apple.com/en-us/HT204063). 
@@ -369,6 +370,26 @@ If you enter your real name at the account setup process, be aware that your [co $ sudo scutil --set ComputerName your_computer_name $ sudo scutil --set LocalHostName your_hostname +## System activation + +A few words on the privacy implications of activating "Touch Bar" MacBook devices from your friendly anonymous security researcher: + +> Apple increasingly seems (despite vague claims to the contrary) increasingly interested in merging or "unifying" the two OSes, and there are constantly rumors of fundamental changes to macOS that make it far more like iOS than the macOS of old. Apple's introduction of ARM-based coprocessors running iOS/sepOS, first with the T1 processor on the TouchBar MacBook Pros (run the TouchBar, implement NFC/ApplePay, add biometric login using sep, and verify firmware integrity) and the iMac Pro's T2 (implements/verifies embedded device firmware, implements secure boot, etc) seems to cement this concern and basically renders using macOS devices without sending metadata to Apple difficult to impossible. +> +> iOS devices have always required "activation" on first boot and when the battery has gone dead which initializes sepOS to proceed with verified boot. First boot activation not only initializes sepOS as discussed below, but sends metadata to Apple (and carriers via Apple with cellular devices) to activate the baseband and SIM. In activation processes after first boot, just as with first boot, a long list of highly sensitive metadata are sent hashed (note hashing does not give you any privacy from Apple here since they link this exact metadata to payment information at purchase) to Apple so it can return the personalized response required for secure boot to complete. What is particularly worrying about this process is that it is a network-linked secure boot process where centralized external servers have the power to dictate what the device should boot. 
Equally there are significant privacy concerns with devices constantly sending metadata (both during activation and other Apple-linked/-hosted activities) and linking IP addresses very strongly with real identities based on purchase payment information and if a cellular device, metadata collected about SIM, etc unless such connections are blocked at the network level (which is only possible on self-managed infrastructure, i.e. not cellular) and doing this basically renders using the device impossible since simply installing an application requires sending device metadata to Apple. +> +> That the activation verification mechanism is designed specifically to rely on unique device identifiers that are associated with payment information at purchase and actively associated on a continuing basis by Apple for every Apple-hosted service that the device interacts with (Apple ID-based services, softwareupdate, iMessage, FaceTime, etc.) the ability (and invitation) for Apple to silently send targeted malicious updates to devices matching specific unique ID criteria is a valid concern, and something that should not be dismissed as unlikely, especially given Apple's full compliance with recently implemented Chinese (and other authoritarian and "non-authoritarian" countries') national security laws. +> +> iOS has from the start been designed with very little end-user control with no way for end-users to configure devices according to their wishes while maintaining security and relies heavily on new, closed source code. While macOS has for most of its history been designed on the surface in a similar fashion, power and enterprise users can (for the moment) still configure their devices relatively securely while maintaining basically zero network interaction with Apple and with the installation of third party software/kernel extensions, completely control the network stack and intercept filesystem events on a per-process basis. 
macOS, despite having a good deal of closed source code, was designed at a very different period in Apple's history and was designed more in line with open source standards, and designed to be configurable and controllable by enterprise/power users. +> +> The introduction of these coprocessors to Mac devices, while increasing security in many ways, brings with it all the issues with iOS discussed above, and means that running mac devices securely with complete user control, and without forced network interaction with the Apple mothership in highly sensitive corporate and other environments problematic and risky. Given this author is unaware of the exact hardware configuration of the coprocessors, the following may be inaccurate. However, given the low-level nature of these coprocessors, it would not surprise the author if these coprocessors, if not already, will eventually have separate network access of their own, independent of the Intel CPU (indications suggest not currently the case for T1; unclear on T2), which leads to concerns similar to those that many have raised around Intel ME/AMT (and of course mac devices also have ME in the Intel CPU...). One could argue that these coprocessors increase security, and in many ways that is the case, but not the user's security against a malicious Apple. +> +> The lack of configurability is the key issue. Apple could have introduced secure boot and firmware protection without making it require network access, without making verification linked to device-unique IDs and without introducing an enormous amount of potentially exploitable code to protect against a much smaller, but highly exploitable codebase, while running on a coprocessor with a highly privileged position on the board which gives immense power to an adversary with manufacturer compliance for targeted attacks. 
+> +> This is an ongoing concern and in the worst case scenario could potentially represent the end of macs as independent, end-user controllable and relatively secure systems appropriate for sensitive environments with strict network and security policies. + +For more details, see [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d). + ## Admin and standard user accounts The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 61–62) for admin accounts. It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. From 9c4e7767d16bfa6b7de306b97809f3f54ebd140f Mon Sep 17 00:00:00 2001 From: Nathaniel Suchy Date: Tue, 20 Mar 2018 17:55:00 -0400 Subject: [PATCH 052/476] Update wording on Intelligent Tracking Protection --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7c366617..69d939f1 100755 --- a/README.md +++ b/README.md 
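Review bot: the new "System activation" section rests entirely on a long block quote from an unnamed source that itself concedes "the following may be inaccurate", which is a weak basis for a hardening guide that readers act on. Suggest stating the two concrete, checkable points in the guide's own voice (Touch Bar Macs need network access to activate at first boot, and activation sends device-identifying metadata to Apple that can be linked to the purchase), keeping the quote short, and leaving the speculative material on coprocessor network access and targeted updates to the already-linked gist. The attribution "your friendly anonymous security researcher" also gives the reader nothing to verify; name the gist as the source directly.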
@@ -1200,7 +1200,7 @@ Submission of Web Extensions is Firefox is free. Web Extensions in Firefox most [Safari](https://www.apple.com/safari/) is the default Web Browser of macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 will introduce an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature will automatically remove tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. +Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 introduced an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature automatically removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. 
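Review bot: the rewritten Safari paragraph still carries "greatly improves memory user" two sentences before the changed text, which should read "memory usage", and "[Content blockers] enables" should be "enable"; since the hunk already touches this line to change tense ("will introduce" to "introduced"), fix both in the same pass.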
Similar to Chrome and Firefox, Safari offers an invite only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. From 657f2418069566958c08869121eb5d11c99f71bf Mon Sep 17 00:00:00 2001 From: Nathaniel Suchy Date: Wed, 21 Mar 2018 15:06:39 -0400 Subject: [PATCH 053/476] Fixed dead link with Internet Archive Link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 69d939f1..07ec90f4 100755 --- a/README.md +++ b/README.md @@ -2314,7 +2314,7 @@ export HOME=/Users/blah [DoD Security Technical Implementation Guides for Mac OS](http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx) -[The EFI boot process](http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) +[The EFI boot process](http://web.archive.org/web/20160508052211/http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) [The Intel Mac boot process](http://refit.sourceforge.net/info/boot_process.html) From 32a989c3bb4f3f6a7f7865c1cc037481a7375d73 Mon Sep 17 00:00:00 2001 
From: Joss Brown Date: Tue, 3 Apr 2018 12:17:09 +0200 Subject: [PATCH 054/476] WebRTC Safari & DNSCrypt version 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (1) You can disable/reenable/toggle WebRTC in Safari, but only with a system hack (2) Updated general information for new version of `dnscrypt-proxy` (_see below_) **Note:** the information on using dnscrypt-proxy together with dnsmasq _might_ be outdated, now that we have version 2. I will post in the DNSCrypt issues and ask the developer @jedisct1 … if it's outdated, someone who's actually using dnscrypt-proxy in tandem with dnsmasq should update that section. --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 07ec90f4..11742b7d 100755 --- a/README.md +++ b/README.md 
@@ -747,11 +747,11 @@ See the [dnsmasq](#dnsmasq) section of this guide for more hosts blocking option #### DNSCrypt -To encrypt outgoing DNS traffic, consider using [dnscrypt](https://dnscrypt.org/). In combination with Dnsmasq and DNSSEC, the security of both outbounding and inbounding dns traffic are strengthened. +To encrypt outgoing DNS traffic, consider using [dnscrypt](https://dnscrypt.info). In combination with Dnsmasq and DNSSEC, the security of both outbounding and inbounding dns traffic are strengthened. -If you prefer a GUI application, see [alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient). Below are the guide for installation and configuration of the command-line DNSCrypt. +A GUI application is only available for the discontinued version 1 of `dnscrypt-proxy` ([alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient)). It is recommended to install the improved [`dnscrypt-proxy` version 2](https://github.com/jedisct1/dnscrypt-proxy) and use a BitBar plugin like [DNSCrypt Menu](https://github.com/JayBrown/DNSCrypt-Menu) or [dnscrypt-proxy-switcher](https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher) until an updated GUI application is available. Below are the guides for installation and configuration of the command-line DNSCrypt. -Install DNSCrypt from Homebrew: +Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: ``` $ brew install dnscrypt-proxy @@ -763,7 +763,7 @@ If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-prox $ brew info dnscrypt-proxy ``` -which will shows the location like `/usr/local/Cellar/dnscrypt-proxy/1.9.5_1` and `homebrew.mxcl.dnscrypt-proxy.plist` is in this folder. +which will show a location like `/usr/local/Cellar/dnscrypt-proxy/2.0.8`, and `homebrew.mxcl.dnscrypt-proxy.plist` is in this folder. Edit it to have the line: 
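Review bot: the `brew info` example path is bumped to `/usr/local/Cellar/dnscrypt-proxy/2.0.8`, but the instructions that follow it (editing `homebrew.mxcl.dnscrypt-proxy.plist` to carry `--resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv`) are version 1 command-line options; dnscrypt-proxy 2 is configured through its TOML file and does not accept these flags, so a reader following the section against 2.0.8 will feed the service arguments it rejects. The commit message already acknowledges that the dnsmasq part may be outdated, so either mark that part as version-1 only in this hunk or hold the path change until the section is rewritten. Also, "the security of both outbounding and inbounding dns traffic are strengthened" in the first changed line should read "the security of both outbound and inbound DNS traffic is strengthened".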
@@ -1226,7 +1226,7 @@ Since Web Browsers execute untrusted code from the server, it is important to un To hinder third party trackers, it is recommended to disable third-party cookies from your Web Browser settings. A third party cookie is a cookie associated with a file requested by different domain than the one the user is currently viewing. Most of the time third party are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. -Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). This can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). +Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). Disabling WebRTC in Safari is only possible with a [system hack](https://github.com/JayBrown/Disable-and-toggle-WebRTC-in-macOS-Safari). ### Plugins From c106e55036b34ad1b1cdad0394ce7dd58f91c014 Mon Sep 17 00:00:00 2001 From: juanjonol Date: Tue, 3 Apr 2018 23:50:15 +0200 Subject: [PATCH 055/476] Update InstallESD_Hashes.csv --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 714fc4b7..3951bf4b 100644 
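Review bot: "only possible with a system hack" tells the reader neither what the linked method modifies nor what it costs them; add a half-sentence on what it changes and its side effects so they can weigh the trade-off, or state plainly that Safari offers no supported way to disable WebRTC and leave the link as a pointer.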
--- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -20,3 +20,4 @@ Version,Build,SHA-256,SHA-1 10.12.6,16G29,d93efaaaa9d029b52ac1985043fabf0e6c8d5015841e7338f96ed9e162538b2c,b53c36706eef6e0e15c1f76ef51d1b552705fc75 10.13.2,17C88,a016570e65a70e23462efdddd845d3a1a5a7cc39aa770a0052af16e3d5f2ac4f,49e336085247331ea6033ebd3598a827caa6596e 10.13.3,17D47,438fc19055e56ac90fb485796d3aacc4059d241d79bc5c303220c4c2468a1f9d,726c7516fdbe33ae3f2384ba1ce7efcda4335776 +10.13.4,17E199,fd33bb6f8a4132c2ba50808c0e1f92eb05b6c300d38e58287d5d7dec01a4cd65,2c72b22a45ea8f5a80bee91db8aba96dae8310ea From c1afb96d6ea01ad4cddb37d8d4133ff948326b49 Mon Sep 17 00:00:00 2001 From: George Glessner Date: Wed, 11 Apr 2018 23:41:22 -0400 Subject: [PATCH 056/476] Minor typos --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 11742b7d..db2c6809 100755 --- a/README.md +++ b/README.md 
@@ -1181,7 +1181,7 @@ It is best to remember that Google is an advertising company and its major sourc [Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. -Firefox offers a similar security model to Chrome. It offers +Firefox offers a similar security model to Chrome. It offers a [bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. 
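Review bot: joining the dangling "It offers" to the next line is right, but the joined sentence still reads "it is not a lucrative as Chrome's"; make it "not as lucrative as Chrome's" in the same hunk rather than leaving the typo for another pass.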
@@ -1192,7 +1192,7 @@ Firefox is focussed on user privacy. It supports [tracking protection](https://d Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. You can find more information about vulnerabilities introduced by Firefox's legacy extensions in this [paper](https://www.exploit-db.com/docs/24541.pdf). Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. -Submission of Web Extensions is Firefox is free. Web Extensions in Firefox most of the time are Open Source, although certain Web Extensions are proprietary. +Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are Open Source, although certain Web Extensions are proprietary. **Note**. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. 
@@ -1220,11 +1220,11 @@ Other miscellaneous browsers, such as [Brave](https://github.com/drduh/OS-X-Secu #### Web Browsers and Privacy -All Web Browsers retain certain information about our browsing habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browsers offer predictions services to resolve typos or URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web Browser's settings panel. +All Web Browsers retain certain information about our browsing habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browsers offer prediction services to resolve typos or URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web Browser's settings panel. -Since Web Browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browsers user agent. Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). +Since Web Browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. 
The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browser's user agent. Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). -To hinder third party trackers, it is recommended to disable third-party cookies from your Web Browser settings. A third party cookie is a cookie associated with a file requested by different domain than the one the user is currently viewing. Most of the time third party are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. +To hinder third party trackers, it is recommended to disable third-party cookies from your Web Browser settings. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). 
In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). Disabling WebRTC in Safari is only possible with a [system hack](https://github.com/JayBrown/Disable-and-toggle-WebRTC-in-macOS-Safari). From a04e52bdf4c05903e438374b3e52e5afe351c7a5 Mon Sep 17 00:00:00 2001 From: alichtman Date: Fri, 11 May 2018 04:59:32 -0500 Subject: [PATCH 057/476] Added stronghold and removed trailing whitespace --- README.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index db2c6809..37f9851f 100755 --- a/README.md +++ b/README.md @@ -579,7 +579,7 @@ It is possible to use the pf firewall to block network access to entire ranges o Query [Merit RADb](http://www.radb.net/) for the list of networks in use by an autonomous system, like [Facebook](https://ipinfo.io/AS32934): $ whois -h whois.radb.net '!gAS32934' - + Copy and paste the list of networks returned into the blocklist command: $ sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16 @@ -784,7 +784,7 @@ This can also be done using Homebrew, by installing `gnu-sed` and using the `gse By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. This can be fixed by changing the resolvers file in `homebrew.mxcl.dnscrypt-proxy.plist` (found earlier using find) to the symlinked version in `/usr/local/share`: --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv - + Below the line: /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy 
@@ -1181,7 +1181,7 @@ It is best to remember that Google is an advertising company and its major sourc [Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. -Firefox offers a similar security model to Chrome. It offers a +Firefox offers a similar security model to Chrome. It offers a [bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. @@ -1616,7 +1616,7 @@ To clear the list of iOS devices connected, use: ```` sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" -sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices +sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices sudo rm -rfv /var/db/lockdown/* 
@@ -1625,20 +1625,20 @@ sudo rm -rfv /var/db/lockdown/* QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: ```` -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data ```` Similarly, for the root user: ```` -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler +sudo rm -rfv $(getconf 
DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason @@ -1671,7 +1671,7 @@ macOS stored preferred Wi-Fi data (including credentials) in nvram. To clear it, ```` sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks -sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count +sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count ```` macOS may collect sensitive information about what you type, even if user dictionary and suggestions are off. To remove them, and prevent them from being created again, use the following commands: @@ -1689,7 +1689,7 @@ rm -rfv "~/Library/Application Support/Quick Look/*" chmod -R 000 "~/Library/Application Support/Quick Look" chflags -R uchg "~/Library/Application Support/Quick Look" ```` - + Document revision metadata is stored in `/.DocumentRevisions-V100` and can be cleared and locked with the following commands - caution should be taken as this may break some core Apple applications: ```` @@ -1748,7 +1748,7 @@ Additional metadata may exist in the following files: ```` ~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist ~/Library/Preferences/com.apple.commerce.plist -~/Library/Preferences/com.apple.QuickTimePlayerX.plist +~/Library/Preferences/com.apple.QuickTimePlayerX.plist ```` ## Passwords 
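Review bot: in the `@@ -1625` hunk, the block introduced as "for the root user" runs `sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/...`, but `$(getconf ...)` is expanded by the invoking user's shell before `sudo` starts, so these commands delete the same per-user cache as the preceding block and never touch root's. The prose above the hunk says to use `sudo getconf DARWIN_USER_CACHE_DIR`, so the commands should read `sudo rm -rfv "$(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive"` and so on; since the hunk already rewrites every one of these lines to drop trailing whitespace, this is the place to fix it (quoting the substitution also guards against spaces in the path). In the `@@ -1689` hunk, the context lines `rm -rfv "~/Library/Application Support/Quick Look/*"`, `chmod -R 000 "~/Library/Application Support/Quick Look"` and the matching `chflags` line quote the tilde, which suppresses both tilde and glob expansion, so they act on a literal `~` directory and do nothing useful; write `"$HOME/Library/Application Support/Quick Look"` (with the `*` outside the quotes) instead.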
@@ -2268,6 +2268,8 @@ export HOME=/Users/blah ## Related software +[stronghold](https://github.com/alichtman/stronghold) - Easily configure Mac security settings from the terminal. + [Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for macOS. [kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - checks your OSX machine against various hardened configuration settings. From 84349aa4e3184b09b1af5eed13f52a2dac1c06d6 Mon Sep 17 00:00:00 2001 From: alichtman Date: Fri, 11 May 2018 05:01:12 -0500 Subject: [PATCH 058/476] Capitalized related software descriptions --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 37f9851f..5d2f6ae4 100755 --- a/README.md +++ b/README.md 
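Review bot: the new entry is submitted by the tool's own author (committer `alichtman`, repository `alichtman/stronghold`) and is placed ahead of the established entries; for a list readers treat as vetted, say what the tool changes and whether it needs admin rights rather than "Easily configure Mac security settings", and append it after the existing entries rather than putting it first.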
@@ -2272,27 +2272,27 @@ export HOME=/Users/blah [Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for macOS. -[kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - checks your OSX machine against various hardened configuration settings. +[kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - Checks your OSX machine against various hardened configuration settings. -[Lockdown](https://objective-see.com/products/lockdown.html) - audits and remediates security configuration settings. +[Lockdown](https://objective-see.com/products/lockdown.html) - Audits and remediates security configuration settings. -[Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - scan for applications that are either susceptible to dylib hijacking or have been hijacked. +[Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - Scan for applications that are either susceptible to dylib hijacking or have been hijacked. [F-Secure XFENCE](https://campaigns.f-secure.com/xfence/) (formerly [Little Flocker](https://github.com/drduh/macOS-Security-and-Privacy-Guide/pull/237)) - "Little Snitch for files"; prevents applications from accessing files. -[facebook/osquery](https://github.com/facebook/osquery) - can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. +[facebook/osquery](https://github.com/facebook/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. -[google/grr](https://github.com/google/grr) - incident response framework focused on remote live forensics. +[google/grr](https://github.com/google/grr) - Incident response framework focused on remote live forensics. -[yelp/osxcollector](https://github.com/yelp/osxcollector) - forensic evidence collection & analysis toolkit for OS X. 
+[yelp/osxcollector](https://github.com/yelp/osxcollector) - Forensic evidence collection & analysis toolkit for OS X. -[jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names. +[jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - Analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names. -[libyal/libfvde](https://github.com/libyal/libfvde) - library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. +[libyal/libfvde](https://github.com/libyal/libfvde) - Library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. -[CISOfy/lynis](https://github.com/CISOfy/lynis) - cross-platform security auditing tool and assists with compliance testing and system hardening. +[CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. -[Zentral](https://github.com/zentralopensource/zentral) - a log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). +[Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). ## Additional resources From 13a4a8fd569414706335d2665c823225d39bf251 Mon Sep 17 00:00:00 2001 
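Review bot: while these description lines are being touched anyway, the Zentral entry in this hunk still reads "A full Framework and Django web server build on top of the elastic stack"; "build" should be "built" and "Framework" needs no capital, and "Run audit and probes on inventory" would read better as "Runs audits and probes on inventory". In the same hunk the `facebook/osquery` entry says "retrieve system information" in both of its sentences; collapsing it to a single sentence such as "Retrieves low-level system information via SQL queries" would match the capitalised, one-sentence style this commit is introducing for the rest of the list.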
From: alichtman Date: Fri, 11 May 2018 05:18:04 -0500 Subject: [PATCH 059/476] Added shell syntax for all code-formatted blocks --- README.md | 369 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 209 insertions(+), 160 deletions(-) diff --git a/README.md b/README.md index 5d2f6ae4..7dbb9460 100755 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ Another way is to download **macOS Sierra** from the [App Store](https://itunes. The macOS Sierra installer application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `spctl -a -v` or `pkgutil --check-signature` commands: -``` +```shell $ pkgutil --check-signature /Applications/Install\ macOS\ Sierra.app Package "Install macOS Sierra.app": Status: signed by a certificate trusted by Mac OS X @@ -157,7 +157,7 @@ Package "Install macOS Sierra.app": You may also use the `codesign` command to examine an application's code signature: -``` +```shell $ codesign -dvv /Applications/Install\ macOS\ Sierra.app Executable=/Applications/Install macOS Sierra.app/Contents/MacOS/InstallAssistant Identifier=com.apple.InstallAssistant.Sierra @@ -179,7 +179,7 @@ macOS installers can be made with the `createinstallmedia` utility included in ` To create a **bootable USB installer**, mount a USB drive, and erase and partition it, then use the `createinstallmedia` utility: -``` +```shell $ diskutil list [Find disk matching correct size, usually "disk2"] 
@@ -279,7 +279,7 @@ We're not done yet! Unless you have built the image with [AutoDMG](https://githu Download the file [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg). -``` +```shell RecoveryHDUpdate.dmg SHA-256: f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c SHA-1: 1ac3b7059ae0fcb2877d22375121d4e6920ae5ba @@ -287,7 +287,7 @@ SHA-1: 1ac3b7059ae0fcb2877d22375121d4e6920ae5ba Attach and expand the installer, then run it: -``` +```shell $ hdiutil attach RecoveryHDUpdate.dmg $ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery @@ -307,7 +307,7 @@ Once you're done, eject the disk with `hdiutil unmount /Volumes/macOS` and power To install macOS as a virtual machine (vm) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition manually. -``` +```shell VMware-Fusion-10.1.0-7370838.dmg SHA-256: 5e968c5f88eb929740115374e0162779cbccd0383bc70e7bc52a0a680bf8fe2b SHA-1: ef694e2bba7205253d5fde6e68e8ba78fad82952 @@ -337,7 +337,7 @@ From the host Mac, start Apache in the foreground: From the guest VM, install the disk image to the volume over the local network using `asr`: -``` +```shell -bash-3.2# asr restore --source http://172.16.34.1/sierra.dmg --target /Volumes/Macintosh\ HD/ --erase --buffersize 4m Validating target...done Validating source...done 
@@ -410,14 +410,14 @@ It is not strictly required to ever log into the admin account via the macOS log Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account. Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see [issue #179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)): -``` +```shell $ sudo dscl . -delete /Groups/admin GroupMembership $ sudo dscl . -delete /Groups/admin GroupMembers ``` You can find the “GeneratedUID” of your account with: -``` +```shell $ dscl . -read /Users/ GeneratedUID ``` @@ -523,7 +523,7 @@ Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/inde *Example of Little Snitch-monitored session* -``` +```shell LittleSnitch-4.0.5.dmg SHA-256: a954a269596c9a8e9efb3efadf843a6ae419fe218145c5b8d877e2acb0692981 SHA-1: f642900c9c4f82a0fec38a0c826133e54cfbc0dc @@ -547,7 +547,7 @@ There are many books and articles on the subject of pf firewall. Here's is just Add the following into a file called `pf.rules`, modifying `en0` to be your outbound network adapter: -``` +```shell set block-policy drop set fingerprints "/etc/pf.os" set ruleset-optimization basic @@ -586,18 +586,18 @@ Copy and paste the list of networks returned into the blocklist command: Confirm the addresses were added: -```` +```shell $ sudo pfctl -t blocklist -T show No ALTQ support in kernel ALTQ related functions disabled 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16 -```` +``` Confirm network traffic is blocked to those addresses (note that DNS requests will still work): -```` +```shell $ dig a +short facebook.com 157.240.2.35 
@@ -614,7 +614,7 @@ IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0 IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0 IP 192.168.1.1.62771 > 157.240.2.35.80: tcp 0 IP 192.168.1.1.162771 > 157.240.2.35.80: tcp 0 -```` +``` Outgoing TCP SYN packets are blocked, so a TCP connection is not established and thus a Web site is effectively blocked at the IP layer. @@ -678,7 +678,7 @@ See [fix-macosx.com](https://fix-macosx.com/) for detailed instructions. To download, view and apply their suggested fixes: -``` +```shell $ curl -O https://fix-macosx.com/fix-macosx.py $ less fix-macosx.py @@ -729,7 +729,7 @@ For hosts lists, see [someonewhocares.org](http://someonewhocares.org/hosts/zero To append a list of hosts from a list, use the `tee` command, then confirm by editing `/etc/hosts` or counting the number of lines in it: -``` +```shell $ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo tee -a /etc/hosts $ wc -l /etc/hosts @@ -753,13 +753,13 @@ A GUI application is only available for the discontinued version 1 of `dnscrypt- Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: -``` +```shell $ brew install dnscrypt-proxy ``` If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-proxy.plist` by running -``` +```shell $ brew info dnscrypt-proxy ``` @@ -767,11 +767,15 @@ which will show a location like `/usr/local/Cellar/dnscrypt-proxy/2.0.8`, and `h Edit it to have the line: - --local-address=127.0.0.1:5355 +```shell +--local-address=127.0.0.1:5355 +``` Below the line: - /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy +```shell +/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy +``` dnscrypt 
@@ -779,23 +783,28 @@ Below the line: This can also be done using Homebrew, by installing `gnu-sed` and using the `gsed` command: - $ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a--local-address=127.0.0.1:5355<\\/string>\n" $(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist) - +```shell +$ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a--local-address=127.0.0.1:5355<\\/string>\n" $(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist) +``` By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. This can be fixed by changing the resolvers file in `homebrew.mxcl.dnscrypt-proxy.plist` (found earlier using find) to the symlinked version in `/usr/local/share`: - --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv +```shell +--resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv +``` Below the line: - - /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy +```shell +/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy +``` Start DNSCrypt: - - $ sudo brew services restart dnscrypt-proxy +```shell +$ sudo brew services restart dnscrypt-proxy +``` Make sure DNSCrypt is running: -``` +```shell $ sudo lsof -Pni UDP:5355 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME dnscrypt- 13415 nobody 6u IPv4 0x1773f85ff9f8bbef 0t0 UDP 127.0.0.1:5355 @@ -814,7 +823,7 @@ You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper Confirm outgoing DNS traffic is encrypted: -``` +```shell $ sudo tcpdump -qtni en0 IP 10.8.8.8.59636 > 107.181.168.52: UDP, length 512 IP 107.181.168.52 > 10.8.8.8.59636: UDP, length 368 
@@ -827,10 +836,10 @@ dnscrypt-proxy also has the capability to blacklist domains, including the use o **Note** Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules: -```` +```shell block drop quick on !lo0 proto udp from any to any port = 53 block drop quick on !lo0 proto tcp from any to any port = 53 -```` +``` See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html), the [mDNSResponder manual page](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/mDNSResponder.8.html) and [ipv6-test.com](http://ipv6-test.com/). @@ -846,19 +855,19 @@ If you don't wish to use DNSCrypt, you should at least use DNS [not provided](ht Install Dnsmasq (DNSSEC is optional): -``` +```shell $ brew install dnsmasq --with-dnssec $ cp /usr/local/etc/dnsmasq.conf.default /usr/local/etc/dnsmasq.conf ``` Edit the configuration: -``` +```shell $ vim /usr/local/etc/dnsmasq.conf ``` Examine all the options. Here are a few recommended settings to enable: -``` +```shell # Forward queries to DNSCrypt on localhost port 5355 server=127.0.0.1#5355 @@ -909,19 +918,19 @@ log-facility=/var/log/dnsmasq.log Install and start the program (sudo is required to bind to [privileged port](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only) 53): -``` +```shell $ sudo brew services start dnsmasq ``` To set Dnsmasq as your local DNS server, open **System Preferences** > **Network** and select the active interface, then the **DNS** tab, select **+** and add `127.0.0.1`, or use: -``` +```shell $ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 ``` Make sure Dnsmasq is correctly configured: -``` +```shell $ scutil --dns DNS configuration 
@@ -991,7 +1000,7 @@ If you're going to use OpenSSL on your Mac, download and install a recent versio Compare the TLS protocol and cipher between the homebrew version and the system version of OpenSSL: -``` +```shell $ ~/homebrew/bin/openssl version; echo | ~/homebrew/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session OpenSSL 1.0.2j 26 Sep 2016 SSL-Session: @@ -1015,7 +1024,7 @@ If you prefer to use OpenSSL, install with `brew install curl --with-openssl` an Here are several recommended [options](http://curl.haxx.se/docs/manpage.html) to add to `~/.curlrc` (see `man curl` for more): -``` +```shell user-agent = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" referer = ";auto" connect-timeout = 10 
@@ -1038,24 +1047,29 @@ Consider using [Privoxy](http://www.privoxy.org/) as a local proxy to filter Web A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/OSX/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. Alternatively, install and start privoxy using Homebrew: +```shell +$ brew install privoxy - $ brew install privoxy - - $ brew services start privoxy +$ brew services start privoxy +``` By default, privoxy listens on local TCP port 8118. Set the system **HTTP** proxy for your active network interface `127.0.0.1` and `8118` (This can be done through **System Preferences > Network > Advanced > Proxies**): - $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118 +```shell +$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118 +``` **(Optional)** Set the system **HTTPS** proxy, which still allows for domain name filtering, with: - $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118 +```shell +$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118 +``` Confirm the proxy is set: -``` +```shell $ scutil --proxy { ExceptionsList : { @@ -1071,7 +1085,7 @@ $ scutil --proxy Visit in a browser, or with Curl: -``` +```shell $ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/ HTTP/1.1 200 OK Content-Length: 2401 @@ -1085,7 +1099,7 @@ Edit `~/homebrew/etc/privoxy/user.action` to filter elements by domain or with r Here are some examples: -``` +```shell { +block{social networking} } www.facebook.com/(extern|plugins)/(login_status|like(box)?|activity|fan)\.php .facebook.com @@ -1109,7 +1123,7 @@ imgur.com Verify Privoxy is blocking and redirecting: -``` +```shell $ ALL_PROXY=127.0.0.1:8118 curl ads.foo.com/ -IL HTTP/1.1 403 Request blocked by Privoxy Content-Type: image/gif 
@@ -1250,7 +1264,7 @@ If you prefer a graphical application, download and install [GPG Suite](https:// Here are several [recommended options](https://github.com/drduh/config/blob/master/gpg.conf) to add to `~/.gnupg/gpg.conf`: -``` +```shell auto-key-locate keyserver keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options no-honor-keyserver-url @@ -1287,7 +1301,7 @@ The first time you start a conversation with someone new, you'll be asked to ver A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). -``` +```shell Adium_1.5.10.4.dmg SHA-256: 31fa3fd32b86dd3381b60e0d5aafbc2a9452036f0fb4963bffbc2a6c64a9458b SHA-1: 8a674a642447839ea287aed528194e4fd32763b8 @@ -1311,7 +1325,7 @@ Do **not** attempt to configure other browsers or applications to use Tor as you Download both the `dmg` and `asc` signature files, then verify the disk image has been signed by Tor developers: -``` +```shell $ cd ~/Downloads $ file Tor* @@ -1347,7 +1361,7 @@ See [How to verify signatures for packages](https://www.torproject.org/docs/veri To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with: -``` +```shell $ hdiutil mount TorBrowser-7.0.10-osx64_en-US.dmg $ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications @@ -1355,7 +1369,7 @@ $ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications Verify the Tor application's code signature was made by with The Tor Project's Apple developer ID **MADPSAYN6T**, using the `spctl -a -v` and/or `pkgutil --check-signature` commands: -``` +```shell $ spctl -a -vv /Applications/TorBrowser.app /Applications/TorBrowser.app: accepted source=Developer ID @@ -1377,7 +1391,7 @@ Package "TorBrowser.app": You may also use the `codesign` command to examine an application's code signature: -``` +```shell $ codesign -dvv /Applications/TorBrowser.app Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox Identifier=org.torproject.torbrowser 
@@ -1397,7 +1411,7 @@ Internal requirements count=1 size=188 To view full certificate details, extract them with `codesign` and decode it with `openssl`: -``` +```shell $ codesign -d --extract-certificates /Applications/TorBrowser.app Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox @@ -1421,7 +1435,7 @@ SHA256 Fingerprint=B5:0D:47:F0:3E:CB:42:B6:68:1C:6F:38:06:2B:C2:9F:41:FA:D6:54:F Tor traffic is **encrypted** to the [exit node](https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Exit_node_eavesdropping) (i.e., cannot be read by a passive network eavesdropper), but Tor use **can** be identified - for example, TLS handshake "hostnames" will show up in plaintext: -``` +```shell $ sudo tcpdump -An "tcp" | grep "www" listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes .............". ...www.odezz26nvv7jeqz1xghzs.com......... 
@@ -1508,16 +1522,17 @@ See also [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafem See [here](http://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/) for more information. To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and [make it immutable](http://hints.macworld.com/article.php?story=20031017061722471): +```shell +$ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 - $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 - - $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 +$ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 +``` ## Metadata and artifacts macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: -``` +```shell $ ls -l@ ~/Downloads/TorBrowser-6.0.8-osx64_en-US.dmg -rw-r--r--@ 1 drduh staff 59322237 Dec 1 12:00 TorBrowser-6.0.8-osx64_en-US.dmg com.apple.metadata:kMDItemWhereFroms 186 @@ -1581,7 +1596,7 @@ com.apple.quarantine: 0081;58519ffa;Google Chrome.app;1F032CAB-F5A1-4D92-84EB-CB Metadata attributes can also be removed with the `-d` flag: -``` +```shell $ xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg $ xattr -d com.apple.quarantine ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg 
@@ -1596,46 +1611,46 @@ Other metadata and artifacts may be found in the directories including, but not `/Library/Preferences/com.apple.Bluetooth.plist` contains Bluetooth metadata, including device history. If Bluetooth is not used, the metadata can be cleared with: -```` +```shell sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices -```` +``` `/var/spool/cups` contains the CUPS printer job cache. To clear it, use the commands: -```` +```shell sudo rm -rfv /var/spool/cups/c0* sudo rm -rfv /var/spool/cups/tmp/* sudo rm -rfv /var/spool/cups/cache/job.cache* -```` +``` To clear the list of iOS devices connected, use: -```` +```shell sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices sudo rm -rfv /var/db/lockdown/* -```` +``` QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. 
It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: -```` +```shell rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data -```` +``` Similarly, for the root user: -```` +```shell sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite 
@@ -1644,137 +1659,143 @@ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler -```` +``` To clear Finder preferences: -```` +```shell defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches -```` +``` Additional diagnostic files may be found in the following directories - but caution should be taken before removing any, as it may break logging or cause other issues: -```` +```shell /var/db/CoreDuet/ /var/db/diagnostics/ /var/db/systemstats/ /var/db/uuidtext/ /var/log/DiagnosticMessages/ -```` +``` macOS stored preferred Wi-Fi data (including credentials) in nvram. To clear it, use the following commands: -```` +```shell sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count -```` +``` macOS may collect sensitive information about what you type, even if user dictionary and suggestions are off. 
To remove them, and prevent them from being created again, use the following commands: -```` +```shell rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*" chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions -```` +``` QuickLook application support metadata can be cleared and locked with the following commands: -```` +```shell rm -rfv "~/Library/Application Support/Quick Look/*" chmod -R 000 "~/Library/Application Support/Quick Look" chflags -R uchg "~/Library/Application Support/Quick Look" -```` +``` Document revision metadata is stored in `/.DocumentRevisions-V100` and can be cleared and locked with the following commands - caution should be taken as this may break some core Apple applications: -```` +```shell sudo rm -rfv /.DocumentRevisions-V100/* sudo chmod -R 000 /.DocumentRevisions-V100 sudo chflags -R uchg /.DocumentRevisions-V100 -```` +``` Saved application state metadata may be cleared and locked with the following commands: -```` +```shell rm -rfv "~/Library/Saved Application State/*" rm -rfv "~/Library/Containers//Saved Application State" chmod -R 000 "~/Library/Saved Application State/" chmod -R 000 "~/Library/Containers//Saved Application State" chflags -R uchg "~/Library/Saved Application State/" chflags -R uchg "~/Library/Containers//Saved Application State" -```` +``` Autosave metadata can be cleared and locked with the following commands: -```` +```shell rm -rfv "~/Library/Containers//Data/Library/Autosave Information" rm -rfv "~/Library/Autosave Information" chmod -R 000 "~/Library/Containers//Data/Library/Autosave Information" chmod -R 000 "~/Library/Autosave Information" chflags -R uchg "~/Library/Containers//Data/Library/Autosave Information" chflags -R uchg "~/Library/Autosave Information" -```` +``` The Siri analytics database, which is created even if the Siri launch agent disabled, can be 
cleared and locked with the following commands: -```` +```shell rm -rfv ~/Library/Assistant/SiriAnalytics.db chmod -R 000 ~/Library/Assistant/SiriAnalytics.db chflags -R uchg ~/Library/Assistant/SiriAnalytics.db -```` +``` `~/Library/Preferences/com.apple.iTunes.plist` contains iTunes metadata. Recent iTunes search data may be cleared with the following command: -```` +```shell defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches -```` +``` If you do not use Apple ID-linked services, the following keys may be cleared, too, using the following commands: -```` +```shell defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID -```` +``` `~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist` contains all media played in QuickTime Player. Additional metadata may exist in the following files: -```` +```shell ~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist ~/Library/Preferences/com.apple.commerce.plist ~/Library/Preferences/com.apple.QuickTimePlayerX.plist -```` +``` ## Passwords You can generate strong passwords with OpenSSL: - $ openssl rand -base64 30 - LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI +```shell +$ openssl rand -base64 30 +LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI +``` Or GPG: - - $ gpg --gen-random -a 0 30 - 4/bGZL+yUEe8fOqQhF5V01HpGwFSpUPwFcU3aOWQ +```shell +$ gpg --gen-random -a 0 30 +4/bGZL+yUEe8fOqQhF5V01HpGwFSpUPwFcU3aOWQ +``` Or `/dev/urandom` output: - - $ dd if=/dev/urandom bs=1 count=30 2>/dev/null | base64 - CbRGKASFI4eTa96NMrgyamj8dLZdFYBaqtWUSxKe +```shell +$ dd if=/dev/urandom bs=1 count=30 2>/dev/null | base64 +CbRGKASFI4eTa96NMrgyamj8dLZdFYBaqtWUSxKe +``` With control over character sets: - $ LANG=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 1 - jm0iKn7ngQST8I0mMMCbbi6SKPcoUWwCb5lWEjxK +```shell +$ LANG=C tr 
-dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 1 +jm0iKn7ngQST8I0mMMCbbi6SKPcoUWwCb5lWEjxK - $ LANG=C tr -dc 'DrDuh0-9' < /dev/urandom | fold -w 40 | head -n 1 - 686672u2Dh7r754209uD312hhh23uD7u41h3875D +$ LANG=C tr -dc 'DrDuh0-9' < /dev/urandom | fold -w 40 | head -n 1 +686672u2Dh7r754209uD312hhh23uD7u41h3875D +``` You can also generate passwords, even memorable ones, using **Keychain Access** password assistant, or a command line equivalent like [anders/pwgen](https://github.com/anders/pwgen). @@ -1796,16 +1817,22 @@ One way is to use a symmetric cipher with GPG and a password of your choosing. To encrypt a directory: - $ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg +```shell +$ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg +``` To decrypt an archive: - $ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg && \ - tar zxvf ~/Desktop/decrypted-backup.tar.gz +```shell +$ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg && \ + tar zxvf ~/Desktop/decrypted-backup.tar.gz +``` You may also create encrypted volumes using **Disk Utility** or `hdiutil`: - $ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+ +```shell +$ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+ +``` Also see the following applications and services: [SpiderOak](https://spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). 
@@ -1821,7 +1848,9 @@ Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/ You may wish to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of your network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: - $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') +```shell +$ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') +``` **Note** MAC addresses will reset to hardware defaults on each boot. @@ -1835,10 +1864,12 @@ For outgoing ssh connections, use hardware- or password-protected keys, [set up] Here are several recommended [options](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5) to add to `~/.ssh/config`: - Host * - PasswordAuthentication no - ChallengeResponseAuthentication no - HashKnownHosts yes +```shell +Host * + PasswordAuthentication no + ChallengeResponseAuthentication no + HashKnownHosts yes +``` **Note** [macOS Sierra permanently remembers SSH key passphrases by default](https://openradar.appspot.com/28394826). Append the option `UseKeyChain no` to turn this feature off. 
@@ -1846,21 +1877,25 @@ You can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/20 For example, to use Privoxy on a remote host: - $ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld - - $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555 - - $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 +```shell +$ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld +$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555 +$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 +``` Or to use an ssh connection as a [SOCKS proxy](https://www.mikeash.com/ssh_socks.html): - $ ssh -NCD 3000 you@remote-host.tld +```shell +$ ssh -NCD 3000 you@remote-host.tld +``` By default, macOS does **not** have sshd or *Remote Login* enabled. To enable sshd and allow incoming ssh connections: - $ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist +```shell +$ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist +``` Or use the **System Preferences** > **Sharing** menu. @@ -1868,15 +1903,17 @@ If you are going to enable sshd, at least disable password authentication and co To `/etc/sshd_config`, add: -``` +```shell PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no ``` - Confirm whether sshd is enabled or disabled: +Confirm whether sshd is enabled or disabled: - $ sudo lsof -Pni TCP:22 +```shell +$ sudo lsof -Pni TCP:22 +``` ## Physical access 
@@ -1896,7 +1933,7 @@ macOS has a powerful OpenBSM auditing capability. You can use it to monitor proc To tail audit logs, use the `praudit` utility: -``` +```shell $ sudo praudit -l /dev/auditpipe header,201,11,execve(2),0,Thu Sep 1 12:00:00 2015, + 195 msec,exec arg,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,attribute,100755,root,wheel,16777220,986535,0,subject,drduh,root,wheel,root,wheel,412,100005,50511731,0.0.0.0,return,success,0,trailer,201, header,88,11,connect(2),0,Thu Sep 1 12:00:00 2015, + 238 msec,argument,1,0x5,fd,socket-inet,2,443,173.194.74.104,subject,drduh,root,wheel,root,wheel,326,100005,50331650,0.0.0.0,return,failure : Operation now in progress,4354967105,trailer,88 @@ -1947,7 +1984,7 @@ You can also use [Wireshark](https://www.wireshark.org/) from the command line. Monitor DNS queries and replies: -``` +```shell $ tshark -Y "dns.flags.response == 1" -Tfields \ -e frame.time_delta \ -e dns.qry.name \ @@ -1957,7 +1994,7 @@ $ tshark -Y "dns.flags.response == 1" -Tfields \ Monitor HTTP requests and responses: -``` +```shell $ tshark -Y "http.request or http.response" -Tfields \ -e ip.dst \ -e http.request.full_uri \ @@ -1969,7 +2006,7 @@ $ tshark -Y "http.request or http.response" -Tfields \ Monitor x509 certificates: -``` +```shell $ tshark -Y "ssl.handshake.certificate" -Tfields \ -e ip.src \ -e x509sat.uTF8String \ @@ -1994,7 +2031,7 @@ Santa uses the [Kernel Authorization API](https://developer.apple.com/library/co To install Santa, visit the [Releases](https://github.com/google/santa/releases) page and download the latest disk image, the mount it and install the contained package: -``` +```shell $ hdiutil mount ~/Downloads/santa-0.9.20.dmg $ sudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt / 
@@ -2004,7 +2041,7 @@ By default, Santa installs in "Monitor" mode (meaning, nothing gets blocked, onl Verify Santa is running and its kernel module is loaded: -``` +```shell $ santactl status >>> Daemon Info Mode | Monitor @@ -2049,7 +2086,7 @@ Open iTunes: Create a new, example C program: -``` +```shell $ cat < foo.c > #include > main() { printf("Hello World\n”); } @@ -2058,7 +2095,7 @@ $ cat < foo.c Compile the program with GCC (requires installation of Xcode or command-line tools): -``` +```shell $ gcc -o foo foo.c $ file foo @@ -2070,7 +2107,7 @@ foo: code object is not signed at all Run it: -``` +```shell $ ./foo Hello World ``` @@ -2081,7 +2118,7 @@ Toggle Santa into “Lockdown” mode, which only allows whitelisted binaries to Try to run the unsigned binary: -``` +```shell $ ./foo bash: ./foo: Operation not permitted @@ -2096,7 +2133,7 @@ Parent: bash (701) ``` To whitelist a specific binary, determine its SHA-256 sum: -``` +```shell $ santactl fileinfo /Users/demouser/foo Path : /Users/demouser/foo SHA-256 : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed @@ -2108,12 +2145,14 @@ Rule : Blacklisted (Unknown) Add a whitelist rule: - $ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed - Added rule for SHA-256: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed. +```shell +$ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed +Added rule for SHA-256: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed. +``` Run it: -``` +```shell $ ./foo Hello World ``` 
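Review bot: the "Create a new, example C program" hunk only retags the fence, but the program shown inside it would not compile as written: the `printf("Hello World\n”);` line closes the string with a typographic right quote (`”`) instead of `"`, and the `#include` line carries no header name, so the later `gcc -o foo foo.c` step cannot reproduce the `Hello World` output that the guide relies on to demonstrate Santa's Monitor versus Lockdown behaviour. Suggest fixing the quote and include while the block is being edited, and note that `cat < foo.c` reads from the file rather than writing it; a heredoc (`cat > foo.c <<'EOF'`) is what the `>` continuation prompts imply.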
@@ -2122,7 +2161,7 @@ It's allowed and works! Applications can also be whitelisted by developer certificate (so that new binary versions will not need to be manually whitelisted on each update). For example, download and run Google Chrome - it will be blocked by Santa in "Lockdown" mode: -``` +```shell $ curl -sO https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg $ hdiutil mount googlechrome.dmg @@ -2135,7 +2174,7 @@ LSOpenURLsWithRole() failed with error -10810 for the file /Applications/Google Whitelist the application by its developer certificate (first item in the Signing Chain): -``` +```shell $ santactl fileinfo /Applications/Google\ Chrome.app/ Path : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome SHA-256 : 0eb08224d427fb1d87d2276d911bbb6c4326ec9f74448a4d9a3cfce0c3413810 @@ -2174,7 +2213,7 @@ Signing Chain: In this case, `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153` is the SHA-256 of Google’s Apple developer certificate (team ID EQHXZ8M8AV). To whitelist it: -``` +```shell $ sudo santactl rule --whitelist --certificate --sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 Added rule for SHA-256: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153. ``` @@ -2202,7 +2241,7 @@ If you want to use **torrents**, use [Transmission](http://www.transmissionbt.co Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended handlers to manage: -``` +```shellshell $ duti -s com.apple.Safari afp $ duti -s com.apple.Safari ftp 
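Review bot: the duti hunk introduces a malformed fence tag, `\`\`\`shellshell`, which Markdown renderers will treat as an unknown language and drop highlighting for; it should be `\`\`\`shell` like the other blocks in this commit. Separately, the Chrome whitelisting hunk presents the certificate rule as keyed on `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153`, the first item in the signing chain; it would help readers to say explicitly that a certificate rule trusts every binary signed under that leaf certificate, so a rule on an intermediate or root certificate further down the chain would be far broader than intended.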
@@ -2218,33 +2257,43 @@ In systems prior to macOS Sierra (10.12), enable the [tty_tickets flag](https:// Set your screen to lock as soon as the screensaver starts: - $ defaults write com.apple.screensaver askForPassword -int 1 - - $ defaults write com.apple.screensaver askForPasswordDelay -int 0 +```shell +$ defaults write com.apple.screensaver askForPassword -int 1 +$ defaults write com.apple.screensaver askForPasswordDelay -int 0 +``` Expose hidden files and Library folder in Finder: - $ defaults write com.apple.finder AppleShowAllFiles -bool true - - $ chflags nohidden ~/Library +```shell +$ defaults write com.apple.finder AppleShowAllFiles -bool true +$ chflags nohidden ~/Library +``` Show all filename extensions (so that "Evil.jpg.app" cannot masquerade easily). - $ defaults write NSGlobalDomain AppleShowAllExtensions -bool true +```shell +$ defaults write NSGlobalDomain AppleShowAllExtensions -bool true +``` Don't default to saving documents to iCloud: - $ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false +```shell +$ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false +``` Enable [Secure Keyboard Entry](https://security.stackexchange.com/questions/47749/how-secure-is-secure-keyboard-entry-in-mac-os-xs-terminal) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secureinput)). 
Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple): - $ defaults write com.apple.CrashReporter DialogType none +```shell +$ defaults write com.apple.CrashReporter DialogType none +``` Disable Bonjour [multicast advertisements](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): - $ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES +```shell +$ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES +``` [Disable Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) and Bluetooth features, if they aren't necessary. @@ -2254,21 +2303,21 @@ Did you know Apple has not shipped a computer with TPM since [2006](http://osxbo MacOS comes with this line in /etc/sudoers: -```` +```shell Defaults env_keep += "HOME MAIL" -```` +``` Which stops sudo from changing the HOME variable when you elevate privileges. This means it will execute as root the bash dotfiles in the non-root user's home directory when you run "sudo bash". It is adviseable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root. If you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.bashrc, eg: -```` +```shell export HOME=/Users/blah -```` +``` ## Related software -[stronghold](https://github.com/alichtman/stronghold) - Easily configure Mac security settings from the terminal. +[stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. [Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for macOS. 
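Review bot: the sudoers hunk changes the four-backtick fences to `\`\`\`shell`, but `Defaults env_keep += "HOME MAIL"` is sudoers syntax and `export HOME=/Users/blah` is a line for `/var/root/.bashrc`, so tagging either as a shell command is misleading; a plain fence (or `sudoers` for the first) is more accurate. The surrounding text also still reads "adviseable" and recommends editing `/etc/sudoers` directly; since a syntax error there locks out `sudo`, the guide should point readers at `visudo` for the edit. Finally, the stronghold description is changed to marketing wording ("Securely and easily configure your Mac"); the previous neutral phrasing matches the register of the other entries in the Related software list.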
From c560b7134c0dd6c69d3d53480a22bae8f6f46c46 Mon Sep 17 00:00:00 2001 From: Nathaniel Suchy Date: Thu, 17 May 2018 09:24:17 -0400 Subject: [PATCH 060/476] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7dbb9460..af8b1037 100755 --- a/README.md +++ b/README.md @@ -1228,7 +1228,7 @@ An excellent open source ad blocker for Safari that fully leverages Content bloc #### Other Web Browsers -Many Chromium-derived browsers are not recommended. They are usually [closed source](http://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](http://thesimplecomputer.info/the-private-life-of-chromium-browsers). +Many Chromium-derived browsers are not recommended. They are usually [closed source](http://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](https://web.archive.org/web/20180517132144/http://thesimplecomputer.info/the-private-life-of-chromium-browsers). Other miscellaneous browsers, such as [Brave](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use. From c38db30eaae10495392bf4e326747f0874fb9f6f Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 2 Jun 2018 15:44:42 -0700 Subject: [PATCH 061/476] Mention Purse --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index af8b1037..52a0f5f7 100755 --- a/README.md +++ b/README.md 
@@ -1801,7 +1801,7 @@ You can also generate passwords, even memorable ones, using **Keychain Access** Keychains are encrypted with a [PBKDF2 derived key](https://en.wikipedia.org/wiki/PBKDF2) and are a _pretty safe_ place to store credentials. See also [Breaking into the OS X keychain](http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain). Also be aware that Keychain [does not encrypt](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/118) the names corresponding to password entries. -Alternatively, you can manage an encrypted passwords file yourself with GnuPG (shameless plug for my [drduh/pwd.sh](https://github.com/drduh/pwd.sh) password manager script). +Alternatively, you can manage an encrypted passwords file yourself with GnuPG (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh) for example). In addition to passwords, ensure eligible online accounts, such as GitHub, Google accounts, banking, have [two factor authentication](https://en.wikipedia.org/wiki/Two-factor_authentication) enabled. From cdcd5305f182b846fd3a5f0320e4e02d91456eb2 Mon Sep 17 00:00:00 2001 From: Joost-Wim Boekesteijn Date: Tue, 5 Jun 2018 11:20:42 +0200 Subject: [PATCH 062/476] add 10.13.5 InstallESD.dmg hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 3951bf4b..94a096f7 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv 
@@ -21,3 +21,4 @@ Version,Build,SHA-256,SHA-1 10.13.2,17C88,a016570e65a70e23462efdddd845d3a1a5a7cc39aa770a0052af16e3d5f2ac4f,49e336085247331ea6033ebd3598a827caa6596e 10.13.3,17D47,438fc19055e56ac90fb485796d3aacc4059d241d79bc5c303220c4c2468a1f9d,726c7516fdbe33ae3f2384ba1ce7efcda4335776 10.13.4,17E199,fd33bb6f8a4132c2ba50808c0e1f92eb05b6c300d38e58287d5d7dec01a4cd65,2c72b22a45ea8f5a80bee91db8aba96dae8310ea +10.13.5,17F77,c4ff5048bafbf7f386cd6cb3b09b58112df607a526874c726d9b0c5ba2e61a4f,216b38acfb234b4e29c2dba41fd76814550b59e2 From b89b1a5c110be01a78998ed10096bd27c1c525bc Mon Sep 17 00:00:00 2001 From: Shreyas Minocha Date: Tue, 19 Jun 2018 00:59:39 +0530 Subject: [PATCH 063/476] Move a file path into a code snippet The page at http://macos.duh.to no longer awkwardly scrolls to the right. --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 52a0f5f7..d8153c3c 100755 --- a/README.md +++ b/README.md @@ -1756,7 +1756,11 @@ defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID ``` -`~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist` contains all media played in QuickTime Player. +All media played in QuickTime Player can be found in: + +```shell +~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist +``` Additional metadata may exist in the following files: From 74ab3ee9aee58ac871e7505fb3834d03cbe08bbb Mon Sep 17 00:00:00 2001 From: HazCod Date: Wed, 4 Jul 2018 08:46:43 +0200 Subject: [PATCH 064/476] Wi-Fi: Add warning about NVRAM --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index d8153c3c..b80ba922 100755 --- a/README.md +++ b/README.md 
@@ -1856,6 +1856,8 @@ You may wish to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofi $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') ``` +It is also good to know that macOS will store your Wi-FI SSID and passwords in NVRAM, because Recovery mode needs access to restore from the internet. When you need to pass your Mac along, be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM. (Resetting the SMC will clear some of the NVRAM, but not all.) + **Note** MAC addresses will reset to hardware defaults on each boot. Also see [feross/SpoofMAC](https://github.com/feross/SpoofMAC). From 0d63694e48c8cf23953aacc4173307fda1463355 Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 6 Jul 2018 10:51:04 -0700 Subject: [PATCH 065/476] Remove Broken Gorhill uMatrix Link to fix #309 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b80ba922..1495fd51 100755 --- a/README.md +++ b/README.md 
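Review bot: the added NVRAM paragraph makes two factual claims without a source: that macOS stores the Wi-Fi SSID and password in NVRAM for Recovery, and that de-authenticating the Mac from the Apple account clears NVRAM. The rest of the guide links a reference for claims like this, so a citation (Apple support article or a write-up) should accompany the paragraph, or the second claim should be softened to the NVRAM reset (`Command` `Option` `P` `R`) that the guide already documents. Also fix the capitalization "Wi-FI" to "Wi-Fi" to match the section heading.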
@@ -725,7 +725,7 @@ To block a domain, append `0 example.com` or `0.0.0.0 example.com` or `127.0.0.1 There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included. -For hosts lists, see [someonewhocares.org](http://someonewhocares.org/hosts/zero/hosts), [l1k/osxparanoia/blob/master/hosts](https://github.com/l1k/osxparanoia/blob/master/hosts), [StevenBlack/hosts](https://github.com/StevenBlack/hosts) and [gorhill/uMatrix/hosts-files.json](https://github.com/gorhill/uMatrix/blob/master/assets/umatrix/hosts-files.json). +For hosts lists, see [someonewhocares.org](http://someonewhocares.org/hosts/zero/hosts), [l1k/osxparanoia/blob/master/hosts](https://github.com/l1k/osxparanoia/blob/master/hosts) and [StevenBlack/hosts](https://github.com/StevenBlack/hosts). To append a list of hosts from a list, use the `tee` command, then confirm by editing `/etc/hosts` or counting the number of lines in it: From 6fe73c8d025560bb88fac9c685e079a9664d0fca Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 6 Jul 2018 11:41:14 -0700 Subject: [PATCH 066/476] Link objective-see quicklook blog entry. Fix #307 --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1495fd51..190ca912 100755 --- a/README.md +++ b/README.md 
@@ -1637,7 +1637,9 @@ sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices sudo rm -rfv /var/db/lockdown/* ``` -QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: +QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. + +It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: ```shell rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive @@ -1661,6 +1663,8 @@ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler ``` +Also see ['quicklook' cache may leak encrypted data](https://objective-see.com/blog/blog_0x30.html). + To clear Finder preferences: ```shell From dad901f5195c412ccbf83fa2b36209db5e2c5b3f Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 6 Jul 2018 11:54:47 -0700 Subject: [PATCH 067/476] Archive several links to fix #306 --- README.md | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 190ca912..2b7ab939 100755 --- a/README.md +++ b/README.md 
@@ -676,18 +676,7 @@ See [fix-macosx.com](https://fix-macosx.com/) for detailed instructions. **Note** This Web site and instructions may no longer work on macOS Sierra - see [issue 164](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/164). -To download, view and apply their suggested fixes: - -```shell -$ curl -O https://fix-macosx.com/fix-macosx.py - -$ less fix-macosx.py - -$ python fix-macosx.py -All done. Make sure to log out (and back in) for the changes to take effect. -``` - -For comparison, also see +For comparison to Windows 10, see ## Homebrew 
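Review bot: the replacement line `+For comparison to Windows 10, see` ends without a visible link target in this hunk (the original `-For comparison, also see` has the same problem), so as shown the sentence is dangling; please confirm the URL survived on that line or append it explicitly. Removing the `curl | python` style instructions for fix-macosx.py is the right call given the note above it that the script no longer works on Sierra, but the remaining "See fix-macosx.com for detailed instructions" context line should probably be qualified the same way.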
@@ -974,7 +963,7 @@ An attacker could trigger the utility and direct a Mac to a site with malware wi $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false -See also [Apple OS X Lion Security: Captive Portal Hijacking Attack](https://www.securestate.com/blog/2011/10/07/apple-os-x-lion-captive-portal-hijacking-attack), [Apple's secret "wispr" request](http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html), and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/). +Also see [Apple's secret "wispr" request](https://web.archive.org/web/20171008071031/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html) and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/). ## Certificate authorities 
@@ -1022,7 +1011,7 @@ The version of Curl which comes with macOS uses [Secure Transport](https://devel If you prefer to use OpenSSL, install with `brew install curl --with-openssl` and ensure it's the default with `brew link --force curl` -Here are several recommended [options](http://curl.haxx.se/docs/manpage.html) to add to `~/.curlrc` (see `man curl` for more): +Here are several recommended [options](https://curl.haxx.se/docs/manpage.html) to add to `~/.curlrc` (see `man curl` for more): ```shell user-agent = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" @@ -2307,7 +2296,7 @@ $ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulti [Disable Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) and Bluetooth features, if they aren't necessary. -Consider [sandboxing](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html) your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles). +Consider [sandboxing](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html) your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles). Did you know Apple has not shipped a computer with TPM since [2006](http://osxbook.com/book/bonus/chapter10/tpm/)? From acf1403200b626bda4ef02dd788ec076c78ea8ad Mon Sep 17 00:00:00 2001 From: Nathaniel Suchy Date: Fri, 20 Jul 2018 15:51:30 -0400 Subject: [PATCH 068/476] fixed dead link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 2b7ab939..82edb4f9 100755 --- a/README.md +++ b/README.md @@ -429,7 +429,7 @@ See also [this post](https://superuser.com/a/395738) for more information about FileVault encryption protects data at rest and hardens (but [not always prevents](http://blog.frizk.net/2016/12/filevault-password-retrieval.html)) someone with physical access from stealing data or tampering with your Mac. -With much of the cryptographic operations happening [efficiently in hardware](https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/), the performance penalty for FileVault is not noticeable. +With much of the cryptographic operations happening [efficiently in hardware](http://web.archive.org/web/20180720195105/https://software.intel.com/sites/default/files/m/d/4/1/d/8/AES_WP_Rev_03_Final_2010_01_26.pdf), the performance penalty for FileVault is not noticeable. Like all cryptosystems, the security of FileVault greatly depends on the quality of the pseudo random number generator (PRNG). From 2341f09d8e64910d6fe10995caf781f8d6402225 Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 20 Jul 2018 18:33:23 -0700 Subject: [PATCH 069/476] Add new dnssec trust anchor --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 82edb4f9..a098597f 100755 --- a/README.md +++ b/README.md @@ -902,6 +902,7 @@ log-facility=/var/log/dnsmasq.log # Enable DNSSEC (see https://www.iana.org/dnssec/files) #dnssec #trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 +#trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D #dnssec-check-unsigned ``` From 4297b5debfe27ff311eddc4201b987a38d0f7683 Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 20 Jul 2018 18:36:50 -0700 Subject: [PATCH 070/476] Disable thumbnail cache for #307 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
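Review bot: the dnsmasq hunk adds a second `#trust-anchor=` line for key tag 20326 next to the existing one for 19036, but both remain commented out along with `#dnssec`, so the config as shipped still performs no DNSSEC validation. Suggest a comment saying which anchor is current (20326 is the root KSK that replaced 19036 in the KSK rollover), and that the reader should uncomment `dnssec` and the matching `trust-anchor` line together, otherwise the new DS record is inert.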
diff --git a/README.md b/README.md index a098597f..3678033d 100755 --- a/README.md +++ b/README.md @@ -1627,7 +1627,7 @@ sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices sudo rm -rfv /var/db/lockdown/* ``` -QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. +QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. Disable the thumbnail cache with `qlmanage -r disablecache` It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: From 51cc575ecc9e9f47cca1fabfdd3a1099fb206266 Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 21 Jul 2018 09:57:05 -0700 Subject: [PATCH 071/476] Clean up passwords, add VirusTotal tip --- README.md | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 3678033d..dd2867b2 100755 --- a/README.md +++ b/README.md 
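Review bot: the added sentence "Disable the thumbnail cache with `qlmanage -r disablecache`" is missing its terminating period and is appended to a paragraph about clearing the cache, so the two actions (clear versus disable) read as one; a separate sentence or line would make clear that disabling is the persistent option and clearing is a one-off. It would also help to say what the user gives up (no Finder previews) so the trade-off referenced by the objective-see link is explicit.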
@@ -1766,33 +1766,39 @@ Additional metadata may exist in the following files: ## Passwords -You can generate strong passwords with OpenSSL: +Generate strong passwords with several programs or directly from [`/dev/urandom`](https://github.com/jedisct1/libsodium/issues/594): ```shell $ openssl rand -base64 30 LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI -``` -Or GPG: -```shell $ gpg --gen-random -a 0 30 4/bGZL+yUEe8fOqQhF5V01HpGwFSpUPwFcU3aOWQ -``` -Or `/dev/urandom` output: -```shell -$ dd if=/dev/urandom bs=1 count=30 2>/dev/null | base64 -CbRGKASFI4eTa96NMrgyamj8dLZdFYBaqtWUSxKe +$ cat /dev/urandom | base64 | fold -w40 | head -n5 +zAfhO1KGgyDwRUigYT+O1VZLnW9k5BIC8j3XYXAu +Hkx2/3d/Tem6rUG7bGYQizU9ueWQYIb9WJD1lzO2 +d8MfMu4PkIns3hY6FTkMhTKTIYDaqAxwTbIktu1X +ibd3+PKxRPY97nxQiIE45fzBLkjDnKcW3pfeaTNz +e5dIbZidfuiOQrlRCDIj9pg2p0lp8BhTgz3IMCc7 ``` With control over character sets: ```shell -$ LANG=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 1 -jm0iKn7ngQST8I0mMMCbbi6SKPcoUWwCb5lWEjxK +$ LANG=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 5 +rgBaAV0N09FzsqFRWhC6UFMJSjeisRhDuyqcJQox +ZG4NDhxBXlF1yHwdCMaanCRkFZKvQUrDRid9Hmop +TtRn5YVENCQ5krapAZxxS1bXk2vYIABOutDa4q1n +AHQMHD9ovOteWXVBLvLhccTaukOHLGUMhH7C6IPg +9kz7Kf4KIKAGq3Jy4XpQoQVMy9YL34wQbuCzhr4O -$ LANG=C tr -dc 'DrDuh0-9' < /dev/urandom | fold -w 40 | head -n 1 -686672u2Dh7r754209uD312hhh23uD7u41h3875D +$ LANG=C tr -dc 'A-F0-9' < /dev/urandom | fold -w 40 | head -n 5 +45D0371481EE5E5A5C1F68EA59E69F9CA52CB321 +A30B37A00302643921F205621B145E7EAF520164 +B6EF38A2DA1D0586D20105502AFFF0468EA5F16A +029D6EA9F76CD64D3356E342EA154BEFEBE23387 +07F468F0569579A0A06471247CABC4F4C1386E24 ``` You can also generate passwords, even memorable ones, using **Keychain Access** password assistant, or a command line equivalent like [anders/pwgen](https://github.com/anders/pwgen). 
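Review bot: in the passwords hunk, `$ cat /dev/urandom | base64 | fold -w40 | head -n5` has a redundant `cat`; `base64 < /dev/urandom | fold -w40 | head -n5` does the same. More importantly the heading says the output comes "directly from /dev/urandom", but the `base64` and `tr -dc` variants produce different alphabets (64 symbols versus the 62 or 16 in the two `tr` examples), so a 40-character hex string from `tr -dc 'A-F0-9'` carries 160 bits while the same length from `tr -dc 'a-zA-Z0-9'` carries about 238 bits; a one-line note on strength per character would keep readers from treating the examples as equivalent. Also worth keeping the `LANG=C` prefix explanation: without it `tr` may interpret the byte stream as multibyte text and fail.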
@@ -2233,15 +2239,17 @@ Zentral will support Santa in both MONITORING and LOCKDOWN operation mode. Clien ## Miscellaneous -If you wish, disable [Diagnostics & Usage Data](https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data). +Disable [Diagnostics & Usage Data](https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data). If you want to play **music** or watch **videos**, use [VLC media player](https://www.videolan.org/vlc/index.html) which is free and open source. If you want to use **torrents**, use [Transmission](http://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). +If you're unsure about whether an application or file is safe to open, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload) to be scanned and to examine its behavior. + Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended handlers to manage: -```shellshell +```shell $ duti -s com.apple.Safari afp $ duti -s com.apple.Safari ftp From e3bca517f1613d8b3a36baec8f827b1d0845e895 Mon Sep 17 00:00:00 2001 
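Review bot: the new VirusTotal sentence should carry a caveat: anything uploaded is retained and shared with the service's partners and other subscribers, so a file that may contain personal or confidential data should not be uploaded; recommend looking up the file's SHA-256 (the guide already shows `shasum -a 256` and `santactl fileinfo` for this) before uploading the file itself. The `\`\`\`shellshell` to `\`\`\`shell` correction in the duti hunk is good. Changing "If you wish, disable Diagnostics & Usage Data" to an unconditional "Disable" is fine but changes tone relative to the neighbouring "If you want to ..." items.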
From: drduh Date: Sat, 21 Jul 2018 16:50:07 -0700 Subject: [PATCH 072/476] Fix links, grammar and prepare for high sierra --- README.md | 151 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 83 insertions(+), 68 deletions(-) diff --git a/README.md b/README.md index dd2867b2..ad4a5e36 100755 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec The standard best security practices apply: * Create a threat model - * What are you trying to protect and from whom? Is your adversary a [three letter agency](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) (if so, you may want to consider using [OpenBSD](http://www.openbsd.org/) instead), a nosy eavesdropper on the network, or determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? + * What are you trying to protect and from whom? Is your adversary a [three letter agency](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) (if so, you may want to consider using [OpenBSD](https://www.openbsd.org/) instead), a nosy eavesdropper on the network, or determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? * Study and [recognize threats](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) and how to reduce attack surface against them. * Keep the system up to date 
@@ -280,9 +280,8 @@ We're not done yet! Unless you have built the image with [AutoDMG](https://githu Download the file [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg). ```shell -RecoveryHDUpdate.dmg -SHA-256: f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c -SHA-1: 1ac3b7059ae0fcb2877d22375121d4e6920ae5ba +$ shasum -a 256 RecoveryHDUpdate.dmg +f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c RecoveryHDUpdate.dmg ``` Attach and expand the installer, then run it: @@ -307,12 +306,6 @@ Once you're done, eject the disk with `hdiutil unmount /Volumes/macOS` and power To install macOS as a virtual machine (vm) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition manually. -```shell -VMware-Fusion-10.1.0-7370838.dmg -SHA-256: 5e968c5f88eb929740115374e0162779cbccd0383bc70e7bc52a0a680bf8fe2b -SHA-1: ef694e2bba7205253d5fde6e68e8ba78fad82952 -``` - For the Installation Method, select *Install macOS from the recovery partition*. Customize any memory or CPU requirements and complete setup. The guest vm should boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by default. **Note** If the virtual machine does not boot due to a kernel panic, adjust the memory and process resource settings. 
@@ -363,7 +356,7 @@ On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://sup When macOS first starts, you'll be greeted by **Setup Assistant**. -When creating your account, use a [strong password](http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) without a hint. +When creating your account, use a [strong password](https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) without a hint. If you enter your real name at the account setup process, be aware that your [computer's name and local hostname](https://support.apple.com/kb/PH18720) will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. You can change them both in **System Preferences > Sharing** or with the following commands: 
@@ -392,9 +385,9 @@ For more details, see [iOS, The Future Of macOS, Freedom, Security And Privacy I ## Admin and standard user accounts -The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 61–62) for admin accounts. It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. +The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 61–62) for admin accounts. 
It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. -It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be [removed from FileVault](http://apple.stackexchange.com/a/94373). +It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be [removed from FileVault](https://apple.stackexchange.com/a/94373). #### Caveats 
@@ -429,14 +422,12 @@ See also [this post](https://superuser.com/a/395738) for more information about FileVault encryption protects data at rest and hardens (but [not always prevents](http://blog.frizk.net/2016/12/filevault-password-retrieval.html)) someone with physical access from stealing data or tampering with your Mac. -With much of the cryptographic operations happening [efficiently in hardware](http://web.archive.org/web/20180720195105/https://software.intel.com/sites/default/files/m/d/4/1/d/8/AES_WP_Rev_03_Final_2010_01_26.pdf), the performance penalty for FileVault is not noticeable. +With much of the cryptographic operations happening [efficiently in hardware](https://web.archive.org/web/20180720195105/https://software.intel.com/sites/default/files/m/d/4/1/d/8/AES_WP_Rev_03_Final_2010_01_26.pdf), the performance penalty for FileVault is not noticeable. Like all cryptosystems, the security of FileVault greatly depends on the quality of the pseudo random number generator (PRNG). > The random device implements the Yarrow pseudo random number generator algorithm and maintains its entropy pool. Additional entropy is fed to the generator regularly by the SecurityServer daemon from random jitter measurements of the kernel. -> SecurityServer is also responsible for periodically saving some entropy to disk and reloading it during startup to provide entropy in early system operation. - See `man 4 random` for more information. Turning on FileVault in System Preferences **after** installing macOS, rather than creating an encrypted partition for the installation first, is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/230), because more PRNG entropy is available then. 
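Review bot: the removed line `-> SecurityServer is also responsible for periodically saving some entropy to disk and reloading it during startup to provide entropy in early system operation.` is the second half of the `man 4 random` quotation, and it is the half that backs the claim two paragraphs later that enabling FileVault after installation is more secure because more PRNG entropy is available by then. If it is being dropped because the man page text changed in newer macOS, say so in the commit message; otherwise keep it, since without it the blockquote is no longer a complete citation and the early-boot entropy argument loses its source.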
@@ -445,14 +436,35 @@ Additionally, the PRNG can be manually seeded with entropy by writing to /dev/ra To manually seed entropy *before* enabling FileVault: - $ cat > /dev/random - [Type random letters for a long while, then press Control-D] + $ cat > /dev/random + [Type random letters for a long while, then press Control-D] + +To test entropy and randomness quality, download and use [`ent`](http://www.fourmilab.ch/random/) with Homebrew, then: + +````shell +$ dd if=/dev/random of=/tmp/random count=8192 + +$ ent /tmp/random +Entropy = 7.999952 bits per byte. + +Optimum compression would reduce the size +of this 4194304 byte file by 0 percent. + +Chi square distribution for 4194304 samples is 278.80, and randomly +would exceed this value 14.64 percent of the times. + +Arithmetic mean value of data bytes is 127.4922 (127.5 = random). +Monte Carlo value for Pi is 3.142499106 (error 0.03 percent). +Serial correlation coefficient is 0.000508 (totally uncorrelated = 0.0) +```` + +See [Entropy and Random Number Generators](https://calomel.org/entropy_random_number_generators.html) and [Fun with encryption and randomness](https://rsmith.home.xs4all.nl/howto/fun-with-encryption-and-randomness.html) for more information. Enable FileVault with `sudo fdesetup enable` or through **System Preferences** > **Security & Privacy** and reboot. If you can remember your password, there's no reason to save the **recovery key**. However, your encrypted data will be lost forever if you can't remember the password or recovery key. -If you want to know more about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see [IEEE Std 1619-2007 “The XTS-AES Tweakable Block Cipher”](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) (pdf). 
+To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see [IEEE Std 1619-2007 “The XTS-AES Tweakable Block Cipher”](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) (pdf). You may wish to enforce **hibernation** and evict FileVault keys from memory instead of traditional sleep to memory: @@ -463,7 +475,7 @@ You may wish to enforce **hibernation** and evict FileVault keys from memory ins > Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn’t destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode. -If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See [issue #124](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/124) for more information. These settings can be changed with: +If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See [issue #124](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/124) for more information. These settings can be changed with: $ sudo pmset -a powernap 0 $ sudo pmset -a standby 0 
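Review bot: in the `@@ -445,14 +436,35 @@` hunk, the new `ent` section presents its output as a test of "entropy and randomness quality", but `ent` only measures statistical properties of the bytes it is given; the output of a CSPRNG such as Yarrow passes these tests whether or not its pool was well seeded, so the numbers cannot tell the reader whether the manual seeding just described had any effect. Suggest rewording to "to sanity-check the output of `/dev/random`" and adding one sentence that a good score is necessary but not sufficient. Two smaller points: the block opens with a four-backtick fence (````shell) while every other block in this file uses three backticks, and the `- $ cat > /dev/random` / `+ $ cat > /dev/random` pair differs only in whitespace, which should either be mentioned in the commit message or dropped to keep the diff reviewable.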
@@ -471,7 +483,7 @@ If you choose to evict FileVault keys in standby mode, you should also modify yo $ sudo pmset -a autopoweroff 0 For more information, see [Best Practices for -Deploying FileVault 2](http://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) and paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) +Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) and paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) ## Firewall 
@@ -517,18 +529,12 @@ After interacting with `socketfilterfw`, you may want to restart (or terminate) #### Third party firewalls -Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](http://radiosilenceapp.com/) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. +Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](https://radiosilenceapp.com/) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. Example of Little Snitch monitored session *Example of Little Snitch-monitored session* -```shell -LittleSnitch-4.0.5.dmg -SHA-256: a954a269596c9a8e9efb3efadf843a6ae419fe218145c5b8d877e2acb0692981 -SHA-1: f642900c9c4f82a0fec38a0c826133e54cfbc0dc -``` - These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [kernel extension](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html). If the number of choices of allowing/blocking network connections is overwhelming, use **Silent Mode** with connections allowed, then periodically check your settings to gain understanding of what various applications are doing. 
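Review bot: removing the `LittleSnitch-4.0.5.dmg` SHA-256/SHA-1 block leaves the reader with no integrity reference for a download that the very next paragraph flags as a closed-source kernel extension. If the hashes are being dropped because they go stale with each release, replace them with a pointer to checking the installer's code signature (`spctl -a -v`, which this guide already uses for the macOS installer) rather than removing the verification step entirely, and say so in the commit message.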
@@ -541,7 +547,7 @@ For more on how Little Snitch works, see the [Network Kernel Extensions Programm A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with `pfctl` and various configuration files. -pf can also be controlled with a GUI application such as [IceFloor](http://www.hanynet.com/icefloor/) or [Murus](http://www.murusfirewall.com/). +pf can also be controlled with a GUI application such as [IceFloor](http://www.hanynet.com/icefloor/) or [Murus](https://www.murusfirewall.com/). There are many books and articles on the subject of pf firewall. Here's is just one example of blocking traffic by IP address. @@ -662,7 +668,7 @@ Annotated lists of launch daemons and agents, the respective program executed, a $ diff <(python read_launch_plists.py) <(cat 16A323_launchd.csv) -See also [cirrusj.github.io/Yosemite-Stop-Launch](http://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation. +See also [cirrusj.github.io/Yosemite-Stop-Launch](https://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation. ## Spotlight Suggestions @@ -680,7 +686,7 @@ For comparison to Windows 10, see ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 
@@ -1772,10 +1780,13 @@ Generate strong passwords with several programs or directly from [`/dev/urandom` $ openssl rand -base64 30 LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI -$ gpg --gen-random -a 0 30 -4/bGZL+yUEe8fOqQhF5V01HpGwFSpUPwFcU3aOWQ +$ gpg --gen-random -a 0 60 | fold -w 20 +oYekhlKAtw4e+Ak032bi +fDNAN9laYKG/+59QJKve +zxMV8nVtnoI+NdyhUp+5 +x5BjEk/xxkWvd4Hf3iRG -$ cat /dev/urandom | base64 | fold -w40 | head -n5 +$ cat /dev/urandom | openssl base64 | fold -w40 | head -n5 zAfhO1KGgyDwRUigYT+O1VZLnW9k5BIC8j3XYXAu Hkx2/3d/Tem6rUG7bGYQizU9ueWQYIb9WJD1lzO2 d8MfMu4PkIns3hY6FTkMhTKTIYDaqAxwTbIktu1X @@ -1803,7 +1814,7 @@ B6EF38A2DA1D0586D20105502AFFF0468EA5F16A You can also generate passwords, even memorable ones, using **Keychain Access** password assistant, or a command line equivalent like [anders/pwgen](https://github.com/anders/pwgen). -Keychains are encrypted with a [PBKDF2 derived key](https://en.wikipedia.org/wiki/PBKDF2) and are a _pretty safe_ place to store credentials. See also [Breaking into the OS X keychain](http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain). Also be aware that Keychain [does not encrypt](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/118) the names corresponding to password entries. +Keychains are encrypted with a [PBKDF2 derived key](https://en.wikipedia.org/wiki/PBKDF2) and are a _pretty safe_ place to store credentials. See also [Breaking into the OS X keychain](http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain). Also be aware that Keychain [does not encrypt](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/118) the names corresponding to password entries. Alternatively, you can manage an encrypted passwords file yourself with GnuPG (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh) for example). 
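Review bot: in the `@@ -1772,10 +1780,13 @@` hunk, the password example keeps `gpg --gen-random -a 0 60`: quality level `0` is GnuPG's weak random level, which its documentation describes as not cryptographically strong, so it is the wrong level for generating passwords; use level `1` (strong, as for session keys) or `2` (very strong, as for long-term keys), e.g. `gpg --gen-random -a 2 60 | fold -w 20`. The 60-byte count and `fold -w 20` are consistent with the four 20-character lines shown, so only the level needs to change.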
@@ -1817,7 +1828,7 @@ In Addition to Login and other pam modules you can use Yubikey to secure your lo Always encrypt files locally before backing them up to external media or online services. -One way is to use a symmetric cipher with GPG and a password of your choosing. +One way is to use a symmetric cipher with GPG and a password of your choosing. Files can also be encrypted to a public key with GPG, with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide). To encrypt a directory: @@ -1825,11 +1836,12 @@ To encrypt a directory: $ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg ``` -To decrypt an archive: +To decrypt a compressed directory: ```shell -$ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg && \ - tar zxvf ~/Desktop/decrypted-backup.tar.gz +$ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg + +$ tar zxvf ~/Desktop/decrypted-backup.tar.gz ``` You may also create encrypted volumes using **Disk Utility** or `hdiutil`: @@ -1866,7 +1878,7 @@ Finally, WEP protection on wireless networks is [not secure](http://www.howtogee ## SSH -For outgoing ssh connections, use hardware- or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. +For outgoing ssh connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. Here are several recommended [options](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5) to add to `~/.ssh/config`: 
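Review bot: in the `@@ -1825,11 +1836,12 @@` hunk, splitting `gpg -o ... -d ... && tar zxvf ...` into two standalone commands drops the `&&` guard, so a failed decryption (wrong passphrase, truncated archive) no longer stops the `tar` step, and the intermediate `decrypted-backup.tar.gz` is left as plaintext on the Desktop with nothing telling the reader to remove it. Consider streaming instead, `gpg -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg | tar zxvf -`, which never writes the decrypted archive to disk and mirrors the `tar ... | gpg -c` form used to create it.

Review bot: in the `@@ -1866,7 +1878,7 @@` hunk, changing "hardware- or password-protected keys" to "hardware or password-protected keys" is a regression: the suspended hyphen was correct (hardware-protected or password-protected keys), and without it the sentence reads as "hardware keys or password-protected keys". Keep the original wording.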
@@ -1875,6 +1887,7 @@ Host * PasswordAuthentication no ChallengeResponseAuthentication no HashKnownHosts yes + VisualHostKey yes ``` **Note** [macOS Sierra permanently remembers SSH key passphrases by default](https://openradar.appspot.com/28394826). Append the option `UseKeyChain no` to turn this feature off. @@ -1954,6 +1967,8 @@ See articles on [ilostmynotes.blogspot.com](http://ilostmynotes.blogspot.com/201 #### DTrace +**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) [interferes](http://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. + `iosnoop` monitors disk I/O `opensnoop` monitors file opens @@ -1966,8 +1981,6 @@ See articles on [ilostmynotes.blogspot.com](http://ilostmynotes.blogspot.com/201 See `man -k dtrace` for more information. -**Note** [System Integrity Protection](https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection) [interferes](http://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it may no longer be possible to use these tools. - #### Execution `ps -ef` lists information about all running processes. @@ -2267,6 +2280,7 @@ Set your screen to lock as soon as the screensaver starts: ```shell $ defaults write com.apple.screensaver askForPassword -int 1 + $ defaults write com.apple.screensaver askForPasswordDelay -int 0 ``` @@ -2274,6 +2288,7 @@ Expose hidden files and Library folder in Finder: ```shell $ defaults write com.apple.finder AppleShowAllFiles -bool true + $ chflags nohidden ~/Library ``` 
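Review bot: in the `@@ -1954,6 +1967,8 @@` hunk, the relocated note now says DTrace is "not possible to use ... in recent macOS versions without disabling SIP", which is stronger than the "may no longer be possible" wording removed at `@@ -1966,8 +1981,6 @@` and stronger than what SIP actually enforces: with SIP enabled, `dtrace` still runs but reports that some features are unavailable, and probes against unrestricted processes work. Suggest keeping the softer wording and mentioning `csrutil enable --without dtrace`, which lifts only the DTrace restriction, so that readers are not nudged toward disabling all of SIP just to run `opensnoop`.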
@@ -2395,19 +2410,19 @@ export HOME=/Users/blah [Apple Open Source](https://opensource.apple.com/) -[OS X 10.10 Yosemite: The Ars Technica Review](http://arstechnica.com/apple/2014/10/os-x-10-10/) +[OS X 10.10 Yosemite: The Ars Technica Review](https://arstechnica.com/apple/2014/10/os-x-10-10/) [CIS Apple OSX 10.10 Benchmark](https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.10_Benchmark_v1.1.0.pdf) (pdf) [How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch) -[Security Configuration For Mac OS X Version 10.6 Snow Leopard](http://www.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf) (pdf) +[Security Configuration For Mac OS X Version 10.6 Snow Leopard](https://www.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf) (pdf) [EFF Surveillance Self-Defense Guide](https://ssd.eff.org/) [MacAdmins on Slack](https://macadmins.herokuapp.com/) -[iCloud security and privacy overview](http://support.apple.com/kb/HT4865) +[iCloud security and privacy overview](https://support.apple.com/kb/HT4865) [Demystifying the DMG File Format](http://newosxbook.com/DMG.html) From 505ceab983b0b33b892abf2254334622eafaec62 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 29 Jul 2018 15:47:24 -0700 Subject: [PATCH 073/476] Updating for High Sierra installation attempt --- README.md | 183 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 104 insertions(+), 79 deletions(-) diff --git a/README.md b/README.md index ad4a5e36..7117014d 100755 --- a/README.md +++ b/README.md 
@@ -1,22 +1,30 @@ -This guide is a collection of thoughts on and techniques for securing a modern Apple Mac computer ("MacBook") using macOS (formerly known as *OS X*) version 10.12 "Sierra", as well as steps to generally improving privacy. +This guide is a collection of techniques for improving the security and privacy of a modern Apple Macintosh computer ("MacBook") and macOS (formerly known as "OS X"). This guide is targeted to “power users” who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture. -This guide is provided on an 'as is' basis without any warranties of any kind. Only **you** are responsible if you break a Mac by following any of the steps herein. +This guide is provided on an 'as is' basis without any warranties of any kind. Only **you** are responsible if you break anything or get in any sort of trouble by following this guide. -If you wish to make a correction or improvement, please send a pull request or [open an issue](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues). +If you wish to make a correction or improvement, please send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues). This guide is also available in [简体中文](https://github.com/xitu/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). 
- [Basics](#basics) - [Firmware](#firmware) - [Preparing and Installing macOS](#preparing-and-installing-macos) - - [Virtualization](#virtualization) + - [Verifying Installation Integrity](#verifying-installation-integrity) + - [Creating a Bootable USB Installer](#creating-a-bootable-usb-installer) + - [Creating an Install Image](#creating-an-install-image) + - [Manual Way](#manual-way) + - [Target Disk Mode](#target-disk-mode) + - [Creating a Recovery Partition](#creating-a-recovery-partition) + - [Virtualization](#virtualization) - [First boot](#first-boot) - [System activation](#system-activation) - [Admin and standard user accounts](#admin-and-standard-user-accounts) + - [Caveats](#caveats) + - [Setup](#setup) - [Full disk encryption](#full-disk-encryption) - [Firewall](#firewall) - [Application layer firewall](#application-layer-firewall) @@ -35,13 +43,14 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [OpenSSL](#openssl) - [Curl](#curl) - [Web](#web) - - [Privoxy](#privoxy) - - [Browser](#browser) - - [Google Chrome](#google-chrome) - - [Firefox](#firefox) - - [Safari](#safari) - - [Web Browsers and Privacy](#web-browsers-and-privacy) - - [Plugins](#plugins) + - [Privoxy](#privoxy) + - [Browser](#browser) + - [Google Chrome](#google-chrome) + - [Firefox](#firefox) + - [Safari](#safari) + - [Other Web Browsers](#other-web-browsers) + - [Web Browsers and Privacy](#web-browsers-and-privacy) + - [Plugins](#plugins) - [PGP/GPG](#pgpgpg) - [OTR](#otr) - [Tor](#tor) 
@@ -67,19 +76,19 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec ## Basics -The standard best security practices apply: +Here is an overview of basic, standard best security practices which apply on macOS: -* Create a threat model - * What are you trying to protect and from whom? Is your adversary a [three letter agency](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) (if so, you may want to consider using [OpenBSD](https://www.openbsd.org/) instead), a nosy eavesdropper on the network, or determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? - * Study and [recognize threats](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) and how to reduce attack surface against them. +* Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) + * What are you trying to protect and from whom? Is your adversary a [three letter agency](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) (if so, you may want to consider using [OpenBSD](https://www.openbsd.org/) instead); a nosy eavesdropper on the network; or a determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? + * [Recognize threats](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) and how to reduce attack surface against them. * Keep the system up to date - * Patch, patch, patch your system and software. + * Patch, patch, patch the base system and third party software. * macOS system updates can be completed using the App Store application, or the `softwareupdate` command-line utility - neither requires registering an Apple account. - * Subscribe to announcement mailing lists (e.g., [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce)) for programs you use often. 
+ * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). -* Encrypt sensitive data - * In addition to full disk encryption, create one or many encrypted containers to store passwords, keys, personal documents, and other data at rest. +* Encrypt sensitive data at rest + * In addition to full disk encryption, consider creating one or several encrypted partitions or containers to store passwords, keys, personal documents, and other data, at rest. * This will mitigate damage in case of compromise and data exfiltration. * Frequent backups 
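Review bot: in the `@@ -67,19 +76,19 @@` hunk, the rewritten threat-model bullet still writes the acronym as "a determined [apt]"; since the line is being touched anyway, capitalise it as APT, as lowercase "apt" reads as the package manager. The added threat-model link is a good addition.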
@@ -93,31 +102,36 @@ The standard best security practices apply: ## Firmware -Setting a firmware password prevents your Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot. +Setting a firmware password prevents a Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. This feature [can be helpful if your laptop is lost or stolen](https://www.ftc.gov/news-events/blogs/techftc/2015/08/virtues-strong-enduser-device-controls), protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as [pcileech](https://github.com/ufrisk/pcileech), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer. -1. Start up pressing `Command` `R` keys to boot to [Recovery Mode](https://support.apple.com/en-au/HT201314) mode. - -3. When the Recovery window appears, choose **Firmware Password Utility** from the Utilities menu. - -4. In the Firmware Utility window that appears, select **Turn On Firmware Password**. - -5. Enter a new password, then enter the same password in the **Verify** field. - -6. Select **Set Password**. - -7. Select **Quit Firmware Utility** to close the Firmware Password Utility. - -8. Select the Apple menu and choose Restart or Shutdown. +1. Start up pressing `Command` and `R` keys to boot to [Recovery Mode](https://support.apple.com/en-au/HT201314) mode. +1. When the Recovery window appears, choose **Firmware Password Utility** from the Utilities menu. +1. In the Firmware Utility window that appears, select **Turn On Firmware Password**. +1. 
Enter a new password, then enter the same password in the **Verify** field. +1. Select **Set Password**. +1. Select **Quit Firmware Utility** to close the Firmware Password Utility. +1. Select the Apple menu and select Restart or Shutdown. The firmware password will activate at next boot. To validate the password, hold `Alt` during boot - you should be prompted to enter the password. The firmware password can also be managed with the `firmwarepasswd` utility while booted into the OS. For example, to prompt for the firmware password when attempting to boot from a different volume: - $ sudo firmwarepasswd -setpasswd -setmode command +``` +$ sudo firmwarepasswd -setpasswd -setmode command +``` + +To verify: -Enter a password and reboot. +``` +$ sudo firmwarepasswd -verify +Verifying Firmware Password +Enter password: +Correct +``` + +Note, a firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple 
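Review bot: in the `@@ -93,31 +102,36 @@` hunk, the rewritten first step still reads "boot to [Recovery Mode](https://support.apple.com/en-au/HT201314) mode", which duplicates "mode"; drop the trailing word while the line is being changed. The two new code blocks (`firmwarepasswd -setpasswd -setmode command` and `firmwarepasswd -verify`) use untagged fences while the rest of this file tags shell blocks with shell; tag them for consistency. The closing note that a firmware password can be bypassed with physical access is a useful caveat, but it sits at the end of the section while the DMA and "only way to reset" claims it qualifies are in the opening paragraph; consider moving it up so the two are read together.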
@@ -127,17 +141,21 @@ See [HT204455](https://support.apple.com/en-au/HT204455), [LongSoft/UEFITool](ht ## Preparing and Installing macOS -There are several ways to install a fresh copy of macOS. +There are several ways to install macOS. -The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by holding `Command` `R` keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the serial number and other identifying information over the network in plaintext. +The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by holding `Command` and `R` keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the serial number and other identifying information over the network in plaintext, which may not be desired for privacy reasons. PII is transmitted to Apple in plaintext when using macOS Recovery *Packet capture of an unencrypted HTTP conversation during macOS recovery* -Another way is to download **macOS Sierra** from the [App Store](https://itunes.apple.com/us/app/macos-sierra/id1127487414) or some other place and create a custom, installable system image. +An alternative way to install macOS is to first download **macOS High Sierra** from the [App Store](https://itunes.apple.com/us/app/macos-high-sierra/id1246284741) or elsewhere, and create a custom installable system image. + +### Verifying Installation Integrity + +The macOS installation application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `spctl -a -v` or `pkgutil --check-signature` or `codesign -dvv` commands. 
-The macOS Sierra installer application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `spctl -a -v` or `pkgutil --check-signature` commands: +Here are two example ways to verify the code signature and integrity of macOS application bundles: ```shell $ pkgutil --check-signature /Applications/Install\ macOS\ Sierra.app @@ -173,9 +191,11 @@ Sealed Resources version=2 rules=7 files=137 Internal requirements count=1 size=124 ``` -macOS installers can be made with the `createinstallmedia` utility included in `Install macOS Sierra.app/Contents/Resources/`. See [Create a bootable installer for macOS](https://support.apple.com/en-us/HT201372), or run the utility without arguments to see how it works. +### Creating a Bootable USB Installer -**Note** Apple's installer [does not appear to work](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.12 image, for example, the following steps must be run on a 10.12 machine! +macOS installers can be made with the `createinstallmedia` utility included in `Contents/Resources` folder of the installer application bundle. See [Create a bootable installer for macOS](https://support.apple.com/en-us/HT201372), or run the utility without arguments to see how it works. + +**Note** Apple's installer [does not appear to work](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.12 image, for example, the following steps must be run on macOS verison 10.12! To create a **bootable USB installer**, mount a USB drive, and erase and partition it, then use the `createinstallmedia` utility: 
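Review bot: in the `@@ -127,17 +141,21 @@` hunk, the new "Verifying Installation Integrity" text lists `codesign -dvv` alongside `spctl -a -v` and `pkgutil --check-signature` as a verification command, but `-d` puts codesign in display mode, where `-v` only raises verbosity; it prints the signing identity without checking that the signature is valid. Use `codesign --verify --deep --strict --verbose=2` on the bundle (or `codesign -vvv` without `-d`) for an actual check. Also, the section is now written for High Sierra while the example that follows still runs `pkgutil --check-signature /Applications/Install\ macOS\ Sierra.app`; either update the path or state that the output shown is from the Sierra installer.

Review bot: in the `@@ -173,9 +191,11 @@` hunk, "must be run on macOS verison 10.12!" has a typo ("version").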
@@ -199,59 +219,65 @@ Copy complete. Done. ``` -To create a **custom installable image** which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac, you will need to find the file `InstallESD.dmg`, which is also inside `Install macOS Sierra.app`. +### Creating an Install Image -With Finder, right click on the app, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg`. +To create a **custom install image** which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac (using a USB-C cable and target disk mode, for example), use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG). -You can [verify](https://support.apple.com/en-us/HT201259) the following cryptographic hashes to ensure you have the same copy with `openssl sha1 InstallESD.dmg` or `shasum -a 1 InstallESD.dmg` or `shasum -a 256 InstallESD.dmg` (in Finder, you can drag the file into a Terminal window to provide the full path). +#### Manual Way -To determine which macOS versions and builds originally shipped with or are available for your Mac, see [HT204319](https://support.apple.com/en-us/HT204319). +*Note* The following instructions appear to work only on macOS versions before 10.13. -See [InstallESD_Hashes.csv](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) in this repository for a list of current and previous file hashes. You can also Google the cryptographic hashes to ensure the file is genuine and has not been tampered with. +You will need to find the file `InstallESD.dmg`, which is also inside installation application. 
-To create the image, use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG), or to create it manually, mount and install the operating system to a temporary image: +Locate it in Terminal or with Finder, right click on the application bundle, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg` - $ hdiutil attach -mountpoint /tmp/install_esd ./InstallESD.dmg +Before continuing, [verify](https://support.apple.com/en-us/HT201259) the file's integrity by comparing its cryptographic hashes with either of the following commands: - $ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/output.sparseimage +``` +$ shasum -a 256 InstallESD.dmg - $ hdiutil attach -mountpoint /tmp/os -owners on /tmp/output.sparseimage +$ openssl sha256 InstallESD.dmg +``` - $ sudo installer -pkg /tmp/install_esd/Packages/OSInstall.mpkg -tgt /tmp/os -verbose +Both results should match a verion of macOS in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv). You can also search for hashes to ensure others are seeing the same. To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). -This part will take a while, so be patient. You can `tail -F /var/log/install.log` in another Terminal window to check progress. 
+Mount and install the operating system to a temporary image: -**(Optional)** Install additional software, for example [Wireshark](https://www.wireshark.org/download.html): +```shell +$ hdiutil attach -mountpoint /tmp/InstallESD ./InstallESD.dmg - $ hdiutil attach Wireshark\ 2.2.0\ Intel\ 64.dmg +$ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/output.sparseimage - $ sudo installer -pkg /Volumes/Wireshark/Wireshark\ 2.2.0\ Intel\ 64.pkg -tgt /tmp/os +$ hdiutil attach -mountpoint /tmp/os -owners on /tmp/output.sparseimage - $ hdiutil unmount /Volumes/Wireshark +$ sudo installer -pkg /tmp/InstallESD/Packages/OSInstall.mpkg -tgt /tmp/os -verbose +``` -See [MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment](https://github.com/MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment) for caveats and [chilcote/outset](https://github.com/chilcote/outset) to instead processes packages and scripts at first boot. +The installation will take a while, so be patient. You can use the command `tail -F /var/log/install.log` in another Terminal window to monitor progress or check for any failures. When you're done, detach, convert and verify the image: - $ hdiutil detach /tmp/os +```shell +$ hdiutil detach /tmp/os - $ hdiutil detach /tmp/install_esd +$ hdiutil detach /tmp/InstallESD - $ hdiutil convert -format UDZO /tmp/output.sparseimage -o ~/sierra.dmg +$ hdiutil convert -format UDZO /tmp/output.sparseimage -o ~/sierra.dmg - $ asr imagescan --source ~/sierra.dmg +$ asr imagescan --source ~/sierra.dmg +``` -Now `sierra.dmg` is ready to be applied to one or many Macs. One could futher customize the image to include premade users, applications, preferences, etc. +The file `sierra.dmg` is ready to be applied to any modern Macs. The image could be futher customized to include provisioned users, installed applications, preferences, for example. 
This image can be installed using another Mac in [Target Disk Mode](https://support.apple.com/en-us/HT201462) or from a bootable USB installer. -This image can be installed using another Mac in [Target Disk Mode](https://support.apple.com/en-us/HT201462) or from a bootable USB installer. +### Target Disk Mode -To use **Target Disk Mode**, boot up the Mac you wish to image while holding the `T` key and connect it to another Mac using a Firewire, Thunderbolt or USB-C cable. +To use **Target Disk Mode**, boot up the Mac you wish to image while holding the `T` key and connect it to another Mac using a USB-C, Thundrbolt or Firewire cable. If you don't have another Mac, boot to a USB installer, with `sierra.dmg` and other required files copied to it, by holding the *Option* key at boot. -Run `diskutil list` to identify the connected Mac's disk, usually `/dev/disk2` +Use the command `diskutil list` to identify the disk of the connected Mac, usually `/dev/disk2` -**(Optional)** [Securely erase](https://www.backblaze.com/blog/securely-erase-mac-ssd/) the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as `/dev/disk3s2`): +Optionally, [securely erase](https://www.backblaze.com/blog/securely-erase-mac-ssd/) the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as `/dev/disk3s2`): $ sudo diskutil secureErase freespace 1 /dev/disk3s2 
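Review bot: "Both results should match a verion of macOS in InstallESD_Hashes.csv" has a typo (verion) and states a weaker check than intended: the CSV has one row per Version and Build, so the reader should compare against the row for the build they actually downloaded, because matching any row only shows the file is some genuine installer, possibly an older one. Suggest "Both digests should match the row for your Version and Build in InstallESD_Hashes.csv". Elsewhere in this hunk: "inside installation application" is missing "the"; the shasum/openssl block is fenced with a bare ``` while the hdiutil block below it uses ```shell; "any modern Macs" should read "any modern Mac"; and "futher" and "Thundrbolt" are misspelled.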
@@ -275,9 +301,11 @@ If you want to transfer any files, copy them to a shared folder like `/Users/Sha *Finished restore install from USB recovery boot* -We're not done yet! Unless you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on your Mac, you will need to create a recovery partition (in order to use full disk encryption). You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or using the following manual steps: +### Creating a Recovery Partition -Download the file [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg). +**Unless** you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or manually by following these steps: + +Download [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg) and verify its integrity: ```shell $ shasum -a 256 RecoveryHDUpdate.dmg @@ -300,7 +328,7 @@ Replace `/Volumes/macOS` with the path to the target disk mode-booted Mac as nec This step will take several minutes. Run `diskutil list` again to make sure **Recovery HD** now exists on `/dev/disk2` or equivalent identifier. -Once you're done, eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac. +Eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac. ### Virtualization 
@@ -441,7 +469,7 @@ To manually seed entropy *before* enabling FileVault: To test entropy and randomness quality, download and use [`ent`](http://www.fourmilab.ch/random/) with Homebrew, then: -````shell +```shell $ dd if=/dev/random of=/tmp/random count=8192 $ ent /tmp/random @@ -456,7 +484,7 @@ would exceed this value 14.64 percent of the times. Arithmetic mean value of data bytes is 127.4922 (127.5 = random). Monte Carlo value for Pi is 3.142499106 (error 0.03 percent). Serial correlation coefficient is 0.000508 (totally uncorrelated = 0.0) -```` +``` See [Entropy and Random Number Generators](https://calomel.org/entropy_random_number_generators.html) and [Fun with encryption and randomness](https://rsmith.home.xs4all.nl/howto/fun-with-encryption-and-randomness.html) for more information. 
@@ -1163,7 +1191,7 @@ Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi Chrome offers account sync between multiple devices. Part of the sync data are stored website logins. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords. -Chrome's Web store for extensions requires a [$5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. +Chrome's Web store for extensions requires a [5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. 
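Review bot: "5 dollar lifetime fee" reads oddly once the $ is dropped; either keep "$5 lifetime fee" or write "5-dollar lifetime fee". While this paragraph is being touched, the neighbouring context lines "retaining your the security of your passwords" and "Despite under constants attacks" would be cheap to fix in the same commit.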
@@ -1194,7 +1222,7 @@ It is best to remember that Google is an advertising company and its major sourc Firefox offers a similar security model to Chrome. It offers a [bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. -See discussion in issues [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. +See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox), [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js/) for recommended privacy preferences and other hardening measures. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking. @@ -1258,7 +1286,7 @@ Install from Homebrew with `brew install gnupg`. If you prefer a graphical application, download and install [GPG Suite](https://gpgtools.org/). -Here are several [recommended options](https://github.com/drduh/config/blob/master/gpg.conf) to add to `~/.gnupg/gpg.conf`: +Below are several recommended options to add to `~/.gnupg/gpg.conf` - these settings will configure GnuPG to use SSL when fetching new keys and prefer strong cryptographic primitives. Also see [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf): ```shell auto-key-locate keyserver 
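Review bot: "these settings will configure GnuPG to use SSL when fetching new keys" should say TLS, and it is specifically the `keyserver hkps://hkps.pool.sks-keyservers.net` line in the block that provides it; the cipher and digest preference lines do not affect key fetching. Suggest "to fetch keys over TLS (hkps) and to prefer strong cryptographic primitives". The sentence now also does double duty as the lead-in to the block and as its explanation; the explanation read more naturally after the block where it was, so consider leaving it there.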
@@ -1279,13 +1307,10 @@ list-options show-uid-validity verify-options show-uid-validity with-fingerprint ``` -These settings will configure GnuPG to use SSL when fetching new keys and prefer strong cryptographic primitives. - -See also [ioerror/duraconf/configs/gnupg/gpg.conf](https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf). You should also take some time to read [OpenPGP Best Practices](https://help.riseup.net/en/security/message-security/openpgp/best-practices). -If you don't already have a keypair, create one using `gpg --gen-key`. Also see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide). +If you don't already have a keypair, create one using `gpg --gen-key`. Also see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to secure store the private key on hardware. -Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and practice encrypting and decrypting email to yourself and your friends. Get them interested in this stuff! +Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and [practice](https://help.riseup.net/en/security/message-security/openpgp/best-practices) encrypting and decrypting email to yourself and your friends. Get them interested in this stuff! ## OTR From df7425ca566bc7f6dfe76f9b65ee8ea1d6a69219 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 29 Jul 2018 21:14:09 -0700 Subject: [PATCH 074/476] More updates from HS install plus link fixes --- README.md | 350 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 192 insertions(+), 158 deletions(-) diff --git a/README.md b/README.md index 7117014d..589b3b7e 100755 --- a/README.md +++ b/README.md 
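Review bot: "to secure store the private key on hardware" should be "to securely store the private key on hardware". Attaching the riseup best-practices URL to the word "practice" hides what the removed line said plainly, that readers should read OpenPGP Best Practices; suggest keeping an explicit "read OpenPGP Best Practices" reference rather than burying it in a link anchor.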
@@ -11,14 +11,13 @@ If you wish to make a correction or improvement, please send a pull request or [ This guide is also available in [简体中文](https://github.com/xitu/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). - [Basics](#basics) -- [Firmware](#firmware) -- [Preparing and Installing macOS](#preparing-and-installing-macos) - - [Verifying Installation Integrity](#verifying-installation-integrity) - - [Creating a Bootable USB Installer](#creating-a-bootable-usb-installer) - - [Creating an Install Image](#creating-an-install-image) - - [Manual Way](#manual-way) - - [Target Disk Mode](#target-disk-mode) - - [Creating a Recovery Partition](#creating-a-recovery-partition) +- [Preparing and installing macOS](#preparing-and-installing-macos) + - [Verifying installation integrity](#verifying-installation-integrity) + - [Creating a bootable USB installer](#creating-a-bootable-usb-installer) + - [Creating an install image](#creating-an-install-image) + - [Manual way](#manual-way) + - [Target disk mode](#target-disk-mode) + - [Creating a recovery partition](#creating-a-recovery-partition) - [Virtualization](#virtualization) - [First boot](#first-boot) - [System activation](#system-activation) @@ -26,6 +25,7 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Caveats](#caveats) - [Setup](#setup) - [Full disk encryption](#full-disk-encryption) +- [Firmware](#firmware) - [Firewall](#firewall) - [Application layer firewall](#application-layer-firewall) - [Third party firewalls](#third-party-firewalls) @@ -48,8 +48,8 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Google Chrome](#google-chrome) - [Firefox](#firefox) - [Safari](#safari) - - [Other Web Browsers](#other-web-browsers) - - [Web Browsers and Privacy](#web-browsers-and-privacy) + - [Other Web browsers](#other-web-browsers) + - [Web browsers and privacy](#web-browsers-and-privacy) - [Plugins](#plugins) - [PGP/GPG](#pgpgpg) - [OTR](#otr) 
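Review bot: the case change is applied inconsistently in "Other Web browsers" and "Web browsers and privacy", where "Web" keeps its capital while every other entry lowercases everything after the first word; the GitHub anchor slug is the same either way, so use "Other web browsers" and "Web browsers and privacy", or leave both entries as they were.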
@@ -100,46 +100,7 @@ Here is an overview of basic, standard best security practices which apply on ma * Ultimately, the security of a system can be reduced to its administrator. * Care should be taken when installing new software. Always prefer [free](https://www.gnu.org/philosophy/free-sw.en.html) and open source software ([which macOS is not](https://superuser.com/questions/19492/is-mac-os-x-open-source)). -## Firmware - -Setting a firmware password prevents a Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. - -This feature [can be helpful if your laptop is lost or stolen](https://www.ftc.gov/news-events/blogs/techftc/2015/08/virtues-strong-enduser-device-controls), protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as [pcileech](https://github.com/ufrisk/pcileech), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer. - -1. Start up pressing `Command` and `R` keys to boot to [Recovery Mode](https://support.apple.com/en-au/HT201314) mode. -1. When the Recovery window appears, choose **Firmware Password Utility** from the Utilities menu. -1. In the Firmware Utility window that appears, select **Turn On Firmware Password**. -1. Enter a new password, then enter the same password in the **Verify** field. -1. Select **Set Password**. -1. Select **Quit Firmware Utility** to close the Firmware Password Utility. -1. Select the Apple menu and select Restart or Shutdown. - -The firmware password will activate at next boot. 
To validate the password, hold `Alt` during boot - you should be prompted to enter the password. - -The firmware password can also be managed with the `firmwarepasswd` utility while booted into the OS. For example, to prompt for the firmware password when attempting to boot from a different volume: - -``` -$ sudo firmwarepasswd -setpasswd -setmode command -``` - -To verify: - -``` -$ sudo firmwarepasswd -verify -Verifying Firmware Password -Enter password: -Correct -``` - -Note, a firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. - -Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple - -*Using a [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* - -See [HT204455](https://support.apple.com/en-au/HT204455), [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool) and [chipsec/chipsec](https://github.com/chipsec/chipsec) for more information. - -## Preparing and Installing macOS +## Preparing and installing macOS There are several ways to install macOS. 
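Review bot: the Firmware section removed here, with its DMA/pcileech rationale and the `sudo firmwarepasswd -setpasswd -setmode command` and `sudo firmwarepasswd -verify` examples, must be re-added under Full disk encryption for the TOC hunk above (which moves "Firmware" after "Full disk encryption") to be correct, and that re-insertion is not among the hunks visible here; the commit message ("More updates from HS install plus link fixes") also does not mention the move. Suggest confirming the section text is preserved verbatim in the re-added block and saying "move Firmware section after Full disk encryption" in the message, since a reader of this hunk alone sees a 46-line removal of security guidance.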
@@ -151,9 +112,9 @@ The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us An alternative way to install macOS is to first download **macOS High Sierra** from the [App Store](https://itunes.apple.com/us/app/macos-high-sierra/id1246284741) or elsewhere, and create a custom installable system image. -### Verifying Installation Integrity +### Verifying installation integrity -The macOS installation application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `spctl -a -v` or `pkgutil --check-signature` or `codesign -dvv` commands. +The macOS installation application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `pkgutil --check-signature` or `codesign -dvv` commands. Here are two example ways to verify the code signature and integrity of macOS application bundles: 
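Review bot: dropping `spctl -a -v` from the verification commands is not explained in the commit message; it is a different check from the other two, assessing the bundle against Gatekeeper policy rather than only validating the signature, so if it was removed because it gave confusing results on High Sierra installers, say so in the text, otherwise keep it alongside `pkgutil --check-signature` and `codesign -dvv`.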
@@ -191,9 +152,9 @@ Sealed Resources version=2 rules=7 files=137 Internal requirements count=1 size=124 ``` -### Creating a Bootable USB Installer +### Creating a bootable USB installer -macOS installers can be made with the `createinstallmedia` utility included in `Contents/Resources` folder of the installer application bundle. See [Create a bootable installer for macOS](https://support.apple.com/en-us/HT201372), or run the utility without arguments to see how it works. +Instead of booting from the network or using target disk mode, a bootable macOS installer can be made with the `createinstallmedia` utility included in `Contents/Resources` folder of the installer application bundle. See [Create a bootable installer for macOS](https://support.apple.com/en-us/HT201372), or run the utility without arguments to see how it works. **Note** Apple's installer [does not appear to work](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.12 image, for example, the following steps must be run on macOS verison 10.12! @@ -219,11 +180,11 @@ Copy complete. Done. ``` -### Creating an Install Image +### Creating an install image To create a **custom install image** which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac (using a USB-C cable and target disk mode, for example), use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG). -#### Manual Way +#### Manual way *Note* The following instructions appear to work only on macOS versions before 10.13. 
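Review bot: "included in `Contents/Resources` folder" is missing "the", and the unchanged Note directly below still reads "macOS verison 10.12!" (verison); both are worth fixing while this paragraph is being rewritten.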
@@ -239,37 +200,46 @@ $ shasum -a 256 InstallESD.dmg $ openssl sha256 InstallESD.dmg ``` -Both results should match a verion of macOS in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv). You can also search for hashes to ensure others are seeing the same. To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). +Both results should match a version of macOS in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv). You can also search for hashes to ensure others are seeing the same. To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). Mount and install the operating system to a temporary image: ```shell $ hdiutil attach -mountpoint /tmp/InstallESD ./InstallESD.dmg -$ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/output.sparseimage +$ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/macos.sparseimage -$ hdiutil attach -mountpoint /tmp/os -owners on /tmp/output.sparseimage +$ hdiutil attach -mountpoint /tmp/macos -owners on /tmp/macos.sparseimage -$ sudo installer -pkg /tmp/InstallESD/Packages/OSInstall.mpkg -tgt /tmp/os -verbose +$ sudo installer -pkg /tmp/InstallESD/Packages/OSInstall.mpkg -tgt /tmp/macos -verbose +installer: OS Install started. +############# +[...] ``` The installation will take a while, so be patient. You can use the command `tail -F /var/log/install.log` in another Terminal window to monitor progress or check for any failures. 
-When you're done, detach, convert and verify the image: +Once the installation completes successfully, detach, convert and verify the image: ```shell -$ hdiutil detach /tmp/os +$ hdiutil detach /tmp/macos +"disk4" unmounted. +"disk4" ejected. $ hdiutil detach /tmp/InstallESD +"disk3" unmounted. +"disk3" ejected. -$ hdiutil convert -format UDZO /tmp/output.sparseimage -o ~/sierra.dmg +$ hdiutil convert -format UDZO /tmp/macos.sparseimage -o ~/sierra.dmg +Preparing imaging engine... +[...] $ asr imagescan --source ~/sierra.dmg ``` -The file `sierra.dmg` is ready to be applied to any modern Macs. The image could be futher customized to include provisioned users, installed applications, preferences, for example. This image can be installed using another Mac in [Target Disk Mode](https://support.apple.com/en-us/HT201462) or from a bootable USB installer. +The file `sierra.dmg` is now ready to be applied over [Target Disk Mode](https://support.apple.com/en-us/HT201462), from a bootable USB installer, booting from the network or recovery mode. The image could be futher customized to include provisioned users, installed applications, preferences, for example. -### Target Disk Mode +### Target disk mode To use **Target Disk Mode**, boot up the Mac you wish to image while holding the `T` key and connect it to another Mac using a USB-C, Thundrbolt or Firewire cable. 
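Review bot: the rewritten closing sentence still carries "futher" ("The image could be futher customized"), and the context line right after it still has "Thundrbolt". "ready to be applied over Target Disk Mode, from a bootable USB installer, booting from the network or recovery mode" is also not a parallel list; suggest "applied from another Mac in Target Disk Mode, from a bootable USB installer, from a network boot, or from recovery mode". The sample `"disk4" unmounted.` and `"disk3" ejected.` output is helpful, but a short remark that device numbers will differ would stop readers from expecting those exact identifiers.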
@@ -283,25 +253,30 @@ Optionally, [securely erase](https://www.backblaze.com/blog/securely-erase-mac-s Partition the disk to Journaled HFS+: - $ sudo diskutil unmountDisk /dev/disk2 - - $ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100% +``` +$ sudo diskutil unmountDisk /dev/disk2 -Restore the image to the new volume: +$ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100% +``` - $ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m +Restore the image to the new volume, making sure `/dev/disk2` is the disk being erased: -You can also use the **Disk Utility** application to erase the connected Mac's disk, then restore `sierra.dmg` to the newly created partition. +``` +$ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m +[...] +Erase contents of /dev/disk2s2 (/Volumes/macOS)? [ny]:y +[...] +``` -If you've followed these steps correctly, the target Mac should now have a new install of macOS Sierra. +The **Disk Utility** application may also be used to erase the connected disk and restore `sierra.dmg` to the newly created partition. -If you want to transfer any files, copy them to a shared folder like `/Users/Shared` on the mounted disk image, e.g. `cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared` +To transfer any files, copy them to a shared folder like `/Users/Shared` on the mounted disk image, e.g. `cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared` Finished restore install from USB recovery boot *Finished restore install from USB recovery boot* -### Creating a Recovery Partition +### Creating a recovery partition **Unless** you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. 
You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or manually by following these steps: @@ -312,7 +287,7 @@ $ shasum -a 256 RecoveryHDUpdate.dmg f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c RecoveryHDUpdate.dmg ``` -Attach and expand the installer, then run it: +Attach and expand the installer, then run it - again ensuring `/Volumes/macOS` path is the newly created partition on the connected disk: ```shell $ hdiutil attach RecoveryHDUpdate.dmg @@ -322,13 +297,11 @@ $ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpd $ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg $ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist +[...] +Creating recovery partition: finished ``` -Replace `/Volumes/macOS` with the path to the target disk mode-booted Mac as necessary. - -This step will take several minutes. Run `diskutil list` again to make sure **Recovery HD** now exists on `/dev/disk2` or equivalent identifier. - -Eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac. +Run `diskutil list` again to make sure `Recovery HD` now exists on `/dev/disk2`. Eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac. ### Virtualization 
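Review bot: the new diskutil and asr blocks are fenced with a bare ``` while the RecoveryHDUpdate block in the next hunk uses ```shell; tag them the same way. "making sure `/dev/disk2` is the disk being erased" is a good addition; since `asr restore --erase` is destructive, tie it explicitly to the `diskutil list` step above and to the `Erase contents of /dev/disk2s2 (/Volumes/macOS)? [ny]:y` prompt now shown, so the reader knows that is the moment to stop if the identifier is wrong.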
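Review bot: the removed "This step will take several minutes." was useful expectation-setting that the new `[...]` / `Creating recovery partition: finished` sample output does not replace; suggest keeping it at the start of the merged sentence, e.g. "This step will take several minutes. Run `diskutil list` again to make sure `Recovery HD` now exists on `/dev/disk2`." In the preceding hunk, "again ensuring `/Volumes/macOS` path is the newly created partition" is missing "the".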
@@ -384,12 +357,14 @@ On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://sup When macOS first starts, you'll be greeted by **Setup Assistant**. -When creating your account, use a [strong password](https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) without a hint. +When creating the first account, use a [strong password](https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) without a hint. -If you enter your real name at the account setup process, be aware that your [computer's name and local hostname](https://support.apple.com/kb/PH18720) will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. You can change them both in **System Preferences > Sharing** or with the following commands: +If you enter your real name at the account setup process, be aware that your [computer's name and local hostname](https://support.apple.com/kb/PH18720) will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. - $ sudo scutil --set ComputerName your_computer_name - $ sudo scutil --set LocalHostName your_hostname +Both should be verified and updated as needed in **System Preferences > Sharing** or with the following commands after installation: + + $ sudo scutil --set ComputerName MacBook + $ sudo scutil --set LocalHostName MacBook ## System activation 
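Review bot: replacing `your_computer_name` and `your_hostname` with the literal `MacBook` loses the signal that these are values for the reader to choose; since the point of the paragraph is to keep a real name off the network, say so explicitly, e.g. "with a generic name such as `MacBook`", and note that LocalHostName must be a single word without spaces, which is why the two example values match.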
@@ -409,34 +384,38 @@ A few words on the privacy implications of activating "Touch Bar" MacBook device > > This is an ongoing concern and in the worst case scenario could potentially represent the end of macs as independent, end-user controllable and relatively secure systems appropriate for sensitive environments with strict network and security policies. -For more details, see [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d). +From [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d). ## Admin and standard user accounts -The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 61–62) for admin accounts. It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. - -It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. 
To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be [removed from FileVault](https://apple.stackexchange.com/a/94373). +The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. -#### Caveats +Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 61–62) for admin accounts. -1. Only administrators can install applications in `/Applications` (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in `~/Applications` instead (the directory can be created manually). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in `/Applications` – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in `/Applications` and require no additional authentication. +It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. -2. 
`sudo` is not available in shells of the standard user, which requires using `su` or `login` to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces. +It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be [removed from FileVault](https://apple.stackexchange.com/a/94373) for additional hardening. -3. System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console). +#### Caveats -4. There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the `open` utility. +* Only administrators can install applications in `/Applications` (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in `~/Applications` instead (the directory can be created manually). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in `/Applications` – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in `/Applications` and require no additional authentication. 
+* `sudo` is not available in shells of the standard user, which requires using `su` or `login` to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces. +* System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console). +* There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the `open` utility. +* See additional discussion in [issue #167](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/167). #### Setup -Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account. Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see [issue #179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)): +Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account. 
+ +Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see [issue #179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)): ```shell $ sudo dscl . -delete /Groups/admin GroupMembership $ sudo dscl . -delete /Groups/admin GroupMembers ``` -You can find the “GeneratedUID” of your account with: +You can find the “GeneratedUID” of an account with: ```shell $ dscl . -read /Users/ GeneratedUID @@ -448,7 +427,7 @@ See also [this post](https://superuser.com/a/395738) for more information about [FileVault](https://en.wikipedia.org/wiki/FileVault) provides full disk (technically, full _volume_) encryption on macOS. -FileVault encryption protects data at rest and hardens (but [not always prevents](http://blog.frizk.net/2016/12/filevault-password-retrieval.html)) someone with physical access from stealing data or tampering with your Mac. +FileVault encryption protects data at rest and hardens (but [not always prevents](https://blog.frizk.net/2016/12/filevault-password-retrieval.html)) someone with physical access from stealing data or tampering with your Mac. With much of the cryptographic operations happening [efficiently in hardware](https://web.archive.org/web/20180720195105/https://software.intel.com/sites/default/files/m/d/4/1/d/8/AES_WP_Rev_03_Final_2010_01_26.pdf), the performance penalty for FileVault is not noticeable. 
@@ -488,6 +467,8 @@ Serial correlation coefficient is 0.000508 (totally uncorrelated = 0.0) See [Entropy and Random Number Generators](https://calomel.org/entropy_random_number_generators.html) and [Fun with encryption and randomness](https://rsmith.home.xs4all.nl/howto/fun-with-encryption-and-randomness.html) for more information. +It may also be possible to increase entropy with an external source, like [OneRNG](http://onerng.info/). + Enable FileVault with `sudo fdesetup enable` or through **System Preferences** > **Security & Privacy** and reboot. If you can remember your password, there's no reason to save the **recovery key**. However, your encrypted data will be lost forever if you can't remember the password or recovery key. 
@@ -513,39 +494,83 @@ If you choose to evict FileVault keys in standby mode, you should also modify yo For more information, see [Best Practices for Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) and paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) -## Firewall +## Firmware + +Setting a firmware password prevents a Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. -Before connecting to the Internet, it's a good idea to first configure a firewall. +This feature [can be helpful if your laptop is lost or stolen](https://www.ftc.gov/news-events/blogs/techftc/2015/08/virtues-strong-enduser-device-controls), protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as [pcileech](https://github.com/ufrisk/pcileech), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer. -There are several types of firewall available for macOS. +1. Start up pressing `Command` and `R` keys to boot to [Recovery Mode](https://support.apple.com/en-au/HT201314) mode. +1. When the Recovery window appears, choose **Firmware Password Utility** from the Utilities menu. +1. In the Firmware Utility window that appears, select **Turn On Firmware Password**. +1. Enter a new password, then enter the same password in the **Verify** field. +1. Select **Set Password**. +1. Select **Quit Firmware Utility** to close the Firmware Password Utility. +1. Select the Apple menu and select Restart or Shutdown. 
-#### Application layer firewall +The firmware password will activate at next boot. To validate the password, hold `Alt` during boot - you should be prompted to enter the password. -Built-in, basic firewall which blocks **incoming** connections only. +The firmware password can also be managed with the `firmwarepasswd` utility while booted into the OS. For example, to prompt for the firmware password when attempting to boot from a different volume: -Note, this firewall does not have the ability to monitor, nor block **outgoing** connections. +``` +$ sudo firmwarepasswd -setpasswd -setmode command +``` -It can be controlled by the **Firewall** tab of **Security & Privacy** in **System Preferences**, or with the following commands. +To verify: + +``` +$ sudo firmwarepasswd -verify +Verifying Firmware Password +Enter password: +Correct +``` + +Note, a firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. + +Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple + +*Using a [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* -Enable the firewall: +See [HT204455](https://support.apple.com/en-au/HT204455), [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool) and [chipsec/chipsec](https://github.com/chipsec/chipsec) for more information. + +## Firewall + +There are several types of firewalls available for macOS which should be enabled. - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on +#### Application layer firewall + +Built-in, basic firewall which blocks **incoming** connections only. This firewall does not have the ability to monitor, nor block **outgoing** connections. -Enable logging: +It can be controlled by the **Firewall** tab of **Security & Privacy** in **System Preferences**, or with the following commands. 
- $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on +Enable the firewall with logging: + +``` +$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on +Firewall is enabled. (State = 1) + +$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on +Turning on log mode +``` You may also wish to enable stealth mode: - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on +``` +$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on +Stealth mode enabled +``` > Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using **stealth mode**. When stealth mode is enabled, your computer does not respond to ICMP ping requests, and does not answer to connection attempts from a closed TCP or UDP port. This makes it more difficult for attackers to find your computer. -Finally, you may wish to prevent *built-in software* as well as *code-signed, downloaded software from being whitelisted automatically*: +To prevent *built-in software* as well as *code-signed, downloaded software from being whitelisted automatically*: - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off +``` +$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off +Disabled allow signed built-in applications automatically - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off +$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off +Disabled allow signed downloaded applications automatically +``` > Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in macOS are signed by Apple and are allowed to receive incoming connections when this setting is enabled. 
For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall. @@ -553,7 +578,9 @@ Finally, you may wish to prevent *built-in software* as well as *code-signed, do After interacting with `socketfilterfw`, you may want to restart (or terminate) the process: - $ sudo pkill -HUP socketfilterfw +``` +$ sudo pkill -HUP socketfilterfw +``` #### Third party firewalls @@ -658,6 +685,8 @@ To use pf to audit "phone home" behavior of user and system-level processes, see Before you connect to the Internet, you may wish to disable some system services, which use up resources or phone home to Apple. +**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or turn them off from Recovery Mode. + See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) and [karek314/macOS-home-call-drop](https://github.com/karek314/macOS-home-call-drop) for further recommendations. Services on macOS are managed by **launchd**. See [launchd.info](http://launchd.info/), as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html) 
@@ -684,9 +713,9 @@ For example, if you're not interested in Apple Push Notifications, disable the s Be careful about disabling any system daemons you don't understand, as it may render your system unbootable. If you break your Mac, use [single user mode](https://support.apple.com/en-us/HT201573) to fix it. -Use [Console](https://en.wikipedia.org/wiki/Console_(OS_X)) and [Activity Monitor](https://support.apple.com/en-us/HT201464) applications if you notice your Mac heating up, feeling sluggish, or generally misbehaving, as it may have resulted from your tinkering. +Use [Console](https://en.wikipedia.org/wiki/List_of_macOS_components#Console) and [Activity Monitor](https://support.apple.com/en-us/HT201464) applications if you notice your Mac heating up, feeling sluggish, or generally misbehaving, as it may have resulted from your tinkering. -To view currently disabled services: +To view the status of services: $ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null 
@@ -772,7 +801,7 @@ See the [dnsmasq](#dnsmasq) section of this guide for more hosts blocking option To encrypt outgoing DNS traffic, consider using [dnscrypt](https://dnscrypt.info). In combination with Dnsmasq and DNSSEC, the security of both outbounding and inbounding dns traffic are strengthened. -A GUI application is only available for the discontinued version 1 of `dnscrypt-proxy` ([alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient)). It is recommended to install the improved [`dnscrypt-proxy` version 2](https://github.com/jedisct1/dnscrypt-proxy) and use a BitBar plugin like [DNSCrypt Menu](https://github.com/JayBrown/DNSCrypt-Menu) or [dnscrypt-proxy-switcher](https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher) until an updated GUI application is available. Below are the guides for installation and configuration of the command-line DNSCrypt. +A GUI application is only available for the discontinued version 1 of `dnscrypt-proxy` ([alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient)). It is recommended to install the improved [dnscrypt-proxy version 2](https://github.com/jedisct1/dnscrypt-proxy) and use a BitBar plugin like [DNSCrypt Menu](https://github.com/JayBrown/DNSCrypt-Menu) or [dnscrypt-proxy-switcher](https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher) until an updated GUI application is available. Below are the guides for installation and configuration of the command-line DNSCrypt. Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: 
@@ -880,12 +909,12 @@ Install Dnsmasq (DNSSEC is optional): ```shell $ brew install dnsmasq --with-dnssec -$ cp /usr/local/etc/dnsmasq.conf.default /usr/local/etc/dnsmasq.conf ``` -Edit the configuration: +Edit the default configuration: + ```shell -$ vim /usr/local/etc/dnsmasq.conf +$ vim homebrew/etc/dnsmasq.conf ``` Examine all the options. Here are several [recommended settings](https://github.com/drduh/config/blob/master/dnsmasq.conf) to enable: @@ -1004,7 +1033,7 @@ Also see [Apple's secret "wispr" request](https://web.archive.org/web/2017100807 macOS comes with [over 200](https://support.apple.com/en-us/HT202858) root authority certificates installed from for-profit corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing SSL/TLS certificates for any domain, code signing certificates, etc. -For more information, see [Certification Authority Trust Tracker](https://github.com/kirei/catt), [Analysis of the HTTPS certificate ecosystem](http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf) (pdf), and [You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores](http://www.ifca.ai/fc14/papers/fc14_submission_100.pdf) (pdf). +For more information, see [Certification Authority Trust Tracker](https://github.com/kirei/catt), [Analysis of the HTTPS certificate ecosystem](https://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf) (pdf), and [You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores](https://www.ifca.ai/fc14/papers/fc14_submission_100.pdf) (pdf). You can inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. 
@@ -1049,7 +1078,7 @@ If you prefer to use OpenSSL, install with `brew install curl --with-openssl` an Here are several recommended [options](https://curl.haxx.se/docs/manpage.html) to add to `~/.curlrc` (see `man curl` for more): ```shell -user-agent = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" +user-agent = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" referer = ";auto" connect-timeout = 10 progress-bar @@ -1066,7 +1095,7 @@ ipv4 Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter Web browsing traffic. -**Note** macOS proxy settings are not universal; apps and services may or may not honor system proxy settings. Ensure the app you wish to proxy is correctly configured and manually verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. +**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the app you wish to proxy is correctly configured and manually verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/OSX/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. 
@@ -1179,13 +1208,14 @@ Another important consideration about Web Browser security is Web Extensions. We #### Google Chrome [Google Chrome](https://www.google.com/chrome/browser/desktop/) is based on the Open Source [Chromium project](https://www.chromium.org/Home) with certain proprietary components. The proprietary components are the [following](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): - 1. Automatic updates through the GoogleSoftwareUpdateDaemon. - 1. Usage tracking and crash reporting, which can be disabled through Chrome's settings. - 1. Chrome Web Store - 1. Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. The source code to decode the strings is made open by Google. - 1. Adobe Flash Plugin. Google Chrome supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome. - 1. Media Codec support. Adds support for proprietary codecs. - 1. Chrome's [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). + +* Automatic updates with GoogleSoftwareUpdateDaemon. +* Usage tracking and crash reporting, which can be disabled through Chrome's settings. +* Chrome Web Store. +* Adobe Flash Plugin - Chrome supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome. +* Media Codec support. Adds support for proprietary codecs. +* Chrome [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). +* Non-optional tracking. Google Chrome installer includes a randomly generated token. 
The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. The source code to decode the strings is made open by Google. Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](https://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](https://googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. 
@@ -1232,37 +1262,37 @@ Previous versions of Firefox used a [Web Extension SDK](https://developer.mozill Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are Open Source, although certain Web Extensions are proprietary. -**Note**. Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. +**Note**: Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. #### Safari -[Safari](https://www.apple.com/safari/) is the default Web Browser of macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. 
+[Safari](https://www.apple.com/safari/) is the default Web browser of macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 introduced an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature automatically removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Similar to Chrome and Firefox, Safari offers an invite only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. -Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. 
Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs $100 (in contrast to Chrome's $5 lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. And be extra careful when the Web Extension's source code is not Open Source. On a side note, some Safari extensions are Open Source and freely available. Be grateful to those developers. +Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 dollar lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. And be extra careful when the Web Extension's source code is not Open Source. On a side note, some Safari extensions are Open Source and freely available. Be grateful to those developers. -Safari syncs user's preferences and stored logins through the iCloud Keychain. Stored passwords are [encrypted](https://support.apple.com/en-gb/HT202303) with 256-bit AES . 
In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. +Safari syncs user's preferences and stored logins through the iCloud Keychain. Stored passwords are [encrypted](https://support.apple.com/en-gb/HT202303) with AES 256-bit encryption. In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (similar to as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. -An excellent open source ad blocker for Safari that fully leverages Content blockers is [Ka-Block](http://kablock.com/). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. You can view the extension's repository [here](https://github.com/dgraham/Ka-Block). +An excellent open source ad blocker for Safari that fully leverages Content blockers is [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. -#### Other Web Browsers +#### Other Web browsers Many Chromium-derived browsers are not recommended. 
They are usually [closed source](http://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](https://web.archive.org/web/20180517132144/http://thesimplecomputer.info/the-private-life-of-chromium-browsers). Other miscellaneous browsers, such as [Brave](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use. -#### Web Browsers and Privacy +#### Web browsers and privacy -All Web Browsers retain certain information about our browsing habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browsers offer prediction services to resolve typos or URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web Browser's settings panel. +All Web Browsers retain certain information about our browsing habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browsers offer prediction services to resolve typos or URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web browser's settings panel. -Since Web Browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browser's user agent. 
Those include information such as the operating system, Websites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). +Since Web browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browser's user agent. Those include information such as the operating system, Web sites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). -To hinder third party trackers, it is recommended to disable third-party cookies from your Web Browser settings. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. +To hinder third party trackers, it is recommended to disable third-party cookies from your Web browser settings. 
A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). Disabling WebRTC in Safari is only possible with a [system hack](https://github.com/JayBrown/Disable-and-toggle-WebRTC-in-macOS-Safari). 
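Review bot: the heading in this hunk is lowercased to `#### Web browsers and privacy`, but the replacement paragraphs still mix both spellings: `All Web Browsers retain`, `the overall performance of the Web Browser` and `the Web Browser's user agent` sit next to `Web browser's settings panel` and `Web browsers execute untrusted code`. Pick one form (lowercase `Web browser`, matching the new heading) and apply it to every occurrence in the + lines; `black listing` should also read `blacklisting`.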
@@ -1272,7 +1302,7 @@ Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which If they are necessary, only use them in a disposable virtual machine and subscribe to security announcements to make sure you're always patched. -See [Hacking Team Flash Zero-Day](http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/), [Java Trojan BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback), [Acrobat Reader: Security Vulnerabilities](http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html), and [Angling for Silverlight Exploits](https://blogs.cisco.com/security/angling-for-silverlight-exploits), for example. +See [Hacking Team Flash Zero-Day](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/), [Java Trojan BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback), [Acrobat Reader: Security Vulnerabilities](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html), and [Angling for Silverlight Exploits](https://blogs.cisco.com/security/angling-for-silverlight-exploits), for example. ## PGP/GPG 
@@ -1499,19 +1529,21 @@ See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/co You could periodically run a tool like [Knock Knock](https://github.com/synack/knockknock) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. -**Anti-virus** programs are a double-edged sword -- not useful for **advanced** users and will likely increase attack surface against sophisticated threats, however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider. +**Anti-virus** programs are a double-edged sword -- not so useful for **advanced** users and will likely increase attack surface against sophisticated threats; however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider when using "active" scanning features. -See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. 
Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). +See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). Therefore, the best anti-virus is **Common Sense 2018**. See more discussion in [issue #44](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/44). -CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on MacOS is questionable. It's core feature is an algorithm derived from a machine-learning process which aims to identify malware based on various characteristics of a binary executable. Cylance have a [whitepaper](https://www.cylance.com/content/dam/cylance/pdfs/data_sheets/CylancePROTECT.pdf) with information about how it works. Single licenses are available from third party resellers such as [Cyberforce](https://cybrforce.com) or [Malware Managed](https://www.malwaremanaged.com) and there is also a home/personal edition in the works but it is currently only available for companies to make available to their employees. 
On MacOS it complements Apple's built-in XProtect by continuously vmmap'ing the memory of active processes to watch for patterns that indicate bad things happening. +CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on macOS is questionable. It's core feature is an algorithm derived from a machine-learning process which aims to identify malware based on various characteristics of a binary executable. Cylance have a [whitepaper](https://www.cylance.com/content/dam/cylance/pdfs/data_sheets/CylancePROTECT.pdf) (pdf) with information about how it works. Single licenses are available from third party resellers such as [Cyberforce](https://cybrforce.com) or [Malware Managed](https://www.malwaremanaged.com) and there is also a home/personal edition in the works but it is currently only available for companies to make available to their employees. On macOS it complements Apple's built-in XProtect by continuously vmmap'ing the memory of active processes to watch for patterns that indicate bad things happening. Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](https://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). -Have a look at [The Safe Mac](http://www.thesafemac.com/) for past and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. +Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. + +If you're unsure about whether an application or file is safe to open, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload) to be scanned and to examine its behavior. 
-Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for Mac OS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from **userland** (e.g., `ps`, `ls`), for example. For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) +Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from **userland** (e.g., `ps`, `ls`), for example. For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) ## System Integrity Protection 
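Review bot: the rewritten CylancePROTECT paragraph in the `@@ -1499` hunk carries over two possessive errors from the original: `it's effectiveness at detecting malware` and `It's core feature` should be `its effectiveness` and `Its core feature`. Moving the VirusTotal sentence up into this section is consistent with its removal in the `@@ -2281` hunk further down, so that part is fine.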
@@ -1523,7 +1555,7 @@ From [What's New in OS X 10.11](https://developer.apple.com/library/prerelease/m Also see [What is the “rootless” feature in El Capitan, really?](https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really) -Some MacBook hardware has shipped with [SIP disabled](http://appleinsider.com/articles/16/11/17/system-integrity-protection-disabled-by-default-on-some-touch-bar-macbook-pros). To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode. +Some MacBook hardware has shipped with [SIP disabled](https://appleinsider.com/articles/16/11/17/system-integrity-protection-disabled-by-default-on-some-touch-bar-macbook-pros). To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode. ## Gatekeeper and XProtect 
@@ -1533,15 +1565,15 @@ Some MacBook hardware has shipped with [SIP disabled](http://appleinsider.com/ar Both offer trivial protection against common risks and are fine at default settings. -See also [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafemac.com/mmg-builtin/) and [Gatekeeper, XProtect and the Quarantine attribute](http://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html). +See also [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafemac.com/mmg-builtin/) and [Gatekeeper, XProtect and the Quarantine attribute](https://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html). **Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. To examine the file, simply use `strings` or the following command: -````shell +```shell $ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 -```` +``` -See [here](http://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/) for more information. +See [here](https://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/) for more information. To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and [make it immutable](http://hints.macworld.com/article.php?story=20031017061722471): 
@@ -1883,17 +1915,17 @@ macOS remembers access points it has connected to. Like all wireless devices, th This is a privacy risk, so remove networks from the list in **System Preferences** > **Network** > **Advanced** when they're no longer needed. -Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](http://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) and [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf). +Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) and [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf). Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` -You may wish to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of your network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: +You may wish to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of the network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: ```shell $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') ``` -It is also good to know that macOS will store your Wi-FI SSID and passwords in NVRAM, because Recovery mode needs access to restore from the internet. When you need to pass your Mac along, be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM. (Resetting the SMC will clear some of the NVRAM, but not all.) +It is also good to know that macOS will store Wi-FI SSIDs and passwords in NVRAM, because Recovery Mode needs access to restore from the Internet. 
Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. (Resetting the SMC will clear some of the NVRAM, but not all.) **Note** MAC addresses will reset to hardware defaults on each boot. @@ -1988,11 +2020,11 @@ See the manual pages for `audit`, `praudit`, `audit_control` and other files in **Note** although `man audit` says the `-s` flag will synchronize the audit configuration, it appears necessary to reboot for changes to take effect. -See articles on [ilostmynotes.blogspot.com](http://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information. +See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information. #### DTrace -**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) [interferes](http://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. +**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) [interferes](https://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. `iosnoop` monitors disk I/O @@ -2175,6 +2207,7 @@ Path: /Users/demouser/foo Identifier: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed Parent: bash (701) ``` + To whitelist a specific binary, determine its SHA-256 sum: ```shell 
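Review bot: the rewritten NVRAM sentence in the `@@ -1883` hunk keeps the typo `Wi-FI` (`macOS will store Wi-FI SSIDs and passwords in NVRAM`); it should be `Wi-Fi`, as in `Saved Wi-Fi information` a few lines above. The MAC spoofing command itself is unchanged, so the existing `**Note** MAC addresses will reset to hardware defaults on each boot.` still correctly tells the reader the change is not persistent.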
@@ -2271,6 +2304,7 @@ To disable “Lockdown” mode: See `/var/log/santa.log` to monitor ALLOW and DENY execution decisions. A log and configuration server for Santa is available in [Zentral](https://github.com/zentralopensource/zentral), an open source event monitoring solution and TLS server for osquery and Santa. + Zentral will support Santa in both MONITORING and LOCKDOWN operation mode. Clients need to be enrolled with a TLS connection to sync Santa Rules, all Santa events from endpoints are aggregated and logged back in Zentral. Santa events can trigger actions and notifications from within the Zentral Framework. **Note** Python, Bash and other interpreters are whitelisted (since they are signed by Apple's developer certificate), so Santa will not be able to block such scripts from executing. Thus, a potential non-binary program which disables Santa is a weakness (not vulnerability, since it is so by design) to take note of. 
@@ -2281,9 +2315,7 @@ Disable [Diagnostics & Usage Data](https://github.com/fix-macosx/fix-macosx/wiki If you want to play **music** or watch **videos**, use [VLC media player](https://www.videolan.org/vlc/index.html) which is free and open source. -If you want to use **torrents**, use [Transmission](http://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). - -If you're unsure about whether an application or file is safe to open, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload) to be scanned and to examine its behavior. +If you want to use **torrents**, use [Transmission](https://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. 
One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended handlers to manage: @@ -2297,7 +2329,7 @@ $ duti -s com.apple.Safari nfs $ duti -s com.apple.Safari smb ``` -Monitor system logs with the **Console** application or `syslog -w` or `log stream` commands. +Monitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands. In systems prior to macOS Sierra (10.12), enable the [tty_tickets flag](https://derflounder.wordpress.com/2016/09/21/tty_tickets-option-now-on-by-default-for-macos-sierras-sudo-tool/) in `/etc/sudoers` to restrict the sudo session to the Terminal window/tab that started it. To do so, use `sudo visudo` and add the line `Defaults tty_tickets`. @@ -2478,3 +2510,5 @@ export HOME=/Users/blah [OSX.Pirrit Mac Adware Part III: The DaVinci Code](https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active) [How to make macOS Spotlight fuck the fuck off and do your bidding](https://m4.rkw.io/blog/how-to-make-macos-spotlight-fuck-the-fuck-off-and-do-your-bidding.html) + +[Fuzzing the macOS WindowServer for Exploitable Vulnerabilities](http://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/) From 8da30b7643a41f28f8aaf633922cdff038001ce8 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 29 Jul 2018 21:20:54 -0700 Subject: [PATCH 075/476] Physical access protections, fix #204 --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 589b3b7e..fffcf9a1 100755 --- a/README.md +++ b/README.md 
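Review bot: in the `@@ -2297` hunk, `log stream` becomes `/usr/bin/log stream` with no explanation, and the sibling `syslog -w` is left without a path. Either say in a few words why the absolute path is needed here (the reader cannot tell from the sentence) or drop the change so the two commands are presented the same way.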
@@ -1995,12 +1995,14 @@ $ sudo lsof -Pni TCP:22 Keep your Mac physically secure at all times. Don't leave it unattended in hotels and such. -A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password - see [Thunderstrike](https://trmm.net/Thunderstrike), for example. +A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password - see [Thunderstrike](https://trmm.net/Thunderstrike) for an example. A helpful tool is [usbkill](https://github.com/hephaest0s/usbkill), which is *"an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer"*. Consider purchasing a [privacy filter](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook) for your screen to thwart shoulder surfers. +Superglues or epoxy resins can also be used to disable physical access. [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. + ## System monitoring #### OpenBSM audit From dfd85f05299e174828b8466b9b6d3bfce73af1bd Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 29 Jul 2018 21:32:47 -0700 Subject: [PATCH 076/476] Recommend some ciphers and link to fix #114. --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index fffcf9a1..766d48d9 100755 --- a/README.md +++ b/README.md 
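Review bot: `Superglues or epoxy resins can also be used to disable physical access.` is too vague to act on: state what is being disabled (for example unused ports) and that the measure is permanent, so readers do not apply it to interfaces they still need. `Superglues` should be `Superglue`, and `tamper-evidence seals` should be `tamper-evident seals`.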
@@ -1507,18 +1507,20 @@ Also see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) a ## VPN -If you use your Mac on untrusted networks - airports, cafes, etc. - your network traffic is being monitored and possibly tampered with. +Unencrypted network traffic is being actively monitored and possibly tampered with. Encrypted traffic still exposes [connection metadata](https://security.stackexchange.com/questions/142833/does-https-encrypt-metadata#142855) and could be used to infer behavior or specific actions. -It is a good idea to use a VPN which encrypts **all** outgoing network traffic (i.e., not **split tunnel**) with a provider you trust. For an example of how to set up and host your own VPN, see [drduh/Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide). +It is a good idea to use a VPN which outgoing network traffic (*not* **split tunnel**) with a trustworthy provider. [drduh/Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide) is one of many available guides for setting up a personal VPN server. Don't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you don't understand how the VPN works or are not familiar with the software used, you are probably better off without it. -When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN), for example. +When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. 
Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN), for example. Strong cryptographic algorithms like AES-256, RSA-4096, SHA-256 should be preferred. Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See [scy/8122924](https://gist.github.com/scy/8122924) for an example on how to allow traffic only over VPN. Another set of scripts to lock down your system so it will only access the internet via a VPN can be found as part of the Voodoo Privacy project - [sarfata/voodooprivacy](https://github.com/sarfata/voodooprivacy) and there is an updated guide to setting up an IPSec VPN on a virtual machine ([hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)) or a docker container ([hwdsl2/docker-ipsec-vpn-server](https://github.com/hwdsl2/docker-ipsec-vpn-server)). +It may be worthwhile to consider the geographical location of the VPN provider. See further discussion in [issue #114](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/114). + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! From 6be94d622bc254ddadcceda589d52f2bad43e4fb Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 30 Jul 2018 17:39:21 -0700 Subject: [PATCH 077/476] Add persistence locations and interesting vpn link --- README.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 766d48d9..775cbc3d 100755 --- a/README.md +++ b/README.md 
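Review bot: the replacement sentence in the `@@ -1507` hunk lost its verb: `It is a good idea to use a VPN which outgoing network traffic (*not* **split tunnel**)` no longer says what the VPN does. Restore the original wording, for example `use a VPN which encrypts **all** outgoing network traffic (*not* **split tunnel**) with a trustworthy provider`. The new opening sentence also drops the qualifier about untrusted networks (`airports, cafes, etc.`) and now asserts that unencrypted traffic `is being actively monitored` unconditionally; keeping a lead-in such as `On untrusted networks, ...` would keep the claim accurate.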
@@ -727,6 +727,19 @@ Annotated lists of launch daemons and agents, the respective program executed, a See also [cirrusj.github.io/Yosemite-Stop-Launch](https://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation. +Other persistent login items may exist in these locations (see [Mac OSX Startup](http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf): + +* `/System/Library/LaunchAgents` +* `/System/Library/LaunchDaemons` +* `/Library/LaunchAgents` +* `~/Library/LaunchAgents` +* `/Library/LaunchDaemons` +* `/System/Library/ScriptingAdditions` +* `/Library/ScriptingAdditions` +* `/System/Library/StartupItems` +* `/Library/StartupItems` +* `~/Library/Preferences/com.apple.loginitems.plist` + ## Spotlight Suggestions Disable **Spotlight Suggestions** in both the Spotlight preferences and Safari's Search preferences to avoid your search queries being sent to Apple. @@ -1521,6 +1534,8 @@ Another set of scripts to lock down your system so it will only access the inter It may be worthwhile to consider the geographical location of the VPN provider. See further discussion in [issue #114](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/114). +Also see this [technical overview](https://blog.timac.org/2018/0717-macos-vpn-architecture/) of the macOS built-in VPN L2TP/IPSec and IKEv2 client. + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! 
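Review bot: the lead-in to the new list has an unbalanced parenthesis: `(see [Mac OSX Startup](...) (pdf):` opens a parenthesis that is never closed. The following commit (`PATCH 078`) adds the missing `)`; that one-character fix belongs in this commit rather than a separate one.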
@@ -2403,7 +2418,7 @@ export HOME=/Users/blah [stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. -[Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for macOS. +[Santa](https://github.com/google/santa) - A binary whitelisting/blacklisting system for macOS. [kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - Checks your OSX machine against various hardened configuration settings. From d86adf22f408e3ffbd39390f6d960a6c45826de5 Mon Sep 17 00:00:00 2001 From: drduh Date: Tue, 31 Jul 2018 17:47:27 -0700 Subject: [PATCH 078/476] Mention Eclectic Light Co downloads to fix #277 --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 775cbc3d..1cf7d5c7 100755 --- a/README.md +++ b/README.md @@ -727,7 +727,7 @@ Annotated lists of launch daemons and agents, the respective program executed, a See also [cirrusj.github.io/Yosemite-Stop-Launch](https://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation. -Other persistent login items may exist in these locations (see [Mac OSX Startup](http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf): +Other persistent login items may exist in these locations (see [Mac OSX Startup](http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf)): * `/System/Library/LaunchAgents` * `/System/Library/LaunchDaemons` 
@@ -2442,6 +2442,8 @@ export HOME=/Users/blah [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). +[The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. + ## Additional resources *In no particular order* From d1ff586e0bc7359806aa065a3cac48e6d00c2582 Mon Sep 17 00:00:00 2001 From: HazCod Date: Fri, 24 Aug 2018 07:24:38 +0200 Subject: [PATCH 079/476] Add note about T2 chip --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 1cf7d5c7..dd38a986 100755 --- a/README.md +++ b/README.md @@ -533,6 +533,8 @@ Note, a firmware password may be bypassed by a determined attacker or Apple, wit See [HT204455](https://support.apple.com/en-au/HT204455), [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool) and [chipsec/chipsec](https://github.com/chipsec/chipsec) for more information. +Newer Mac models now contain a T2 chip (Mac Pro, iMac Pro, Macbook with TouchBar, ...) that verifies the firmware that is being loaded, which alleviates EFI firmware attacks altogether if enabled. Read [this blog post](http://michaellynn.github.io/2018/07/27/booting-secure/) for more information. + ## Firewall There are several types of firewalls available for macOS which should be enabled. From 79e924e68b9c7467d8f422070b9e1cf02d83db11 Mon Sep 17 00:00:00 2001 From: cclauss Date: Thu, 30 Aug 2018 16:10:03 +0200 Subject: [PATCH 080/476] print() is a function in Python 3 --- read_launch_plists.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/read_launch_plists.py b/read_launch_plists.py index 25966f50..a6a3015a 100755 --- a/read_launch_plists.py +++ b/read_launch_plists.py 
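Review bot: `alleviates EFI firmware attacks altogether if enabled` overstates what the surrounding text supports; the paragraph just above says a firmware password `may be bypassed by a determined attacker or Apple`, and the T2 sentence should be similarly measured (for example `verifies the firmware being loaded, which makes the EFI firmware attacks above considerably harder`). `Macbook with TouchBar` is also imprecise as a model identifier: spell it `MacBook Pro with Touch Bar` and name the model years that actually ship the chip, since the parenthetical currently reads as if every Touch Bar model has one.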
@@ -25,7 +25,7 @@ def LoadPlist(filename): out_data, err_data = p.communicate() except IOError as e: # file could not be found - print e + print(e) if(p.returncode == 0): data = plistlib.readPlistFromString(out_data) From e109114e1bfa911e013ef11bd503aaf35cf7293f Mon Sep 17 00:00:00 2001 From: HazCod Date: Thu, 30 Aug 2018 21:27:36 +0200 Subject: [PATCH 081/476] Add maclaunch reference shameless self-plug --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index dd38a986..b2bd7be3 100755 --- a/README.md +++ b/README.md 
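Review bot: switching to `print(e)` is the right first step, but the same function still calls `plistlib.readPlistFromString(out_data)` two lines below the change, which is a Python 2 API (deprecated since Python 3.4 and removed in 3.9); a Python 3 port needs `plistlib.loads(out_data)` there as well. Separately, the `except IOError` block wraps only `p.communicate()`, which does not raise `IOError` for a missing file, so the `# file could not be found` comment is misleading as the code stands.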
@@ -1546,7 +1546,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -You could periodically run a tool like [Knock Knock](https://github.com/synack/knockknock) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. +You could periodically run a tool like [Knock Knock](https://github.com/synack/knockknock) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). **Anti-virus** programs are a double-edged sword -- not so useful for **advanced** users and will likely increase attack surface against sophisticated threats; however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider when using "active" scanning features. From e5f92e9c3f4f140a50f15ead9c65db17f3c95879 Mon Sep 17 00:00:00 2001 
From: Steven Black Date: Thu, 30 Aug 2018 17:31:11 -0400 Subject: [PATCH 082/476] The `tee -a` option appends to the target hosts file, which is non re-entrant. Also, update the value returned by `wc -l`. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dd38a986..c3a113d2 100755 --- a/README.md +++ b/README.md @@ -797,10 +797,10 @@ For hosts lists, see [someonewhocares.org](https://someonewhocares.org/hosts/zer To append a list of hosts from a list, use the `tee` command, then confirm by editing `/etc/hosts` or counting the number of lines in it: ```shell -$ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo tee -a /etc/hosts +$ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo tee /etc/hosts $ wc -l /etc/hosts -47476 +65580 $ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.1|^0 " /etc/hosts | sort | uniq | sort ::1 localhost From d69d2541e9bab100c25e5de91fa0dd0322578ac5 Mon Sep 17 00:00:00 2001 From: juanjonol Date: Thu, 27 Sep 2018 08:51:49 +0200 Subject: [PATCH 083/476] Update InstallESD_Hashes.csv --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 94a096f7..4f75e993 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -22,3 +22,4 @@ Version,Build,SHA-256,SHA-1 10.13.3,17D47,438fc19055e56ac90fb485796d3aacc4059d241d79bc5c303220c4c2468a1f9d,726c7516fdbe33ae3f2384ba1ce7efcda4335776 10.13.4,17E199,fd33bb6f8a4132c2ba50808c0e1f92eb05b6c300d38e58287d5d7dec01a4cd65,2c72b22a45ea8f5a80bee91db8aba96dae8310ea 10.13.5,17F77,c4ff5048bafbf7f386cd6cb3b09b58112df607a526874c726d9b0c5ba2e61a4f,216b38acfb234b4e29c2dba41fd76814550b59e2 +10.14,18A391,cdf15a36a082af2da1cc3ac913a6facb78894a5311c69d51fdfce706b83d8692,d29afb53d32d350453356d6025c4cbb2fb123985 From a366ee3949aaef5c466ccbce0804793f308b4f34 Mon Sep 17 00:00:00 2001 
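Review bot: In PATCH 082, dropping `-a` changes the command from an append to a full overwrite of `/etc/hosts`, so the unchanged lead-in "To append a list of hosts from a list" no longer describes what the command does, and the pre-existing entries (the `::1 localhost` line shown in the context) survive only if the downloaded file carries them. `curl` also runs without `-f`/`--fail`, so an HTTP error page or a truncated transfer would be written over the hosts file. Suggest downloading to a temporary file first, reviewing it, and keeping a backup, e.g. `curl -fsSL "<url>" -o /tmp/hosts`, `sudo cp /etc/hosts /etc/hosts.bak`, `sudo cp /tmp/hosts /etc/hosts`, and changing "append" to "replace" in the prose.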
From: Michael Rash Date: Tue, 2 Oct 2018 20:37:13 -0400 Subject: [PATCH 084/476] add links to Wireguard as an additional VPN option --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2d0dbfda..ee69f753 100755 --- a/README.md +++ b/README.md @@ -1524,7 +1524,7 @@ Also see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) a Unencrypted network traffic is being actively monitored and possibly tampered with. Encrypted traffic still exposes [connection metadata](https://security.stackexchange.com/questions/142833/does-https-encrypt-metadata#142855) and could be used to infer behavior or specific actions. -It is a good idea to use a VPN which outgoing network traffic (*not* **split tunnel**) with a trustworthy provider. [drduh/Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide) is one of many available guides for setting up a personal VPN server. +It is a good idea to use a VPN with outgoing network traffic (*not* **split tunnel**) together with a trustworthy provider. [drduh/Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide) is one of many available guides for setting up a personal VPN server. Don't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you don't understand how the VPN works or are not familiar with the software used, you are probably better off without it. 
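Review bot: In PATCH 084's first hunk, the rewritten sentence is still awkward: "use a VPN with outgoing network traffic (*not* **split tunnel**) together with a trustworthy provider" reads no better than the original. Suggest "route all outgoing network traffic through a VPN (*not* a **split tunnel**) from a trustworthy provider".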
@@ -1538,6 +1538,8 @@ It may be worthwhile to consider the geographical location of the VPN provider. Also see this [technical overview](https://blog.timac.org/2018/0717-macos-vpn-architecture/) of the macOS built-in VPN L2TP/IPSec and IKEv2 client. +Further, it is possible to run the contemporary Linux-based [Wireguard](https://www.wireguard.com/) VPN either [from a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! From 3779b507b0b0cb740e48838dfb9d23a10eb57b75 Mon Sep 17 00:00:00 2001 From: marcus-cr Date: Sat, 6 Oct 2018 19:14:13 -0400 Subject: [PATCH 085/476] Fixed typo / continuity error Removed extra space. Fixed Wi-Fi name for continuity. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ee69f753..3f34f83f 100755 --- a/README.md +++ b/README.md 
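Review bot: In PATCH 084's second hunk, the project spells its name WireGuard, and "contemporary Linux-based" is misleading when the same sentence links cross-platform tools; "the modern [WireGuard](https://www.wireguard.com/) VPN" is enough. Also worth stating that the Linux-VM option routes traffic through a VM on the host, which is a different trust boundary from the native client.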
@@ -359,7 +359,7 @@ When macOS first starts, you'll be greeted by **Setup Assistant**. When creating the first account, use a [strong password](https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) without a hint. -If you enter your real name at the account setup process, be aware that your [computer's name and local hostname](https://support.apple.com/kb/PH18720) will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. +If you enter your real name at the account setup process, be aware that your [computer's name and local hostname](https://support.apple.com/kb/PH18720) will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. Both should be verified and updated as needed in **System Preferences > Sharing** or with the following commands after installation: @@ -1946,7 +1946,7 @@ You may wish to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofi $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') ``` -It is also good to know that macOS will store Wi-FI SSIDs and passwords in NVRAM, because Recovery Mode needs access to restore from the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. (Resetting the SMC will clear some of the NVRAM, but not all.) +It is also good to know that macOS will store Wi-Fi SSIDs and passwords in NVRAM, because Recovery Mode needs access to restore from the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. (Resetting the SMC will clear some of the NVRAM, but not all.) **Note** MAC addresses will reset to hardware defaults on each boot. From 0b562decffda12e515a8efc965ca5cd38574ff18 Mon Sep 17 00:00:00 2001 
From: marcus-cr Date: Sat, 6 Oct 2018 19:15:15 -0400 Subject: [PATCH 086/476] Captive Control config file name The file com.apple.captive.control doesn't exist. Fixed and tested on Mojave. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3f34f83f..39bee35a 100755 --- a/README.md +++ b/README.md @@ -1040,7 +1040,7 @@ When macOS connects to new networks, it **probes** the network and launches a Ca An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser, provided you have first disable any custom dns and/or proxy settings. - $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false + $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false Also see [Apple's secret "wispr" request](https://web.archive.org/web/20171008071031/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html) and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/). From bee7803e707bc9ce10d0039abf5c3992627a436c Mon Sep 17 00:00:00 2001 From: marcus-cr Date: Sat, 6 Oct 2018 19:17:06 -0400 Subject: [PATCH 087/476] Added Tresorit service Tresorit service was added to list. Its' security is superior to SpiderOak One Backup (https://tresorit.com/business/spideroak-alternative). --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 39bee35a..e0255c9f 100755 --- a/README.md 
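Review bot: In PATCH 086, the unchanged context line above the command still has a grammar slip, "provided you have first disable any custom dns and/or proxy settings", which should read "provided you have first disabled any custom DNS and/or proxy settings"; since this paragraph is being touched, fix it in the same commit.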
+++ b/README.md @@ -1928,7 +1928,7 @@ You may also create encrypted volumes using **Disk Utility** or `hdiutil`: $ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+ ``` -Also see the following applications and services: [SpiderOak](https://spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). +Also see the following applications and services: [Tresorit](https://www.tresorit.com), [SpiderOak](https://www.spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). ## Wi-Fi From 2d958cfc1e164ba9598240931b8c1dfd4be959d2 Mon Sep 17 00:00:00 2001 From: TheTunnelix Date: Fri, 12 Oct 2018 09:13:15 -0400 Subject: [PATCH 088/476] Update root trust anchor in preparation for the rollover on the 11th Oct --- README-cn.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README-cn.md b/README-cn.md index fbe6f900..b8219cb7 100755 --- a/README-cn.md +++ b/README-cn.md @@ -719,6 +719,7 @@ log-facility=/var/log/dnsmasq.log # Uncomment to enable DNSSEC #dnssec #trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 +#trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D #dnssec-check-unsigned ``` From c5682a1848e5749b156d73a4576328430a8ee925 Mon Sep 17 00:00:00 2001 From: Joost-Wim Boekesteijn Date: Thu, 1 Nov 2018 16:10:44 +0100 Subject: [PATCH 089/476] add macOS Mojave 10.14.1 hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 4f75e993..0d68589b 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv 
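Review bot: In PATCH 088, adding the key-tag 20326 anchor (KSK-2017) is correct, but leaving the 19036 line (KSK-2010) alongside it invites readers to uncomment both after the rollover, when the old key no longer signs the root zone; a comment marking 19036 as retired, or removing it, would be clearer. The change also only touches README-cn.md; if README.md carries the same dnsmasq block, it needs the same line so the two translations do not diverge.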
@@ -23,3 +23,4 @@ Version,Build,SHA-256,SHA-1 10.13.4,17E199,fd33bb6f8a4132c2ba50808c0e1f92eb05b6c300d38e58287d5d7dec01a4cd65,2c72b22a45ea8f5a80bee91db8aba96dae8310ea 10.13.5,17F77,c4ff5048bafbf7f386cd6cb3b09b58112df607a526874c726d9b0c5ba2e61a4f,216b38acfb234b4e29c2dba41fd76814550b59e2 10.14,18A391,cdf15a36a082af2da1cc3ac913a6facb78894a5311c69d51fdfce706b83d8692,d29afb53d32d350453356d6025c4cbb2fb123985 +10.14.1,18B75,84989fd343e4eeb1013703565eb54f652f2f89d3305fa952d85879d94606619a,635fdcb4a9baee1885825e9067d104d7aa0b9c2f From 0fc1a3c17882d50998b970051a0f18995938a1d8 Mon Sep 17 00:00:00 2001 From: Joost-Wim Boekesteijn Date: Fri, 7 Dec 2018 10:34:55 +0100 Subject: [PATCH 090/476] add Mojave 10.14.2 hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 0d68589b..82b3bc51 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -24,3 +24,4 @@ Version,Build,SHA-256,SHA-1 10.13.5,17F77,c4ff5048bafbf7f386cd6cb3b09b58112df607a526874c726d9b0c5ba2e61a4f,216b38acfb234b4e29c2dba41fd76814550b59e2 10.14,18A391,cdf15a36a082af2da1cc3ac913a6facb78894a5311c69d51fdfce706b83d8692,d29afb53d32d350453356d6025c4cbb2fb123985 10.14.1,18B75,84989fd343e4eeb1013703565eb54f652f2f89d3305fa952d85879d94606619a,635fdcb4a9baee1885825e9067d104d7aa0b9c2f +10.14.2,18C54,25a6c7d467fb72fed170dce786202f24c0120045c358902a19be8d3e106fe1a4,da00f1ccb5e0927ae4550fd8399160cc5f3a9b47 From 3fe3d25512797468ee1908b2dc941bdd272b08d4 Mon Sep 17 00:00:00 2001 From: Jared Ledvina Date: Sun, 23 Dec 2018 11:37:21 -0500 Subject: [PATCH 091/476] #316 - Update Guide for macOS Mojave Signed-off-by: Jared Ledvina --- README.md | 56 +++++++++++++++++++++++++++---------------------------- 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index e0255c9f..e27c20d7 100755 --- a/README.md +++ b/README.md 
@@ -110,7 +110,7 @@ The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us *Packet capture of an unencrypted HTTP conversation during macOS recovery* -An alternative way to install macOS is to first download **macOS High Sierra** from the [App Store](https://itunes.apple.com/us/app/macos-high-sierra/id1246284741) or elsewhere, and create a custom installable system image. +An alternative way to install macOS is to first download **macOS Mojave** from the [App Store](https://itunes.apple.com/us/app/macos-mojave/id1398502828) or elsewhere, and create a custom installable system image. ### Verifying installation integrity 
@@ -119,69 +119,67 @@ The macOS installation application is [code signed](https://developer.apple.com/ Here are two example ways to verify the code signature and integrity of macOS application bundles: ```shell -$ pkgutil --check-signature /Applications/Install\ macOS\ Sierra.app -Package "Install macOS Sierra.app": +$ pkgutil --check-signature /Applications/Install\ macOS\ Mojave.app +Package "Install macOS Mojave": Status: signed by a certificate trusted by Mac OS X Certificate Chain: - 1. Apple Mac OS Application Signing - SHA1 fingerprint: B9 3B DA AA F1 A8 84 6B 34 BA 32 33 26 35 CB 2B 84 85 3D A8 + 1. Software Signing + SHA1 fingerprint: 01 3E 27 87 74 8A 74 10 3D 62 D2 CD BF 77 A1 34 55 17 C4 82 ----------------------------------------------------------------------------- - 2. Apple Worldwide Developer Relations Certification Authority - SHA1 fingerprint: FF 67 97 79 3A 3C D7 98 DC 5B 2A BE F5 6F 73 ED C9 F8 3A 64 + 2. Apple Code Signing Certification Authority + SHA1 fingerprint: 1D 01 00 78 A6 1F 4F A4 69 4A FF 4D B1 AC 26 6C E1 B4 59 46 ----------------------------------------------------------------------------- 3. 
Apple Root CA SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60 - ``` You may also use the `codesign` command to examine an application's code signature: ```shell -$ codesign -dvv /Applications/Install\ macOS\ Sierra.app -Executable=/Applications/Install macOS Sierra.app/Contents/MacOS/InstallAssistant -Identifier=com.apple.InstallAssistant.Sierra +$ codesign -dvv /Applications/Install\ macOS\ Mojave.app +Executable=/Applications/Install macOS Mojave.app/Contents/MacOS/InstallAssistant_springboard +Identifier=com.apple.InstallAssistant.Mojave Format=app bundle with Mach-O thin (x86_64) -CodeDirectory v=20200 size=297 flags=0x200(kill) hashes=5+5 location=embedded -Signature size=4167 -Authority=Apple Mac OS Application Signing -Authority=Apple Worldwide Developer Relations Certification Authority +CodeDirectory v=20100 size=274 flags=0x2000(library-validation) hashes=3+3 location=embedded +Platform identifier=5 +Signature size=4535 +Authority=Software Signing +Authority=Apple Code Signing Certification Authority Authority=Apple Root CA -Info.plist entries=30 -TeamIdentifier=K36BKF7T3D -Sealed Resources version=2 rules=7 files=137 -Internal requirements count=1 size=124 +Info.plist entries=34 +TeamIdentifier=not set +Sealed Resources version=2 rules=13 files=194 +Internal requirements count=1 size=84 ``` ### Creating a bootable USB installer Instead of booting from the network or using target disk mode, a bootable macOS installer can be made with the `createinstallmedia` utility included in `Contents/Resources` folder of the installer application bundle. See [Create a bootable installer for macOS](https://support.apple.com/en-us/HT201372), or run the utility without arguments to see how it works. -**Note** Apple's installer [does not appear to work](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/120) across OS versions. 
If you want to build a 10.12 image, for example, the following steps must be run on macOS verison 10.12! - To create a **bootable USB installer**, mount a USB drive, and erase and partition it, then use the `createinstallmedia` utility: ```shell $ diskutil list -[Find disk matching correct size, usually "disk2"] +[Find disk matching correct size, usually the last disk. i.e. /dev/disk2] $ diskutil unmountDisk /dev/disk2 $ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100% -$ cd /Applications/Install\ macOS\ Sierra.app +$ cd /Applications/Install\ macOS\ Mojave.app -$ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --applicationpath /Applications/Install\ macOS\ Sierra.app --nointeraction -Erasing Disk: 0%... 10%... 20%... 30%... 100%... -Copying installer files to disk... -Copy complete. +$ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction +Erasing disk: 0%... 10%... 20%... 30%... 100% +Copying to disk: 0%... 10%... 20%... 30%... 40%... 50%... 60%... 70%... 80%... 90%... 100% Making disk bootable... Copying boot files... -Copy complete. -Done. +Install media now available at "/Volumes/Install macOS Mojave" ``` ### Creating an install image +**Note** Apple's AutoDMG installer [does not appear to work](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.14 image, for example, the following steps must be run on macOS verison 10.14! + To create a **custom install image** which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac (using a USB-C cable and target disk mode, for example), use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG). #### Manual way From e08b5da7cfeb1d7b60608455f23934a9fe46f23c Mon Sep 17 00:00:00 2001 
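Review bot: In PATCH 091's second hunk, the **Note** moved into the "Creating an install image" section still carries the "verison" typo from the original line; since the line is rewritten anyway, make it "version". In the `diskutil list` bracket, "usually the last disk. i.e. /dev/disk2" should use "e.g." (it is an example, not a restatement), and dropping `--applicationpath` from the `createinstallmedia` call deserves a word in the commit message, since readers on older installers will still need it.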
From: drduh Date: Thu, 17 Jan 2019 17:45:51 -0800 Subject: [PATCH 092/476] Console formatting and add diskutil encryption steps --- README.md | 183 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 105 insertions(+), 78 deletions(-) diff --git a/README.md b/README.md index e27c20d7..5f29aa40 100755 --- a/README.md +++ b/README.md @@ -118,7 +118,7 @@ The macOS installation application is [code signed](https://developer.apple.com/ Here are two example ways to verify the code signature and integrity of macOS application bundles: -```shell +```console $ pkgutil --check-signature /Applications/Install\ macOS\ Mojave.app Package "Install macOS Mojave": Status: signed by a certificate trusted by Mac OS X @@ -135,7 +135,7 @@ Package "Install macOS Mojave": You may also use the `codesign` command to examine an application's code signature: -```shell +```console $ codesign -dvv /Applications/Install\ macOS\ Mojave.app Executable=/Applications/Install macOS Mojave.app/Contents/MacOS/InstallAssistant_springboard Identifier=com.apple.InstallAssistant.Mojave @@ -158,9 +158,9 @@ Instead of booting from the network or using target disk mode, a bootable macOS To create a **bootable USB installer**, mount a USB drive, and erase and partition it, then use the `createinstallmedia` utility: -```shell +```console $ diskutil list -[Find disk matching correct size, usually the last disk. i.e. /dev/disk2] +[Find disk matching correct size, usually the last disk, e.g. /dev/disk2] $ diskutil unmountDisk /dev/disk2 
@@ -190,19 +190,17 @@ You will need to find the file `InstallESD.dmg`, which is also inside installati Locate it in Terminal or with Finder, right click on the application bundle, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg` -Before continuing, [verify](https://support.apple.com/en-us/HT201259) the file's integrity by comparing its cryptographic hashes with either of the following commands: +Before continuing, [verify](https://support.apple.com/en-us/HT201259) the file's integrity by comparing its SHA-256 hash with others found in this repository or elsewhere online. -``` +```console $ shasum -a 256 InstallESD.dmg - -$ openssl sha256 InstallESD.dmg ``` Both results should match a version of macOS in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv). You can also search for hashes to ensure others are seeing the same. To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). Mount and install the operating system to a temporary image: -```shell +```console $ hdiutil attach -mountpoint /tmp/InstallESD ./InstallESD.dmg $ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/macos.sparseimage @@ -219,7 +217,7 @@ The installation will take a while, so be patient. You can use the command `tail Once the installation completes successfully, detach, convert and verify the image: -```shell +```console $ hdiutil detach /tmp/macos "disk4" unmounted. "disk4" ejected. @@ -251,7 +249,7 @@ Optionally, [securely erase](https://www.backblaze.com/blog/securely-erase-mac-s Partition the disk to Journaled HFS+: -``` +```console $ sudo diskutil unmountDisk /dev/disk2 $ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100% 
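Review bot: In the `@@ -190,19` hunk, removing the `openssl sha256` alternative leaves the unchanged line "Both results should match a version of macOS in InstallESD_Hashes.csv" referring to two results when only `shasum -a 256` remains; reword to "The result should match". The rewritten lead-in ("comparing its SHA-256 hash with others found in this repository or elsewhere online") also duplicates the very next sentence ("You can also search for hashes to ensure others are seeing the same"), so one of the two can go.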
@@ -259,7 +257,7 @@ $ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100% Restore the image to the new volume, making sure `/dev/disk2` is the disk being erased: -``` +```console $ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m [...] Erase contents of /dev/disk2s2 (/Volumes/macOS)? [ny]:y @@ -280,14 +278,14 @@ To transfer any files, copy them to a shared folder like `/Users/Shared` on the Download [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg) and verify its integrity: -```shell +```console $ shasum -a 256 RecoveryHDUpdate.dmg f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c RecoveryHDUpdate.dmg ``` Attach and expand the installer, then run it - again ensuring `/Volumes/macOS` path is the newly created partition on the connected disk: -```shell +```console $ hdiutil attach RecoveryHDUpdate.dmg $ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery @@ -329,7 +327,7 @@ From the host Mac, start Apache in the foreground: From the guest VM, install the disk image to the volume over the local network using `asr`: -```shell +```console -bash-3.2# asr restore --source http://172.16.34.1/sierra.dmg --target /Volumes/Macintosh\ HD/ --erase --buffersize 4m Validating target...done Validating source...done @@ -446,7 +444,7 @@ To manually seed entropy *before* enabling FileVault: To test entropy and randomness quality, download and use [`ent`](http://www.fourmilab.ch/random/) with Homebrew, then: -```shell +```console $ dd if=/dev/random of=/tmp/random count=8192 $ ent /tmp/random 
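Review bot: In the `@@ -259,7` hunk (and likewise the `@@ -329,7` hunk), the fence change is fine but the context commands still restore `~/sierra.dmg` and `http://172.16.34.1/sierra.dmg` although the guide was moved to Mojave in the previous commit; a version-neutral name such as `macos.dmg`, matching the `/tmp/macos.sparseimage` created earlier in this section, would stop the example going stale with each release.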
@@ -484,10 +482,12 @@ You may wish to enforce **hibernation** and evict FileVault keys from memory ins If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See [issue #124](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/124) for more information. These settings can be changed with: - $ sudo pmset -a powernap 0 - $ sudo pmset -a standby 0 - $ sudo pmset -a standbydelay 0 - $ sudo pmset -a autopoweroff 0 +```console +$ sudo pmset -a powernap 0 +$ sudo pmset -a standby 0 +$ sudo pmset -a standbydelay 0 +$ sudo pmset -a autopoweroff 0 +``` For more information, see [Best Practices for Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) and paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) @@ -510,13 +510,13 @@ The firmware password will activate at next boot. To validate the password, hold The firmware password can also be managed with the `firmwarepasswd` utility while booted into the OS. For example, to prompt for the firmware password when attempting to boot from a different volume: -``` +```console $ sudo firmwarepasswd -setpasswd -setmode command ``` To verify: -``` +```console $ sudo firmwarepasswd -verify Verifying Firmware Password Enter password: 
@@ -543,19 +543,15 @@ Built-in, basic firewall which blocks **incoming** connections only. This firewa It can be controlled by the **Firewall** tab of **Security & Privacy** in **System Preferences**, or with the following commands. -Enable the firewall with logging: +Enable the firewall with logging and stealth mode: -``` +```console $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on Firewall is enabled. (State = 1) $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on Turning on log mode -``` -You may also wish to enable stealth mode: - -``` $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on Stealth mode enabled ``` @@ -564,7 +560,7 @@ Stealth mode enabled To prevent *built-in software* as well as *code-signed, downloaded software from being whitelisted automatically*: -``` +```console $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off Disabled allow signed built-in applications automatically @@ -578,7 +574,7 @@ Disabled allow signed downloaded applications automatically After interacting with `socketfilterfw`, you may want to restart (or terminate) the process: -``` +```console $ sudo pkill -HUP socketfilterfw ``` @@ -608,7 +604,7 @@ There are many books and articles on the subject of pf firewall. Here's is just Add the following into a file called `pf.rules`, modifying `en0` to be your outbound network adapter: -```shell +``` set block-policy drop set fingerprints "/etc/pf.os" set ruleset-optimization basic @@ -647,7 +643,7 @@ Copy and paste the list of networks returned into the blocklist command: Confirm the addresses were added: -```shell +```console $ sudo pfctl -t blocklist -T show No ALTQ support in kernel ALTQ related functions disabled @@ -658,7 +654,7 @@ ALTQ related functions disabled Confirm network traffic is blocked to those addresses (note that DNS requests will still work): -```shell +```console $ dig a +short facebook.com 157.240.2.35 
@@ -1424,7 +1420,7 @@ See [How to verify signatures for packages](https://www.torproject.org/docs/veri To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with: -```shell +```console $ hdiutil mount TorBrowser-7.0.10-osx64_en-US.dmg $ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications @@ -1432,7 +1428,7 @@ $ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications Verify the Tor application's code signature was made by with The Tor Project's Apple developer ID **MADPSAYN6T**, using the `spctl -a -v` and/or `pkgutil --check-signature` commands: -```shell +```console $ spctl -a -vv /Applications/TorBrowser.app /Applications/TorBrowser.app: accepted source=Developer ID @@ -1454,7 +1450,7 @@ Package "TorBrowser.app": You may also use the `codesign` command to examine an application's code signature: -```shell +```console $ codesign -dvv /Applications/TorBrowser.app Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox Identifier=org.torproject.torbrowser 
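Review bot: In the `@@ -1420,7` hunk, the unchanged lead-in "open the disk image and drag the it into the Applications folder" has a stray "the"; fix it while the block is being re-fenced. The `TorBrowser-7.0.10-osx64_en-US.dmg` filename in the same block is also version-specific and will date quickly.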
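Review bot: In the `@@ -1428,7` hunk, the unchanged lead-in "Verify the Tor application's code signature was made by with The Tor Project's Apple developer ID" has a stray "by"; drop it in the same commit since the block below it is being touched.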
@@ -1920,13 +1916,29 @@ $ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.t $ tar zxvf ~/Desktop/decrypted-backup.tar.gz ``` -You may also create encrypted volumes using **Disk Utility** or `hdiutil`: +You can also create and use encrypted volumes using **Disk Utility** or `hdiutil`: ```shell -$ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+ +$ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 20M -volname "secretStuff" -fs JHFS+ +Enter a new password to secure "encrypted.dmg": +Re-enter new password: +.................................... +Created: /Users/drduh/Desktop/encrypted.img + +$ hdiutil mount ~/Desktop/encrypted.dmg +Enter password to access "encrypted.dmg": +[...] +/Volumes/secretStuff + +$ cp -v ~/Documents/passwords.txt /Volumes/secretStuff +[...] + +$ hdiutil eject /Volumes/secretStuff +"disk4" unmounted. +"disk4" ejected. ``` -Also see the following applications and services: [Tresorit](https://www.tresorit.com), [SpiderOak](https://www.spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). +See also the following applications and services: [Tresorit](https://www.tresorit.com), [SpiderOak](https://www.spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). ## Wi-Fi 
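Review bot: In the `@@ -1916,13` hunk, the transcript is internally inconsistent: the command creates `~/Desktop/encrypted.dmg`, but the captured output says `Created: /Users/drduh/Desktop/encrypted.img`; one of the two is a typo and should match the other. The block also keeps the ```shell fence while the rest of this commit converts `$`-prompt transcripts with output to ```console, so it should be converted too.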
@@ -1936,11 +1948,13 @@ This is a privacy risk, so remove networks from the list in **System Preferences Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) and [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf). -Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` +Saved Wi-Fi information (SSID, last connection, etc.) can be found in: -You may wish to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of the network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: + /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist -```shell +You may want to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of the network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: + +```console $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') ``` @@ -1956,9 +1970,9 @@ Finally, WEP protection on wireless networks is [not secure](http://www.howtogee For outgoing ssh connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. -Here are several recommended [options](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5) to add to `~/.ssh/config`: +Here are several [recommended options](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5) to add to `~/.ssh/config`: -```shell +``` Host * PasswordAuthentication no ChallengeResponseAuthentication no 
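Review bot: In the `@@ -1936,11` hunk, the plist path is moved into an indented code block while everything else in this commit is converted to fenced blocks; use a fence here as well for consistency. Worth a caveat next to the `openssl rand -hex 6` spoofing command: a fully random first octet is odd half the time, which marks the address as a group/multicast address and may be rejected by the driver; clearing bit 0 (and setting bit 1, the locally-administered bit) of the first byte avoids that.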
@@ -1972,7 +1986,7 @@ You can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/20 For example, to use Privoxy on a remote host: -```shell +```console $ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555 $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 @@ -1980,7 +1994,7 @@ $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 Or to use an ssh connection as a [SOCKS proxy](https://www.mikeash.com/ssh_socks.html): -```shell +```console $ ssh -NCD 3000 you@remote-host.tld ``` @@ -1988,7 +2002,7 @@ By default, macOS does **not** have sshd or *Remote Login* enabled. To enable sshd and allow incoming ssh connections: -```shell +```console $ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist ``` @@ -1998,7 +2012,7 @@ If you are going to enable sshd, at least disable password authentication and co To `/etc/sshd_config`, add: -```shell +``` PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no @@ -2006,10 +2020,12 @@ UsePAM no Confirm whether sshd is enabled or disabled: -```shell +```console $ sudo lsof -Pni TCP:22 ``` +See also [drduh/config/ssh_config](https://github.com/drduh/config/ssh_config) and [drduh/config/sshd_config](https://github.com/drduh/config/sshd_config). + ## Physical access Keep your Mac physically secure at all times. Don't leave it unattended in hotels and such. 
@@ -2030,7 +2046,7 @@ macOS has a powerful OpenBSM auditing capability. You can use it to monitor proc To tail audit logs, use the `praudit` utility: -```shell +```console $ sudo praudit -l /dev/auditpipe header,201,11,execve(2),0,Thu Sep 1 12:00:00 2015, + 195 msec,exec arg,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,attribute,100755,root,wheel,16777220,986535,0,subject,drduh,root,wheel,root,wheel,412,100005,50511731,0.0.0.0,return,success,0,trailer,201, header,88,11,connect(2),0,Thu Sep 1 12:00:00 2015, + 238 msec,argument,1,0x5,fd,socket-inet,2,443,173.194.74.104,subject,drduh,root,wheel,root,wheel,326,100005,50331650,0.0.0.0,return,failure : Operation now in progress,4354967105,trailer,88 @@ -2081,7 +2097,7 @@ You can also use [Wireshark](https://www.wireshark.org/) from the command line. Monitor DNS queries and replies: -```shell +```console $ tshark -Y "dns.flags.response == 1" -Tfields \ -e frame.time_delta \ -e dns.qry.name \ @@ -2091,7 +2107,7 @@ $ tshark -Y "dns.flags.response == 1" -Tfields \ Monitor HTTP requests and responses: -```shell +```console $ tshark -Y "http.request or http.response" -Tfields \ -e ip.dst \ -e http.request.full_uri \ @@ -2101,9 +2117,9 @@ $ tshark -Y "http.request or http.response" -Tfields \ -Eseparator=/s ``` -Monitor x509 certificates: +Monitor x509 (SSL/TLS) certificates: -```shell +```console $ tshark -Y "ssl.handshake.certificate" -Tfields \ -e ip.src \ -e x509sat.uTF8String \ @@ -2128,7 +2144,7 @@ Santa uses the [Kernel Authorization API](https://developer.apple.com/library/co To install Santa, visit the [Releases](https://github.com/google/santa/releases) page and download the latest disk image, the mount it and install the contained package: -```shell +```console $ hdiutil mount ~/Downloads/santa-0.9.20.dmg $ sudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt / 
@@ -2138,7 +2154,7 @@ By default, Santa installs in "Monitor" mode (meaning, nothing gets blocked, onl Verify Santa is running and its kernel module is loaded: -```shell +```console $ santactl status >>> Daemon Info Mode | Monitor @@ -2161,29 +2177,37 @@ $ kextstat | grep santa Create a blacklist rule to prevent iTunes from executing: - $ sudo santactl rule --blacklist --path /Applications/iTunes.app/ - Added rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3. +```console +$ sudo santactl rule --blacklist --path /Applications/iTunes.app/ +Added rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3. +``` Try to launch iTunes - it will be blocked. - $ open /Applications/iTunes.app/ - LSOpenURLsWithRole() failed with error -10810 for the file /Applications/iTunes.app. +```console +$ open /Applications/iTunes.app/ +LSOpenURLsWithRole() failed with error -10810 for the file /Applications/iTunes.app. +``` Santa block dialog when attempting to run a blacklisted program To remove the rule: - $ sudo santactl rule --remove --path /Applications/iTunes.app/ - Removed rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3. +```console +$ sudo santactl rule --remove --path /Applications/iTunes.app/ +Removed rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3. +``` Open iTunes: - $ open /Applications/iTunes.app/ - [iTunes will open successfully] +```console +$ open /Applications/iTunes.app/ +[iTunes will open successfully] +``` Create a new, example C program: -```shell +```console $ cat < foo.c > #include > main() { printf("Hello World\n”); } @@ -2192,7 +2216,7 @@ $ cat < foo.c Compile the program with GCC (requires installation of Xcode or command-line tools): -```shell +```console $ gcc -o foo foo.c $ file foo 
@@ -2204,18 +2228,18 @@ foo: code object is not signed at all Run it: -```shell +```console $ ./foo Hello World ``` -Toggle Santa into “Lockdown” mode, which only allows whitelisted binaries to run: +Toggle Santa into "Lockdown" mode, which only allows whitelisted binaries to run: $ sudo defaults write /var/db/santa/config.plist ClientMode -int 2 Try to run the unsigned binary: -```shell +```console $ ./foo bash: ./foo: Operation not permitted @@ -2231,7 +2255,7 @@ Parent: bash (701) To whitelist a specific binary, determine its SHA-256 sum: -```shell +```console $ santactl fileinfo /Users/demouser/foo Path : /Users/demouser/foo SHA-256 : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed @@ -2243,14 +2267,14 @@ Rule : Blacklisted (Unknown) Add a whitelist rule: -```shell +```console $ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed Added rule for SHA-256: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed. ``` Run it: -```shell +```console $ ./foo Hello World ``` @@ -2259,7 +2283,7 @@ It's allowed and works! Applications can also be whitelisted by developer certificate (so that new binary versions will not need to be manually whitelisted on each update). For example, download and run Google Chrome - it will be blocked by Santa in "Lockdown" mode: -```shell +```console $ curl -sO https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg $ hdiutil mount googlechrome.dmg @@ -2272,7 +2296,7 @@ LSOpenURLsWithRole() failed with error -10810 for the file /Applications/Google Whitelist the application by its developer certificate (first item in the Signing Chain): -```shell +```console $ santactl fileinfo /Applications/Google\ Chrome.app/ Path : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome SHA-256 : 0eb08224d427fb1d87d2276d911bbb6c4326ec9f74448a4d9a3cfce0c3413810 
@@ -2311,16 +2335,18 @@ Signing Chain: In this case, `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153` is the SHA-256 of Google’s Apple developer certificate (team ID EQHXZ8M8AV). To whitelist it: -```shell +```console $ sudo santactl rule --whitelist --certificate --sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 Added rule for SHA-256: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153. ``` Google Chrome should now launch, and subsequent updates to the application will continue to work as long as the code signing certificate doesn’t change or expire. -To disable “Lockdown” mode: +To disable "Lockdown" mode: - $ sudo defaults delete /var/db/santa/config.plist ClientMode +```console +$ sudo defaults delete /var/db/santa/config.plist ClientMode +``` See `/var/log/santa.log` to monitor ALLOW and DENY execution decisions. @@ -2340,7 +2366,7 @@ If you want to use **torrents**, use [Transmission](https://www.transmissionbt.c Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended handlers to manage: -```shell +```console $ duti -s com.apple.Safari afp $ duti -s com.apple.Safari ftp @@ -2535,3 +2561,4 @@ export HOME=/Users/blah [How to make macOS Spotlight fuck the fuck off and do your bidding](https://m4.rkw.io/blog/how-to-make-macos-spotlight-fuck-the-fuck-off-and-do-your-bidding.html) [Fuzzing the macOS WindowServer for Exploitable Vulnerabilities](http://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/) + From 49e9a8f3bc9ce5da3fab00f1c4b72c44000b67b3 Mon Sep 17 00:00:00 2001 
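Review bot: In the hdiutil hunk the sample output does not match the command: `hdiutil create ~/Desktop/encrypted.dmg ...` is followed by `Created: /Users/drduh/Desktop/encrypted.img`. Either the transcript was edited by hand or the extension was mistyped; it should read `encrypted.dmg` so a reader comparing their own output is not confused.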
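Review bot: The MAC spoofing command in the Wi-Fi hunk, `sudo ifconfig en0 ether $(openssl rand -hex 6 | sed ...)`, can produce an invalid unicast address: if the low bit of the first octet comes out set, the address is a multicast address and the driver may reject it or behave oddly. Worth a sentence telling the reader to clear that bit (and, ideally, set the locally administered bit, 0x02) in the first octet before applying the address, or to retry if `ifconfig` refuses it.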
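Review bot: The two links added after the `lsof -Pni TCP:22` block, `https://github.com/drduh/config/ssh_config` and `https://github.com/drduh/config/sshd_config`, are missing the `/blob/master/` path segment that every other drduh/config link in this file uses, so they will not resolve on GitHub. While in this region, the unchanged line `To /etc/sshd_config, add:` is worth checking: recent macOS releases read `/etc/ssh/sshd_config`, so edits to `/etc/sshd_config` would silently have no effect.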
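Review bot: Typo in the context line of the Santa install hunk: "download the latest disk image, the mount it and install" should read "then mount it". Since this hunk already touches the block, it is a cheap fix to include.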
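Review bot: The "Create a new, example C program" hunk only changes the fence, but the content it fences is broken: `printf("Hello World\n”)` ends the string with a curly right quote, which will not compile, and `cat < foo.c` reads from foo.c rather than creating it, which suggests the heredoc (something like `cat << EOF > foo.c`) lost its operators. This patch replaces curly quotes elsewhere ("Lockdown"), so the quote here should be straightened too, and the heredoc restored so the block actually produces the file that the following `gcc -o foo foo.c` step compiles.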
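Review bot: Inconsistent fencing in the Lockdown hunk: `$ sudo defaults write /var/db/santa/config.plist ClientMode -int 2` is left as an indented block while its counterpart `$ sudo defaults delete /var/db/santa/config.plist ClientMode` in the later hunk is converted to a ```console fence. Convert the `-int 2` line the same way so the two commands render identically.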
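Review bot: The final hunk (`@@ -2535,3 +2561,4 @@`) only adds an empty line after the last link in the file, which is trailing whitespace rather than content. Drop it so the file ends cleanly after the "Fuzzing the macOS WindowServer" entry.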
From: drduh Date: Thu, 17 Jan 2019 20:38:25 -0800 Subject: [PATCH 093/476] Style and format, consolidate config links --- README.md | 622 +++++++++++++++++++++++++----------------------------- 1 file changed, 284 insertions(+), 338 deletions(-) diff --git a/README.md b/README.md index 5f29aa40..8f9f5637 100755 --- a/README.md +++ b/README.md @@ -133,7 +133,7 @@ Package "Install macOS Mojave": SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60 ``` -You may also use the `codesign` command to examine an application's code signature: +Use the `codesign` command to examine an application's code signature: ```console $ codesign -dvv /Applications/Install\ macOS\ Mojave.app @@ -406,14 +406,14 @@ Accounts can be created and managed in System Preferences. On settled systems, i Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see [issue #179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)): -```shell +```console $ sudo dscl . -delete /Groups/admin GroupMembership $ sudo dscl . -delete /Groups/admin GroupMembers ``` You can find the “GeneratedUID” of an account with: -```shell +```console $ dscl . -read /Users/ GeneratedUID ``` @@ -439,8 +439,10 @@ Additionally, the PRNG can be manually seeded with entropy by writing to /dev/ra To manually seed entropy *before* enabling FileVault: - $ cat > /dev/random - [Type random letters for a long while, then press Control-D] +```console +$ cat > /dev/random +[Type random letters for a long while, then press Control-D] +``` To test entropy and randomness quality, download and use [`ent`](http://www.fourmilab.ch/random/) with Homebrew, then: 
@@ -471,10 +473,12 @@ If you can remember your password, there's no reason to save the **recovery key* To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see [IEEE Std 1619-2007 “The XTS-AES Tweakable Block Cipher”](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) (pdf). -You may wish to enforce **hibernation** and evict FileVault keys from memory instead of traditional sleep to memory: +**Optional** Enforce **hibernation** and evict FileVault keys from memory instead of traditional sleep to memory: - $ sudo pmset -a destroyfvkeyonstandby 1 - $ sudo pmset -a hibernatemode 25 +```console +$ sudo pmset -a destroyfvkeyonstandby 1 +$ sudo pmset -a hibernatemode 25 +``` > All computers have firmware of some type—EFI, BIOS—to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For example, the FileVault key is stored in EFI to transparently come out of standby mode. @@ -572,7 +576,7 @@ Disabled allow signed downloaded applications automatically > If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose "Allow", macOS signs the application and automatically adds it to the firewall list. If you choose "Deny", macOS adds it to the list but denies incoming connections intended for this app. -After interacting with `socketfilterfw`, you may want to restart (or terminate) the process: +After interacting with `socketfilterfw`, restart the process by sending a line hangup signal: ```console $ sudo pkill -HUP socketfilterfw 
@@ -675,13 +679,11 @@ IP 192.168.1.1.162771 > 157.240.2.35.80: tcp 0 Outgoing TCP SYN packets are blocked, so a TCP connection is not established and thus a Web site is effectively blocked at the IP layer. -To use pf to audit "phone home" behavior of user and system-level processes, see [fix-macosx/net-monitor](https://github.com/fix-macosx/net-monitor). +To use pf to audit "phone home" behavior of user and system-level processes, see [fix-macosx/net-monitor](https://github.com/fix-macosx/net-monitor). See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/master/scripts/pf-blocklist.sh) for more inspiration. ## Services -Before you connect to the Internet, you may wish to disable some system services, which use up resources or phone home to Apple. - -**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or turn them off from Recovery Mode. +**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or disable services from Recovery Mode. See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) and [karek314/macOS-home-call-drop](https://github.com/karek314/macOS-home-call-drop) for further recommendations. 
@@ -742,7 +744,7 @@ Disable **Spotlight Suggestions** in both the Spotlight preferences and Safari's Also disable **Bing Web Searches** in the Spotlight preferences to avoid your search queries being sent to Microsoft. -See [fix-macosx.com](https://fix-macosx.com/) for detailed instructions. +See [fix-macosx.com](https://web.archive.org/web/20180817061520/https://fix-macosx.com/) for detailed instructions. > If you've upgraded to OS X 10.10 "Yosemite" and you're using the default settings, each time you start typing in Spotlight (to open an application or search for a file on your computer), your local search terms and location are sent to Apple and third parties (including Microsoft). @@ -762,7 +764,7 @@ To [install Homebrew](https://github.com/Homebrew/brew/blob/master/docs/Installa Edit `PATH` in your shell or shell rc file to use `~/homebrew/bin` and `~/homebrew/sbin`. For example, `echo 'PATH=$PATH:~/homebrew/sbin:~/homebrew/bin' >> .zshrc`, then change your login shell to Z shell with `chsh -s /bin/zsh`, open a new Terminal window and run `brew update`. -Homebrew uses SSL/TLS to talk with GitHub and verifies checksums of downloaded packages, so it's [fairly secure](https://github.com/Homebrew/homebrew/issues/18036). +Homebrew uses SSL/TLS to talk with GitHub and verifies integrity of downloaded packages, so it's [fairly secure](https://github.com/Homebrew/homebrew/issues/18036). Remember to periodically run `brew update` and `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its recipe online. 
@@ -780,7 +782,12 @@ Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known Edit the hosts file as root, for example with `sudo vi /etc/hosts`. The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask). -To block a domain, append `0 example.com` or `0.0.0.0 example.com` or `127.0.0.1 example.com` to `/etc/hosts` +To block a domain `A` record, append one of the following lines to `/etc/hosts`: +``` +0 example.com +0.0.0.0 example.com +127.0.0.1 example.com +``` **Note** IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](https://someonewhocares.org/hosts/ipv6/). @@ -790,7 +797,7 @@ For hosts lists, see [someonewhocares.org](https://someonewhocares.org/hosts/zer To append a list of hosts from a list, use the `tee` command, then confirm by editing `/etc/hosts` or counting the number of lines in it: -```shell +```console $ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo tee /etc/hosts $ wc -l /etc/hosts @@ -814,13 +821,13 @@ A GUI application is only available for the discontinued version 1 of `dnscrypt- Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: -```shell +```console $ brew install dnscrypt-proxy ``` If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-proxy.plist` by running -```shell +```console $ brew info dnscrypt-proxy ``` @@ -828,13 +835,13 @@ which will show a location like `/usr/local/Cellar/dnscrypt-proxy/2.0.8`, and `h Edit it to have the line: -```shell +``` --local-address=127.0.0.1:5355 ``` Below the line: -```shell +``` /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy ``` 
@@ -844,22 +851,24 @@ Below the line: This can also be done using Homebrew, by installing `gnu-sed` and using the `gsed` command: -```shell +```console $ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a--local-address=127.0.0.1:5355<\\/string>\n" $(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist) ``` By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. This can be fixed by changing the resolvers file in `homebrew.mxcl.dnscrypt-proxy.plist` (found earlier using find) to the symlinked version in `/usr/local/share`: -```shell +```console --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv ``` Below the line: + ```shell /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy ``` Start DNSCrypt: -```shell + +```console $ sudo brew services restart dnscrypt-proxy ``` @@ -884,7 +893,7 @@ You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper Confirm outgoing DNS traffic is encrypted: -```shell +```console $ sudo tcpdump -qtni en0 IP 10.8.8.8.59636 > 107.181.168.52: UDP, length 512 IP 107.181.168.52 > 10.8.8.8.59636: UDP, length 368 
@@ -916,91 +925,41 @@ If you don't wish to use DNSCrypt, you should at least use DNS [not provided](ht Install Dnsmasq (DNSSEC is optional): -```shell +```console $ brew install dnsmasq --with-dnssec ``` -Edit the default configuration: +Download [drduh/config/dnsmasq.conf](https://github.com/drduh/config/blob/master/dnsmasq.conf): -```shell -$ vim homebrew/etc/dnsmasq.conf ``` - -Examine all the options. Here are several [recommended settings](https://github.com/drduh/config/blob/master/dnsmasq.conf) to enable: - -```shell -# Forward queries to DNSCrypt on localhost port 5355 -server=127.0.0.1#5355 - -# Uncomment to forward queries to Google Public DNS, if DNSCrypt is not used -# You may also use your own DNS server or other public DNS server you trust -#server=8.8.8.8 -#server=8.8.4.4 - -# Never forward plain (local) names -domain-needed - -# Examples of blocking TLDs or subdomains -#address=/.onion/0.0.0.0 -#address=/.local/0.0.0.0 -#address=/.mycoolnetwork/0.0.0.0 -#address=/.facebook.com/0.0.0.0 -#address=/.push.apple.com/0.0.0.0 - -# Never forward addresses in the non-routed address spaces -bogus-priv - -# Reject private addresses from upstream nameservers -stop-dns-rebind - -# Query servers in order -strict-order - -# Set the size of the cache -# The default is to keep 150 hostnames -cache-size=8192 - -# Optional logging directives -log-async -log-dhcp -log-facility=/var/log/dnsmasq.log - -# Log all queries -#log-queries - -# Path to list of additional hosts -#addn-hosts=/etc/blacklist - -# Enable DNSSEC (see https://www.iana.org/dnssec/files) -#dnssec -#trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 -#trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D -#dnssec-check-unsigned +$ curl -o homebrew/etc/dnsmasq.conf https://raw.githubusercontent.com/drduh/config/master/dnsmasq.conf ``` +Edit the file and examine all the options. 
To block entire levels of domains, append [drduh/config/domains](https://github.com/drduh/config/tree/master/domains) or your own rules. + Install and start the program (sudo is required to bind to [privileged port](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only) 53): -```shell +```console $ sudo brew services start dnsmasq ``` To set Dnsmasq as your local DNS server, open **System Preferences** > **Network** and select the active interface, then the **DNS** tab, select **+** and add `127.0.0.1`, or use: -```shell +```console $ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 ``` Make sure Dnsmasq is correctly configured: -```shell -$ scutil --dns +```console +$ scutil --dns | head DNS configuration resolver #1 search domain[0] : whatever nameserver[0] : 127.0.0.1 flags : Request A records, Request AAAA records - reach : Reachable, Local Address, Directly Reachable Address + reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address) $ networksetup -getdnsservers "Wi-Fi" 127.0.0.1 
@@ -1010,43 +969,44 @@ $ networksetup -getdnsservers "Wi-Fi" ##### Test DNSSEC validation -Test DNSSEC validation succeeds for signed zones: - - $ dig +dnssec icann.org - -Reply should have `NOERROR` status and contain `ad` flag. For instance, - - ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039 - ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 +Test DNSSEC validation succeeds for signed zones - the reply should have `NOERROR` status and contain `ad` flag: -Test DNSSEC validation fails for zones that are signed improperly: - - $ dig www.dnssec-failed.org +```console +$ dig +dnssec icann.org +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039 +;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 +``` -Reply should have `SERVFAIL` status. For instance, +Test DNSSEC validation fails for zones that are signed improperly - the reply should have `SERVFAIL` status: - ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190 - ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 +```console +$ dig www.dnssec-failed.org +;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190 +;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 +``` ## Captive portal -When macOS connects to new networks, it **probes** the network and launches a Captive Portal assistant utility if connectivity can't be determined. +When macOS connects to new networks, it checks for Internet connectivity and may launch a Captive Portal assistant utility application. -An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser, provided you have first disable any custom dns and/or proxy settings. 
+An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser by navigating to a non-secure HTTP page and accepting a redirect to the captive portal login interface (after disabling any custom proxy or DNS settings). - $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false +```console +$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false +``` Also see [Apple's secret "wispr" request](https://web.archive.org/web/20171008071031/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html) and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/). + ## Certificate authorities macOS comes with [over 200](https://support.apple.com/en-us/HT202858) root authority certificates installed from for-profit corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing SSL/TLS certificates for any domain, code signing certificates, etc. For more information, see [Certification Authority Trust Tracker](https://github.com/kirei/catt), [Analysis of the HTTPS certificate ecosystem](https://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf) (pdf), and [You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores](https://www.ifca.ai/fc14/papers/fc14_submission_100.pdf) (pdf). 
-You can inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. +Inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. -You can disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window: +Disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window: A certificate authority certificate @@ -1062,7 +1022,7 @@ If you're going to use OpenSSL on your Mac, download and install a recent versio Compare the TLS protocol and cipher between the homebrew version and the system version of OpenSSL: -```shell +```console $ ~/homebrew/bin/openssl version; echo | ~/homebrew/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session OpenSSL 1.0.2j 26 Sep 2016 SSL-Session: @@ -1084,18 +1044,10 @@ The version of Curl which comes with macOS uses [Secure Transport](https://devel If you prefer to use OpenSSL, install with `brew install curl --with-openssl` and ensure it's the default with `brew link --force curl` -Here are several recommended [options](https://curl.haxx.se/docs/manpage.html) to add to `~/.curlrc` (see `man curl` for more): +Download [drduh/config/curlrc](https://github.com/drduh/config/blob/master/curlrc) or see the [man page](https://curl.haxx.se/docs/manpage.html): -```shell -user-agent = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" -referer = ";auto" -connect-timeout = 10 -progress-bar -max-time = 90 -verbose -show-error -remote-time -ipv4 +```console +$ curl -o ~/.curlrc https://raw.githubusercontent.com/drduh/config/master/curlrc ``` ## Web 
@@ -1109,29 +1061,30 @@ Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter We A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/OSX/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. Alternatively, install and start privoxy using Homebrew: -```shell + +```console $ brew install privoxy $ brew services start privoxy ``` -By default, privoxy listens on local TCP port 8118. +By default, privoxy listens on localhost, TCP port 8118. Set the system **HTTP** proxy for your active network interface `127.0.0.1` and `8118` (This can be done through **System Preferences > Network > Advanced > Proxies**): -```shell +```console $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118 ``` **(Optional)** Set the system **HTTPS** proxy, which still allows for domain name filtering, with: -```shell +```console $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118 ``` Confirm the proxy is set: -```shell +```console $ scutil --proxy { ExceptionsList : { @@ -1147,7 +1100,7 @@ $ scutil --proxy Visit in a browser, or with Curl: -```shell +```console $ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/ HTTP/1.1 200 OK Content-Length: 2401 
@@ -1157,35 +1110,19 @@ Cache-Control: no-cache Privoxy already comes with many good rules, however you can also write your own. -Edit `~/homebrew/etc/privoxy/user.action` to filter elements by domain or with regular expressions. - -Here are some examples: - -```shell -{ +block{social networking} } -www.facebook.com/(extern|plugins)/(login_status|like(box)?|activity|fan)\.php -.facebook.com +Download [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) to get started: -{ +block{unwanted images} +handle-as-image } -.com/ads/ -/.*1x1.gif -/.*fb-icon.[jpg|gif|png] -/assets/social-.* -/cleardot.gif -/img/social.* -ads.*.co.*/ -ads.*.com/ +```console +$ curl -o homebrew/etc/privoxy/config https://raw.githubusercontent.com/drduh/config/master/privoxy/config -{ +redirect{s@http://@https://@} } -.google.com -.wikipedia.org -code.jquery.com -imgur.com +$ curl -o homebrew/etc/privoxy/user.action https://raw.githubusercontent.com/drduh/config/master/privoxy/user.action ``` -Verify Privoxy is blocking and redirecting: +Restart Privoxy: and verify it's blocking and redirecting traffic: + +```console +$ sudo brew services restart privoxy -```shell $ ALL_PROXY=127.0.0.1:8118 curl ads.foo.com/ -IL HTTP/1.1 403 Request blocked by Privoxy Content-Type: image/gif 
@@ -1301,7 +1238,7 @@ All Web Browsers retain certain information about our browsing habits. That info Since Web browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browser's user agent. Those include information such as the operating system, Web sites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). -To hinder third party trackers, it is recommended to disable third-party cookies from your Web browser settings. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. +To hinder third party trackers, it is recommended to **disable third-party cookies** in Web browser settings. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. 
Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). Disabling WebRTC in Safari is only possible with a [system hack](https://github.com/JayBrown/Disable-and-toggle-WebRTC-in-macOS-Safari). 
@@ -1325,29 +1262,13 @@ Install from Homebrew with `brew install gnupg`. If you prefer a graphical application, download and install [GPG Suite](https://gpgtools.org/). -Below are several recommended options to add to `~/.gnupg/gpg.conf` - these settings will configure GnuPG to use SSL when fetching new keys and prefer strong cryptographic primitives. Also see [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf): +Download [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) to use recommended settings: -```shell -auto-key-locate keyserver -keyserver hkps://hkps.pool.sks-keyservers.net -keyserver-options no-honor-keyserver-url -personal-cipher-preferences AES256 AES192 AES CAST5 -personal-digest-preferences SHA512 SHA384 SHA256 SHA224 -default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed -cert-digest-algo SHA512 -s2k-digest-algo SHA512 -s2k-cipher-algo AES256 -charset utf-8 -fixed-list-mode -no-comments -no-emit-version -keyid-format 0xlong -list-options show-uid-validity -verify-options show-uid-validity -with-fingerprint -``` - -If you don't already have a keypair, create one using `gpg --gen-key`. Also see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to secure store the private key on hardware. +```console +$ curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf +``` + +See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely generate and store GPG keys. Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and [practice](https://help.riseup.net/en/security/message-security/openpgp/best-practices) encrypting and decrypting email to yourself and your friends. Get them interested in this stuff! 
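Review bot: In the gpg.conf hunk (@@ -1325), `curl -o ~/.gnupg/gpg.conf ...` silently overwrites an existing `~/.gnupg/gpg.conf` and fails outright when `~/.gnupg` does not exist yet, because curl does not create directories; suggest a preceding `mkdir -p ~/.gnupg` and a note to back up any existing file. The hunk also drops the one-line explanation that these settings make GnuPG fetch keys over hkps and prefer strong cipher and digest preferences; keeping that sentence tells readers what the downloaded file changes, and removing the `gpg --gen-key` pointer leaves no instruction for creating a keypair outside the YubiKey-Guide path.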
@@ -1361,7 +1282,7 @@ The first time you start a conversation with someone new, you'll be asked to ver A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). -```shell +```console $ shasum -a 256 Adium_1.5.10.4.dmg 31fa3fd32b86dd3381b60e0d5aafbc2a9452036f0fb4963bffbc2a6c64a9458b Adium_1.5.10.4.dmg ``` @@ -1384,17 +1305,15 @@ Do **not** attempt to configure other browsers or applications to use Tor as you Download both the `dmg` and `asc` signature files, then verify the disk image has been signed by Tor developers: -```shell +```console $ cd ~/Downloads $ file Tor* -TorBrowser-7.0.10-osx64_en-US.dmg: bzip2 compressed data, block size = 900k -TorBrowser-7.0.10-osx64_en-US.dmg.asc: PGP signature Signature (old) +TorBrowser-8.0.4-osx64_en-US.dmg: bzip2 compressed data, block size = 900k +TorBrowser-8.0.4-osx64_en-US.dmg.asc: PGP signature Signature (old) $ gpg Tor*asc -gpg: assuming signed data in 'TorBrowser-7.0.10-osx64_en-US.dmg' -gpg: Signature made Thu Nov 9 08:58:11 2017 PST -gpg: using RSA key 0xD1483FA6C3C07136 +[...] gpg: Can't check signature: No public key $ gpg --recv 0x4E2C6E8793298290 
@@ -1404,14 +1323,14 @@ gpg: Total number processed: 1 gpg: imported: 1 $ gpg --verify Tor*asc -gpg: assuming signed data in 'TorBrowser-7.0.10-osx64_en-US.dmg' -gpg: Signature made Thu Nov 9 08:58:11 2017 PST -gpg: using RSA key 0xD1483FA6C3C07136 +gpg: assuming signed data in 'TorBrowser-8.0.4-osx64_en-US.dmg' +gpg: Signature made Mon Dec 10 07:16:22 2018 PST +gpg: using RSA key 0xEB774491D9FF06E2 gpg: Good signature from "Tor Browser Developers (signing key) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 - Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136 + Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2 ``` Make sure `Good signature from "Tor Browser Developers (signing key) "` appears in the output. The warning about the key not being certified is benign, as it has not yet been manually assigned trust. 
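Review bot: In the Tor Browser verification hunk (@@ -1404), telling the reader only to look for `Good signature from "Tor Browser Developers (signing key) "` is an incomplete check: that line shows the file matches whichever key `gpg --recv` fetched, not that the key belongs to the Tor Project. The prose should also direct the reader to compare the displayed `Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290` against the fingerprint published by the Tor Project; the `[unknown]` trust marker and the "not certified" warning the text calls benign are exactly why that comparison is the real step.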
@@ -1421,21 +1340,22 @@ See [How to verify signatures for packages](https://www.torproject.org/docs/veri To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with: ```console -$ hdiutil mount TorBrowser-7.0.10-osx64_en-US.dmg +$ hdiutil mount TorBrowser-8.0.4-osx64_en-US.dmg + +$ cp -r /Volumes/Tor\ Browser/Tor\ Browser.app/ ~/Applications/ -$ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications ``` Verify the Tor application's code signature was made by with The Tor Project's Apple developer ID **MADPSAYN6T**, using the `spctl -a -v` and/or `pkgutil --check-signature` commands: ```console -$ spctl -a -vv /Applications/TorBrowser.app -/Applications/TorBrowser.app: accepted +$ spctl -a -vv ~/Applications/Tor\ Browser.app +/Users/drduh/Applications/Tor Browser.app: accepted source=Developer ID origin=Developer ID Application: The Tor Project, Inc (MADPSAYN6T) -$ pkgutil --check-signature /Applications/TorBrowser.app -Package "TorBrowser.app": +$ pkgutil --check-signature ~/Applications/Tor\ Browser.app +Package "Tor Browser.app": Status: signed by a certificate trusted by Mac OS X Certificate Chain: 1. Developer ID Application: The Tor Project, Inc (MADPSAYN6T) 
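Review bot: In the install hunk (@@ -1421), the added `cp -r /Volumes/Tor\ Browser/Tor\ Browser.app/ ~/Applications/` ends the source in a slash; with macOS cp, a source directory ending in `/` has its contents copied rather than the directory itself, so `Contents/` lands directly in `~/Applications` and no `Tor Browser.app` bundle is created, which breaks the following `spctl -a -vv ~/Applications/Tor\ Browser.app` and `pkgutil --check-signature` checks. Drop the trailing slash (`cp -r "/Volumes/Tor Browser/Tor Browser.app" ~/Applications/`) and, since `~/Applications` does not exist on a fresh account, add `mkdir -p ~/Applications` first. Minor: an extra blank line is left before the closing fence, the context still reads "drag the it into the Applications folder" and "was made by with The Tor Project's", and the prose names `spctl -a -v` while the example runs `-vv`.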
@@ -1448,31 +1368,31 @@ Package "TorBrowser.app": SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60 ``` -You may also use the `codesign` command to examine an application's code signature: +You can also use the `codesign` command to examine an application's code signature: ```console -$ codesign -dvv /Applications/TorBrowser.app -Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox +$ codesign -dvv ~/Applications/Tor\ Browser.app +Executable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox Identifier=org.torproject.torbrowser Format=app bundle with Mach-O thin (x86_64) -CodeDirectory v=20200 size=249 flags=0x0(none) hashes=5+3 location=embedded +CodeDirectory v=20200 size=229 flags=0x0(none) hashes=4+3 location=embedded Library validation warning=OS X SDK version before 10.9 does not support Library Validation Signature size=4247 Authority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T) Authority=Developer ID Certification Authority Authority=Apple Root CA -Signed Time=Nov 9, 2017, 12:47:58 AM -Info.plist entries=22 +Signed Time=Dec 10, 2018 at 12:18:45 AM +Info.plist entries=24 TeamIdentifier=MADPSAYN6T -Sealed Resources version=2 rules=12 files=130 +Sealed Resources version=2 rules=12 files=128 Internal requirements count=1 size=188 ``` -To view full certificate details, extract them with `codesign` and decode it with `openssl`: +To view full certificate details for a signed application, extract them with `codesign` and decode it with `openssl`: -```shell -$ codesign -d --extract-certificates /Applications/TorBrowser.app -Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox +```console +$ codesign -d --extract-certificates ~/Applications/Tor\ Browser.app +Executable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox $ file codesign* codesign0: data 
@@ -1494,7 +1414,7 @@ SHA256 Fingerprint=B5:0D:47:F0:3E:CB:42:B6:68:1C:6F:38:06:2B:C2:9F:41:FA:D6:54:F Tor traffic is **encrypted** to the [exit node](https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Exit_node_eavesdropping) (i.e., cannot be read by a passive network eavesdropper), but Tor use **can** be identified - for example, TLS handshake "hostnames" will show up in plaintext: -```shell +```console $ sudo tcpdump -An "tcp" | grep "www" listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes .............". ...www.odezz26nvv7jeqz1xghzs.com......... 
@@ -1548,7 +1468,7 @@ You could periodically run a tool like [Knock Knock](https://github.com/synack/k See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). -Therefore, the best anti-virus is **Common Sense 2018**. See more discussion in [issue #44](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/44). +Therefore, the best anti-virus is **Common Sense 2019**. See discussion in [issue #44](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/44). CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on macOS is questionable. It's core feature is an algorithm derived from a machine-learning process which aims to identify malware based on various characteristics of a binary executable. Cylance have a [whitepaper](https://www.cylance.com/content/dam/cylance/pdfs/data_sheets/CylancePROTECT.pdf) (pdf) with information about how it works. 
Single licenses are available from third party resellers such as [Cyberforce](https://cybrforce.com) or [Malware Managed](https://www.malwaremanaged.com) and there is also a home/personal edition in the works but it is currently only available for companies to make available to their employees. On macOS it complements Apple's built-in XProtect by continuously vmmap'ing the memory of active processes to watch for patterns that indicate bad things happening. @@ -1584,15 +1504,17 @@ See also [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafem **Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. To examine the file, simply use `strings` or the following command: -```shell -$ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 +```console +$ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, ' \ + 'LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | \ + sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 ``` See [here](https://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/) for more information. To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and [make it immutable](http://hints.macworld.com/article.php?story=20031017061722471): -```shell +```console $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 
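Review bot: In the anti-virus hunk (@@ -1548), the paragraph immediately after the changed "Common Sense 2019" line still reads "it's effectiveness" and "It's core feature"; both should be the possessive "its", and since the hunk already touches this passage the fix is cheap to fold in.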
@@ -1602,18 +1524,18 @@ $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEve macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: -```shell -$ ls -l@ ~/Downloads/TorBrowser-6.0.8-osx64_en-US.dmg --rw-r--r--@ 1 drduh staff 59322237 Dec 1 12:00 TorBrowser-6.0.8-osx64_en-US.dmg -com.apple.metadata:kMDItemWhereFroms 186 -com.apple.quarantine 68 - -$ mdls ~/Downloads/TorBrowser-6.0.8-osx64_en-US.dmg -_kMDItemOwnerUserID = 501 -kMDItemContentCreationDate = 2016-12-01 12:00:00 +0000 -kMDItemContentModificationDate = 2016-12-01 12:00:00 +0000 -kMDItemContentType = "com.apple.disk-image-udif" -kMDItemContentTypeTree = ( +```console +$ ls -l@ ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg +-rw-r--r--@ 1 drduh staff 63M Jan 1 12:00 TorBrowser-8.0.4-osx64_en-US.dmg + com.apple.metadata:kMDItemWhereFroms 46B + com.apple.quarantine 57B + +$ mdls ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg +kMDItemContentCreationDate = 2019-01-01 00:00:00 +0000 +kMDItemContentCreationDate_Ranking = 2019-01-01 00:00:00 +0000 +kMDItemContentModificationDate = 2019-01-01 00:00:00 +0000 +kMDItemContentType = "com.apple.disk-image-udif" +kMDItemContentTypeTree = ( "public.archive", "public.item", "public.data", 
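Review bot: In the download-metadata hunk (@@ -1602), the new sample output `-rw-r--r--@ 1 drduh staff 63M Jan 1 12:00 ...` with `46B`/`57B` attribute sizes is what `ls` prints with `-h`, but the command shown is `ls -l@`, which prints sizes in bytes (the removed output correctly showed `59322237`); either change the command to `ls -l@h` or show byte counts so readers can reproduce what they see.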
@@ -1621,58 +1543,49 @@ kMDItemContentTypeTree = ( "com.apple.disk-image", "com.apple.disk-image-udif" ) -kMDItemDateAdded = 2016-12-01 12:00:00 +0000 -kMDItemDisplayName = "TorBrowser-6.0.8-osx64_en-US.dmg" -kMDItemFSContentChangeDate = 2016-12-01 12:00:00 +0000 -kMDItemFSCreationDate = 2016-12-01 12:00:00 +0000 -kMDItemFSCreatorCode = "" -kMDItemFSFinderFlags = 0 -kMDItemFSHasCustomIcon = (null) -kMDItemFSInvisible = 0 -kMDItemFSIsExtensionHidden = 0 -kMDItemFSIsStationery = (null) -kMDItemFSLabel = 0 -kMDItemFSName = "TorBrowser-6.0.8-osx64_en-US.dmg" -kMDItemFSNodeCount = (null) -kMDItemFSOwnerGroupID = 5000 -kMDItemFSOwnerUserID = 501 -kMDItemFSSize = 60273898 -kMDItemFSTypeCode = "" -kMDItemKind = "Disk Image" -kMDItemLogicalSize = 60273898 -kMDItemPhysicalSize = 60276736 -kMDItemWhereFroms = ( - "https://dist.torproject.org/torbrowser/6.0.8/TorBrowser-6.0.8-osx64_en-US.dmg", +kMDItemDateAdded = 2019-01-01 00:00:00 +0000 +kMDItemDateAdded_Ranking = 2019-01-01 00:00:00 +0000 +kMDItemDisplayName = "TorBrowser-8.0.4-osx64_en-US.dmg" +kMDItemFSContentChangeDate = 2019-01-01 00:00:00 +0000 +kMDItemFSCreationDate = 2019-01-01 00:00:00 +0000 +kMDItemFSCreatorCode = "" +kMDItemFSFinderFlags = 0 +kMDItemFSHasCustomIcon = (null) +kMDItemFSInvisible = 0 +kMDItemFSIsExtensionHidden = 0 +kMDItemFSIsStationery = (null) +kMDItemFSLabel = 0 +kMDItemFSName = "TorBrowser-8.0.4-osx64_en-US.dmg" +kMDItemFSNodeCount = (null) +kMDItemFSOwnerGroupID = 5000 +kMDItemFSOwnerUserID = 501 +kMDItemFSSize = 65840402 +kMDItemFSTypeCode = "" +kMDItemInterestingDate_Ranking = 2019-01-01 00:00:00 +0000 +kMDItemKind = "Disk Image" +kMDItemWhereFroms = ( + "https://dist.torproject.org/torbrowser/8.0.4/TorBrowser-8.0.4-osx64_en-US.dmg", "https://www.torproject.org/projects/torbrowser.html.en" ) -$ xattr -l TorBrowser-6.0.8-osx64_en-US.dmg +$ xattr -l ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg com.apple.metadata:kMDItemWhereFroms: 00000000  62 70 6C 69 73 74 30 30 A2 01 02 5F 10 4D 68 74  
|bplist00..._.Mht| 00000010  74 70 73 3A 2F 2F 64 69 73 74 2E 74 6F 72 70 72  |tps://dist.torpr| 00000020  6F 6A 65 63 74 2E 6F 72 67 2F 74 6F 72 62 72 6F  |oject.org/torbro| -00000030  77 73 65 72 2F 36 2E 30 2E 38 2F 54 6F 72 42 72  |wser/6.0.8/TorBr| -00000040  6F 77 73 65 72 2D 36 2E 30 2E 38 2D 6F 73 78 36  |owser-6.0.8-osx6| -00000050  34 5F 65 6E 2D 55 53 2E 64 6D 67 5F 10 36 68 74  |4_en-US.dmg_.6ht| -00000060  74 70 73 3A 2F 2F 77 77 77 2E 74 6F 72 70 72 6F  |tps://www.torpro| -00000070  6A 65 63 74 2E 6F 72 67 2F 70 72 6F 6A 65 63 74  |ject.org/project| -00000080  73 2F 74 6F 72 62 72 6F 77 73 65 72 2E 68 74 6D  |s/torbrowser.htm| -00000090  6C 2E 65 6E 08 0B 5B 00 00 00 00 00 00 01 01 00  |l.en..[.........| -000000A0  00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00  |................| -000000B0  00 00 00 00 00 00 94                             |.......| -000000b7 +[...] com.apple.quarantine: 0081;58519ffa;Google Chrome.app;1F032CAB-F5A1-4D92-84EB-CBECA971B7BC ``` Metadata attributes can also be removed with the `-d` flag: -```shell -$ xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg +```console +$ xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg -$ xattr -d com.apple.quarantine ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg +$ xattr -d com.apple.quarantine ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg -$ xattr -l ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg -[No output after removal.] +$ xattr -l ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg +[No output expected] ``` Other metadata and artifacts may be found in the directories including, but not limited to, `~/Library/Preferences/`, `~/Library/Containers//Data/Library/Preferences`, `/Library/Preferences`, some of which is detailed below. 
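Review bot: In the xattr hunk (@@ -1621), the `xattr -d com.apple.quarantine ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg` example needs one sentence of caveat: the quarantine attribute is what triggers Gatekeeper's assessment when a downloaded app is first opened, so stripping it for privacy reasons also skips that check for the file, and the guide's own advice to verify the PGP signature and code signature first should be restated here. The retained `com.apple.quarantine: 0081;58519ffa;Google Chrome.app;...` line is a good illustration of what the attribute records (downloading application and a UUID) and deserves a sentence of its own.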
@@ -1681,48 +1594,48 @@ Other metadata and artifacts may be found in the directories including, but not `/Library/Preferences/com.apple.Bluetooth.plist` contains Bluetooth metadata, including device history. If Bluetooth is not used, the metadata can be cleared with: -```shell -sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache -sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices -sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices -sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces -sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices +```console +$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache +$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices +$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices +$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces +$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices ``` `/var/spool/cups` contains the CUPS printer job cache. 
To clear it, use the commands: -```shell -sudo rm -rfv /var/spool/cups/c0* -sudo rm -rfv /var/spool/cups/tmp/* -sudo rm -rfv /var/spool/cups/cache/job.cache* +```console +$ sudo rm -rfv /var/spool/cups/c0* +$ sudo rm -rfv /var/spool/cups/tmp/* +$ sudo rm -rfv /var/spool/cups/cache/job.cache* ``` To clear the list of iOS devices connected, use: -```shell -sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" -sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices -sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" -sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices -sudo rm -rfv /var/db/lockdown/* +```console +$ sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" +$ sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices +$ sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" +$ sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices +$ sudo rm -rfv /var/db/lockdown/* ``` QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. 
Disable the thumbnail cache with `qlmanage -r disablecache` It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: -```shell -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason -rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data +```console +$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive +$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite +$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm +$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal +$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason +$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data ``` Similarly, for the root user: -```shell +```console sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite 
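Review bot: In the QuickLook cache hunk (@@ -1681), the "Similarly, for the root user" block runs `sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/...`, but the `$(getconf ...)` substitution is evaluated by the invoking user's shell before sudo runs, so it resolves to the user's own cache directory rather than root's, contradicting the prose that says to obtain root's directory with `sudo getconf DARWIN_USER_CACHE_DIR`. Use `$(sudo getconf DARWIN_USER_CACHE_DIR)` in those lines. Style: this block was re-tagged `console` but, unlike the user block above it, did not receive `$ ` prompts.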
@@ -1737,7 +1650,7 @@ Also see ['quicklook' cache may leak encrypted data](https://objective-see.com/b To clear Finder preferences: -```shell +```console defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations @@ -1747,7 +1660,7 @@ defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearch Additional diagnostic files may be found in the following directories - but caution should be taken before removing any, as it may break logging or cause other issues: -```shell +```console /var/db/CoreDuet/ /var/db/diagnostics/ /var/db/systemstats/ @@ -1757,7 +1670,7 @@ Additional diagnostic files may be found in the following directories - but caut macOS stored preferred Wi-Fi data (including credentials) in nvram. To clear it, use the following commands: -```shell +```console sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count @@ -1765,7 +1678,7 @@ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count macOS may collect sensitive information about what you type, even if user dictionary and suggestions are off. To remove them, and prevent them from being created again, use the following commands: -```shell +```console rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*" chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions 
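Review bot: In the typing-data hunk (@@ -1765), `rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*"` removes nothing: inside double quotes neither `~` nor `*` is expanded, so rm receives a literal relative path beginning with `~` and `-f` hides the resulting error, while the unquoted `chmod -R 000 ~/Library/LanguageModeling ...` and `chflags` lines below it do work. These paths contain no spaces, so drop the quotes: `rm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*`.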
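Review bot: In the Wi-Fi nvram hunk (@@ -1757), the context sentence "macOS stored preferred Wi-Fi data (including credentials) in nvram" should read "stores"; worth fixing since the hunk already edits this block.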
@@ -1773,7 +1686,7 @@ chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggesti QuickLook application support metadata can be cleared and locked with the following commands: -```shell +```console rm -rfv "~/Library/Application Support/Quick Look/*" chmod -R 000 "~/Library/Application Support/Quick Look" chflags -R uchg "~/Library/Application Support/Quick Look" @@ -1781,7 +1694,7 @@ chflags -R uchg "~/Library/Application Support/Quick Look" Document revision metadata is stored in `/.DocumentRevisions-V100` and can be cleared and locked with the following commands - caution should be taken as this may break some core Apple applications: -```shell +```console sudo rm -rfv /.DocumentRevisions-V100/* sudo chmod -R 000 /.DocumentRevisions-V100 sudo chflags -R uchg /.DocumentRevisions-V100 @@ -1789,7 +1702,7 @@ sudo chflags -R uchg /.DocumentRevisions-V100 Saved application state metadata may be cleared and locked with the following commands: -```shell +```console rm -rfv "~/Library/Saved Application State/*" rm -rfv "~/Library/Containers//Saved Application State" chmod -R 000 "~/Library/Saved Application State/" @@ -1800,7 +1713,7 @@ chflags -R uchg "~/Library/Containers//Saved Application State" Autosave metadata can be cleared and locked with the following commands: -```shell +```console rm -rfv "~/Library/Containers//Data/Library/Autosave Information" rm -rfv "~/Library/Autosave Information" chmod -R 000 "~/Library/Containers//Data/Library/Autosave Information" @@ -1811,7 +1724,7 @@ chflags -R uchg "~/Library/Autosave Information" The Siri analytics database, which is created even if the Siri launch agent disabled, can be cleared and locked with the following commands: -```shell +```console rm -rfv ~/Library/Assistant/SiriAnalytics.db chmod -R 000 ~/Library/Assistant/SiriAnalytics.db chflags -R uchg ~/Library/Assistant/SiriAnalytics.db 
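Review bot: In the Quick Look support hunk (@@ -1773), every command is defeated by quoting: `rm -rfv "~/Library/Application Support/Quick Look/*"`, `chmod -R 000 "~/Library/Application Support/Quick Look"` and the `chflags` line all place `~` inside double quotes, where it is not expanded, so none of them touch the real directory. Quote only the part after the tilde and keep the glob outside the quotes: `rm -rfv ~/"Library/Application Support/Quick Look"/*` and `chmod -R 000 ~/"Library/Application Support/Quick Look"`. The same quoted-tilde pattern appears in the Saved Application State hunk (@@ -1789, `rm -rfv "~/Library/Saved Application State/*"`) and the Autosave hunk (@@ -1800, `rm -rfv "~/Library/Autosave Information"`) and needs the same fix; the Siri hunk (@@ -1811) is unquoted and correct. Also in the Siri hunk, "even if the Siri launch agent disabled" is missing "is".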
@@ -1819,26 +1732,26 @@ chflags -R uchg ~/Library/Assistant/SiriAnalytics.db `~/Library/Preferences/com.apple.iTunes.plist` contains iTunes metadata. Recent iTunes search data may be cleared with the following command: -```shell +```console defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches ``` If you do not use Apple ID-linked services, the following keys may be cleared, too, using the following commands: -```shell +```console defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID ``` All media played in QuickTime Player can be found in: -```shell +```console ~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist ``` Additional metadata may exist in the following files: -```shell +```console ~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist ~/Library/Preferences/com.apple.commerce.plist ~/Library/Preferences/com.apple.QuickTimePlayerX.plist 
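Review bot: In the QuickTime and additional-metadata hunks (@@ -1819), the two blocks that list only file paths (`~/Library/Containers/com.apple.QuickTimePlayerX/...QuickTimePlayerX.plist` and the list beginning `~/Library/Containers/com.apple.appstore/...`) were re-tagged `console` although they contain no commands or prompts; a bare fence, as the `/etc/sudoers` hunk later in this patch uses, describes them better.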
@@ -1848,33 +1761,14 @@ Additional metadata may exist in the following files: Generate strong passwords with several programs or directly from [`/dev/urandom`](https://github.com/jedisct1/libsodium/issues/594): -```shell +```console $ openssl rand -base64 30 -LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI +qb8ZWbUU2Ri3FOAPY/1wKSFAJwMXmpQM4mZU4YbO -$ gpg --gen-random -a 0 60 | fold -w 20 -oYekhlKAtw4e+Ak032bi -fDNAN9laYKG/+59QJKve -zxMV8nVtnoI+NdyhUp+5 -x5BjEk/xxkWvd4Hf3iRG - -$ cat /dev/urandom | openssl base64 | fold -w40 | head -n5 -zAfhO1KGgyDwRUigYT+O1VZLnW9k5BIC8j3XYXAu -Hkx2/3d/Tem6rUG7bGYQizU9ueWQYIb9WJD1lzO2 -d8MfMu4PkIns3hY6FTkMhTKTIYDaqAxwTbIktu1X -ibd3+PKxRPY97nxQiIE45fzBLkjDnKcW3pfeaTNz -e5dIbZidfuiOQrlRCDIj9pg2p0lp8BhTgz3IMCc7 -``` - -With control over character sets: - -```shell -$ LANG=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 5 -rgBaAV0N09FzsqFRWhC6UFMJSjeisRhDuyqcJQox -ZG4NDhxBXlF1yHwdCMaanCRkFZKvQUrDRid9Hmop -TtRn5YVENCQ5krapAZxxS1bXk2vYIABOutDa4q1n -AHQMHD9ovOteWXVBLvLhccTaukOHLGUMhH7C6IPg -9kz7Kf4KIKAGq3Jy4XpQoQVMy9YL34wQbuCzhr4O +$ gpg --gen-random -a 0 90 | fold -w 40 +3e+kfHOvovHVXxZYPgu+OOWQ1g1ttbljr+kNGv7f +loD//RsjUXYGIjfPM/bT0itsoEstyGLVUsFns8wP +zYM8VRBga+TsnxWrS7lWKfH1uvVPowzkq9kXCdvJ $ LANG=C tr -dc 'A-F0-9' < /dev/urandom | fold -w 40 | head -n 5 45D0371481EE5E5A5C1F68EA59E69F9CA52CB321 
@@ -1882,6 +1776,34 @@ A30B37A00302643921F205621B145E7EAF520164 B6EF38A2DA1D0586D20105502AFFF0468EA5F16A 029D6EA9F76CD64D3356E342EA154BEFEBE23387 07F468F0569579A0A06471247CABC4F4C1386E24 + +$ tr -dc '[:alnum:]' < /dev/urandom | fold -w 40 | head -n5 +zmj8S0iuxud8y8YHjzdg7Hefu6U1KAYBiLl3aE8v +nCNpuMkWohTjQHntTzbiLQJG5zLzEHWSWaYSwjtm +R2L6M909S3ih852IkJqQFMDawCiHcpPBxlllAPrt +aZOXKVUmxhzQwVSYb6nqAbGTVMFSJOLf094bFZAb +HfgwSNlkVBXwIPQST6E6x6vDNCCasMLSSOoTUfSK + +$ tr -dc '[:lower:]' < /dev/urandom | fold -w 40 | head -n5 +gfvkanntxutzwxficgvavbwdvttexdezdftvvtmn +lgrsuiugwkqbtbkyggcbpbqlynwbiyxzlabstqcf +ufctdlsbyonkowzpmotxiksnsbwdzkjrjsupoqvr +hjwibdjxtmuvqricljayzkgdfztcmapsgwsubggr +bjstlmvwjczakgeetkbmwbjnidbeaerhaonpkacg + +$ tr -dc '[:upper:]' < /dev/urandom | fold -w 40 | head -n5 +EUHZMAOBOLNFXUNNDSTLJTPDCPVQBPUEQOLRZUQZ +HVNVKBEPAAYMXRCGVCNEZLFHNUYMRYPTWPWOOZVM +TAHEUPQJTSYQVJVYSKLURESMKWEZONXLUDHWQODB +PRDITWMAXXZLTRXEEOGOSGAWUXYDGDRJYRHUWICM +VHERIQBLBPHSIUZSGYZRDHTNAPUGJMRODIKBWZRJ + +$ tr -dc '[:graph:]' < /dev/urandom | fold -w 40 | head -n5 +n\T2|zUz:\C,@z9!#p3!B/[t6m:B94}q&t(^)Ol~ +J%MMDbAgGdP}zrSQO!3mrP3$w!.[Ng_xx-_[C<3g +^)6V&*<2"ZOgU.mBd]iInvFKiT ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg +tar: Removing leading '/' from member names +a Users/drduh/Downloads +a Users/drduh/Downloads/.DS_Store +a Users/drduh/Downloads/.localized +a Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg.asc +a Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg ``` -To decrypt a compressed directory: +To decrypt and decompress the directory: -```shell +```console $ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg +gpg: AES256 encrypted data +gpg: encrypted with 1 passphrase $ tar zxvf ~/Desktop/decrypted-backup.tar.gz +tar: Removing leading '/' from member names +x Users/drduh/._Downloads +x Users/drduh/Downloads/ +x Users/drduh/Downloads/._.DS_Store +x Users/drduh/Downloads/.DS_Store +x Users/drduh/Downloads/.localized +x 
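Review bot: In the password hunk (@@ -1882), the added `tr -dc '[:alnum:]' < /dev/urandom | fold -w 40 | head -n5` and its `[:lower:]`, `[:upper:]` and `[:graph:]` variants drop the `LANG=C` prefix that the retained `LANG=C tr -dc 'A-F0-9' < /dev/urandom` line keeps; in a UTF-8 locale, macOS `tr` interprets the random bytes as multibyte characters and commonly aborts with "tr: Illegal byte sequence", so these examples should keep `LANG=C` (or `LC_ALL=C`) for consistency. The `[:graph:]` sample contains quotes, backslashes and `$`, which deserves a one-line warning for readers who paste such passwords into shell commands or config files.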
Users/drduh/Downloads/._TorBrowser-8.0.4-osx64_en-US.dmg.asc +x Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg.asc +x Users/drduh/Downloads/._TorBrowser-8.0.4-osx64_en-US.dmg +x Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg ``` You can also create and use encrypted volumes using **Disk Utility** or `hdiutil`: -```shell -$ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 20M -volname "secretStuff" -fs JHFS+ +```console +$ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 50M -volname "secretStuff" -fs JHFS+ Enter a new password to secure "encrypted.dmg": Re-enter new password: .................................... @@ -2024,7 +1964,7 @@ Confirm whether sshd is enabled or disabled: $ sudo lsof -Pni TCP:22 ``` -See also [drduh/config/ssh_config](https://github.com/drduh/config/ssh_config) and [drduh/config/sshd_config](https://github.com/drduh/config/sshd_config). +See also [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config) and [drduh/config/sshd_config](https://github.com/drduh/config/blob/master/sshd_config). ## Physical access @@ -2040,9 +1980,9 @@ Superglues or epoxy resins can also be used to disable physical access. [Nail po ## System monitoring -#### OpenBSM audit +### OpenBSM audit -macOS has a powerful OpenBSM auditing capability. You can use it to monitor process execution, network activity, and much more. +macOS has a powerful OpenBSM (Basic Security Module) auditing capability. You can use it to monitor process execution, network activity, and much more. To tail audit logs, use the `praudit` utility: 
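Review bot: In the encrypted-volume change (`hdiutil create ~/Desktop/encrypted.dmg -encryption -size 50M -volname "secretStuff" -fs JHFS+`), `-encryption` with no argument selects hdiutil's default of AES-128; a guide that elsewhere configures AES256 preferences should spell out `-encryption AES-256` so the reader gets the stronger option deliberately rather than by default. The ssh_config/sshd_config link fix in the same patch (@@ -2024) is correct.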
@@ -2059,7 +1999,7 @@ See the manual pages for `audit`, `praudit`, `audit_control` and other files in See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information. -#### DTrace +### DTrace **Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) [interferes](https://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. @@ -2075,7 +2015,7 @@ See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/20 See `man -k dtrace` for more information. -#### Execution +### Execution `ps -ef` lists information about all running processes. @@ -2083,17 +2023,21 @@ You can also view processes with **Activity Monitor**. `launchctl list` and `sudo launchctl list` list loaded and running user and system launch daemons and agents. -#### Network +### Network List open network files: - $ sudo lsof -Pni +```console +$ sudo lsof -Pni +``` List contents of various network-related data structures: - $ sudo netstat -atln +```console +$ sudo netstat -atln +``` -You can also use [Wireshark](https://www.wireshark.org/) from the command line. +You can also use [Wireshark](https://www.wireshark.org/) from the command line with `tshark`. Monitor DNS queries and replies: @@ -2374,6 +2318,8 @@ $ duti -s com.apple.Safari ftp $ duti -s com.apple.Safari nfs $ duti -s com.apple.Safari smb + +$ duti -s com.apple.TextEdit public.unix-executable ``` Monitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands. 
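Review bot: In the duti hunk (@@ -2374), the added `duti -s com.apple.TextEdit public.unix-executable` is a worthwhile hardening step (a double-clicked shell script or other unix executable opens in TextEdit instead of running) but the hunk adds no prose saying what it does or why; one sentence beside the existing `duti -s com.apple.Safari ...` lines would let readers understand what they are changing. In the Network hunk (@@ -2083), the new sentence about using Wireshark "from the command line with `tshark`" would read more precisely as naming `tshark` as Wireshark's command-line tool.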
@@ -2382,7 +2328,7 @@ In systems prior to macOS Sierra (10.12), enable the [tty_tickets flag](https:// Set your screen to lock as soon as the screensaver starts: -```shell +```console $ defaults write com.apple.screensaver askForPassword -int 1 $ defaults write com.apple.screensaver askForPasswordDelay -int 0 @@ -2390,7 +2336,7 @@ $ defaults write com.apple.screensaver askForPasswordDelay -int 0 Expose hidden files and Library folder in Finder: -```shell +```console $ defaults write com.apple.finder AppleShowAllFiles -bool true $ chflags nohidden ~/Library @@ -2398,13 +2344,13 @@ $ chflags nohidden ~/Library Show all filename extensions (so that "Evil.jpg.app" cannot masquerade easily). -```shell +```console $ defaults write NSGlobalDomain AppleShowAllExtensions -bool true ``` Don't default to saving documents to iCloud: -```shell +```console $ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false ``` @@ -2412,13 +2358,13 @@ Enable [Secure Keyboard Entry](https://security.stackexchange.com/questions/4774 Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple): -```shell +```console $ defaults write com.apple.CrashReporter DialogType none ``` Disable Bonjour [multicast advertisements](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): -```shell +```console $ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES ``` @@ -2428,9 +2374,9 @@ Consider [sandboxing](https://developer.apple.com/legacy/library/documentation/D Did you know Apple has not shipped a computer with TPM since [2006](http://osxbook.com/book/bonus/chapter10/tpm/)? -MacOS comes with this line in /etc/sudoers: +macOS comes with this line in `/etc/sudoers`: -```shell +``` Defaults env_keep += "HOME MAIL" ``` 
@@ -2438,7 +2384,7 @@ Which stops sudo from changing the HOME variable when you elevate privileges. Th If you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.bashrc, eg: -```shell +``` export HOME=/Users/blah ``` From cc591e84aab04e86f06dcd0fb1cf02b6df66165a Mon Sep 17 00:00:00 2001 From: drduh Date: Thu, 17 Jan 2019 20:51:37 -0800 Subject: [PATCH 094/476] Organize launchd files, additional links. Fix #324. --- README.md | 130 ++++++------------ .../14F27_launchd.csv | 0 .../15B42_launchd.csv | 0 .../16A323_launchd.csv | 0 comments.csv => launchd/comments.csv | 0 .../read_launch_plists.py | 0 6 files changed, 43 insertions(+), 87 deletions(-) rename 14F27_launchd.csv => launchd/14F27_launchd.csv (100%) rename 15B42_launchd.csv => launchd/15B42_launchd.csv (100%) rename 16A323_launchd.csv => launchd/16A323_launchd.csv (100%) rename comments.csv => launchd/comments.csv (100%) rename read_launch_plists.py => launchd/read_launch_plists.py (100%) diff --git a/README.md b/README.md index 8f9f5637..5ffcc96e 100755 --- a/README.md +++ b/README.md 
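Review bot: the `export HOME=/Users/blah` workaround in the `/var/root/.bashrc` hunk gives back most of what removing the `env_keep += "HOME MAIL"` line was meant to take away: every tool root runs afterwards (editors, git, ssh, anything that reads `~/.*rc` or `~/.config`) again loads configuration from a directory the non-root user can write to. Suggest stating that trade-off next to the tip. Also, `/var/root/.bashrc` is only read by interactive non-login shells such as `sudo -s`; `sudo -i` starts a login shell that reads `/var/root/.bash_profile`, so name which invocation the tip targets.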
@@ -2420,91 +2420,47 @@ export HOME=/Users/blah ## Additional resources -*In no particular order* - -[MacOS Hardening Guide - Appendix of \*OS Internals: Volume III - Security & Insecurity Internals](http://newosxbook.com/files/moxii3/AppendixA.pdf) (pdf) - -[Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) - -[OS X Core Technologies Overview White Paper](https://www.apple.com/osx/all-features/pdf/osx_elcapitan_core_technologies_overview.pdf) (pdf) - -[Reverse Engineering Mac OS X blog](https://reverse.put.as/) - -[Reverse Engineering Resources](http://samdmarshall.com/re.html) - -[Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html) - -[Managing Macs at Google Scale (LISA '13)](https://www.usenix.org/conference/lisa13/managing-macs-google-scale) - -[OS X Hardening: Securing a Large Global Mac Fleet (LISA '13)](https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet) - -[DoD Security Technical Implementation Guides for Mac OS](http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx) - -[The EFI boot process](http://web.archive.org/web/20160508052211/http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) - -[The Intel Mac boot process](http://refit.sourceforge.net/info/boot_process.html) - -[Userland Persistence on Mac OS X](https://archive.org/details/joshpitts_shmoocon2015) - -[Developing Mac OSX kernel rootkits](http://phrack.org/issues/66/16.html#article) - -[IOKit kernel code execution exploit](https://code.google.com/p/google-security-research/issues/detail?id=135) - -[Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/) - -[IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) - -[Harden the World: Mac OSX 10.11 El 
Capitan](http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/) - -[Hacker News discussion](https://news.ycombinator.com/item?id=10148077) - -[Hacker News discussion 2](https://news.ycombinator.com/item?id=13023823) - -[Apple Open Source](https://opensource.apple.com/) - -[OS X 10.10 Yosemite: The Ars Technica Review](https://arstechnica.com/apple/2014/10/os-x-10-10/) - -[CIS Apple OSX 10.10 Benchmark](https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.10_Benchmark_v1.1.0.pdf) (pdf) - -[How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch) - -[Security Configuration For Mac OS X Version 10.6 Snow Leopard](https://www.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf) (pdf) - -[EFF Surveillance Self-Defense Guide](https://ssd.eff.org/) - -[MacAdmins on Slack](https://macadmins.herokuapp.com/) - -[iCloud security and privacy overview](https://support.apple.com/kb/HT4865) - -[Demystifying the DMG File Format](http://newosxbook.com/DMG.html) - -[There's a lot of vulnerable OS X applications out there (Sparkle Framework RCE)](https://vulnsec.com/2016/osx-apps-vulnerabilities/) - -[iSeeYou: Disabling the MacBook Webcam Indicator LED](https://jscholarship.library.jhu.edu/handle/1774.2/36569) - -[Mac OS X Forensics - Technical Report](https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-8.pdf) (pdf) - -[Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf) - -[Extracting FileVault 2 Keys with Volatility](https://tribalchicken.com.au/security/extracting-filevault-2-keys-with-volatility/) - -[Auditing and Exploiting Apple IPC](https://googleprojectzero.blogspot.com/2015/09/revisiting-apple-ipc-1-distributed_28.html) - -[Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) - -[Demystifying the i-Device NVMe NAND (New storage used by 
Apple)](http://ramtin-amin.fr/#nvmepcie) - -[The macOS Phishing Easy Button: AppleScript Dangers](https://duo.com/blog/the-macos-phishing-easy-button-applescript-dangers) - -[Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html) - -[The Great DOM Fuzz-off of 2017](https://googleprojectzero.blogspot.be/2017/09/the-great-dom-fuzz-off-of-2017.html) - -[Remote code execution, git, and OS X](https://rachelbythebay.com/w/2016/04/17/unprotected/) - -[OSX.Pirrit Mac Adware Part III: The DaVinci Code](https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active) - -[How to make macOS Spotlight fuck the fuck off and do your bidding](https://m4.rkw.io/blog/how-to-make-macos-spotlight-fuck-the-fuck-off-and-do-your-bidding.html) - -[Fuzzing the macOS WindowServer for Exploitable Vulnerabilities](http://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/) +* [Apple Open Source](https://opensource.apple.com/) +* [Auditing and Exploiting Apple IPC](https://googleprojectzero.blogspot.com/2015/09/revisiting-apple-ipc-1-distributed_28.html) +* [CIS Benchmarks](https://www.cisecurity.org/benchmark/apple_os/) +* [Demystifying the DMG File Format](http://newosxbook.com/DMG.html) +* [Demystifying the i-Device NVMe NAND (New storage used by Apple)](http://ramtin-amin.fr/#nvmepcie) +* [Developing Mac OSX kernel rootkits](http://phrack.org/issues/66/16.html#article) +* [DoD Security Technical Implementation Guides for Mac OS](http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx) +* [EFF Surveillance Self-Defense Guide](https://ssd.eff.org/) +* [Extracting FileVault 2 Keys with Volatility](https://tribalchicken.com.au/security/extracting-filevault-2-keys-with-volatility/) +* [Fuzzing the macOS WindowServer for Exploitable Vulnerabilities](http://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/) +* [Hacker News discussion 
2](https://news.ycombinator.com/item?id=13023823) +* [Hacker News discussion](https://news.ycombinator.com/item?id=10148077) +* [Harden the World: Mac OSX 10.11 El Capitan](http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/) +* [Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/) +* [How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch) +* [How to make macOS Spotlight fuck the fuck off and do your bidding](https://m4.rkw.io/blog/how-to-make-macos-spotlight-fuck-the-fuck-off-and-do-your-bidding.html) +* [IOKit kernel code execution exploit](https://code.google.com/p/google-security-research/issues/detail?id=135) +* [IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) +* [Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) +* [Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf) +* [Mac OS X Forensics - Technical Report](https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-8.pdf) (pdf) +* [Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) +* [MacAdmins on Slack](https://macadmins.herokuapp.com/) +* [MacOS Hardening Guide - Appendix of \*OS Internals: Volume III - Security & Insecurity Internals](http://newosxbook.com/files/moxii3/AppendixA.pdf) (pdf) +* [Managing Macs at Google Scale (LISA '13)](https://www.usenix.org/conference/lisa13/managing-macs-google-scale) +* [OS X 10.10 Yosemite: The Ars Technica Review](https://arstechnica.com/apple/2014/10/os-x-10-10/) +* [OS X Core Technologies Overview White Paper](https://www.apple.com/osx/all-features/pdf/osx_elcapitan_core_technologies_overview.pdf) (pdf) +* [OS X Hardening: 
Securing a Large Global Mac Fleet (LISA '13)](https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet) +* [OSX.Pirrit Mac Adware Part III: The DaVinci Code](https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active) +* [Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html) +* [Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html) +* [Remote code execution, git, and OS X](https://rachelbythebay.com/w/2016/04/17/unprotected/) +* [Reverse Engineering Mac OS X blog](https://reverse.put.as/) +* [Reverse Engineering Resources](http://samdmarshall.com/re.html) +* [Security Configuration For Mac OS X Version 10.6 Snow Leopard](https://www.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf) (pdf) +* [The EFI boot process](http://web.archive.org/web/20160508052211/http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) +* [The Great DOM Fuzz-off of 2017](https://googleprojectzero.blogspot.be/2017/09/the-great-dom-fuzz-off-of-2017.html) +* [The Intel Mac boot process](http://refit.sourceforge.net/info/boot_process.html) +* [The macOS Phishing Easy Button: AppleScript Dangers](https://duo.com/blog/the-macos-phishing-easy-button-applescript-dangers) +* [There's a lot of vulnerable OS X applications out there (Sparkle Framework RCE)](https://vulnsec.com/2016/osx-apps-vulnerabilities/) +* [Userland Persistence on Mac OS X](https://archive.org/details/joshpitts_shmoocon2015) +* [iCloud security and privacy overview](https://support.apple.com/kb/HT4865) +* [iSeeYou: Disabling the MacBook Webcam Indicator LED](https://jscholarship.library.jhu.edu/handle/1774.2/36569) diff --git a/14F27_launchd.csv b/launchd/14F27_launchd.csv similarity index 100% rename from 14F27_launchd.csv rename to launchd/14F27_launchd.csv 
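Review bot: the rebuilt resources list is sorted byte-wise rather than alphabetically, which is why `Hacker News discussion 2` precedes `Hacker News discussion` and the `iCloud` and `iSeeYou` entries fall after `Userland Persistence`; re-sort case-insensitively (for example with `sort -f`) so the entries read in the order a reader expects. The same patch moves `read_launch_plists.py` and the `*_launchd.csv` files into `launchd/`, but the only README hunk is this list, so any link in the README to the old root-level paths still needs updating in this change.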
diff --git a/15B42_launchd.csv b/launchd/15B42_launchd.csv similarity index 100% rename from 15B42_launchd.csv rename to launchd/15B42_launchd.csv diff --git a/16A323_launchd.csv b/launchd/16A323_launchd.csv similarity index 100% rename from 16A323_launchd.csv rename to launchd/16A323_launchd.csv diff --git a/comments.csv b/launchd/comments.csv similarity index 100% rename from comments.csv rename to launchd/comments.csv diff --git a/read_launch_plists.py b/launchd/read_launch_plists.py similarity index 100% rename from read_launch_plists.py rename to launchd/read_launch_plists.py From 56b671df16a38e445c8fe1663518a8c37ce335a0 Mon Sep 17 00:00:00 2001 From: drduh Date: Thu, 17 Jan 2019 21:03:47 -0800 Subject: [PATCH 095/476] Mention umask and Adium is out of date. Fix #299. Fix #321. --- README.md | 60 +++++++++++++++++++++++++------------------------------ 1 file changed, 27 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 5ffcc96e..9479a888 100755 --- a/README.md +++ b/README.md 
@@ -1282,16 +1282,9 @@ The first time you start a conversation with someone new, you'll be asked to ver A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). -```console -$ shasum -a 256 Adium_1.5.10.4.dmg -31fa3fd32b86dd3381b60e0d5aafbc2a9452036f0fb4963bffbc2a6c64a9458b Adium_1.5.10.4.dmg -``` - -Remember to [disable logging](https://trac.adium.im/ticket/15722) for off the record chats with Adium. +**Important** While popular, Adium does not appear to be actively developed and may have vulnerabilities. See additional discussion in [issue #299](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/299). -A good console-based XMPP client is [profanity](http://www.profanity.im/), which can be installed with `brew install profanity` - -For improved anonymity, check out [Tor Messenger](https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily), although it is still in beta, as well as [Ricochet](https://ricochet.im/) (which has recently received a thorough [security audit](https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf) (pdf)), which both use the Tor network rather than relying on messaging servers. +Other XMPP clients include [profanity](http://www.profanity.im/) and [agl/xmpp-client](https://github.com/agl/xmpp-client). If you want to know how OTR works, read the paper [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf) (pdf) 
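Review bot: the rewritten paragraph drops the advice to disable logging for off-the-record chats along with the Adium-specific ticket link; that point applies to whichever client the reader ends up using, so suggest keeping a client-neutral sentence (disable chat logging for OTR conversations in your client). The `brew install profanity` hint was dropped as well and could stay inline after the profanity link, since the new sentence lists it without saying how to install it.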
@@ -2388,35 +2381,36 @@ If you want to retain the convenience of the root user having a non-root user's export HOME=/Users/blah ``` -## Related software - -[stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. - -[Santa](https://github.com/google/santa) - A binary whitelisting/blacklisting system for macOS. - -[kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - Checks your OSX machine against various hardened configuration settings. - -[Lockdown](https://objective-see.com/products/lockdown.html) - Audits and remediates security configuration settings. - -[Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - Scan for applications that are either susceptible to dylib hijacking or have been hijacked. +Set a [custom umask](https://support.apple.com/en-us/HT201684): -[F-Secure XFENCE](https://campaigns.f-secure.com/xfence/) (formerly [Little Flocker](https://github.com/drduh/macOS-Security-and-Privacy-Guide/pull/237)) - "Little Snitch for files"; prevents applications from accessing files. - -[facebook/osquery](https://github.com/facebook/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. - -[google/grr](https://github.com/google/grr) - Incident response framework focused on remote live forensics. - -[yelp/osxcollector](https://github.com/yelp/osxcollector) - Forensic evidence collection & analysis toolkit for OS X. - -[jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - Analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names. 
+```console +sudo launchctl config user umask 077 +``` -[libyal/libfvde](https://github.com/libyal/libfvde) - Library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. +Reboot, create a file in Finder and verify its permissions (macOS default allows 'group/other' read access): -[CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. +```console +$ ls -ld umask* +drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir +-rw-------@ 1 kevin staff 2026566 Dec 4 12:28 umask_testing_file +``` -[Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). +## Related software -[The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. +* [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. +* [Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - Scan for applications that are either susceptible to dylib hijacking or have been hijacked. +* [F-Secure XFENCE](https://campaigns.f-secure.com/xfence/) (formerly [Little Flocker](https://github.com/drduh/macOS-Security-and-Privacy-Guide/pull/237)) - "Little Snitch for files"; prevents applications from accessing files. +* [Lockdown](https://objective-see.com/products/lockdown.html) - Audits and remediates security configuration settings. +* [Santa](https://github.com/google/santa) - A binary whitelisting/blacklisting system for macOS. 
+* [The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. +* [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). +* [facebook/osquery](https://github.com/facebook/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. +* [google/grr](https://github.com/google/grr) - Incident response framework focused on remote live forensics. +* [jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - Analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names. +* [kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - Checks your OSX machine against various hardened configuration settings. +* [libyal/libfvde](https://github.com/libyal/libfvde) - Library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. +* [stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. +* [yelp/osxcollector](https://github.com/yelp/osxcollector) - Forensic evidence collection & analysis toolkit for OS X. ## Additional resources From 1b214b0f5029e7b58948a199837c2c2a28942bb8 Mon Sep 17 00:00:00 2001 From: drduh Date: Thu, 17 Jan 2019 21:11:12 -0800 Subject: [PATCH 096/476] Polish dnscrypt steps. Fix #273. --- README.md | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 9479a888..6324e935 100755 --- a/README.md +++ b/README.md 
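Review bot: the `sudo launchctl config user umask 077` block is the only console block in this patch without the `$` prompt prefix used in the adjacent `$ ls -ld umask*` example and throughout the README; add it for consistency. The text should also say that the macOS default umask is 022 and that `sudo launchctl config user umask 022` followed by a reboot restores it, because the 077 setting applies to every process in the user's launchd domain and some applications expect group-readable files.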
@@ -35,8 +35,8 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Homebrew](#homebrew) - [DNS](#dns) - [Hosts file](#hosts-file) - - [DNSCrypt](#dnscrypt) - - [Dnsmasq](#dnsmasq) + - [dnscrypt](#dnscrypt) + - [dnsmasq](#dnsmasq) - [Test DNSSEC validation](#test-dnssec-validation) - [Captive portal](#captive-portal) - [Certificate authorities](#certificate-authorities) 
@@ -813,13 +813,13 @@ See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/ha See the [dnsmasq](#dnsmasq) section of this guide for more hosts blocking options. -#### DNSCrypt +#### dnscrypt -To encrypt outgoing DNS traffic, consider using [dnscrypt](https://dnscrypt.info). In combination with Dnsmasq and DNSSEC, the security of both outbounding and inbounding dns traffic are strengthened. +To encrypt outgoing DNS traffic, consider using [jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy). In combination with dnsmasq and DNSSEC, the integrity and authenticity of DNS traffic is greatly improved. -A GUI application is only available for the discontinued version 1 of `dnscrypt-proxy` ([alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient)). It is recommended to install the improved [dnscrypt-proxy version 2](https://github.com/jedisct1/dnscrypt-proxy) and use a BitBar plugin like [DNSCrypt Menu](https://github.com/JayBrown/DNSCrypt-Menu) or [dnscrypt-proxy-switcher](https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher) until an updated GUI application is available. Below are the guides for installation and configuration of the command-line DNSCrypt. +[JayBrown/DNSCrypt-Menu](https://github.com/JayBrown/DNSCrypt-Menu) and [jedisct1/bitbar-dnscrypt-proxy-switcher](https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher) provide a graphical user interface to dnscrypt. -Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: +Install dnscrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: ```console $ brew install dnscrypt-proxy 
@@ -856,13 +856,13 @@ $ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a--local-address=127.0 ``` By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. This can be fixed by changing the resolvers file in `homebrew.mxcl.dnscrypt-proxy.plist` (found earlier using find) to the symlinked version in `/usr/local/share`: -```console +``` --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv ``` Below the line: -```shell +``` /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy ``` @@ -874,13 +874,10 @@ $ sudo brew services restart dnscrypt-proxy Make sure DNSCrypt is running: -```shell +```console $ sudo lsof -Pni UDP:5355 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME dnscrypt- 13415 nobody 6u IPv4 0x1773f85ff9f8bbef 0t0 UDP 127.0.0.1:5355 - -$ ps A | grep '[d]nscrypt' -13415 ?? Ss 13:57.21 /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy --local-address=127.0.0.1:5355 --ephemeral-keys --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv --resolver-name=d0wn-us-ns4 --user=nobody ``` > By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, From 4cee71cd232d8aebc5907f6dae7f7681dd913f7a Mon Sep 17 00:00:00 2001 From: drduh Date: Thu, 17 Jan 2019 21:22:44 -0800 Subject: [PATCH 097/476] Mention issue to fix #213 for now, until someone writes more. --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 6324e935..50b0493d 100755 --- a/README.md +++ b/README.md 
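Review bot: the install paragraph now sends readers to jedisct1/dnscrypt-proxy (version 2), but the steps that follow still drive version 1: `--local-address=127.0.0.1:5355`, `--resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv` and `--resolver-name=d0wn-us-ns4` are v1 command-line flags, and the `gsed` edit of `homebrew.mxcl.dnscrypt-proxy.plist` assumes them; version 2 is configured through `dnscrypt-proxy.toml` (`listen_addresses`, `server_names`) and has no resolvers CSV. Either restore the sentence distinguishing the two versions or rewrite the configuration steps for v2. The `sudo lsof -Pni UDP:5355` check remains a sound way to confirm the listener whichever version is installed.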
@@ -392,7 +392,7 @@ It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/1 It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be [removed from FileVault](https://apple.stackexchange.com/a/94373) for additional hardening. -#### Caveats +### Caveats * Only administrators can install applications in `/Applications` (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in `~/Applications` instead (the directory can be created manually). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in `/Applications` – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in `/Applications` and require no additional authentication. * `sudo` is not available in shells of the standard user, which requires using `su` or `login` to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces. 
@@ -400,7 +400,7 @@ It is not strictly required to ever log into the admin account via the macOS log * There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the `open` utility. * See additional discussion in [issue #167](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/167). -#### Setup +### Setup Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account. 
@@ -498,7 +498,7 @@ Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) a ## Firmware -Setting a firmware password prevents a Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. +Setting a firmware password prevents a Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. See [How to set a firmware password on your Mac](https://support.apple.com/en-au/HT204455) for official documentation. This feature [can be helpful if your laptop is lost or stolen](https://www.ftc.gov/news-events/blogs/techftc/2015/08/virtues-strong-enduser-device-controls), protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as [pcileech](https://github.com/ufrisk/pcileech), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer. @@ -518,7 +518,7 @@ The firmware password can also be managed with the `firmwarepasswd` utility whil $ sudo firmwarepasswd -setpasswd -setmode command ``` -To verify: +To verify the firmware password: ```console $ sudo firmwarepasswd -verify 
@@ -533,15 +533,15 @@ Note, a firmware password may be bypassed by a determined attacker or Apple, wit *Using a [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* -See [HT204455](https://support.apple.com/en-au/HT204455), [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool) and [chipsec/chipsec](https://github.com/chipsec/chipsec) for more information. +Newer Mac models (Mac Pro, iMac Pro, Macbook with TouchBar) with [Apple T2](https://en.wikipedia.org/wiki/Apple-designed_processors#Apple_T2) chips, which provide a secure enclave for encrypted keys, lessen the risk of EFI firmware attacks. See [this blog post](http://michaellynn.github.io/2018/07/27/booting-secure/) for more information. -Newer Mac models now contain a T2 chip (Mac Pro, iMac Pro, Macbook with TouchBar, ...) that verifies the firmware that is being loaded, which alleviates EFI firmware attacks altogether if enabled. Read [this blog post](http://michaellynn.github.io/2018/07/27/booting-secure/) for more information. +See [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool), [chipsec/chipsec](https://github.com/chipsec/chipsec) and discussion in [issue #213](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/213) for more information. ## Firewall There are several types of firewalls available for macOS which should be enabled. -#### Application layer firewall +### Application layer firewall Built-in, basic firewall which blocks **incoming** connections only. This firewall does not have the ability to monitor, nor block **outgoing** connections. 
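Review bot: the rewritten T2 sentence credits the reduced EFI risk to the secure enclave for encrypted keys, but key storage is not what mitigates firmware tampering; the removed sentence had it right that the T2 verifies the firmware being loaded (Secure Boot), so suggest keeping that wording, for example "Macs with an Apple T2 chip verify the firmware and boot chain at startup, which lessens the risk of EFI firmware attacks". Also "Macbook with TouchBar" is too broad: the 2016 and 2017 Touch Bar models carry the T1 chip, and the T2 arrived with the 2018 MacBook Pro; "MacBook Pro (2018 and later)" would be accurate.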
@@ -582,7 +582,7 @@ After interacting with `socketfilterfw`, restart the process by sending a line h $ sudo pkill -HUP socketfilterfw ``` -#### Third party firewalls +### Third party firewalls Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](https://radiosilenceapp.com/) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. @@ -598,7 +598,7 @@ It is worth noting that these firewalls can be bypassed by programs running as * For more on how Little Snitch works, see the [Network Kernel Extensions Programming Guide](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/socket_nke/socket_nke.html#//apple_ref/doc/uid/TP40001858-CH228-SW1) and [Shut up snitch! – reverse engineering and exploiting a critical Little Snitch vulnerability](https://reverse.put.as/2016/07/22/shut-up-snitch-reverse-engineering-and-exploiting-a-critical-little-snitch-vulnerability/). -#### Kernel level packet filtering +### Kernel level packet filtering A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with `pfctl` and various configuration files. From 152b006602732ae220c6f4aff95d26d4de02b94f Mon Sep 17 00:00:00 2001 From: drduh Date: Thu, 17 Jan 2019 21:35:36 -0800 Subject: [PATCH 098/476] Mention APFS encryption links. Fix #283. --- README.md | 106 +++++++++++++++++++++++++++--------------------------- 1 file changed, 54 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index 50b0493d..f54f9ccc 100755 --- a/README.md +++ b/README.md 
@@ -496,6 +496,8 @@ $ sudo pmset -a autopoweroff 0 For more information, see [Best Practices for Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) and paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) +**Note** APFS may make evicting FV keys redundant - see discussion and links in [issue #283](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/283). + ## Firmware Setting a firmware password prevents a Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. See [How to set a firmware password on your Mac](https://support.apple.com/en-au/HT204455) for official documentation. @@ -508,7 +510,7 @@ This feature [can be helpful if your laptop is lost or stolen](https://www.ftc.g 1. Enter a new password, then enter the same password in the **Verify** field. 1. Select **Set Password**. 1. Select **Quit Firmware Utility** to close the Firmware Password Utility. -1. Select the Apple menu and select Restart or Shutdown. +1. Select Restart or Shutdown from the Apple menu in the top-left corner. The firmware password will activate at next boot. To validate the password, hold `Alt` during boot - you should be prompted to enter the password. 
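Review bot: the new note at +499 ("APFS may make evicting FV keys redundant") contradicts the instruction that still precedes it, `sudo pmset -a destroyfvkeyonstandby 1`, without resolving it; state plainly whether the pmset step is still recommended on APFS volumes, or on which macOS versions it still matters, rather than leaving the reader to work it out from the issue link. The step rewording at +513 ("Select Restart or Shutdown from the Apple menu in the top-left corner") reads fine.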
@@ -795,10 +797,10 @@ There are many lists of domains available online which you can paste in, just ma For hosts lists, see [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts), [l1k/osxparanoia/blob/master/hosts](https://github.com/l1k/osxparanoia/blob/master/hosts) and [StevenBlack/hosts](https://github.com/StevenBlack/hosts). -To append a list of hosts from a list, use the `tee` command, then confirm by editing `/etc/hosts` or counting the number of lines in it: +Append a list of hosts with the `tee` command and confirm only non-routable addresses or comments were added: ```console -$ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo tee /etc/hosts +$ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts $ wc -l /etc/hosts 65580 
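Review bot: the change to `tee -a` at +803 is the important fix in this hunk: without `-a`, `tee` truncates `/etc/hosts` and replaces whatever was there with the downloaded list. Two follow-ups: (1) the new prose promises to "confirm only non-routable addresses or comments were added", but the only check shown is `wc -l`; add a command that prints any line whose address is neither `0.0.0.0` nor `127.0.0.1`, e.g. `grep -vE '^(#|0\.0\.0\.0|127\.0\.0\.1|[[:space:]]*$)' /etc/hosts`, which should print nothing if the append was clean; (2) piping `curl` straight into a root-owned file gives no chance to inspect the download first, so prefer saving to a temporary file, reviewing it, then appending.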
@@ -1195,7 +1197,7 @@ It is best to remember that Google is an advertising company and its major sourc Firefox offers a similar security model to Chrome. It offers a [bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. -See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2), [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. +See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox), [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js/) for recommended privacy preferences and other hardening measures. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking. 
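Review bot: the hunk only inserts "and" between the issue links, which is fine; while touching this paragraph, the context line at -1195 has a typo, "it is not a lucrative as Chrome's" should read "it is not as lucrative as Chrome's".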
@@ -1251,9 +1253,9 @@ See [Hacking Team Flash Zero-Day](https://blog.trendmicro.com/trendlabs-security PGP is a standard for encrypting email end to end. That means only the chosen recipients can decrypt a message, unlike regular email which is read and forever archived by providers. -**GPG**, or **GNU Privacy Guard**, is a GPL licensed program compliant with the standard. +GPG, or **GNU Privacy Guard**, is a GPL licensed program compliant with the standard. -**GPG** is used to verify signatures of software you download and install, as well as [symmetrically](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) or [asymmetrically](https://en.wikipedia.org/wiki/Public-key_cryptography) encrypt files and text. +GPG is used to verify signatures of software you download and install, as well as [symmetrically](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) or [asymmetrically](https://en.wikipedia.org/wiki/Public-key_cryptography) encrypt files and text. Install from Homebrew with `brew install gnupg`. 
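Review bot: style only: removing the bold from the two "GPG" occurrences at +1255 and +1257 is fine and the bold on **GNU Privacy Guard** is kept, consistent with how the page introduces terms; "GPL licensed" is a compound modifier and reads better hyphenated as "GPL-licensed".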
@@ -1626,14 +1628,14 @@ $ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/th Similarly, for the root user: ```console -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data -sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler +$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler +$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive +$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite +$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm +$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal +$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason +$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data +$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler ``` Also see ['quicklook' cache may leak encrypted data](https://objective-see.com/blog/blog_0x30.html). 
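Review bot: two problems in the root-user block that adding the `$ ` prompts does not address. First, the first and last lines are the same command (`thumbnails.fraghandler` is removed twice at +1631 and +1638); drop one. Second, these commands do not act on the root user's cache at all: `$(getconf DARWIN_USER_CACHE_DIR)` is expanded by the invoking user's shell before `sudo` runs, so the path is the current user's cache directory and the block merely repeats the previous one with `sudo` in front. To clear root's cache the expansion has to happen as root, e.g. `sudo sh -c 'rm -rfv "$(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite"'` for each file, or one `sudo sh -c` wrapping all of them.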
@@ -1641,16 +1643,16 @@ Also see ['quicklook' cache may leak encrypted data](https://objective-see.com/b To clear Finder preferences: ```console -defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions -defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders -defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations -defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches -defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches +$ defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions +$ defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders +$ defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations +$ defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches +$ defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches ``` Additional diagnostic files may be found in the following directories - but caution should be taken before removing any, as it may break logging or cause other issues: -```console +``` /var/db/CoreDuet/ /var/db/diagnostics/ /var/db/systemstats/ 
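Review bot: changing the `/var/db/...` directory listing from a ```console fence to a plain fence at +1655 is the right call, since those lines are paths rather than commands, and the `$ ` prompts on the `defaults delete` lines match the rest of the section; nothing else to flag in this hunk.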
@@ -1661,87 +1663,87 @@ Additional diagnostic files may be found in the following directories - but caut macOS stored preferred Wi-Fi data (including credentials) in nvram. To clear it, use the following commands: ```console -sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network -sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks -sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count +$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network +$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks +$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count ``` macOS may collect sensitive information about what you type, even if user dictionary and suggestions are off. To remove them, and prevent them from being created again, use the following commands: ```console -rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*" -chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions -chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions +$ rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*" +$ chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions +$ chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions ``` QuickLook application support metadata can be cleared and locked with the following commands: ```console -rm -rfv "~/Library/Application Support/Quick Look/*" -chmod -R 000 "~/Library/Application Support/Quick Look" -chflags -R uchg "~/Library/Application Support/Quick Look" +$ rm -rfv "~/Library/Application Support/Quick Look/*" +$ chmod -R 000 "~/Library/Application Support/Quick Look" +$ chflags -R uchg "~/Library/Application Support/Quick Look" ``` Document revision metadata is stored in `/.DocumentRevisions-V100` and can be cleared and locked with the following commands - caution should be taken as this may 
break some core Apple applications: ```console -sudo rm -rfv /.DocumentRevisions-V100/* -sudo chmod -R 000 /.DocumentRevisions-V100 -sudo chflags -R uchg /.DocumentRevisions-V100 +$ sudo rm -rfv /.DocumentRevisions-V100/* +$ sudo chmod -R 000 /.DocumentRevisions-V100 +$ sudo chflags -R uchg /.DocumentRevisions-V100 ``` Saved application state metadata may be cleared and locked with the following commands: ```console -rm -rfv "~/Library/Saved Application State/*" -rm -rfv "~/Library/Containers//Saved Application State" -chmod -R 000 "~/Library/Saved Application State/" -chmod -R 000 "~/Library/Containers//Saved Application State" -chflags -R uchg "~/Library/Saved Application State/" -chflags -R uchg "~/Library/Containers//Saved Application State" +$ rm -rfv "~/Library/Saved Application State/*" +$ rm -rfv "~/Library/Containers//Saved Application State" +$ chmod -R 000 "~/Library/Saved Application State/" +$ chmod -R 000 "~/Library/Containers//Saved Application State" +$ chflags -R uchg "~/Library/Saved Application State/" +$ chflags -R uchg "~/Library/Containers//Saved Application State" ``` Autosave metadata can be cleared and locked with the following commands: ```console -rm -rfv "~/Library/Containers//Data/Library/Autosave Information" -rm -rfv "~/Library/Autosave Information" -chmod -R 000 "~/Library/Containers//Data/Library/Autosave Information" -chmod -R 000 "~/Library/Autosave Information" -chflags -R uchg "~/Library/Containers//Data/Library/Autosave Information" -chflags -R uchg "~/Library/Autosave Information" +$ rm -rfv "~/Library/Containers//Data/Library/Autosave Information" +$ rm -rfv "~/Library/Autosave Information" +$ chmod -R 000 "~/Library/Containers//Data/Library/Autosave Information" +$ chmod -R 000 "~/Library/Autosave Information" +$ chflags -R uchg "~/Library/Containers//Data/Library/Autosave Information" +$ chflags -R uchg "~/Library/Autosave Information" ``` The Siri analytics database, which is created even if the Siri launch agent disabled, 
can be cleared and locked with the following commands: ```console -rm -rfv ~/Library/Assistant/SiriAnalytics.db -chmod -R 000 ~/Library/Assistant/SiriAnalytics.db -chflags -R uchg ~/Library/Assistant/SiriAnalytics.db +$ rm -rfv ~/Library/Assistant/SiriAnalytics.db +$ chmod -R 000 ~/Library/Assistant/SiriAnalytics.db +$ chflags -R uchg ~/Library/Assistant/SiriAnalytics.db ``` `~/Library/Preferences/com.apple.iTunes.plist` contains iTunes metadata. Recent iTunes search data may be cleared with the following command: ```console -defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches +$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches ``` If you do not use Apple ID-linked services, the following keys may be cleared, too, using the following commands: ```console -defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo -defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID +$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo +$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID ``` All media played in QuickTime Player can be found in: -```console +``` ~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist ``` Additional metadata may exist in the following files: -```console +``` ~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist ~/Library/Preferences/com.apple.commerce.plist ~/Library/Preferences/com.apple.QuickTimePlayerX.plist From 9ea877a119e1794b961eb3ba645927f8ff327241 Mon Sep 17 00:00:00 2001 From: drduh Date: Fri, 18 Jan 2019 14:44:38 -0800 Subject: [PATCH 099/476] Mention hyperlink auditing beacons. Fix #326. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f54f9ccc..37402624 100755 --- a/README.md +++ b/README.md 
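Review bot: several commands in this hunk are carried over unchanged apart from the `$ ` prompt, and they do not do what the prose says. (1) In `$ rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*"`, and likewise in the Quick Look, Saved Application State and Autosave blocks, the tilde and the `*` are inside double quotes, so the shell expands neither; `rm` looks for a literal directory named `~` and removes nothing, while the following unquoted `chmod`/`chflags` lines do run. Write the paths so the home directory is expanded, e.g. `rm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*` and `rm -rfv "$HOME/Library/Application Support/Quick Look/"*`. (2) `~/Library/Containers//Saved Application State` and `~/Library/Containers//Data/Library/Autosave Information` contain an empty path component between the double slashes, which looks like a dropped container identifier; either use a glob for that component (`~/Library/Containers/*/Data/Library/Autosave Information`) or show an explicit placeholder. (3) In the Siri block, `chmod -R 000` and `chflags -R uchg` are applied to `~/Library/Assistant/SiriAnalytics.db` right after `rm -rfv` has deleted it, so both fail; if the intent is to lock the path against re-creation, as "cleared and locked" implies, recreate it with `touch` first and then lock it. Also in the surrounding context, "macOS stored preferred Wi-Fi data" should be "stores", and "even if the Siri launch agent disabled" is missing "is".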
@@ -1223,7 +1223,7 @@ Safari syncs user's preferences and stored logins through the iCloud Keychain. S Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (similar to as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. -An excellent open source ad blocker for Safari that fully leverages Content blockers is [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. +An excellent open source ad blocker for Safari that fully leverages Content blockers is [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. #### Other Web browsers From a889f4ab4dc8860a7978221ba5e2848ec89a436a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Moureau?= <5954335+TraderStf@users.noreply.github.com> Date: Sat, 19 Jan 2019 12:51:37 +0100 Subject: [PATCH 100/476] 2 openvpn clients --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 37402624..d3aa9ca2 100755 --- a/README.md +++ b/README.md 
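Review bot: the sentence appended at +1226 concerns a different topic (disabling hyperlink auditing beacons) from the Ka-Block ad-blocking paragraph it is attached to, and points at a wiki page of another extension rather than a tool the guide evaluates; give it its own sentence or paragraph and say what hyperlink auditing beacons are, in one clause, so the reader knows why to disable them. While here, the context line at -1223 reads "similar to as Chrome and Firefox"; drop either "to" or "as".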
@@ -1446,6 +1446,8 @@ Also see this [technical overview](https://blog.timac.org/2018/0717-macos-vpn-ar Further, it is possible to run the contemporary Linux-based [Wireguard](https://www.wireguard.com/) VPN either [from a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). +Other Open Source OpenVPN clients/GUI: [Eddie](https://github.com/AirVPN/Eddie), [Pritunl](https://client.pritunl.com) are not evaluated in this guide, so are neither recommended nor actively discouraged from use. + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! From d0e664e949bbc06d57bfda9f3d1c46e8e146bf8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Moureau?= <5954335+TraderStf@users.noreply.github.com> Date: Sat, 19 Jan 2019 13:00:12 +0100 Subject: [PATCH 101/476] Lulu LuLu is the free, shared-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user. https://objective-see.com/products/lulu.html --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 37402624..6429fa08 100755 --- a/README.md +++ b/README.md 
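Review bot: grammar at +1449: "Other Open Source OpenVPN clients/GUI: [Eddie], [Pritunl] are not evaluated in this guide, so are neither recommended nor actively discouraged from use" is a run-on; suggest "Other open source OpenVPN clients with a GUI, such as [Eddie] and [Pritunl], are not evaluated in this guide, so they are neither recommended nor discouraged." The preceding paragraph is about WireGuard, so a short lead-in tying this back to OpenVPN would also help.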
@@ -586,7 +586,7 @@ $ sudo pkill -HUP socketfilterfw ### Third party firewalls -Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](https://radiosilenceapp.com/) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. +Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](https://radiosilenceapp.com/), [LuLu](https://objective-see.com/products/lulu.html) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. Example of Little Snitch monitored session From 78b2d3e217be993fa5e5d7aae8b6b21a98ebfe0b Mon Sep 17 00:00:00 2001 From: drduh Date: Wed, 30 Jan 2019 19:31:48 -0800 Subject: [PATCH 102/476] Update license, grammar, style and dead links --- LICENSE | 3 +- README.md | 204 +++++++++++++++++++++--------------------------------- 2 files changed, 78 insertions(+), 129 deletions(-) diff --git a/LICENSE b/LICENSE index 20efd1b3..787231be 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2015 +Copyright (c) 2015-2019 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -19,4 +19,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - diff --git a/README.md b/README.md index 37402624..b4f556fd 100755 --- a/README.md +++ b/README.md 
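Review bot: the commit message describes LuLu as free and shared-source, which distinguishes it from the commercial tools in this list and is worth stating in the README sentence itself at +589 (for example "[LuLu] (free, shared-source)"), since source availability is a real selection criterion for a firewall that may run a closed source kernel extension, as the paragraph below notes.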
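Review bot: `Copyright (c) 2015-2019` in the LICENSE hunk still names no copyright holder; the MIT licence text expects `Copyright (c) <year> <holder>`, so add the author or project name while updating the year. Removing the trailing blank line at the end of the file is fine.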
@@ -8,7 +8,7 @@ This guide is provided on an 'as is' basis without any warranties of any kind. O If you wish to make a correction or improvement, please send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues). -This guide is also available in [简体中文](https://github.com/xitu/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). +This guide is also available in [简体中文](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). - [Basics](#basics) - [Preparing and installing macOS](#preparing-and-installing-macos) @@ -45,7 +45,7 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec - [Web](#web) - [Privoxy](#privoxy) - [Browser](#browser) - - [Google Chrome](#google-chrome) + - [Chrome](#chrome) - [Firefox](#firefox) - [Safari](#safari) - [Other Web browsers](#other-web-browsers) 
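Review bot: the table of contents entry is renamed from `[Google Chrome](#google-chrome)` to `[Chrome](#chrome)` at +48, but neither hunk shows the matching rename of the body heading; the anchor breaks unless `### Chrome` is introduced in the same patch. Likewise, the 简体中文 link at +11 now points into this repository (`drduh/.../README-cn.md`) instead of the xitu fork; confirm that file exists here, otherwise the dead-link fix introduces a new dead link.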
@@ -76,24 +76,24 @@ This guide is also available in [简体中文](https://github.com/xitu/macOS-Sec ## Basics -Here is an overview of basic, standard best security practices which apply on macOS: +Standard security best practices apply: * Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) * What are you trying to protect and from whom? Is your adversary a [three letter agency](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) (if so, you may want to consider using [OpenBSD](https://www.openbsd.org/) instead); a nosy eavesdropper on the network; or a determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? * [Recognize threats](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) and how to reduce attack surface against them. * Keep the system up to date - * Patch, patch, patch the base system and third party software. - * macOS system updates can be completed using the App Store application, or the `softwareupdate` command-line utility - neither requires registering an Apple account. + * Patch the base operating system and all third party software. + * macOS system updates can be completed using the App Store application, or the `softwareupdate` command-line utility - neither requires registering an Apple account. Updates can also be downloaded directly from Apple's support site. * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). * Encrypt sensitive data at rest - * In addition to full disk encryption, consider creating one or several encrypted partitions or containers to store passwords, keys, personal documents, and other data, at rest. + * In addition to full disk encryption, consider creating one or several encrypted partitions or volumes to store passwords, cryptographic keys, personal documents, etc. at rest. 
* This will mitigate damage in case of compromise and data exfiltration. -* Frequent backups - * Create [regular backups](https://www.amazon.com/o/ASIN/0596102461/backupcentral) of your data and be ready to reimage in case of compromise. - * Always encrypt before copying backups to external media or the "cloud". +* Assure data availability + * Create [regular backups](https://www.amazon.com/o/ASIN/0596102461/backupcentral) of your data and be ready to format and re-install the operating system in case of compromise. + * Always encrypt locally before copying backups to external media or the "cloud". * Verify backups work by testing them regularly, for example by accessing certain files or performing a hash based comparison. * Click carefully @@ -116,7 +116,7 @@ An alternative way to install macOS is to first download **macOS Mojave** from t The macOS installation application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `pkgutil --check-signature` or `codesign -dvv` commands. -Here are two example ways to verify the code signature and integrity of macOS application bundles: +To verify the code signature and integrity of macOS application bundles: ```console $ pkgutil --check-signature /Applications/Install\ macOS\ Mojave.app 
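Review bot: "Assure data availability" at +90 should be "Ensure data availability" (one assures a person, ensures an outcome). In the same hunk, the new sentence "Updates can also be downloaded directly from Apple's support site" at +86 is the only item in this list that names a source without linking it; add the link so the reader is not left to search. The rest of the rewording (threat model, "third party software", "partitions or volumes", "encrypt locally before copying backups") is an improvement.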
@@ -178,26 +178,22 @@ Install media now available at "/Volumes/Install macOS Mojave" ### Creating an install image -**Note** Apple's AutoDMG installer [does not appear to work](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.14 image, for example, the following steps must be run on macOS verison 10.14! +**Note** Apple's AutoDMG installer [does not appear to work](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.14 image, for example, the following steps must be performed on macOS 10.14! To create a **custom install image** which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac (using a USB-C cable and target disk mode, for example), use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG). #### Manual way -*Note* The following instructions appear to work only on macOS versions before 10.13. +**Note** The following instructions appear to work only on macOS versions before 10.13. -You will need to find the file `InstallESD.dmg`, which is also inside installation application. +Find `InstallESD.dmg` which is inside the installation application. Locate it in Terminal or with Finder, right click on the application bundle, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg` -Locate it in Terminal or with Finder, right click on the application bundle, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg` - -Before continuing, [verify](https://support.apple.com/en-us/HT201259) the file's integrity by comparing its SHA-256 hash with others found in this repository or elsewhere online. 
+Before continuing, [verify](https://support.apple.com/en-us/HT201259) the file's integrity by comparing its SHA-256 hash with others found in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv). To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). ```console $ shasum -a 256 InstallESD.dmg ``` -Both results should match a version of macOS in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv). You can also search for hashes to ensure others are seeing the same. To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). - Mount and install the operating system to a temporary image: ```console @@ -213,9 +209,9 @@ installer: OS Install started. [...] ``` -The installation will take a while, so be patient. You can use the command `tail -F /var/log/install.log` in another Terminal window to monitor progress or check for any failures. +The installation will take a while, so be patient. Use `tail -F /var/log/install.log` in another terminal to monitor progress and check for errors. -Once the installation completes successfully, detach, convert and verify the image: +Once the installation is complete, detach, convert and verify the image: ```console $ hdiutil detach /tmp/macos 
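Review bot: the rewrite of the InstallESD verification step drops "You can also search for hashes to ensure others are seeing the same", leaving InstallESD_Hashes.csv in this same repository as the sole reference; a hash list that lives alongside the guide cannot detect its own tampering, so keep a sentence recommending a cross-check against an independent source. Minor: "Find `InstallESD.dmg` which is inside the installation application. Locate it in Terminal or with Finder..." says the same thing twice; one sentence will do.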
@@ -437,43 +433,15 @@ Turning on FileVault in System Preferences **after** installing macOS, rather th Additionally, the PRNG can be manually seeded with entropy by writing to /dev/random **before** enabling FileVault. This can be done by simply using the Mac for a little while before activating FileVault. -To manually seed entropy *before* enabling FileVault: - -```console -$ cat > /dev/random -[Type random letters for a long while, then press Control-D] -``` - -To test entropy and randomness quality, download and use [`ent`](http://www.fourmilab.ch/random/) with Homebrew, then: - -```console -$ dd if=/dev/random of=/tmp/random count=8192 - -$ ent /tmp/random -Entropy = 7.999952 bits per byte. - -Optimum compression would reduce the size -of this 4194304 byte file by 0 percent. - -Chi square distribution for 4194304 samples is 278.80, and randomly -would exceed this value 14.64 percent of the times. - -Arithmetic mean value of data bytes is 127.4922 (127.5 = random). -Monte Carlo value for Pi is 3.142499106 (error 0.03 percent). -Serial correlation coefficient is 0.000508 (totally uncorrelated = 0.0) -``` - -See [Entropy and Random Number Generators](https://calomel.org/entropy_random_number_generators.html) and [Fun with encryption and randomness](https://rsmith.home.xs4all.nl/howto/fun-with-encryption-and-randomness.html) for more information. - -It may also be possible to increase entropy with an external source, like [OneRNG](http://onerng.info/). +It may also be possible to increase entropy with an external source, like [OneRNG](http://onerng.info/). See [Entropy and Random Number Generators](https://calomel.org/entropy_random_number_generators.html) and [Fun with encryption and randomness](https://rsmith.home.xs4all.nl/howto/fun-with-encryption-and-randomness.html) for more information. Enable FileVault with `sudo fdesetup enable` or through **System Preferences** > **Security & Privacy** and reboot. 
-If you can remember your password, there's no reason to save the **recovery key**. However, your encrypted data will be lost forever if you can't remember the password or recovery key. +If you can remember the password, there's no reason to save the **recovery key**. However, all encrypted data will be lost forever if without either the password or recovery key. -To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see [IEEE Std 1619-2007 “The XTS-AES Tweakable Block Cipher”](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) (pdf). +To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see [IEEE Std 1619-2007: The XTS-AES Tweakable Block Cipher](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) (pdf). -**Optional** Enforce **hibernation** and evict FileVault keys from memory instead of traditional sleep to memory: +**Optional** Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory: ```console $ sudo pmset -a destroyfvkeyonstandby 1 
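Review bot: the hunk removes the `cat > /dev/random` instructions and the `ent` test, but the context sentence just above still states that "the PRNG can be manually seeded with entropy by writing to /dev/random"; either drop that claim with the instructions or keep a one-line command, otherwise the reader is told to do something the page no longer shows how to do. Grammar at +444: "all encrypted data will be lost forever if without either the password or recovery key" should read "all encrypted data will be lost forever without either the password or the recovery key".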
@@ -500,7 +468,7 @@ Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) a ## Firmware -Setting a firmware password prevents a Mac from starting up from any device other than your startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. See [How to set a firmware password on your Mac](https://support.apple.com/en-au/HT204455) for official documentation. +Setting a firmware password prevents a Mac from starting up from any device other than the startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. See [How to set a firmware password on your Mac](https://support.apple.com/en-au/HT204455) for official documentation. This feature [can be helpful if your laptop is lost or stolen](https://www.ftc.gov/news-events/blogs/techftc/2015/08/virtues-strong-enduser-device-controls), protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as [pcileech](https://github.com/ufrisk/pcileech), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer. 
@@ -588,13 +556,9 @@ $ sudo pkill -HUP socketfilterfw Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](https://radiosilenceapp.com/) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. -Example of Little Snitch monitored session - -*Example of Little Snitch-monitored session* - These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [kernel extension](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html). -If the number of choices of allowing/blocking network connections is overwhelming, use **Silent Mode** with connections allowed, then periodically check your settings to gain understanding of what various applications are doing. +If the number of choices of allowing/blocking network connections is overwhelming, use **Silent Mode** with connections allowed, then periodically check the configuration to gain understanding of applications and what they are doing. It is worth noting that these firewalls can be bypassed by programs running as **root** or through [OS vulnerabilities](https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf) (pdf), but they are still worth having - just don't expect absolute protection. However, some malware actually [deletes itself](https://www.cnet.com/how-to/how-to-remove-the-flashback-malware-from-os-x/) and doesn't execute if Little Snitch, or other security software, is installed. 
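Review bot: the context line "Programs such as [Little Snitch], [Hands Off], [Radio Silence] and [Security Growler]..." predates the LuLu addition in PATCH 101 (both patches start from README index 37402624), so this hunk will conflict on rebase; regenerate it against the line that includes LuLu. Removing the orphaned "Example of Little Snitch monitored session" image remnant at -591 and -593 is correct.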
@@ -701,13 +665,17 @@ You can also run [KnockKnock](https://github.com/synack/knockknock) that shows m For example, to learn what a system launch daemon or agent does, start with: - $ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist +```console +$ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist +``` Look at the `Program` or `ProgramArguments` section to see which binary is run, in this case `apsd`. To find more information about that, look at the man page with `man apsd` For example, if you're not interested in Apple Push Notifications, disable the service: - $ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist +```console +$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist +``` **Note** Unloading services may break usability of some applications. Read the manual pages and use Google to make sure you understand what you're doing first. 
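Review bot: The `launchctl unload -w` example in the second fenced block persistently disables the daemon, but the hunk never documents how to reverse it; add the counterpart `sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist` (the `load -w` form is already used in this guide's SSH section) beside the **Note** about breakage so a reader can recover from a mistake. The conversion from indented blocks to console-tagged fences is consistent with the rest of the file; the sentence "look at the man page with `man apsd`" is missing its terminating period.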
@@ -717,29 +685,35 @@ Use [Console](https://en.wikipedia.org/wiki/List_of_macOS_components#Console) an To view the status of services: - $ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null +```console +$ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null +``` Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository. **(Optional)** Run the `read_launch_plists.py` script and `diff` output to check for any discrepancies on your system, e.g.: - $ diff <(python read_launch_plists.py) <(cat 16A323_launchd.csv) +```console +$ diff <(python read_launch_plists.py) <(cat 16A323_launchd.csv) +``` See also [cirrusj.github.io/Yosemite-Stop-Launch](https://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation. -Other persistent login items may exist in these locations (see [Mac OSX Startup](http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf)): +Persistent login items may also exist in these directories: -* `/System/Library/LaunchAgents` -* `/System/Library/LaunchDaemons` * `/Library/LaunchAgents` -* `~/Library/LaunchAgents` * `/Library/LaunchDaemons` -* `/System/Library/ScriptingAdditions` * `/Library/ScriptingAdditions` -* `/System/Library/StartupItems` * `/Library/StartupItems` +* `/System/Library/LaunchAgents` +* `/System/Library/LaunchDaemons` +* `/System/Library/ScriptingAdditions` +* `/System/Library/StartupItems` +* `~/Library/LaunchAgents` * `~/Library/Preferences/com.apple.loginitems.plist` +See [Mac OSX Startup](http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf) for more information. 
+ ## Spotlight Suggestions Disable **Spotlight Suggestions** in both the Spotlight preferences and Safari's Search preferences to avoid your search queries being sent to Apple. @@ -758,11 +732,13 @@ For comparison to Windows 10, see > .zshrc`, then change your login shell to Z shell with `chsh -s /bin/zsh`, open a new Terminal window and run `brew update`. @@ -784,7 +760,8 @@ Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known Edit the hosts file as root, for example with `sudo vi /etc/hosts`. The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask). -To block a domain `A` record, append one of the following lines to `/etc/hosts`: +To block a domain `A` record, append any one of the following lines to `/etc/hosts`: + ``` 0 example.com 0.0.0.0 example.com 
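Review bot: In the re-fenced diff example, `diff <(python read_launch_plists.py) <(cat 16A323_launchd.csv)` spawns `cat` for no reason; the right-hand side can be the file name itself, `diff <(python read_launch_plists.py) 16A323_launchd.csv`, and since this hunk already rewrites that block it is the place to fix it. The alphabetical re-sort of the persistence directories is fine; note that the `find ... -exec defaults read {} \;` block above it is now fenced as console with a `$` prompt, so copy-pasting readers will need to strip the prompt, same as the other blocks in this file.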
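Review bot: The hosts-file hunk says "append any one of the following lines" and shows `0 example.com` and `0.0.0.0 example.com`, but mapping only the A record leaves IPv6 (AAAA) resolution untouched; if the intent is to block the domain, either add an IPv6 entry such as `:: example.com` or state explicitly that only IPv4 lookups are covered. Also confirm the closing fence for this block survives, since it lies beyond the visible context and the hunk only adds a blank line before the opening fence.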
@@ -1148,17 +1125,17 @@ The best tip to ensure secure browsing regardless your choice of Web Browser is Another important consideration about Web Browser security is Web Extensions. Web Extensions greatly increase the attack surface of the Web Browser. This is an issue that plagues Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. Luckily, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their behavior and remove them if they request access to information they shouldn't (why would an Ad blocker require camera access?). In the interest of security, it is best to limit your use of Web Extensions. -[Google Chrome](https://www.google.com/chrome/browser/desktop/) , [Firefox](https://www.mozilla.org/en-US/firefox/new/) and [Safari](https://www.apple.com/safari/) are the Web Browsers that are being covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice before committing to one. +[Google Chrome](https://www.google.com/chrome/), [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/), [Safari](https://www.apple.com/safari/), and [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) are covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice and not necessarily commit to only one. -#### Google Chrome +#### Chrome -[Google Chrome](https://www.google.com/chrome/browser/desktop/) is based on the Open Source [Chromium project](https://www.chromium.org/Home) with certain proprietary components. 
The proprietary components are the [following](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): +[Google Chrome](https://www.google.com/chrome/) is based on the open source [Chromium project](https://www.chromium.org/Home) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): * Automatic updates with GoogleSoftwareUpdateDaemon. * Usage tracking and crash reporting, which can be disabled through Chrome's settings. * Chrome Web Store. -* Adobe Flash Plugin - Chrome supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome. -* Media Codec support. Adds support for proprietary codecs. +* Adobe Flash Plugin - supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome. +* Media Codec support - adds support for proprietary codecs. * Chrome [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). * Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. The source code to decode the strings is made open by Google. 
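Review bot: The rewritten intro now lists Tor Browser among the browsers "covered in this guide", but the only Tor-related change in this patch is the download-link wording in the later @@ -1291 hunk, so either add a Tor Browser subsection alongside Chrome, Firefox and Safari or drop it from that list. In the proprietary-components list, "Adobe Flash Plugin - supports a Pepper API version of Adobe Flash" lost its subject when "Chrome" was removed; "Adobe Flash Plugin - a Pepper API build of Flash that Chrome updates automatically" reads correctly. The "Non-optional tracking" bullet still ends by saying Chrome downloaded from Google's website does not carry the RLZ identifier, which sits oddly under "non-optional"; "Install-source tracking" would label it more accurately.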
@@ -1173,41 +1150,34 @@ Chrome has the largest share of global usage and is the preferred target platfor To improve the privacy and security posture of the browser, create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience. * One profile **without cookies or Javascript** enabled (e.g., turned off in `chrome://settings/content`) which should be the preferred profile to visiting untrusted Web sites. However, many pages will not load at all without Javascript enabled. +* One profile with [uBlock Origin](https://github.com/gorhill/uBlock). Use this profile for visiting sites which require Javascript and/or cookies. Other recommended extensions are [Privacy Badger](https://www.eff.org/privacybadger), [HTTPSEverywhere](https://www.eff.org/https-everywhere). +* One profile for secure and trusted browsing needs, such as banking and email only. -* One profile with [uMatrix](https://github.com/gorhill/uMatrix) or [uBlock Origin](https://github.com/gorhill/uBlock) (or both). Use this profile for visiting **mostly trusted** Web sites. Take time to learn how these firewall extensions work. Other frequently recommended extensions are [Privacy Badger](https://www.eff.org/privacybadger), [HTTPSEverywhere](https://www.eff.org/https-everywhere) and [CertPatrol](http://patrol.psyced.org/) (Firefox only). - -* One or more profile(s) for secure and trusted browsing needs, such as banking and email only. - -The idea is to separate and compartmentalize data so that an exploit or privacy violation in one "session" does not necessarily affect data in another. - -In each profile, visit `chrome://settings/content` and enable **Block sites from running Flash** so Flash applications do not run by default without explicit permission. 
+The idea is to separate and compartmentalize data so that an exploit or privacy violation in one "profile" does not necessarily affect data in another. -[Incognito](https://support.google.com/chrome/answer/7440301) mode in Chrome disables extensions, since extensions such as Ad blockers have access to Chrome's network requests. Extensions have to be enabled manually. Moreover, while in Incognito mode, Chrome does not use session data from previous sessions. Incognito mode is another option if you want to access sensitive information without setting up separate profiles. +In each profile, visit `chrome://settings/content` and enable **Block sites from running Flash** and disable any other undesired features. -Take some time to read through [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy). +Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy) for more detailed, technical information. -For example, you may wish to disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). +Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). -It is best to remember that Google is an advertising company and its major source of revenue is AdSense. It makes sense that an advertising company would leverage its services to collect [information](https://www.google.com/policies/privacy/#infocollect) and [use](https://www.google.com/policies/privacy/#infouse) that information to maximize its profit. 
That means that while using [Google services](https://www.google.com/services/#?modal_active=none) certain personal information are being stored. Google is open about the data it stores and how it used them. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy?pli=1). +Read [Google's privacy policy](https://www.google.com/policies/privacy/) and learn which [Google services](https://www.google.com/services/) collect personal information. Google is open about the data it stores and how it used them. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy). #### Firefox -[Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. +[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. 
It is expected that Rust adoption will greatly improve the overall security posture of Firefox. -Firefox offers a similar security model to Chrome. It offers a -[bounty](https://www.mozilla.org/en-US/security/bug-bounty/) program, although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. +Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. -See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. +Firefox supports user-supplied configuration files. See [drduh/config/user.js](https://github.com/drduh/config/blob/master/user.js), [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows whitelist-based, pre-emptive script blocking. -If using Firefox, see [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox), [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js/) for recommended privacy preferences and other hardening measures. Also be sure to check out [NoScript](https://noscript.net/) for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking. +Firefox is focused on user privacy. 
It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers), similar to Chrome profiles. -Firefox is focussed on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) during Private browsing by default. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers). Containers lets you create profiles in Firefox for different activities, such as online shopping, travel planning, or checking work email. Containers store cookies separately, you can log into the same site with a different account in each Container, and online trackers can’t connect your browsing in one container to another. +Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. You can find more information about vulnerabilities introduced by Firefox's legacy extensions in this [paper](https://www.exploit-db.com/docs/24541.pdf) (pdf). Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. -Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. 
Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. You can find more information about vulnerabilities introduced by Firefox's legacy extensions in this [paper](https://www.exploit-db.com/docs/24541.pdf). Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. +Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. -Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are Open Source, although certain Web Extensions are proprietary. - -**Note**: Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. +**Note** Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. #### Safari 
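Review bot: Several of the added lines carry wording errors that should be fixed in this hunk rather than left for a later pass: "how it used them" should be "how it uses them"; "not a lucrative as Chrome's" should be "not as lucrative as Chrome's"; "Web Extension Api" should be "Web Extension API"; and "Firefox only displays as yes/no prompt" should be "displays a yes/no prompt". Beyond wording, the hunk deletes the Incognito paragraph (extensions disabled, no data from previous sessions) without a replacement, yet it was the stated option for readers who do not want to maintain three profiles; consider keeping it. "Disable DNS prefetching" is now an imperative but still does not say where the setting lives, and the profile list drops uMatrix while also removing the sentence asking readers to learn how these extensions work, so the rationale for recommending uBlock Origin alone is lost. The "issues #2 and #90" sentence is removed and re-added unchanged; harmless, but check the net diff so it appears exactly once.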
@@ -1219,7 +1189,7 @@ Similar to Chrome and Firefox, Safari offers an invite only [bounty program](htt Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 dollar lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. And be extra careful when the Web Extension's source code is not Open Source. On a side note, some Safari extensions are Open Source and freely available. Be grateful to those developers. -Safari syncs user's preferences and stored logins through the iCloud Keychain. Stored passwords are [encrypted](https://support.apple.com/en-gb/HT202303) with AES 256-bit encryption. In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. +Safari syncs user preferences and saved passwords with [iCloud Keychain](https://support.apple.com/en-gb/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. 
Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (similar to as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. @@ -1291,7 +1261,7 @@ If you want to know how OTR works, read the paper [Off-the-Record Communication, Tor is an anonymizing proxy which can be used for browsing the Web. -Download Tor Browser from the [offical Tor Project Web site](https://www.torproject.org/projects/torbrowser.html). +Download Tor Browser from [Tor Project](https://www.torproject.org/projects/torbrowser.html). Do **not** attempt to configure other browsers or applications to use Tor as you will likely make a mistake which will compromise your anonymity. 
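Review bot: The unchanged context after the edited iCloud Keychain line contains a sentence fragment, "Although security updates in Safari are handled independent of the stable release schedule ...", which should be joined to the preceding sentence as "..., although security updates are handled independently of the stable release schedule ...", and "similar to as Chrome and Firefox" has a stray "as"; both sit inside this hunk's context, so fix them here. Dropping the explicit "AES 256-bit" phrase in favour of the iCloud Keychain link is fine, but the remaining claim that a user "must input the account password of the current device" to view saved passwords now leans entirely on that link, so make sure the linked article actually states it.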
@@ -1900,27 +1870,17 @@ Finally, WEP protection on wireless networks is [not secure](http://www.howtogee ## SSH -For outgoing ssh connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. - -Here are several [recommended options](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5) to add to `~/.ssh/config`: +For outgoing SSH connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. See [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config) for recommended client options. -``` -Host * - PasswordAuthentication no - ChallengeResponseAuthentication no - HashKnownHosts yes - VisualHostKey yes -``` +You can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html) to send traffic through, similar to a VPN. -**Note** [macOS Sierra permanently remembers SSH key passphrases by default](https://openradar.appspot.com/28394826). Append the option `UseKeyChain no` to turn this feature off. - -You can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html) to send your traffic through, which is similar to a VPN. - -For example, to use Privoxy on a remote host: +For example, to use Privoxy running on a remote host port 8118: ```console $ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld + $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555 + $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 ``` 
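Review bot: The deleted **Note** about macOS Sierra permanently remembering SSH key passphrases was the only macOS-specific client advice in this section, and drduh/config/ssh_config is a generic file, so either keep the note or confirm the linked config carries the option; the OpenSSH keyword is spelled `UseKeychain` (the removed line had `UseKeyChain`). The added `networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555` and `-setsecurewebproxy` lines turn the system proxy on but the hunk gives no way back; add the matching `networksetup -setwebproxystate "Wi-Fi" off` and `-setsecurewebproxystate "Wi-Fi" off`, or at least say that closing the tunnel leaves the proxy pointing at a dead local port and breaks browsing until it is disabled. "Wi-Fi" is also only an example service name; readers on Ethernet need `networksetup -listallnetworkservices` to find theirs.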
@@ -1940,24 +1900,14 @@ $ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist Or use the **System Preferences** > **Sharing** menu. -If you are going to enable sshd, at least disable password authentication and consider further [hardening](https://stribika.github.io/2015/01/04/secure-secure-shell.html) your configuration. - -To `/etc/sshd_config`, add: - -``` -PasswordAuthentication no -ChallengeResponseAuthentication no -UsePAM no -``` +If enabling sshd, be sure to disable password authentication and consider further [hardening](https://stribika.github.io/2015/01/04/secure-secure-shell.html) your configuration. See [drduh/config/sshd_config](https://github.com/drduh/config/blob/master/sshd_config) for recommended options. -Confirm whether sshd is enabled or disabled: +Confirm whether sshd is running: ```console $ sudo lsof -Pni TCP:22 ``` -See also [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config) and [drduh/config/sshd_config](https://github.com/drduh/config/blob/master/sshd_config). - ## Physical access Keep your Mac physically secure at all times. Don't leave it unattended in hotels and such. From 6edd8bb2508e9ef38dc478295addbf77fce876bd Mon Sep 17 00:00:00 2001 From: Ilya Novickov Date: Wed, 6 Feb 2019 10:34:00 +0700 Subject: [PATCH 103/476] Update DNSCrypt configuration instructions --- README.md | 38 +++++--------------------------------- 1 file changed, 5 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 5b2135d9..32726879 100755 --- a/README.md +++ b/README.md 
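Review bot: Replacing the inline `/etc/sshd_config` snippet with a link to drduh/config/sshd_config also quietly fixes a wrong path (macOS keeps the daemon configuration at `/etc/ssh/sshd_config`); say so in the commit message, since readers who followed the old text edited a file sshd never reads. For "Confirm whether sshd is running", `sudo lsof -Pni TCP:22` will show the port-22 listener as `launchd`, not `sshd`, when the service is enabled with `launchctl load -w .../ssh.plist` as the preceding context describes, because launchd holds the socket and spawns sshd per connection; mention that so the output is not misread as sshd being absent.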
@@ -810,39 +810,12 @@ If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-prox $ brew info dnscrypt-proxy ``` -which will show a location like `/usr/local/Cellar/dnscrypt-proxy/2.0.8`, and `homebrew.mxcl.dnscrypt-proxy.plist` is in this folder. +which will show a location like `/usr/local/etc/dnscrypt-proxy.toml` -Edit it to have the line: +Open it in a text editor, find the line starting with `listen_addresses =` and edit that line to use DNScrypt on a port other than 53, like 5355: ``` ---local-address=127.0.0.1:5355 -``` - -Below the line: - -``` -/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy -``` - -dnscrypt - -*Append a local-address line to use DNScrypt on a port other than 53, like 5355* - -This can also be done using Homebrew, by installing `gnu-sed` and using the `gsed` command: - -```console -$ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a--local-address=127.0.0.1:5355<\\/string>\n" $(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist) -``` -By default, the `resolvers-list` will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. This can be fixed by changing the resolvers file in `homebrew.mxcl.dnscrypt-proxy.plist` (found earlier using find) to the symlinked version in `/usr/local/share`: - -``` ---resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv -``` - -Below the line: - -``` -/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy +listen_addresses = ['127.0.0.1:5355', '[::1]:5355'] ``` Start DNSCrypt: 
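Review bot: The hunk's leading context still reads "If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-prox...`", so the introduction keeps telling readers to locate the launchd plist while the rewritten body now edits `/usr/local/etc/dnscrypt-proxy.toml`; update that sentence in the same change. Also, `brew info dnscrypt-proxy` prints the keg path and the formula's caveats, so "will show a location like `/usr/local/etc/dnscrypt-proxy.toml`" only holds if the caveats mention that file; it is safer to state the configuration file path directly. Dropping the old `--local-address`, `gsed` and `--resolvers-list` workarounds is correct for the TOML-based 2.x configuration that the new `listen_addresses` line targets.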
@@ -860,10 +833,9 @@ dnscrypt- 13415 nobody 6u IPv4 0x1773f85ff9f8bbef 0t0 UDP 127.0.0.1:5 ``` > By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, -and under the "nobody" user using the dnscrypt.eu-dk DNSCrypt-enabled -resolver. If you would like to change these settings, you will have to edit the plist file (e.g., --resolver-address, --provider-name, --provider-key, etc.) +and under the "nobody" user using the resolvers specified in https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md. If you would like to change these settings, you will have to edit the configuration file (e.g. listen_addresses, user_name, urls, etc.) -This can be accomplished by editing `homebrew.mxcl.dnscrypt-proxy.plist` +This can be accomplished by editing `/usr/local/etc/dnscrypt-proxy.toml` as described above. You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper) (see also [drduh/Debian-Privacy-Server-Guide#dnscrypt](https://github.com/drduh/Debian-Privacy-Server-Guide#dnscrypt)) from a trusted location or use one of many [public servers](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv) instead. From 21393f03813fa2a8fa242d05ddf2bed4933f2f93 Mon Sep 17 00:00:00 2001 From: Ilya Novickov Date: Wed, 6 Feb 2019 10:35:44 +0700 Subject: [PATCH 104/476] Update lsof output for DNSCrypt --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 32726879..5575a853 100755 --- a/README.md +++ b/README.md 
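Review bot: The added blockquote line now points to the v2 `public-resolvers.md` list, but the unchanged trailing context still links "[public servers]" to `jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv`, the old v1 CSV; update that link to the same v2 source so the section stays internally consistent. The blockquote continuation lines ("and under the "nobody" user ...") have no leading `>`; Markdown's lazy continuation keeps them inside the quote, but a `>` prefix makes the diff and the source easier to read.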
@@ -827,9 +827,12 @@ $ sudo brew services restart dnscrypt-proxy Make sure DNSCrypt is running: ```console -$ sudo lsof -Pni UDP:5355 -COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME -dnscrypt- 13415 nobody 6u IPv4 0x1773f85ff9f8bbef 0t0 UDP 127.0.0.1:5355 +$ sudo lsof +c 15 -Pni UDP:5355 +COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME +dnscrypt-proxy 15244 nobody 7u IPv4 0x1337f85ff9f8beef 0t0 UDP 127.0.0.1:5355 +dnscrypt-proxy 15244 nobody 10u IPv6 0x1337f85ff9f8beef 0t0 UDP [::1]:5355 +dnscrypt-proxy 15244 nobody 12u IPv4 0x1337f85ff9f8beef 0t0 UDP 127.0.0.1:5355 +dnscrypt-proxy 15244 nobody 14u IPv6 0x1337f85ff9f8beef 0t0 UDP [::1]:5355 ``` > By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, From 9b9b927d3cb834be6321ea586e1a4a25155eb3c1 Mon Sep 17 00:00:00 2001 From: juanjonol Date: Sun, 17 Feb 2019 18:21:43 +0100 Subject: [PATCH 105/476] Update InstallESD_Hashes.csv --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 82b3bc51..72ec3e05 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -25,3 +25,4 @@ Version,Build,SHA-256,SHA-1 10.14,18A391,cdf15a36a082af2da1cc3ac913a6facb78894a5311c69d51fdfce706b83d8692,d29afb53d32d350453356d6025c4cbb2fb123985 10.14.1,18B75,84989fd343e4eeb1013703565eb54f652f2f89d3305fa952d85879d94606619a,635fdcb4a9baee1885825e9067d104d7aa0b9c2f 10.14.2,18C54,25a6c7d467fb72fed170dce786202f24c0120045c358902a19be8d3e106fe1a4,da00f1ccb5e0927ae4550fd8399160cc5f3a9b47 +10.14.3,18D109,cbf25956bb89860d01edfb1550b9a09f58d8c4c4fea6eaf64a16dd93236a437d,51493681f3e82bb78e22e97f38725ffc67f611cd From 3aba9695ef1ccda478b2d549c9fdee5be2089665 Mon Sep 17 00:00:00 2001 From: Ondrej Galbavy Date: Tue, 26 Mar 2019 17:32:21 +0100 Subject: [PATCH 106/476] Add macOS 10.14.4 hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 72ec3e05..78e6c3fd 100644 
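Review bot: The replacement sample output repeats the same DEVICE value `0x1337f85ff9f8beef` for all four sockets, which real lsof output never does since each socket has its own kernel address; paste genuine output or add a sentence saying the values are illustrative. `+c 15` is the right fix for the truncated `dnscrypt-` command name in the old block. The text above the block does not explain why two UDP sockets appear per address family, so a reader may think two instances are running; a short note would avoid that.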
--- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -26,3 +26,4 @@ Version,Build,SHA-256,SHA-1 10.14.1,18B75,84989fd343e4eeb1013703565eb54f652f2f89d3305fa952d85879d94606619a,635fdcb4a9baee1885825e9067d104d7aa0b9c2f 10.14.2,18C54,25a6c7d467fb72fed170dce786202f24c0120045c358902a19be8d3e106fe1a4,da00f1ccb5e0927ae4550fd8399160cc5f3a9b47 10.14.3,18D109,cbf25956bb89860d01edfb1550b9a09f58d8c4c4fea6eaf64a16dd93236a437d,51493681f3e82bb78e22e97f38725ffc67f611cd +10.14.4,18E226,b5b52ebf55fee7b5997b288255453f28f506421250485d37cf907f82950f85e8,458ea61e228defda08c0fe9dcd925db2e73e54f0 From 295df1726a91e86e5d4d49c032df3a50b87718a7 Mon Sep 17 00:00:00 2001 From: Elliot Jordan Date: Thu, 25 Apr 2019 14:56:37 -0700 Subject: [PATCH 107/476] Add build 18E227 --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 78e6c3fd..15035861 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -27,3 +27,4 @@ Version,Build,SHA-256,SHA-1 10.14.2,18C54,25a6c7d467fb72fed170dce786202f24c0120045c358902a19be8d3e106fe1a4,da00f1ccb5e0927ae4550fd8399160cc5f3a9b47 10.14.3,18D109,cbf25956bb89860d01edfb1550b9a09f58d8c4c4fea6eaf64a16dd93236a437d,51493681f3e82bb78e22e97f38725ffc67f611cd 10.14.4,18E226,b5b52ebf55fee7b5997b288255453f28f506421250485d37cf907f82950f85e8,458ea61e228defda08c0fe9dcd925db2e73e54f0 +10.14.4,18E227,8b51a1695152fe61b0c3ba72fe91123c7c7cafda465e4b988d55fc291d6e5069,2f37bc2ea1bd74baf42c9fa93b4518e155bae62e From 9bbbe02a6fbd3bbcce6a272f92a81cbc171dfdff Mon Sep 17 00:00:00 2001 From: xujiazhe Date: Sun, 5 May 2019 14:44:37 +0800 Subject: [PATCH 108/476] Update README-cn.md --- README-cn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-cn.md b/README-cn.md index b8219cb7..ec0fcb89 100755 --- a/README-cn.md +++ b/README-cn.md 
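Review bot: The InstallESD hash rows added in these commits (18E226 and now 18E227 for 10.14.4) carry no provenance: neither the commit messages nor the CSV say which artifact was hashed (the App Store installer application versus the InstallESD.dmg inside it) or the command used, such as `shasum -a 256` and `shasum -a 1` over the file. Since the file exists so readers can verify an installer as described in the guide's "Verifying installation integrity" section, each row should be traceable to that method; please state it in the commit message. Two rows for the same version with different build numbers is expected and fine.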
@@ -90,7 +90,7 @@ * 注意钓鱼网站 * 最后,具有高安全意识的管理员能大大降低系统的安全风险。 - * 在安装新软件的时候,请加倍小心。始终选择[免费的软件](https://www.gnu.org/philosophy/free-sw.en.html)和开源的软件([当然了,macOS 不是开源的](https://superuser.com/questions/19492/is-mac-os-x-open-source)) + * 在安装新软件的时候,请加倍小心。始终选择[自由的软件](https://www.gnu.org/philosophy/free-sw.en.html)和开源的软件([当然了,macOS 不是开源的](https://superuser.com/questions/19492/is-mac-os-x-open-source)) ## 固件 From 18d7265f6609e0e41d5f3248c35aa499c2813550 Mon Sep 17 00:00:00 2001 From: Elliot Jordan Date: Mon, 13 May 2019 14:58:34 -0700 Subject: [PATCH 109/476] Add 10.14.5 hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 15035861..2c2178ba 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -28,3 +28,4 @@ Version,Build,SHA-256,SHA-1 10.14.3,18D109,cbf25956bb89860d01edfb1550b9a09f58d8c4c4fea6eaf64a16dd93236a437d,51493681f3e82bb78e22e97f38725ffc67f611cd 10.14.4,18E226,b5b52ebf55fee7b5997b288255453f28f506421250485d37cf907f82950f85e8,458ea61e228defda08c0fe9dcd925db2e73e54f0 10.14.4,18E227,8b51a1695152fe61b0c3ba72fe91123c7c7cafda465e4b988d55fc291d6e5069,2f37bc2ea1bd74baf42c9fa93b4518e155bae62e +10.14.5,18F132,96c324576490e012a4383f3410e5c53fc0ccbbd22356e577fc3fc59aae112910,29e5d1a30a1259b9ff849111fb0d6588937c629d From 3d575b78c7ebe6899844fd9f1ad30745febce1c2 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 20 May 2019 20:51:57 -0700 Subject: [PATCH 110/476] Clean up Chrome section. Fix TOC and #332. --- README.md | 76 +++++++++++++++++++++++++------------------------------ 1 file changed, 35 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 5575a853..7a13f7ff 100755 --- a/README.md +++ b/README.md 
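Review bot: the wording change is correct: the link goes to gnu.org's definition of free software, which is about freedom (自由, libre), whereas 免费 means free of charge (gratis). In English the changed line reads "When installing new software, be extra careful. Always choose free (libre) software and open source software (macOS, of course, is not open source)." The same gratis/libre confusion may exist elsewhere in README-cn.md; a search for 免费 before merging would catch it.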
@@ -6,52 +6,52 @@ A system is only as secure as its administrator is capable of making it. There i This guide is provided on an 'as is' basis without any warranties of any kind. Only **you** are responsible if you break anything or get in any sort of trouble by following this guide. -If you wish to make a correction or improvement, please send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues). +To suggest an improvement, please send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues). This guide is also available in [简体中文](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). - [Basics](#basics) - [Preparing and installing macOS](#preparing-and-installing-macos) - - [Verifying installation integrity](#verifying-installation-integrity) - - [Creating a bootable USB installer](#creating-a-bootable-usb-installer) - - [Creating an install image](#creating-an-install-image) - - [Manual way](#manual-way) - - [Target disk mode](#target-disk-mode) - - [Creating a recovery partition](#creating-a-recovery-partition) - - [Virtualization](#virtualization) + * [Verifying installation integrity](#verifying-installation-integrity) + * [Creating a bootable USB installer](#creating-a-bootable-usb-installer) + * [Creating an install image](#creating-an-install-image) + + [Manual way](#manual-way) + * [Target disk mode](#target-disk-mode) + * [Creating a recovery partition](#creating-a-recovery-partition) + * [Virtualization](#virtualization) - [First boot](#first-boot) - [System activation](#system-activation) - [Admin and standard user accounts](#admin-and-standard-user-accounts) - - [Caveats](#caveats) - - [Setup](#setup) + * [Caveats](#caveats) + * [Setup](#setup) - [Full disk encryption](#full-disk-encryption) - [Firmware](#firmware) - [Firewall](#firewall) - - [Application layer firewall](#application-layer-firewall) - - [Third party 
firewalls](#third-party-firewalls) - - [Kernel level packet filtering](#kernel-level-packet-filtering) + * [Application layer firewall](#application-layer-firewall) + * [Third party firewalls](#third-party-firewalls) + * [Kernel level packet filtering](#kernel-level-packet-filtering) - [Services](#services) - [Spotlight Suggestions](#spotlight-suggestions) - [Homebrew](#homebrew) - [DNS](#dns) - - [Hosts file](#hosts-file) - - [dnscrypt](#dnscrypt) - - [dnsmasq](#dnsmasq) + + [Hosts file](#hosts-file) + + [dnscrypt](#dnscrypt) + + [Dnsmasq](#dnsmasq) - [Test DNSSEC validation](#test-dnssec-validation) - [Captive portal](#captive-portal) - [Certificate authorities](#certificate-authorities) - [OpenSSL](#openssl) - [Curl](#curl) - [Web](#web) - - [Privoxy](#privoxy) - - [Browser](#browser) - - [Chrome](#chrome) - - [Firefox](#firefox) - - [Safari](#safari) - - [Other Web browsers](#other-web-browsers) - - [Web browsers and privacy](#web-browsers-and-privacy) - - [Plugins](#plugins) -- [PGP/GPG](#pgpgpg) + * [Privoxy](#privoxy) + * [Browser](#browser) + + [Chrome](#chrome) + + [Firefox](#firefox) + + [Safari](#safari) + + [Other Web browsers](#other-web-browsers) + + [Web browsers and privacy](#web-browsers-and-privacy) + * [Plugins](#plugins) +- [PGP/GPG](#pgp-gpg) - [OTR](#otr) - [Tor](#tor) - [VPN](#vpn) @@ -65,10 +65,10 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se - [SSH](#ssh) - [Physical access](#physical-access) - [System monitoring](#system-monitoring) - - [OpenBSM audit](#openbsm-audit) - - [DTrace](#dtrace) - - [Execution](#execution) - - [Network](#network) + * [OpenBSM audit](#openbsm-audit) + * [DTrace](#dtrace) + * [Execution](#execution) + * [Network](#network) - [Binary Whitelisting](#binary-whitelisting) - [Miscellaneous](#miscellaneous) - [Related software](#related-software) 
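Review bot: the anchor change from `#pgpgpg` to `#pgp-gpg` for the heading `## PGP/GPG` looks like it will break the link on GitHub, whose heading slugs drop punctuation such as `/` rather than turning it into a hyphen, so the generated id is `pgpgpg`; please confirm against the rendered README before merging. Switching to `*` and `+` for nested levels is fine, but the three bullet characters now encode depth, which is easy to get wrong in later TOC edits.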
@@ -1114,28 +1114,22 @@ Another important consideration about Web Browser security is Web Extensions. We * Chrome [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). * Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. The source code to decode the strings is made open by Google. -Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](https://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](https://googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. - -Chrome offers account sync between multiple devices. Part of the sync data are stored website logins. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords. +Chrome offers account sync between multiple devices. Part of the sync data are stored website credentials. 
The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords. Chrome's Web store for extensions requires a [5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. -To improve the privacy and security posture of the browser, create at least three profiles, one for browsing **trusted** Web sites (email, banking), another for **mostly trusted** Web sites (link aggregators, news sites), and a third for a completely **cookie-less** and **script-less** experience. +Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](https://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). 
In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](https://googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. -* One profile **without cookies or Javascript** enabled (e.g., turned off in `chrome://settings/content`) which should be the preferred profile to visiting untrusted Web sites. However, many pages will not load at all without Javascript enabled. -* One profile with [uBlock Origin](https://github.com/gorhill/uBlock). Use this profile for visiting sites which require Javascript and/or cookies. Other recommended extensions are [Privacy Badger](https://www.eff.org/privacybadger), [HTTPSEverywhere](https://www.eff.org/https-everywhere). -* One profile for secure and trusted browsing needs, such as banking and email only. +Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, either disable Javascript in Chrome settings and manually whitelist allowed origins - or use [uBlock Origin](https://github.com/gorhill/uBlock) to manage Javascript and/or disable third-party scripts/frames. Also install [HTTPSEverywhere](https://www.eff.org/https-everywhere) to upgrade insecure connections. -The idea is to separate and compartmentalize data so that an exploit or privacy violation in one "profile" does not necessarily affect data in another. +Change the default search engine from Google to reduce additional tracking. -In each profile, visit `chrome://settings/content` and enable **Block sites from running Flash** and disable any other undesired features. +Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). 
Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy) for more detailed, technical information. -Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). - Read [Google's privacy policy](https://www.google.com/policies/privacy/) and learn which [Google services](https://www.google.com/services/) collect personal information. Google is open about the data it stores and how it used them. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy). #### Firefox 
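Review bot: the new sentence "Create separate Chrome profiles to reduce XSS risk" overstates what profiles do: a profile boundary does not make any site less vulnerable to cross-site scripting, it limits what a successful attack can reach (the cookies, logged-in sessions and extensions of that profile). Suggest "to limit the impact of XSS and other cross-site attacks and to compartmentalize cookies/identities". While this hunk rewrites the paragraph, the unchanged context still carries "retaining your the security of your passwords" and "Despite under constants attacks", both worth fixing here. Also, "including Flash, although you should disable it - see below" previously pointed at the removed `chrome://settings/content` instruction; check that "below" still lands on Flash guidance (the Plugins section) after this change.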
@@ -1192,7 +1186,7 @@ Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which If they are necessary, only use them in a disposable virtual machine and subscribe to security announcements to make sure you're always patched. -See [Hacking Team Flash Zero-Day](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/), [Java Trojan BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback), [Acrobat Reader: Security Vulnerabilities](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html), and [Angling for Silverlight Exploits](https://blogs.cisco.com/security/angling-for-silverlight-exploits), for example. +See [Hacking Team Flash Zero-Day](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/), [Java Trojan BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback), [Acrobat Reader: Security Vulnerabilities](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html), and [Angling for Silverlight Exploits](https://blogs.cisco.com/security/angling-for-silverlight-exploits) for examples. ## PGP/GPG From 3d9fd6bec33adb78abb4591ed4a868e9d1010cfb Mon Sep 17 00:00:00 2001 From: Elliot Jordan Date: Fri, 16 Aug 2019 10:16:38 -0700 Subject: [PATCH 111/476] Add 10.14.6 and 10.13.6 hashes --- InstallESD_Hashes.csv | 3 +++ 1 file changed, 3 insertions(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 2c2178ba..6dc58ed2 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv 
@@ -22,6 +22,8 @@ Version,Build,SHA-256,SHA-1 10.13.3,17D47,438fc19055e56ac90fb485796d3aacc4059d241d79bc5c303220c4c2468a1f9d,726c7516fdbe33ae3f2384ba1ce7efcda4335776 10.13.4,17E199,fd33bb6f8a4132c2ba50808c0e1f92eb05b6c300d38e58287d5d7dec01a4cd65,2c72b22a45ea8f5a80bee91db8aba96dae8310ea 10.13.5,17F77,c4ff5048bafbf7f386cd6cb3b09b58112df607a526874c726d9b0c5ba2e61a4f,216b38acfb234b4e29c2dba41fd76814550b59e2 +10.13.6,17G65,e3de527616e5a0bc6c2120960b55b458d49822900b09fd8d4884479efdce1c65,69159caf25666ea1c5d466e158e075d947f6a9ee +10.13.6,17G2208,82489dfce5025a6ee4725f194ec014d2f962e8ab2ea7c15032b5b1ea02e76598,686d5b9e2797b9604e5f2c9eaf3e2dbb839a66da 10.14,18A391,cdf15a36a082af2da1cc3ac913a6facb78894a5311c69d51fdfce706b83d8692,d29afb53d32d350453356d6025c4cbb2fb123985 10.14.1,18B75,84989fd343e4eeb1013703565eb54f652f2f89d3305fa952d85879d94606619a,635fdcb4a9baee1885825e9067d104d7aa0b9c2f 10.14.2,18C54,25a6c7d467fb72fed170dce786202f24c0120045c358902a19be8d3e106fe1a4,da00f1ccb5e0927ae4550fd8399160cc5f3a9b47 @@ -29,3 +31,4 @@ Version,Build,SHA-256,SHA-1 10.14.4,18E226,b5b52ebf55fee7b5997b288255453f28f506421250485d37cf907f82950f85e8,458ea61e228defda08c0fe9dcd925db2e73e54f0 10.14.4,18E227,8b51a1695152fe61b0c3ba72fe91123c7c7cafda465e4b988d55fc291d6e5069,2f37bc2ea1bd74baf42c9fa93b4518e155bae62e 10.14.5,18F132,96c324576490e012a4383f3410e5c53fc0ccbbd22356e577fc3fc59aae112910,29e5d1a30a1259b9ff849111fb0d6588937c629d +10.14.6,18G84,c4f1c01c50e819f231f9a54d567672d3da162c4b9dc21c8c7719ca4e679ecac8,892c930f496ceeb88708fa7507f27dc5a6f036d9 From aca8d09ace899181859ab16513ec7130e91fd9d8 Mon Sep 17 00:00:00 2001 From: Elliot Jordan Date: Mon, 26 Aug 2019 15:46:10 -0700 Subject: [PATCH 112/476] Add hashes for 10.14.6 supplemental 2 --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 6dc58ed2..113d91ba 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv 
@@ -32,3 +32,4 @@ Version,Build,SHA-256,SHA-1 10.14.4,18E227,8b51a1695152fe61b0c3ba72fe91123c7c7cafda465e4b988d55fc291d6e5069,2f37bc2ea1bd74baf42c9fa93b4518e155bae62e 10.14.5,18F132,96c324576490e012a4383f3410e5c53fc0ccbbd22356e577fc3fc59aae112910,29e5d1a30a1259b9ff849111fb0d6588937c629d 10.14.6,18G84,c4f1c01c50e819f231f9a54d567672d3da162c4b9dc21c8c7719ca4e679ecac8,892c930f496ceeb88708fa7507f27dc5a6f036d9 +10.14.6,18G95,ffa3fcc7e08b6134dca9f481f15aabce3fd80159951551dccdcd29df1a59e777,df554c1a284e0655ef643258ff2dddb491dc86e6 From be1ade784ca4e7670d4fd9a524212c6d6063d6bb Mon Sep 17 00:00:00 2001 From: drduh Date: Thu, 29 Aug 2019 11:56:34 -0700 Subject: [PATCH 113/476] Improve formatting, fix #316. --- README.md | 249 +++++++++++++++++++++++++++--------------------------- 1 file changed, 126 insertions(+), 123 deletions(-) diff --git a/README.md b/README.md index 7a13f7ff..18d50361 100755 --- a/README.md +++ b/README.md 
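Review bot: the commit subject says this row is for the 10.14.6 Supplemental Update 2, but the CSV has no column for that, so the file now lists two bare 10.14.6 rows (18G84 and 18G95) with nothing to tell a reader which is which; either add a notes column or rely on HT204319, which the README already links for build lookups, and say so.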
@@ -1,6 +1,6 @@ -This guide is a collection of techniques for improving the security and privacy of a modern Apple Macintosh computer ("MacBook") and macOS (formerly known as "OS X"). +This guide is a collection of techniques for improving the security and privacy of a modern Apple Macintosh computer ("MacBook") running a recent version of macOS (formerly known as "OS X"). -This guide is targeted to “power users” who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. +This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture. @@ -45,16 +45,16 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se - [Web](#web) * [Privoxy](#privoxy) * [Browser](#browser) - + [Chrome](#chrome) + [Firefox](#firefox) + + [Chrome](#chrome) + [Safari](#safari) + [Other Web browsers](#other-web-browsers) + [Web browsers and privacy](#web-browsers-and-privacy) * [Plugins](#plugins) -- [PGP/GPG](#pgp-gpg) -- [OTR](#otr) - [Tor](#tor) - [VPN](#vpn) +- [PGP/GPG](#pgp-gpg) +- [OTR](#otr) - [Viruses and malware](#viruses-and-malware) - [System Integrity Protection](#system-integrity-protection) - [Gatekeeper and XProtect](#gatekeeper-and-xprotect) 
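Review bot: the TOC now lists Firefox before Chrome and moves Tor and VPN above PGP/GPG and OTR; the hunks shown do not include the corresponding body sections, so please confirm the `###` and `##` headings were moved in the same commit, otherwise the table of contents and the document run in different orders.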
@@ -188,7 +188,9 @@ To create a **custom install image** which can be [restored](https://en.wikipedi Find `InstallESD.dmg` which is inside the installation application. Locate it in Terminal or with Finder, right click on the application bundle, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg` -Before continuing, [verify](https://support.apple.com/en-us/HT201259) the file's integrity by comparing its SHA-256 hash with others found in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv). To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). +[Verify](https://support.apple.com/en-us/HT201259) file integrity by comparing its SHA-256 hash with others found in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) or [notpeter/apple-installer-checksums](https://github.com/notpeter/apple-installer-checksums). + +To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). ```console $ shasum -a 256 InstallESD.dmg 
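Review bot: the rewritten sentence drops "Before continuing", which is fine, but the larger gap is that neither InstallESD_Hashes.csv nor notpeter/apple-installer-checksums is an authoritative source: a match only shows that the file equals what another contributor downloaded. The linked HT201259 describes Apple's own check (the installer's code signature), so suggest stating that the signature check is the primary verification and the community hash lists are a secondary cross-check, and showing the `shasum -a 256 InstallESD.dmg` output being compared against a specific Build row rather than "others".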
@@ -229,11 +231,11 @@ Preparing imaging engine... $ asr imagescan --source ~/sierra.dmg ``` -The file `sierra.dmg` is now ready to be applied over [Target Disk Mode](https://support.apple.com/en-us/HT201462), from a bootable USB installer, booting from the network or recovery mode. The image could be futher customized to include provisioned users, installed applications, preferences, for example. +The file `sierra.dmg` is now ready to be applied over [Target Disk Mode](https://support.apple.com/en-us/HT201462), from a bootable USB installer, booting from the network or recovery mode. The image could be further customized to include provisioned users, installed applications, preferences, for example. ### Target disk mode -To use **Target Disk Mode**, boot up the Mac you wish to image while holding the `T` key and connect it to another Mac using a USB-C, Thundrbolt or Firewire cable. +To use **Target Disk Mode**, boot up the Mac you wish to image while holding the `T` key and connect it to another Mac using a USB-C, Thunderbolt or Firewire cable. If you don't have another Mac, boot to a USB installer, with `sierra.dmg` and other required files copied to it, by holding the *Option* key at boot. 
@@ -297,19 +299,19 @@ Run `diskutil list` again to make sure `Recovery HD` now exists on `/dev/disk2`. ### Virtualization -To install macOS as a virtual machine (vm) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition manually. +To install macOS as a virtual machine (VM) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition manually. -For the Installation Method, select *Install macOS from the recovery partition*. Customize any memory or CPU requirements and complete setup. The guest vm should boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by default. +For the Installation Method, select *Install macOS from the recovery partition*. Customize any memory or CPU requirements and complete setup. The guest VM should boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by default. **Note** If the virtual machine does not boot due to a kernel panic, adjust the memory and process resource settings. -In Recovery Mode, select a language, then select Utilities > Terminal from the menubar. +In Recovery Mode, select a language, then select Utilities > Terminal from the menu bar. -In the guest vm, type `ifconfig | grep inet` - you should see a private address like `172.16.34.129` +In the guest VM, type `ifconfig | grep inet` - you should see a private address like `172.16.34.129` -On the host Mac, type `ifconfig | grep inet` - you should see a private gateway address like `172.16.34.1`. From the host Mac, you should be able to `ping 172.16.34.129` or the equivalent guest vm address. +On the host Mac, type `ifconfig | grep inet` - you should see a private gateway address like `172.16.34.1`. From the host Mac, you should be able to `ping 172.16.34.129` or the equivalent guest VM address. 
-From the host Mac, serve the installable image to the guest vm by editing `/etc/apache2/httpd.conf` and adding the following line to the top (using the gateway address assigned to the host Mac and port 80): +From the host Mac, serve the installable image to the guest VM by editing `/etc/apache2/httpd.conf` and adding the following line to the top (using the gateway address assigned to the host Mac and port 80): Listen 172.16.34.1:80 @@ -337,9 +339,9 @@ From the guest VM, install the disk image to the volume over the local network u When it's finished, stop the Apache Web server on the host Mac by pressing `Control` `C` at the `sudo httpd -X` window and remove the image copy with `sudo rm /Library/WebServer/Documents/sierra.dmg` -In the guest vm, select *Startup Disk* from the menubar top-left, select the hard drive and restart. You may wish to disable the Network Adapter in VMware to configure the guest vm initially. +In the guest VM, select *Startup Disk* from the menubar top-left, select the hard drive and restart. You may wish to disable the Network Adapter in VMware to configure the guest VM initially. -Take and Restore from saved guest vm snapshots before and after attempting risky browsing, for example, or use a guest vm to install and operate questionable software. +Take and Restore from saved guest VM snapshots before and after attempting risky browsing, for example, or use a guest VM to install and operate questionable software. ## First boot @@ -407,7 +409,7 @@ $ sudo dscl . -delete /Groups/admin GroupMembership $ sudo dscl . -delete /Groups/admin GroupMembers ``` -You can find the “GeneratedUID” of an account with: +To find the “GeneratedUID” of an account: ```console $ dscl . -read /Users/ GeneratedUID 
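Review bot: `Listen 172.16.34.1:80` serves `sierra.dmg` over plain HTTP to anything on the VMware host-only network, and nothing in the procedure re-checks the image once it reaches the guest. Since the guide already computes `shasum -a 256` on the installer, suggest running the same check on the copy inside the guest before `asr` restores it, so a truncated or tampered transfer is caught before it becomes the boot volume.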
@@ -448,9 +450,9 @@ $ sudo pmset -a destroyfvkeyonstandby 1 $ sudo pmset -a hibernatemode 25 ``` -> All computers have firmware of some type—EFI, BIOS—to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For example, the FileVault key is stored in EFI to transparently come out of standby mode. +> All computers have firmware of some type - EFI, BIOS - to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For example, the FileVault key is stored in EFI to transparently come out of standby mode. -> Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn’t destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode. +> Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn't destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode. If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See [issue #124](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/124) for more information. 
These settings can be changed with: @@ -464,7 +466,7 @@ $ sudo pmset -a autopoweroff 0 For more information, see [Best Practices for Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) and paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) -**Note** APFS may make evicting FV keys redundant - see discussion and links in [issue #283](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/283). +**Note** APFS may make evicting FileVault keys redundant - see discussion and links in [issue #283](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/283). ## Firmware @@ -572,9 +574,11 @@ pf can also be controlled with a GUI application such as [IceFloor](http://www.h There are many books and articles on the subject of pf firewall. Here's is just one example of blocking traffic by IP address. -Add the following into a file called `pf.rules`, modifying `en0` to be your outbound network adapter: +Add the following into a file called `pf.rules`: ``` +wifi = "en0" +ether = "en7" set block-policy drop set fingerprints "/etc/pf.os" set ruleset-optimization basic 
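Review bot: the hunk replaces the instruction "modifying `en0` to be your outbound network adapter" with hardcoded macros `wifi = "en0"` and `ether = "en7"`, but interface names differ between Macs (en7 in particular depends on which USB or Thunderbolt adapter is attached), so the sentence telling readers to set these to their own interfaces should stay; `ifconfig` or `networksetup -listallhardwareports` shows the mapping.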
@@ -583,21 +587,22 @@ scrub in all no-df table persist block in log block in log quick from no-route to any -pass out proto tcp from any to any keep state -pass out proto udp from any to any keep state -pass out proto icmp from any to any keep state -block log on en0 from {} to any -block log on en0 from any to {} +block log on $wifi from { } to any +block log on $wifi from any to { } +antispoof quick for { $wifi $ether } +pass out proto tcp from { $wifi $ether } to any keep state +pass out proto udp from { $wifi $ether } to any keep state +pass out proto icmp from $wifi to any keep state ``` Then use the following commands to manipulate the firewall: -* `sudo pfctl -e -f pf.rules` to enable the firewall +* `sudo pfctl -e -f pf.rules` to enable the firewall and load the configuration * `sudo pfctl -d` to disable the firewall -* `sudo pfctl -t blocklist -T add 1.2.3.4` to an IP address to the blocklist +* `sudo pfctl -t blocklist -T add 1.2.3.4` to add an IP address to the blocklist * `sudo pfctl -t blocklist -T show` to view the blocklist * `sudo ifconfig pflog0 create` to create an interface for logging -* `sudo tcpdump -ni pflog0` to view the filtered packets. +* `sudo tcpdump -ni pflog0` to view filtered packets Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a [NAT](https://www.grc.com/nat/nat.htm) on a secure home network. 
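Review bot: as displayed, `block log on $wifi from { } to any` and `block log on $wifi from any to { }` have nothing inside the braces, and `table persist` has no table name; given that the commands below manage a table with `pfctl -t blocklist`, the rules should reference `<blocklist>` (`table <blocklist> persist`, `from <blocklist>`), and the angle brackets were most likely stripped in rendering, so check the raw file. Two further points: `pass out proto icmp from $wifi to any keep state` covers only the Wi-Fi interface while the TCP and UDP rules cover both, which reads like an oversight rather than intent; and the intro line above the block still says "Here's is just one example".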
@@ -605,11 +610,15 @@ It is possible to use the pf firewall to block network access to entire ranges o Query [Merit RADb](http://www.radb.net/) for the list of networks in use by an autonomous system, like [Facebook](https://ipinfo.io/AS32934): - $ whois -h whois.radb.net '!gAS32934' +```console +$ whois -h whois.radb.net '!gAS32934' +``` Copy and paste the list of networks returned into the blocklist command: - $ sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16 +```console +$ sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16 +``` Confirm the addresses were added: @@ -661,7 +670,7 @@ You can also run [KnockKnock](https://github.com/synack/knockknock) that shows m * Use `sudo launchctl list` to view running system daemons * Specify the service name to examine it, e.g. `launchctl list com.apple.Maps.mapspushd` * Use `defaults read` to examine job plists in `/System/Library/LaunchDaemons` and `/System/Library/LaunchAgents` -* Use `man`, `strings` and Google to learn about what the agent/daemon runs +* Use `man` and `strings` to find out more about what an agent/daemon does For example, to learn what a system launch daemon or agent does, start with: 
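Review bot: the three prefixes in `sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16` are a sample, and the text should say so, because the `!gAS32934` query returns a much longer list. Two caveats worth a sentence: RADb route objects are self-registered IRR data, so the list can be incomplete or stale; and entries added with `-T add` live only in the running kernel table and are gone after a reboot, so a list worth keeping belongs in a file loaded by the table definition rather than in shell history.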
@@ -726,11 +735,11 @@ See [fix-macosx.com](https://web.archive.org/web/20180817061520/https://fix-maco **Note** This Web site and instructions may no longer work on macOS Sierra - see [issue 164](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/164). -For comparison to Windows 10, see +For comparison to Windows 10, see ## Homebrew -Consider using [Homebrew](https://brew.sh/) to make software installations easier and to update userland tools (see [Apple’s great GPL purge](http://meta.ath0.com/2012/02/05/apples-great-gpl-purge/)). +Consider using [Homebrew](https://brew.sh/) to make software installations easier and to update userland tools (see [Apple's great GPL purge](http://meta.ath0.com/2012/02/05/apples-great-gpl-purge/)). **Note** If you have not already installed Xcode or Command Line Tools, use `xcode-select --install` to download and install them, or check Apple's developer site. @@ -760,7 +769,7 @@ Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known Edit the hosts file as root, for example with `sudo vi /etc/hosts`. The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask). -To block a domain `A` record, append any one of the following lines to `/etc/hosts`: +To block a domain by `A` record, append any one of the following lines to `/etc/hosts`: ``` 0 example.com 
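Review bot: "For comparison to Windows 10, see" ends without a link in both the old and new line; this hunk only touched trailing whitespace, so the reference target was lost earlier and should either be restored or the sentence removed. In the hosts hunk, "To block a domain by `A` record" is slightly off: an `/etc/hosts` entry short-circuits address lookups for that exact hostname in the system resolver (it does not answer `dig`, which queries DNS directly) and it does not cover subdomains, which each need their own line; since wildcard blocking is what the dnscrypt and dnsmasq sections below provide, a sentence saying so would stop readers expecting it from the hosts file.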
@@ -853,7 +862,7 @@ $ dig +short -x 128.180.155.106.49321 d0wn-us-ns4 ``` -dnscrypt-proxy also has the capability to blacklist domains, including the use of wildcards. See the [Sample configuration file for dnscrypt-proxy](https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-proxy.conf) for the options. +dnscrypt-proxy also has the capability to blacklist domains, including the use of wild-cards. See the [Sample configuration file for dnscrypt-proxy](https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-proxy.conf) for the options. **Note** Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules: @@ -866,7 +875,7 @@ See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html), #### Dnsmasq -Among other features, [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstreaming queries for unqualified names, and block entire TLDs. +Among other features, [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domain names. Use in combination with DNSCrypt to additionally encrypt outgoing DNS traffic. 
@@ -1007,7 +1016,7 @@ $ curl -o ~/.curlrc https://raw.githubusercontent.com/drduh/config/master/curlrc Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter Web browsing traffic. -**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the app you wish to proxy is correctly configured and manually verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. +**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and manually verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/OSX/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. @@ -1090,7 +1099,7 @@ HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 ``` -You can replace ad images with pictures of kittens, for example, by starting the a local Web server and [redirecting blocked requests](https://www.privoxy.org/user-manual/actions-file.html#SET-IMAGE-BLOCKER) to localhost. +You can replace ad images with pictures of kittens, for example, by starting a local Web server and [redirecting blocked requests](https://www.privoxy.org/user-manual/actions-file.html#SET-IMAGE-BLOCKER) to localhost. ### Browser 
@@ -1100,7 +1109,25 @@ The best tip to ensure secure browsing regardless your choice of Web Browser is Another important consideration about Web Browser security is Web Extensions. Web Extensions greatly increase the attack surface of the Web Browser. This is an issue that plagues Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. Luckily, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their behavior and remove them if they request access to information they shouldn't (why would an Ad blocker require camera access?). In the interest of security, it is best to limit your use of Web Extensions. -[Google Chrome](https://www.google.com/chrome/), [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/), [Safari](https://www.apple.com/safari/), and [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) are covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice and not necessarily commit to only one. +[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/), [Google Chrome](https://www.google.com/chrome/), [Safari](https://www.apple.com/safari/), and [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) are covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice and not necessarily commit to only one. + +#### Firefox + +[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). 
Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. + +Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. + +Firefox supports user-supplied configuration files. See [drduh/config/user.js](https://github.com/drduh/config/blob/master/user.js), [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows whitelist-based, pre-emptive script blocking. + +Firefox is focused on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers), similar to Chrome profiles. + +Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. 
You can find more information about vulnerabilities introduced by Firefox's legacy extensions in this [paper](https://www.exploit-db.com/docs/24541.pdf) (pdf). Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. + +Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. + +**Note** Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. + +See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) for additional Firefox configuration options to improve security and privacy. #### Chrome 
@@ -1132,22 +1159,6 @@ Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [C Read [Google's privacy policy](https://www.google.com/policies/privacy/) and learn which [Google services](https://www.google.com/services/) collect personal information. Google is open about the data it stores and how it used them. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy). -#### Firefox - -[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. - -Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. - -Firefox supports user-supplied configuration files. See [drduh/config/user.js](https://github.com/drduh/config/blob/master/user.js), [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js) for recommended preferences and hardening measures. 
Also see [NoScript](https://noscript.net/), an extension which allows whitelist-based, pre-emptive script blocking. - -Firefox is focused on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers), similar to Chrome profiles. - -Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. You can find more information about vulnerabilities introduced by Firefox's legacy extensions in this [paper](https://www.exploit-db.com/docs/24541.pdf) (pdf). Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. - -Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. - -**Note** Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. 
- #### Safari [Safari](https://www.apple.com/safari/) is the default Web browser of macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. 
@@ -1188,51 +1199,13 @@ If they are necessary, only use them in a disposable virtual machine and subscri See [Hacking Team Flash Zero-Day](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/), [Java Trojan BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback), [Acrobat Reader: Security Vulnerabilities](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html), and [Angling for Silverlight Exploits](https://blogs.cisco.com/security/angling-for-silverlight-exploits) for examples. -## PGP/GPG - -PGP is a standard for encrypting email end to end. That means only the chosen recipients can decrypt a message, unlike regular email which is read and forever archived by providers. - -GPG, or **GNU Privacy Guard**, is a GPL licensed program compliant with the standard. - -GPG is used to verify signatures of software you download and install, as well as [symmetrically](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) or [asymmetrically](https://en.wikipedia.org/wiki/Public-key_cryptography) encrypt files and text. - -Install from Homebrew with `brew install gnupg`. - -If you prefer a graphical application, download and install [GPG Suite](https://gpgtools.org/). - -Download [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) to use recommended settings: - -```console -$ curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf -``` - -See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely generate and store GPG keys. - -Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and [practice](https://help.riseup.net/en/security/message-security/openpgp/best-practices) encrypting and decrypting email to yourself and your friends. 
Get them interested in this stuff! - -## OTR - -OTR stands for **off-the-record** and is a cryptographic protocol for encrypting and authenticating conversations over instant messaging. - -You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat service, even Google Hangouts (which only encrypts conversations between users and the server using TLS). - -The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail). - -A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). - -**Important** While popular, Adium does not appear to be actively developed and may have vulnerabilities. See additional discussion in [issue #299](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/299). - -Other XMPP clients include [profanity](http://www.profanity.im/) and [agl/xmpp-client](https://github.com/agl/xmpp-client). - -If you want to know how OTR works, read the paper [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf) (pdf) - ## Tor Tor is an anonymizing proxy which can be used for browsing the Web. -Download Tor Browser from [Tor Project](https://www.torproject.org/projects/torbrowser.html). +Download Tor Browser from [Tor Project](https://www.torproject.org/download/). -Do **not** attempt to configure other browsers or applications to use Tor as you will likely make a mistake which will compromise your anonymity. +Do **not** attempt to configure other browsers or applications to use Tor as you may make a mistake which will compromise anonymity. Download both the `dmg` and `asc` signature files, then verify the disk image has been signed by Tor developers: 
@@ -1387,6 +1360,44 @@ Further, it is possible to run the contemporary Linux-based [Wireguard](https:// Other Open Source OpenVPN clients/GUI: [Eddie](https://github.com/AirVPN/Eddie), [Pritunl](https://client.pritunl.com) are not evaluated in this guide, so are neither recommended nor actively discouraged from use. +## PGP/GPG + +PGP is a standard for encrypting email end to end. That means only the chosen recipients can decrypt a message, unlike regular email which is read and forever archived by providers. + +GPG, or **GNU Privacy Guard**, is a GPL-licensed open source program compliant with the PGP standard. + +GPG is used to verify signatures of software you download and install, as well as [symmetrically](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) or [asymmetrically](https://en.wikipedia.org/wiki/Public-key_cryptography) encrypt files and text. + +Install from Homebrew with `brew install gnupg`. + +If you prefer a graphical application, download and install [GPG Suite](https://gpgtools.org/). + +Download [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) to use recommended settings: + +```console +$ curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf +``` + +See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely generate and store GPG keys. + +Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and [practice](https://help.riseup.net/en/security/message-security/openpgp/best-practices) encrypting and decrypting email to yourself and your friends. Get them interested in this stuff! + +## OTR + +OTR stands for **off-the-record** and is a cryptographic protocol for encrypting and authenticating conversations over instant messaging. 
+ +You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat service, even Google Hangouts (which only encrypts conversations between users and the server using TLS). + +The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail). + +A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). + +**Important** While popular, Adium does not appear to be actively developed and may have vulnerabilities. See additional discussion in [issue #299](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/299). + +Other XMPP clients include [profanity](http://www.profanity.im/) and [agl/xmpp-client](https://github.com/agl/xmpp-client). + +If you want to know how OTR works, read the paper [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf) (pdf) + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! 
@@ -1403,13 +1414,11 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/soph Therefore, the best anti-virus is **Common Sense 2019**. See discussion in [issue #44](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/44). -CylancePROTECT may be worth running for the exploit mitigation features and (when locked down) is much harder to locally bypass than traditional AV, but it's effectiveness at detecting malware on macOS is questionable. It's core feature is an algorithm derived from a machine-learning process which aims to identify malware based on various characteristics of a binary executable. Cylance have a [whitepaper](https://www.cylance.com/content/dam/cylance/pdfs/data_sheets/CylancePROTECT.pdf) (pdf) with information about how it works. Single licenses are available from third party resellers such as [Cyberforce](https://cybrforce.com) or [Malware Managed](https://www.malwaremanaged.com) and there is also a home/personal edition in the works but it is currently only available for companies to make available to their employees. On macOS it complements Apple's built-in XProtect by continuously vmmap'ing the memory of active processes to watch for patterns that indicate bad things happening. - Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](https://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. -If you're unsure about whether an application or file is safe to open, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload) to be scanned and to examine its behavior. 
+To scan an application with multiple AV products and examine its behavior, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload). Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from **userland** (e.g., `ps`, `ls`), for example. For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) @@ -1553,7 +1562,7 @@ $ sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices $ sudo rm -rfv /var/db/lockdown/* ``` -QuickLook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. Disable the thumbnail cache with `qlmanage -r disablecache` +Quicklook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. Disable the thumbnail cache with `qlmanage -r disablecache` It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: 
@@ -1601,7 +1610,7 @@ Additional diagnostic files may be found in the following directories - but caut /var/log/DiagnosticMessages/ ``` -macOS stored preferred Wi-Fi data (including credentials) in nvram. To clear it, use the following commands: +macOS stored preferred Wi-Fi data (including credentials) in NVRAM. To clear it, use the following commands: ```console $ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network @@ -1749,7 +1758,7 @@ In addition to passwords, ensure eligible online accounts, such as GitHub, Googl Look to [Yubikey](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/) for a two factor and private key (e.g., ssh, gpg) hardware token. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example). -In Addition to Login and other pam modules you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). Yubikey are a bit pricey, there is cheaper alternative, but not as capable, [U2F Zero](https://www.u2fzero.com/). Here is a great guide to [set it up](https://microamps.gibsjose.com/u2f-authentication-on-os-x/) +In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). Yubikey are a bit pricey, there is cheaper alternative, but not as capable, [U2F Zero](https://www.u2fzero.com/). Here is a great guide to [set it up](https://microamps.gibsjose.com/u2f-authentication-on-os-x/) ## Backup 
@@ -1817,7 +1826,7 @@ See also the following applications and services: [Tresorit](https://www.tresori macOS remembers access points it has connected to. Like all wireless devices, the Mac will broadcast all access point names it remembers (e.g., *MyHomeNetwork*) each time it looks for a network, such as when waking from sleep. -This is a privacy risk, so remove networks from the list in **System Preferences** > **Network** > **Advanced** when they're no longer needed. +This is a privacy risk, so remove networks from the list in **System Preferences** > **Network** > **Advanced** when they are no longer needed. Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) and [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf). 
@@ -1885,11 +1894,11 @@ Keep your Mac physically secure at all times. Don't leave it unattended in hotel A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password - see [Thunderstrike](https://trmm.net/Thunderstrike) for an example. -A helpful tool is [usbkill](https://github.com/hephaest0s/usbkill), which is *"an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer"*. +A helpful tool is [usbkill](https://github.com/hephaest0s/usbkill), which is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer. Consider purchasing a [privacy filter](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook) for your screen to thwart shoulder surfers. -Superglues or epoxy resins can also be used to disable physical access. [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. +Superglues or epoxy resins can also be used to disable physical access to computer ports. [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. ## System monitoring 
@@ -1916,15 +1925,11 @@ See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/20 **Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) [interferes](https://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. -`iosnoop` monitors disk I/O - -`opensnoop` monitors file opens - -`execsnoop` monitors execution of processes - -`errinfo` monitors failed system calls - -`dtruss` monitors all system calls +* `iosnoop` monitors disk I/O +* `opensnoop` monitors file opens +* `execsnoop` monitors execution of processes +* `errinfo` monitors failed system calls +* `dtruss` monitors all system calls See `man -k dtrace` for more information. @@ -1950,7 +1955,7 @@ List contents of various network-related data structures: $ sudo netstat -atln ``` -You can also use [Wireshark](https://www.wireshark.org/) from the command line with `tshark`. +[Wireshark](https://www.wireshark.org/) can be used from the command line with `tshark`. Monitor DNS queries and replies: 
@@ -2221,7 +2226,7 @@ If you want to play **music** or watch **videos**, use [VLC media player](https: If you want to use **torrents**, use [Transmission](https://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). -Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended handlers to manage: +Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended file handlers to manage: ```console $ duti -s com.apple.Safari afp 
@@ -2293,18 +2298,18 @@ macOS comes with this line in `/etc/sudoers`: Defaults env_keep += "HOME MAIL" ``` -Which stops sudo from changing the HOME variable when you elevate privileges. This means it will execute as root the bash dotfiles in the non-root user's home directory when you run "sudo bash". It is adviseable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root. +Which stops sudo from changing the HOME variable when you elevate privileges. This means it will execute as root the bash dotfiles in the non-root user's home directory when you run "sudo bash". It is advisable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root. -If you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.bashrc, eg: +If you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.bashrc, e.g.: -``` +```console export HOME=/Users/blah ``` Set a [custom umask](https://support.apple.com/en-us/HT201684): ```console -sudo launchctl config user umask 077 +$ sudo launchctl config user umask 077 ``` Reboot, create a file in Finder and verify its permissions (macOS default allows 'group/other' read access): 
@@ -2321,8 +2326,6 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - Scan for applications that are either susceptible to dylib hijacking or have been hijacked. * [F-Secure XFENCE](https://campaigns.f-secure.com/xfence/) (formerly [Little Flocker](https://github.com/drduh/macOS-Security-and-Privacy-Guide/pull/237)) - "Little Snitch for files"; prevents applications from accessing files. * [Lockdown](https://objective-see.com/products/lockdown.html) - Audits and remediates security configuration settings. -* [Santa](https://github.com/google/santa) - A binary whitelisting/blacklisting system for macOS. -* [The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. * [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). * [facebook/osquery](https://github.com/facebook/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. * [google/grr](https://github.com/google/grr) - Incident response framework focused on remote live forensics. 
@@ -2331,6 +2334,7 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [libyal/libfvde](https://github.com/libyal/libfvde) - Library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. * [stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. * [yelp/osxcollector](https://github.com/yelp/osxcollector) - Forensic evidence collection & analysis toolkit for OS X. +* [The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. ## Additional resources @@ -2377,4 +2381,3 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [Userland Persistence on Mac OS X](https://archive.org/details/joshpitts_shmoocon2015) * [iCloud security and privacy overview](https://support.apple.com/kb/HT4865) * [iSeeYou: Disabling the MacBook Webcam Indicator LED](https://jscholarship.library.jhu.edu/handle/1774.2/36569) - From 7ca73969a3af3c9b1071ee8558f79a2e376576c7 Mon Sep 17 00:00:00 2001 From: Joost-Wim Boekesteijn Date: Mon, 7 Oct 2019 21:17:20 +0200 Subject: [PATCH 114/476] add macOS Catalina 10.15 hashes --- InstallESD_Hashes.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 113d91ba..59b945f6 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -33,3 +33,4 @@ Version,Build,SHA-256,SHA-1 10.14.5,18F132,96c324576490e012a4383f3410e5c53fc0ccbbd22356e577fc3fc59aae112910,29e5d1a30a1259b9ff849111fb0d6588937c629d 10.14.6,18G84,c4f1c01c50e819f231f9a54d567672d3da162c4b9dc21c8c7719ca4e679ecac8,892c930f496ceeb88708fa7507f27dc5a6f036d9 10.14.6,18G95,ffa3fcc7e08b6134dca9f481f15aabce3fd80159951551dccdcd29df1a59e777,df554c1a284e0655ef643258ff2dddb491dc86e6 +10.15,19A583,4409a34604f4443993debccf855b0896e594dc1fa09ebf2d632a7787b0083436,2faf7d456ce292662a058cb571a520acabe81ce7 \ No newline at end of file 
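Review bot: the added `10.15,19A583,...` row is committed with `\ No newline at end of file`, so every later hash append (as the following patches in this series show) becomes a one-line deletion plus a two-line addition instead of a clean single-line add; end the file with a newline. In the tools list, moving the Eclectic Light Company entry after `yelp/osxcollector` breaks the ordering the rest of the list follows (capitalised names first, then lowercase GitHub paths); if the intent is to sort, the entry belongs with the other capitalised names.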
From 9f01ae2bb1d4ba57e03a1777250c07b639a966cb Mon Sep 17 00:00:00 2001 From: Joost-Wim Boekesteijn Date: Wed, 16 Oct 2019 09:58:13 +0200 Subject: [PATCH 115/476] add macOS Catalina 10.15 Supplemental Update hashes --- InstallESD_Hashes.csv | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 59b945f6..a955c70b 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -33,4 +33,5 @@ Version,Build,SHA-256,SHA-1 10.14.5,18F132,96c324576490e012a4383f3410e5c53fc0ccbbd22356e577fc3fc59aae112910,29e5d1a30a1259b9ff849111fb0d6588937c629d 10.14.6,18G84,c4f1c01c50e819f231f9a54d567672d3da162c4b9dc21c8c7719ca4e679ecac8,892c930f496ceeb88708fa7507f27dc5a6f036d9 10.14.6,18G95,ffa3fcc7e08b6134dca9f481f15aabce3fd80159951551dccdcd29df1a59e777,df554c1a284e0655ef643258ff2dddb491dc86e6 -10.15,19A583,4409a34604f4443993debccf855b0896e594dc1fa09ebf2d632a7787b0083436,2faf7d456ce292662a058cb571a520acabe81ce7 \ No newline at end of file +10.15,19A583,4409a34604f4443993debccf855b0896e594dc1fa09ebf2d632a7787b0083436,2faf7d456ce292662a058cb571a520acabe81ce7 +10.15,19A602,d62588185b524bc27902c6e0348fb36a9c071dc8e45df89caf9a45bc6731492d,65aed4389ce4a65d713affef388356d251d9eec3 \ No newline at end of file From 44867899d364f56ca76445ee224ddc4e14d1a8aa Mon Sep 17 00:00:00 2001 From: Jared Ledvina Date: Wed, 16 Oct 2019 10:13:31 -0400 Subject: [PATCH 116/476] Update macOS verification/install for Catalina --- README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 18d50361..16cb9a81 100755 --- a/README.md +++ b/README.md 
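Review bot: same trailing-newline problem as the previous hash commit: the `19A583` row only gains its newline because the `19A602` row is appended beneath it, and the new last row again ends with `\ No newline at end of file`. Note also that `10.15` now appears twice with different builds (19A583 and 19A602), so anyone consuming `InstallESD_Hashes.csv` must key on the Build column rather than Version; worth a remark in the README text that references this file.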
@@ -119,8 +119,8 @@ The macOS installation application is [code signed](https://developer.apple.com/ To verify the code signature and integrity of macOS application bundles: ```console -$ pkgutil --check-signature /Applications/Install\ macOS\ Mojave.app -Package "Install macOS Mojave": +$ pkgutil --check-signature /Applications/Install\ macOS\ Catalina.app +Package "Install macOS Catalina": Status: signed by a certificate trusted by Mac OS X Certificate Chain: 1. Software Signing @@ -136,19 +136,19 @@ Package "Install macOS Mojave": Use the `codesign` command to examine an application's code signature: ```console -$ codesign -dvv /Applications/Install\ macOS\ Mojave.app -Executable=/Applications/Install macOS Mojave.app/Contents/MacOS/InstallAssistant_springboard -Identifier=com.apple.InstallAssistant.Mojave +$ codesign -dvv /Applications/Install\ macOS\ Catalina.app +Executable=/Applications/Install macOS Catalina.app/Contents/MacOS/InstallAssistant_springboard +Identifier=com.apple.InstallAssistant.Catalina Format=app bundle with Mach-O thin (x86_64) -CodeDirectory v=20100 size=274 flags=0x2000(library-validation) hashes=3+3 location=embedded -Platform identifier=5 -Signature size=4535 +CodeDirectory v=20100 size=276 flags=0x2000(library-validation) hashes=3+3 location=embedded +Platform identifier=9 +Signature size=4628 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA -Info.plist entries=34 +Info.plist entries=33 TeamIdentifier=not set -Sealed Resources version=2 rules=13 files=194 +Sealed Resources version=2 rules=13 files=234 Internal requirements count=1 size=84 ``` 
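Review bot: `codesign -dvv` only displays the embedded signature; it does not validate the seal against the bundle contents, so on its own it does not do what the heading "verify the code signature and integrity" promises. Pair it with `codesign --verify --deep --strict -vv /Applications/Install\ macOS\ Catalina.app`, which actually performs the check and exits non-zero on tampering. The refreshed numbers (`Platform identifier=9`, `Signature size=4628`, `files=234`) are specific to this build of the installer and will drift with every release; the text should say readers are expected to see different values.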
@@ -166,14 +166,14 @@ $ diskutil unmountDisk /dev/disk2 $ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100% -$ cd /Applications/Install\ macOS\ Mojave.app +$ cd /Applications/Install\ macOS\ Catalina.app $ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction Erasing disk: 0%... 10%... 20%... 30%... 100% Copying to disk: 0%... 10%... 20%... 30%... 40%... 50%... 60%... 70%... 80%... 90%... 100% Making disk bootable... Copying boot files... -Install media now available at "/Volumes/Install macOS Mojave" +Install media now available at "/Volumes/Install macOS Catalina" ``` ### Creating an install image From 6834ad8edb1c76d6f0aba596af38afbd72941406 Mon Sep 17 00:00:00 2001 From: Joost-Wim Boekesteijn Date: Fri, 25 Oct 2019 14:45:29 +0200 Subject: [PATCH 117/476] update hashes for 10.15 build 19A603 --- InstallESD_Hashes.csv | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index a955c70b..3f84e6dc 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -34,4 +34,5 @@ Version,Build,SHA-256,SHA-1 10.14.6,18G84,c4f1c01c50e819f231f9a54d567672d3da162c4b9dc21c8c7719ca4e679ecac8,892c930f496ceeb88708fa7507f27dc5a6f036d9 10.14.6,18G95,ffa3fcc7e08b6134dca9f481f15aabce3fd80159951551dccdcd29df1a59e777,df554c1a284e0655ef643258ff2dddb491dc86e6 10.15,19A583,4409a34604f4443993debccf855b0896e594dc1fa09ebf2d632a7787b0083436,2faf7d456ce292662a058cb571a520acabe81ce7 -10.15,19A602,d62588185b524bc27902c6e0348fb36a9c071dc8e45df89caf9a45bc6731492d,65aed4389ce4a65d713affef388356d251d9eec3 \ No newline at end of file +10.15,19A602,d62588185b524bc27902c6e0348fb36a9c071dc8e45df89caf9a45bc6731492d,65aed4389ce4a65d713affef388356d251d9eec3 +10.15,19A603,572f8ccc909762f9bc75019fa9729eefc3e2f85834e082aea926b1c7931f729a,5ac1070e34ecc02f66beb03a77198dd0dc3d3377 \ No newline at end of file From 15b19197a1d2e6d114004b73f1d3ab3eb76f4586 Mon Sep 17 00:00:00 2001 
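Review bot: the hardcoded `/dev/disk2` in `$ diskutil unmountDisk /dev/disk2` and `$ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100%` is carried over unchanged; on a machine with a second internal volume, a Time Machine disk or another USB stick plugged in, these lines erase the wrong device. Add an explicit `diskutil list` step before them and a sentence telling the reader to substitute their own identifier. The `19A603` hash row in the same patch again lacks a trailing newline.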
From: Moritz <22394314+movd@users.noreply.github.com> Date: Sat, 16 Nov 2019 08:19:30 +0100 Subject: [PATCH 118/476] Remove Warning on Adium, Add CoyIM The Adium client seems to be in active development again. Since October 2019 developers including original developers [are active again](https://hg.adium.im/adium). I also added CoyIM that is quite nice (built-in OTR and Tor-Support). --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 16cb9a81..8e2e665f 100755 --- a/README.md +++ b/README.md @@ -1390,11 +1390,9 @@ You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat servi The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail). -A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). +A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). -**Important** While popular, Adium does not appear to be actively developed and may have vulnerabilities. See additional discussion in [issue #299](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/299). - -Other XMPP clients include [profanity](http://www.profanity.im/) and [agl/xmpp-client](https://github.com/agl/xmpp-client). +Other XMPP clients include [profanity](http://www.profanity.im/) and [agl/xmpp-client](https://github.com/agl/xmpp-client). Another relatively new XMPP chat client is [CoyIM](https://coy.im/), it's focused and security and has built-in support for OTR and Tor. If you want to know how OTR works, read the paper [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf) (pdf) From 916f15db5524f3eec3e2c9179f369fca04cdfe3e Mon Sep 17 00:00:00 2001 
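Review bot: the added CoyIM sentence reads "it's focused and security and has built-in support for OTR and Tor" and should be "it is focused on security and has built-in support for OTR and Tor". The `-`/`+` pair for the Adium line differs only by trailing whitespace, which looks accidental and adds noise to the diff. Since the warning about Adium being unmaintained is removed on the strength of recent commits, consider linking the repository activity (`https://hg.adium.im/adium`) from the README as the commit message does, so readers can re-check the claim.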
From: Joost-Wim Boekesteijn Date: Wed, 29 Jan 2020 10:00:47 +0100 Subject: [PATCH 119/476] Add hashes for 10.15.3 --- InstallESD_Hashes.csv | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 3f84e6dc..9c1972ba 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv @@ -35,4 +35,5 @@ Version,Build,SHA-256,SHA-1 10.14.6,18G95,ffa3fcc7e08b6134dca9f481f15aabce3fd80159951551dccdcd29df1a59e777,df554c1a284e0655ef643258ff2dddb491dc86e6 10.15,19A583,4409a34604f4443993debccf855b0896e594dc1fa09ebf2d632a7787b0083436,2faf7d456ce292662a058cb571a520acabe81ce7 10.15,19A602,d62588185b524bc27902c6e0348fb36a9c071dc8e45df89caf9a45bc6731492d,65aed4389ce4a65d713affef388356d251d9eec3 -10.15,19A603,572f8ccc909762f9bc75019fa9729eefc3e2f85834e082aea926b1c7931f729a,5ac1070e34ecc02f66beb03a77198dd0dc3d3377 \ No newline at end of file +10.15,19A603,572f8ccc909762f9bc75019fa9729eefc3e2f85834e082aea926b1c7931f729a,5ac1070e34ecc02f66beb03a77198dd0dc3d3377 +10.15.3,19D76,54bb26608f2916ca73f3482e8f4d5a98fc875d479482293840ec1b7a111c70f6,6ac088372d0bf0286d24ce55d9f0eb14a81d91c3 \ No newline at end of file From e055b92bc4ba46d2313792c8529f960e5a0d089e Mon Sep 17 00:00:00 2001 From: drduh Date: Wed, 5 Feb 2020 16:54:21 -0800 Subject: [PATCH 120/476] Reduce unqualified opinions --- README.md | 51 ++++++++++++++++++++++----------------------------- 1 file changed, 22 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 8e2e665f..f1f3d317 100755 --- a/README.md +++ b/README.md 
@@ -89,7 +89,7 @@ Standard security best practices apply: * Encrypt sensitive data at rest * In addition to full disk encryption, consider creating one or several encrypted partitions or volumes to store passwords, cryptographic keys, personal documents, etc. at rest. - * This will mitigate damage in case of compromise and data exfiltration. + * This will mitigate damage in case of compromise and data theft. * Assure data availability * Create [regular backups](https://www.amazon.com/o/ASIN/0596102461/backupcentral) of your data and be ready to format and re-install the operating system in case of compromise. @@ -104,9 +104,9 @@ Standard security best practices apply: There are several ways to install macOS. -The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by holding `Command` and `R` keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the serial number and other identifying information over the network in plaintext, which may not be desired for privacy reasons. +The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by holding `Command` and `R` keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the serial number and other identifying information over the network in plain text, which may not be desired for privacy reasons. -PII is transmitted to Apple in plaintext when using macOS Recovery +PII is transmitted to Apple in plain text when using macOS Recovery *Packet capture of an unencrypted HTTP conversation during macOS recovery* @@ -511,7 +511,7 @@ See [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool), [chipsec/chipsec] ## Firewall -There are several types of firewalls available for macOS which should be enabled. +There are several types of firewalls available for macOS. ### Application layer firewall 
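Review bot: in the Firewall hunk, dropping "which should be enabled" leaves "There are several types of firewalls available for macOS." with no recommendation at all, which reads as an unfinished sentence rather than a qualified opinion; if the aim is to soften rather than remove the advice, state which of the firewalls described in the following subsections (the application layer firewall and pf) the guide goes on to recommend. The "data theft" and "plain text" wording changes are fine.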
@@ -658,7 +658,7 @@ To use pf to audit "phone home" behavior of user and system-level processes, see ## Services -**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or disable services from Recovery Mode. +**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or disable services from Recovery Mode. See [Issue 334](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/334) for more information. See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) and [karek314/macOS-home-call-drop](https://github.com/karek314/macOS-home-call-drop) for further recommendations. @@ -703,7 +703,7 @@ Annotated lists of launch daemons and agents, the respective program executed, a **(Optional)** Run the `read_launch_plists.py` script and `diff` output to check for any discrepancies on your system, e.g.: ```console -$ diff <(python read_launch_plists.py) <(cat 16A323_launchd.csv) +$ diff <(python read_launch_plists.py | sort ) <(cat 16A323_launchd.csv | sort ) ``` See also [cirrusj.github.io/Yosemite-Stop-Launch](https://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation. 
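Review bot: in `$ diff <(python read_launch_plists.py | sort ) <(cat 16A323_launchd.csv | sort )`, `cat file | sort` is just `sort 16A323_launchd.csv`, and sorting both sides moves any CSV header line away from the top, so the first reported difference can be spurious; suggest `diff <(python read_launch_plists.py | sort) <(sort 16A323_launchd.csv)` and a note that the header, if present, is expected to diff. Since the next patch in this series refactors `read_launch_plists.py`, say which `python` (2 or 3) the script targets.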
@@ -791,10 +791,8 @@ $ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo t $ wc -l /etc/hosts 65580 -$ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.1|^0 " /etc/hosts | sort | uniq | sort -::1 localhost -fe80::1%lo0 localhost -[should not return any other IP addresses] +$ egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::" /etc/hosts | sort | uniq | egrep -e "[1,2]|::" +[No output] ``` See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/handbook/configtuning-configfiles.html) for more information. @@ -925,7 +923,7 @@ $ networksetup -getdnsservers "Wi-Fi" 127.0.0.1 ``` -**Note** Some VPN software overrides DNS settings on connect. See [issue #24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) for more information. +**Note** Some VPN software overrides DNS settings on connect. See [issue #24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) and [drduh/config/scripts/macos-dns.sh](https://github.com/drduh/config/). ##### Test DNSSEC validation @@ -1078,7 +1076,7 @@ $ curl -o homebrew/etc/privoxy/config https://raw.githubusercontent.com/drduh/co $ curl -o homebrew/etc/privoxy/user.action https://raw.githubusercontent.com/drduh/config/master/privoxy/user.action ``` -Restart Privoxy: and verify it's blocking and redirecting traffic: +Restart Privoxy and verify traffic is blocked or redirected: ```console $ sudo brew services restart privoxy @@ -1093,7 +1091,6 @@ $ ALL_PROXY=127.0.0.1:8118 curl imgur.com/ -IL HTTP/1.1 302 Local Redirect from Privoxy Location: https://imgur.com/ Content-Length: 0 -Date: Sun, 09 Oct 2016 18:48:19 GMT HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 
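Review bot: the replacement hosts check is weaker than the one it removes. In the final `egrep -e "[1,2]|::"` the bracket expression matches a literal `1`, `,` or `2` anywhere on the line, not "1 or 2" as the author seems to intend, and the unescaped dots in `^127.` and `^0.` match any character. A rogue entry such as `3.4.5.6 example.com` contains none of `1`, `2` or `::` and so passes silently as "[No output]", whereas the old pipeline printed every address that survived the exclusions. A simpler and stricter check is to list the distinct first fields, e.g. `awk '!/^#/ && NF {print $1}' /etc/hosts | sort -u`, and state that the only expected output is the loopback and null addresses (`0.0.0.0`, `127.0.0.1`, `255.255.255.255`, `::1`, `fe80::1%lo0`).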
@@ -1157,7 +1154,7 @@ Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/d Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy) for more detailed, technical information. -Read [Google's privacy policy](https://www.google.com/policies/privacy/) and learn which [Google services](https://www.google.com/services/) collect personal information. Google is open about the data it stores and how it used them. Users can opt out from many of those services and see what type of information Google has stored from their [account settings](https://myaccount.google.com/privacy). +Read [Google's privacy policy](https://www.google.com/policies/privacy/) and learn which [Google services](https://www.google.com/services/) collect personal information. Users can opt-out of services and see what type of information Google has stored in [account settings](https://myaccount.google.com/privacy). #### Safari 
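Review bot: minor wording point in the Chrome hunk: "opt-out" is the noun or adjective form; as a verb it is "opt out of", so "Users can opt out of services". The shortened sentence also loses the original's point that some Google services cannot be opted out of while the account remains in use; "opt out of many of those services" was more accurate than "opt out of services".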
@@ -1167,13 +1164,13 @@ Safari supports certain unique features that benefit user security and privacy. Similar to Chrome and Firefox, Safari offers an invite only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. -Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 dollar lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. And be extra careful when the Web Extension's source code is not Open Source. On a side note, some Safari extensions are Open Source and freely available. Be grateful to those developers. +Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. 
Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 dollar lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open. Safari syncs user preferences and saved passwords with [iCloud Keychain](https://support.apple.com/en-gb/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (similar to as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. -An excellent open source ad blocker for Safari that fully leverages Content blockers is [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). Ka-Block is focussed on user privacy. The only time the extension makes a network connection is when a new version of the extension is released. See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. 
+An excellent open source ad blocker for Safari that fully leverages content blockers is [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. #### Other Web browsers @@ -1346,7 +1343,7 @@ It is a good idea to use a VPN with outgoing network traffic (*not* **split tunn Don't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you don't understand how the VPN works or are not familiar with the software used, you are probably better off without it. -When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN), for example. Strong cryptographic algorithms like AES-256, RSA-4096, SHA-256 should be preferred. +When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) or Linux-based [Wireguard](https://www.wireguard.com/) [on a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See [scy/8122924](https://gist.github.com/scy/8122924) for an example on how to allow traffic only over VPN. 
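Review bot: in the VPN hunk, "Linux-based [Wireguard]" is inaccurate: the same sentence links a Linux VM and a set of cross platform tools, which shows the protocol is not tied to Linux, and the project spells its name WireGuard. Suggest "or [WireGuard](https://www.wireguard.com/), run either on a Linux VM or via cross platform tools". In the Safari hunk, the commit sets out to reduce unqualified opinions but leaves "Safari Technology Preview ... is the recommended option instead of the stable channel of Safari" untouched; recommending a preview build over the stable channel for security is itself an unqualified opinion and should say why (faster WebKit fixes) or be softened.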
@@ -1356,9 +1353,7 @@ It may be worthwhile to consider the geographical location of the VPN provider. Also see this [technical overview](https://blog.timac.org/2018/0717-macos-vpn-architecture/) of the macOS built-in VPN L2TP/IPSec and IKEv2 client. -Further, it is possible to run the contemporary Linux-based [Wireguard](https://www.wireguard.com/) VPN either [from a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). - -Other Open Source OpenVPN clients/GUI: [Eddie](https://github.com/AirVPN/Eddie), [Pritunl](https://client.pritunl.com) are not evaluated in this guide, so are neither recommended nor actively discouraged from use. +Other open source OpenVPN clients/GUI: [Eddie](https://github.com/AirVPN/Eddie), [Pritunl](https://client.pritunl.com) are not evaluated in this guide, so are neither recommended nor actively discouraged from use. ## PGP/GPG 
@@ -1410,7 +1405,7 @@ You could periodically run a tool like [Knock Knock](https://github.com/synack/k See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). -Therefore, the best anti-virus is **Common Sense 2019**. See discussion in [issue #44](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/44). +Therefore, the best anti-virus is **Common Sense 2020**. See discussion in [issue #44](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/44). Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](https://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). 
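Review bot: bumping "Common Sense 2019" to "Common Sense 2020" commits someone to editing this line every January; drop the year and keep the point ("the best anti-virus is common sense"). In the unchanged context line, "Local privilege escalation bugs are plenty on macOS" should be "plentiful".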
@@ -1418,7 +1413,7 @@ Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwareb To scan an application with multiple AV products and examine its behavior, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload). -Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from **userland** (e.g., `ps`, `ls`), for example. For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) +Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) ## System Integrity Protection 
@@ -1754,7 +1749,7 @@ Alternatively, you can manage an encrypted passwords file yourself with GnuPG (s In addition to passwords, ensure eligible online accounts, such as GitHub, Google accounts, banking, have [two factor authentication](https://en.wikipedia.org/wiki/Two-factor_authentication) enabled. -Look to [Yubikey](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/) for a two factor and private key (e.g., ssh, gpg) hardware token. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example). +[Yubikey](https://www.yubico.com/products/yubikey-hardware/) offers affordable hardware tokens. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example). In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). Yubikey are a bit pricey, there is cheaper alternative, but not as capable, [U2F Zero](https://www.u2fzero.com/). Here is a great guide to [set it up](https://microamps.gibsjose.com/u2f-authentication-on-os-x/) 
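Review bot: the rewritten sentence now says "[Yubikey] offers affordable hardware tokens" while the unchanged sentence two lines below still says "Yubikey are a bit pricey, there is cheaper alternative ... [U2F Zero]", so the paragraph contradicts itself; pick one framing and fix the grammar of the second sentence ("YubiKeys are somewhat expensive; a cheaper but less capable alternative is U2F Zero"). The `yubikey-hardware/` link replacing the NEO-specific one is a good change, as the NEO is a discontinued model.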
@@ -1838,13 +1833,11 @@ You may want to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofi $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') ``` -It is also good to know that macOS will store Wi-Fi SSIDs and passwords in NVRAM, because Recovery Mode needs access to restore from the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. (Resetting the SMC will clear some of the NVRAM, but not all.) +macOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all. **Note** MAC addresses will reset to hardware defaults on each boot. -Also see [feross/SpoofMAC](https://github.com/feross/SpoofMAC). - -Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should favor connecting to **WPA2** protected networks only to mitigate the risk of passive eavesdroppers. +Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should only connect to **WPA2** protected networks when possible. ## SSH 
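Review bot: the unchanged `$ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%')` command picks all 48 bits at random, so roughly half the time the low bit of the first octet is set and the result is a multicast address, which is not valid as an interface's unicast MAC and may be rejected; fix the first octet to a locally administered unicast value, e.g. `printf '02:%s' "$(openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/:$//')"`, and keep the existing note that the change does not survive a reboot. Removing the `feross/SpoofMAC` link is fine given the inline command, but the WEP sentence now says "only connect to WPA2 protected networks when possible", which reads oddly; "prefer WPA2 protected networks" is clearer.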
@@ -1888,7 +1881,7 @@ $ sudo lsof -Pni TCP:22 ## Physical access -Keep your Mac physically secure at all times. Don't leave it unattended in hotels and such. +Keep your Mac physically secure at all times. Don't leave it unattended in hotels and other public spaces. A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password - see [Thunderstrike](https://trmm.net/Thunderstrike) for an example. 
@@ -2224,7 +2217,7 @@ If you want to play **music** or watch **videos**, use [VLC media player](https: If you want to use **torrents**, use [Transmission](https://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). -Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended file handlers to manage: +Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote file systems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended file handlers to manage: ```console $ duti -s com.apple.Safari afp From 2f46781afc36db07187a72314438984ec8681bcc Mon Sep 17 00:00:00 2001 
From: drduh Date: Wed, 5 Feb 2020 16:59:00 -0800 Subject: [PATCH 121/476] Refactor launchd script, sort and update comments --- LICENSE | 2 +- README.md | 2 +- launchd/comments.csv | 1035 ++++++++++++++++----------------- launchd/read_launch_plists.py | 179 +++--- 4 files changed, 601 insertions(+), 617 deletions(-) mode change 100755 => 100644 launchd/read_launch_plists.py diff --git a/LICENSE b/LICENSE index 787231be..e0454915 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2015-2019 +Copyright (c) 2015-2020 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index f1f3d317..9a83766a 100755 --- a/README.md +++ b/README.md @@ -923,7 +923,7 @@ $ networksetup -getdnsservers "Wi-Fi" 127.0.0.1 ``` -**Note** Some VPN software overrides DNS settings on connect. See [issue #24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) and [drduh/config/scripts/macos-dns.sh](https://github.com/drduh/config/). +**Note** Some VPN software overrides DNS settings on connect. See [issue #24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) and [drduh/config/scripts/macos-dns.sh](https://github.com/drduh/config/blob/master/scripts/macos-dns.sh). ##### Test DNSSEC validation diff --git a/launchd/comments.csv b/launchd/comments.csv index 63da20ce..0e308bd6 100644 --- a/launchd/comments.csv +++ b/launchd/comments.csv 
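Review bot: The LICENSE copyright-year bump and the README link fix are unrelated to the launchd refactor named in the commit subject; split them into their own commits so the history stays bisectable and the link fix is findable on its own. The README change is an improvement in itself, since the old target `https://github.com/drduh/config/` did not point at the named `scripts/macos-dns.sh`.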
@@ -1,524 +1,511 @@ -Label,Comment -com.apple.postgres,Legacy or server app -com.apple.bootpd,DHCP/BOOTP/NetBoot server -com.apple.afpfs_afpLoad, -com.apple.afpfs_checkafp, -com.apple.airplaydiagnostics.server.mac,Apple Internal Diagnostic Tool -com.apple.AirPlayXPCHelper, -com.apple.airport.wps, -com.apple.airportd, -com.apple.akd, -com.apple.alf,Apple Application Firewall -com.apple.AppleFileServer,Apple File Server (AFP) -com.apple.appleseed.fbahelperd, -com.apple.applessdstatistics, -com.apple.apsd,Apple Push Notification service daemon -com.apple.aslmanager,Manages rotated files and ASL data written by the syslogd server -com.apple.AssetCacheLocatorService, -com.apple.atrun, -com.apple.audio.coreaudiod,daemon used for Core Audio related purposes -com.apple.audio.systemsoundserverd, -com.apple.auditd, -com.apple.autofsd, -com.apple.automountd, -com.apple.avbdeviced, -com.apple.awacsd, -com.apple.awdd, -com.apple.backupd-auto, -com.apple.backupd, -com.apple.blued, -com.apple.bluetoothaudiod, -com.apple.bluetoothReporter, -com.apple.bnepd, -com.apple.bsd.dirhelper, -com.apple.cache_delete, -com.apple.cfprefsd.xpc.daemon, -com.apple.cloudfamilyrestrictionsd, -com.apple.cmio.AppleCameraAssistant, -com.apple.cmio.AVCAssistant, -com.apple.cmio.IIDCVideoAssistant, -com.apple.cmio.iOSScreenCaptureAssistant, -com.apple.cmio.VDCAssistant, -com.apple.colorsyncd, -com.apple.CommCenterRootHelper, -com.apple.comsat, -com.apple.configd, -com.apple.configureLocalKDC, -com.apple.corecaptured, -com.apple.coreduetd, -com.apple.CoreRAID, -com.apple.coreservices.appleevents, -com.apple.coreservices.appleid.passwordcheck, -com.apple.coreservices.launchservicesd, -com.apple.coreservices.sharedfilelistd, -com.apple.coreservicesd, -com.apple.corestorage.corestoraged, -com.apple.corestorage.corestoragehelperd, -com.apple.coresymbolicationd, -com.apple.CrashReporterSupportHelper, -com.apple.csrutil.report, -com.apple.ctkd, -com.apple.cvmsServ, -com.apple.DesktopServicesHelper, 
-com.apple.diagnostic.uuidpathd, -com.apple.diagnosticd, -com.apple.diskarbitrationd, -com.apple.diskmanagementd, -com.apple.diskmanagementstartup, -com.apple.displaypolicyd, -com.apple.distnoted.xpc.daemon, -com.apple.dnsextd, -com.apple.dpaudiothru, -com.apple.dpd, -com.apple.dspluginhelperd, -com.apple.DumpGPURestart, -com.apple.DumpPanic, -com.apple.dvdplayback.setregion, -com.apple.dynamic_pager, -com.apple.eapolcfg_auth, -com.apple.efax, -com.apple.efilogin-helper, -com.apple.emlog, -com.apple.emond.aslmanager, -com.apple.emond, -com.apple.AEServer, -com.apple.familycontrols, -com.apple.FileCoordination, -com.apple.FileSyncAgent.sshd, -com.apple.findmymacd, -com.apple.findmymacmessenger,iCloud Find My Mac feature daemon -com.apple.firmwaresyncd, -com.apple.fontd, -com.apple.fontmover, -com.apple.FontWorker, -com.apple.fseventsd, -com.apple.ftp-proxy, -com.apple.GameController.gamecontrollerd, -com.apple.getty, -com.apple.gkreport, -com.apple.GSSCred, -com.apple.gssd, -com.apple.hdiejectd, -com.apple.hidd, -com.apple.icloud.findmydeviced, -com.apple.iconservices.iconservicesagent, -com.apple.iconservices.iconservicesd, -com.apple.IFCStart, -com.apple.ifdreader, -com.apple.installandsetup.systemmigrationd, -com.apple.installd, -com.apple.IOAccelMemoryInfoCollector, -com.apple.IOBluetoothUSBDFU, -com.apple.kcproxy, -com.apple.kdumpd, -com.apple.Kerberos.digest-service, -com.apple.Kerberos.kadmind, -com.apple.Kerberos.kcm, -com.apple.Kerberos.kdc, -com.apple.Kerberos.kpasswdd, -com.apple.KernelEventAgent,Responsible for displaying disk full and unresponsive file server messages -com.apple.kextd, -com.apple.kuncd, -com.apple.locate, -com.apple.locationd,Location daemon -com.apple.lockd, -com.apple.logd, -com.apple.logind, -com.apple.loginwindow.LFVTracer, -com.apple.loginwindow, -com.apple.logkextloadsd, -com.apple.lsd, -com.apple.ManagedClient.cloudconfigurationd, -com.apple.ManagedClient.enroll, -com.apple.ManagedClient, -com.apple.ManagedClient.startup, 
-com.apple.mbsystemadministration, -com.apple.mbusertrampoline, -com.apple.mdmclient.daemon, -com.apple.mdmclient.daemon.runatboot, -com.apple.mDNSResponder.reloaded, -com.apple.mDNSResponderHelper.reloaded, -com.apple.metadata.mds.index, -com.apple.metadata.mds, -com.apple.metadata.mds.scan, -com.apple.metadata.mds.spindump, -com.apple.MobileFileIntegrity, -com.apple.MRTd, -com.apple.msrpc.echosvc, -com.apple.msrpc.lsarpc, -com.apple.msrpc.mdssvc, -com.apple.msrpc.netlogon, -com.apple.msrpc.srvsvc, -com.apple.msrpc.wkssvc, -com.apple.mtmd, -com.apple.mtmfs, -com.apple.nehelper, -com.apple.nesessionmanager, -com.apple.netauth.sys.auth, -com.apple.netauth.sys.gui, -com.apple.netbiosd,netbiosd is responsible for interacting with NetBIOS networks. -com.apple.NetBootClientStatus, -com.apple.networkd,network daemon -com.apple.networkd_privileged, -com.apple.NetworkDiagnostics, -com.apple.nlcd, -com.apple.NetworkSharing, -com.apple.newsyslog, -com.apple.nfsconf, -com.apple.nfsd, -com.apple.nis.ypbind, -com.apple.noticeboard.state, -com.apple.notifyd, -com.apple.nsurlsessiond_privileged, -com.apple.nsurlstoraged, -com.apple.ocspd,"Performs caching and network fetching of CRLs and OCSP responses, used by Security.framework during certificate verification" -com.apple.odproxyd, -com.apple.ODSAgent, -com.apple.opendirectoryd, -com.apple.PasswordService, -com.apple.PCIELaneConfigTool, -com.apple.periodic-daily, -com.apple.periodic-monthly, -com.apple.periodic-weekly, -com.apple.pfctl, -com.apple.pfd, -com.apple.platform.ptmd, -com.apple.powerd, -com.apple.powerd.swd, -com.apple.preferences.timezone.admintool, -com.apple.preferences.timezone.auto, -com.apple.printtool.daemon, -com.apple.racoon,Built-in VPN key management daemon -com.apple.RemoteDesktop.PrivilegeProxy, -com.apple.RemotePairTool, -com.apple.ReportCrash.Root, -com.apple.ReportPanicService, -com.apple.revisiond, -com.apple.RFBEventHelper, -com.apple.rootless.init, -com.apple.rpcbind, -com.apple.sandboxd, 
-com.apple.SCHelper, -com.apple.screensharing, -com.apple.scsid, -com.apple.secinitd, -com.apple.security.agent.login, -com.apple.security.authhost, -com.apple.security.FDERecoveryAgent, -com.apple.security.syspolicy, -com.apple.securityd, -com.apple.securityd_service, -com.apple.sessionlogoutd, -com.apple.smb.preferences, -com.apple.smbd, -com.apple.softwareupdate_download_service, -com.apple.softwareupdatecheck.initial, -com.apple.softwareupdated, -com.apple.speech.speechsynthesisd, -com.apple.spindump, -com.apple.statd.notify, -com.apple.storagekitd, -com.apple.storeaccountd.daemon, -com.apple.storeagent.daemon, -com.apple.storeassetd.daemon, -com.apple.storedownloadd.daemon, -com.apple.storereceiptinstaller, -com.apple.SubmitDiagInfo,Sends diagnostic information to Apple -com.apple.suhelperd, -com.apple.symptomsd, -com.apple.sysdiagnose, -com.apple.syslogd, -com.apple.sysmond, -com.apple.system_installd, -com.apple.systemkeychain, -com.apple.systempreferences.install, -com.apple.systemstats.analysis, -com.apple.systemstats.daily, -com.apple.systemstatsd, -com.apple.taskgated-helper, -com.apple.taskgated, -com.apple.tccd.system, -com.apple.thermald,Thermal management daemon -com.apple.TMCacheDelete, -com.apple.trustd, -com.apple.TrustEvaluationAgent.system, -com.apple.ucupdate.plist, -com.apple.uninstalld, -com.apple.unmountassistant.sysagent, -com.apple.updateEFIDesktopPicture, -com.apple.usbd, -com.apple.usbmuxd, -com.apple.UserEventAgent-System, -com.apple.UserNotificationCenter, -com.apple.uucp, -com.apple.var-db-dslocal-backup, -com.apple.vsdbutil, -com.apple.warmd, -com.apple.watchdogd, -com.apple.wdhelper, -com.apple.wifid, -com.apple.WindowServer, -com.apple.wirelessproxd, -com.apple.WirelessRadioManagerd-osx, -com.apple.wwand, -com.apple.xpc.smd, -com.apple.xpc.uscwoap, -com.apple.xsan, -com.apple.xsandaily, -com.apple.xscertadmin, -com.apple.xscertd-helper, -com.apple.xscertd, -com.vix.cron, -com.apple.rexecd, -com.apple.fingerd, -com.apple.ftpd, 
-com.apple.rlogind, -com.apple.ntalkd, -org.apache.httpd, -org.cups.cups-lpd, -org.cups.cupsd, -org.net-snmp.snmpd, -org.ntp.ntpd,Wrapper for ntpdate/ntpd called by launchd -org.openldap.slapd,Slapd is the stand-alone LDAP daemon. -org.postfix.master, -org.postfix.newaliases, -com.apple.rshd,Remote shell server -com.openssh.sshd,Wrapper for OpenSSH SSH daemon called by launchd -com.apple.telnetd, -com.apple.tftpd,TFTP server daemon -com.apple.accountsd, -com.apple.AddressBook.abd, -com.apple.AddressBook.AssistantService, -com.apple.AddressBook.SourceSync, -com.apple.AirPlayUIAgent, -com.apple.AirPortBaseStationAgent, -com.apple.akd, -com.apple.alf.useragent,Apple Application Firewall (User Process) -com.apple.aos.migrate, -com.apple.AOSHeartbeat, -com.apple.AOSPushRelay, -com.apple.AppleGraphicsWarning, -com.apple.appleseed.seedusaged, -com.apple.appsleep, -com.apple.appstoreupdateagent, -com.apple.apsctl, -com.apple.askpermissiond, -com.apple.AskPermissionUI, -com.apple.AssetCacheLocatorService, -com.apple.assistant_service, -com.apple.assistantd, -com.apple.AssistiveControl, -com.apple.BezelUIServer, -com.apple.bird,Documents in the Cloud feature daemon -com.apple.bluetoothUIServer, -com.apple.btsa, -com.apple.CalendarAgent, -com.apple.CallHistoryPluginHelper, -com.apple.CallHistorySyncHelper, -com.apple.cdpd, -com.apple.cfnetwork.AuthBrokerAgent, -com.apple.cfnetwork.cfnetworkagent, -com.apple.cfprefsd.xpc.agent, -com.apple.cloudd, -com.apple.cloudfamilyrestrictionsd, -com.apple.cloudpaird, -com.apple.cloudphotosd, -com.apple.cmfsyncagent, -com.apple.CommCenter, -com.apple.ContainerRepairAgent, -com.apple.CoreAuthentication.daemon, -com.apple.coredata.externalrecordswriter, -com.apple.CoreLocationAgent, -com.apple.CoreRAIDAgent, -com.apple.coreservices.appleid.authentication, -com.apple.coreservices.useractivityd, -com.apple.coreservices.sharedfilelistd, -com.apple.coreservices.uiagent, -com.apple.csuseragent, -com.apple.ctkd, -com.apple.cvmsCompAgent3600_i386, 
-com.apple.cvmsCompAgent3600_i386_1, -com.apple.cvmsCompAgent3600_x86_64, -com.apple.cvmsCompAgent3600_x86_64_1, -com.apple.cvmsCompAgent_i386, -com.apple.cvmsCompAgent_i386_1, -com.apple.cvmsCompAgent_x86_64, -com.apple.cvmsCompAgent_x86_64_1, -com.apple.cvmsCompAgentLegacy_i386, -com.apple.cvmsCompAgentLegacy_i386_1, -com.apple.cvmsCompAgentLegacy_x86_64, -com.apple.cvmsCompAgentLegacy_x86_64_1, -com.apple.DiagnosticReportCleanup.plist, -com.apple.diagnostics_agent, -com.apple.DictationIM, -com.apple.DiskArbitrationAgent, -com.apple.distnoted.xpc.agent, -com.apple.Dock.agent, -com.apple.dt.CommandLineTools.installondemand, -com.apple.EscrowSecurityAlert, -com.apple.familycircled, -com.apple.familycontrols.useragent, -com.apple.familynotificationd, -com.apple.FileStatsAgent, -com.apple.FileSyncAgent.PHD, -com.apple.FilesystemUI, -com.apple.Finder,Finder -com.apple.findmymacmessenger,iCloud Find My Mac feature daemon -com.apple.FolderActionsDispatcher, -com.apple.followupd, -com.apple.FollowUpUI, -com.apple.fontd, -com.apple.FontRegistryUIAgent, -com.apple.ATS.FontValidator, -com.apple.ATS.FontValidatorConduit, -com.apple.FontWorker, -com.apple.FTCleanup, -com.apple.gamed, -com.apple.helpd, -com.apple.icdd, -com.apple.icloud.findmydeviced.findmydevice-user-agent, -com.apple.icloud.fmfd, -com.apple.iCloudUserNotificationsd, -com.apple.iconservices.iconservicesagent, -com.apple.identityservicesd, -com.apple.idsfoundation.IDSRemoteURLConnectionAgent, -com.apple.imagent, -com.apple.imavagent, -com.apple.imklaunchagent, -com.apple.IMLoggingAgent, -com.apple.imcore.imtransferagent, -com.apple.installandsetup.migrationhelper.user, -com.apple.installd.user, -com.apple.isst, -com.apple.java.InstallOnDemand, -com.apple.java.updateSharing, -com.apple.lateragent, -com.apple.locationmenu, -com.apple.lsd, -com.apple.ManagedClientAgent.agent, -com.apple.ManagedClientAgent.enrollagent, -com.apple.Maps.mapspushd, -com.apple.maspushagent, -com.apple.mbbackgrounduseragent, 
-com.apple.mbfloagent, -com.apple.mbuseragent, -com.apple.mdmclient.agent, -com.apple.mdworker.32bit, -com.apple.mdworker.bundles, -com.apple.mdworker.isolation, -com.apple.mdworker.lsb, -com.apple.mdworker.mail, -com.apple.mdworker.shared, -com.apple.mdworker.single, -com.apple.mdworker.sizing, -com.apple.metadata.mdbulkimport, -com.apple.metadata.mdflagwriter, -com.apple.metadata.mdwrite, -com.apple.metadata.SpotlightNetHelper, -com.apple.midiserver, -com.apple.MRTa, -com.apple.navd, -com.apple.neagent, -com.apple.netauth.user.auth, -com.apple.netauth.user.gui, -com.apple.NetworkDiagnostics, -com.apple.noticeboard.agent, -com.apple.notificationcenterui.agent, -com.apple.nsurlsessiond, -com.apple.nsurlstoraged, -com.apple.PackageKit.InstallStatus, -com.apple.parentalcontrols.check, -com.apple.pboard, -com.apple.pbs,Services menu daemon -com.apple.PCIESlotCheck, -com.apple.photolibraryd, -com.apple.PhotoLibraryMigrationUtility.XPC, -com.apple.pictd, -com.apple.pluginkit.pkd, -com.apple.pluginkit.pkreporter, -com.apple.powerchime, -com.apple.printtool.agent, -com.apple.printuitool.agent, -com.apple.PubSub.Agent, -com.apple.quicklook.32bit, -com.apple.quicklook.config, -com.apple.quicklook, -com.apple.quicklook.ui.helper, -com.apple.rcd, -com.apple.recentsd, -com.apple.RemoteDesktop.agent, -com.apple.ReportCrash,Analyzes crashing processes and saves a crash report to disk -com.apple.ReportCrash.Self, -com.apple.ReportGPURestart, -com.apple.ReportPanic, -com.apple.reversetemplated, -com.apple.rtcreportingd, -com.apple.Safari.SafeBrowsing.Service, -com.apple.SafariCloudHistoryPushAgent, -com.apple.safaridavclient, -com.apple.SafariNotificationAgent, -com.apple.SafariPlugInUpdateNotifier, -com.apple.scopedbookmarksagent.xpc, -com.apple.ScreenReaderUIServer, -com.apple.screensharing.agent, -com.apple.screensharing.MessagesAgent, -com.apple.scrod, -com.apple.secd, -com.apple.secinitd, -com.apple.security.agent, -com.apple.security.cloudkeychainproxy3, 
-com.apple.security.DiskUnmountWatcher, -com.apple.security.idskeychainsyncingproxy, -com.apple.security.keychain-circle-notification, -com.apple.sharingd,"Sharing Daemon that enables AirDrop, Handoff, Instant Hotspot, Shared Computers, and Remote Disc in the Finder" -com.apple.soagent, -com.apple.SocialPushAgent, -com.apple.softwareupdate_notify_agent, -com.apple.speech.speechdatainstallerd, -com.apple.speech.speechsynthesisd, -com.apple.speech.synthesisserver, -com.apple.spindump_agent, -com.apple.spotlight.IndexAgent, -com.apple.Spotlight, -com.apple.ssinvitationagent, -com.apple.storeaccountd, -com.apple.storeassetd, -com.apple.storedownloadd, -com.apple.storeinappd, -com.apple.storelegacy, -com.apple.storeuid, -com.apple.suggestd, -com.apple.swcd, -com.apple.syncdefaultsd, -com.apple.syncservices.SyncServer, -com.apple.syncservices.uihandler, -com.apple.systemprofiler, -com.apple.SystemUIServer.agent, -com.apple.talagent, -com.apple.tccd, -com.apple.telephonyutilities.callservicesd, -com.apple.thermaltrap, -com.apple.tiswitcher, -com.apple.TMHelperAgent, -com.apple.TMHelperAgent.SetupOffer, -com.apple.trustd.agent, -com.apple.TrustEvaluationAgent, -com.apple.universalaccessAuthWarn, -com.apple.universalaccesscontrol, -com.apple.universalaccessd, -com.apple.unmountassistant.useragent, -com.apple.USBAgent, -com.apple.UserEventAgent-Aqua, -com.apple.UserEventAgent-LoginWindow, -com.apple.usernoted, -com.apple.UserNotificationCenterAgent-LoginWindow, -com.apple.UserNotificationCenterAgent, -com.apple.VoiceOver, -com.apple.warmd_agent, -com.apple.webinspectord, -com.apple.WebKit.PluginAgent, -com.apple.wifi.WiFiAgent, -com.apple.xpc.loginitemregisterd, -com.apple.xpc.otherbsd, -com.apple.ZoomWindow, -org.openbsd.ssh-agent, \ No newline at end of file +Label,Comment +com.apple.accountsd, +com.apple.AddressBook.abd, +com.apple.AddressBook.AssistantService, +com.apple.AddressBook.SourceSync, +com.apple.AEServer, +com.apple.afpfs_afpLoad, +com.apple.afpfs_checkafp, 
+com.apple.airplaydiagnostics.server.mac,Apple Internal Diagnostic Tool +com.apple.AirPlayUIAgent, +com.apple.AirPlayXPCHelper,AirPlay daemon +com.apple.AirPortBaseStationAgent, +com.apple.airportd, +com.apple.airport.wps, +com.apple.akd, +com.apple.alf,Apple Application Firewall +com.apple.alf.useragent,Apple Application Firewall (User Process) +com.apple.AOSHeartbeat, +com.apple.aos.migrate, +com.apple.AOSPushRelay, +com.apple.AppleFileServer,Apple File Server (AFP) +com.apple.AppleGraphicsWarning, +com.apple.appleseed.fbahelperd,Feedback +com.apple.appleseed.seedusaged,Feedback +com.apple.applessdstatistics, +com.apple.appsleep, +com.apple.appstoreupdateagent, +com.apple.apsctl, +com.apple.apsd,Apple Push Notification service daemon - used by Facetime/Messages +com.apple.askpermissiond, +com.apple.AskPermissionUI, +com.apple.aslmanager,Manages rotated files and ASL data written by the syslogd server +com.apple.AssetCacheLocatorService, +com.apple.assistantd, +com.apple.assistant_service,Siri +com.apple.AssistiveControl, +com.apple.atrun, +com.apple.ATS.FontValidator, +com.apple.ATS.FontValidatorConduit, +com.apple.audio.coreaudiod,daemon used for Core Audio related purposes +com.apple.audio.systemsoundserverd, +com.apple.auditd, +com.apple.autofsd, +com.apple.automountd, +com.apple.avbdeviced, +com.apple.awacsd,Apple Wide Area Connectivity Service daemon +com.apple.awdd,Diagnostics and usage +com.apple.backupd, +com.apple.backupd-auto, +com.apple.BezelUIServer, +com.apple.bird,Documents in the Cloud feature daemon +com.apple.blued,Bluetooth +com.apple.bluetoothaudiod, +com.apple.bluetoothReporter, +com.apple.bluetoothUIServer, +com.apple.bnepd, +com.apple.bootpd,DHCP/BOOTP/NetBoot server +com.apple.bsd.dirhelper, +com.apple.btsa, +com.apple.cache_delete, +com.apple.CalendarAgent, +com.apple.CallHistoryPluginHelper,iCloud call history +com.apple.CallHistorySyncHelper,iCloud call history +com.apple.cdpd, +com.apple.cfnetwork.AuthBrokerAgent, 
+com.apple.cfnetwork.cfnetworkagent, +com.apple.cfprefsd.xpc.agent, +com.apple.cfprefsd.xpc.daemon, +com.apple.cloudd, +com.apple.cloudfamilyrestrictionsd, +com.apple.cloudpaird, +com.apple.cloudphotosd,iCloud photo sync +com.apple.cmfsyncagent, +com.apple.cmio.AppleCameraAssistant, +com.apple.cmio.AVCAssistant, +com.apple.cmio.IIDCVideoAssistant,iSight +com.apple.cmio.iOSScreenCaptureAssistant, +com.apple.cmio.VDCAssistant, +com.apple.colorsyncd, +com.apple.CommCenter, +com.apple.CommCenterRootHelper, +com.apple.comsat, +com.apple.configd, +com.apple.configureLocalKDC, +com.apple.ContainerRepairAgent, +com.apple.CoreAuthentication.daemon, +com.apple.corecaptured, +com.apple.coredata.externalrecordswriter, +com.apple.coreduetd, +com.apple.CoreLocationAgent, +com.apple.CoreRAID, +com.apple.CoreRAIDAgent, +com.apple.coreservices.appleevents, +com.apple.coreservices.appleid.authentication, +com.apple.coreservices.appleid.passwordcheck, +com.apple.coreservicesd, +com.apple.coreservices.launchservicesd, +com.apple.coreservices.sharedfilelistd, +com.apple.coreservices.uiagent, +com.apple.coreservices.useractivityd, +com.apple.corestorage.corestoraged, +com.apple.corestorage.corestoragehelperd, +com.apple.coresymbolicationd, +com.apple.CrashReporterSupportHelper,Crash reporter +com.apple.csrutil.report, +com.apple.csuseragent, +com.apple.ctkd, +com.apple.cvmsCompAgent3600_i386, +com.apple.cvmsCompAgent3600_i386_1, +com.apple.cvmsCompAgent3600_x86_64, +com.apple.cvmsCompAgent3600_x86_64_1, +com.apple.cvmsCompAgent_i386, +com.apple.cvmsCompAgent_i386_1, +com.apple.cvmsCompAgentLegacy_i386, +com.apple.cvmsCompAgentLegacy_i386_1, +com.apple.cvmsCompAgentLegacy_x86_64, +com.apple.cvmsCompAgentLegacy_x86_64_1, +com.apple.cvmsCompAgent_x86_64, +com.apple.cvmsCompAgent_x86_64_1, +com.apple.cvmsServ, +com.apple.DesktopServicesHelper, +com.apple.diagnosticd, +com.apple.DiagnosticReportCleanup.plist, +com.apple.diagnostics_agent, +com.apple.diagnostic.uuidpathd, 
+com.apple.DictationIM,Dictation daemon +com.apple.DiskArbitrationAgent, +com.apple.diskarbitrationd, +com.apple.diskmanagementd, +com.apple.diskmanagementstartup, +com.apple.displaypolicyd, +com.apple.distnoted.xpc.agent, +com.apple.distnoted.xpc.daemon, +com.apple.dnsextd, +com.apple.Dock.agent, +com.apple.dpaudiothru, +com.apple.dpd, +com.apple.dspluginhelperd, +com.apple.dt.CommandLineTools.installondemand, +com.apple.DumpGPURestart, +com.apple.DumpPanic, +com.apple.dvdplayback.setregion, +com.apple.dynamic_pager, +com.apple.eapolcfg_auth, +com.apple.efax, +com.apple.efilogin-helper, +com.apple.emlog, +com.apple.emond, +com.apple.emond.aslmanager, +com.apple.EscrowSecurityAlert, +com.apple.familycircled, +com.apple.familycontrols,Parental controls +com.apple.familycontrols.useragent, +com.apple.familynotificationd,Family notifications +com.apple.FileCoordination, +com.apple.FileStatsAgent, +com.apple.FileSyncAgent.PHD, +com.apple.FileSyncAgent.sshd, +com.apple.FilesystemUI, +com.apple.Finder,Finder +com.apple.findmymacd,Find My mac daemon +com.apple.findmymacmessenger,iCloud Find My Mac feature daemon +com.apple.fingerd, +com.apple.firmwaresyncd, +com.apple.FolderActionsDispatcher, +com.apple.followupd, +com.apple.FollowUpUI, +com.apple.fontd, +com.apple.fontmover, +com.apple.FontRegistryUIAgent, +com.apple.FontWorker, +com.apple.fseventsd, +com.apple.FTCleanup, +com.apple.ftpd,FTP +com.apple.ftp-proxy, +com.apple.GameController.gamecontrollerd, +com.apple.gamed,Game Center +com.apple.getty, +com.apple.gkreport, +com.apple.GSSCred, +com.apple.gssd, +com.apple.hdiejectd, +com.apple.helpd, +com.apple.hidd, +com.apple.icdd, +com.apple.icloud.findmydeviced, +com.apple.icloud.findmydeviced.findmydevice-user-agent, +com.apple.icloud.fmfd, +com.apple.iCloudUserNotificationsd, +com.apple.iconservices.iconservicesagent, +com.apple.iconservices.iconservicesd, +com.apple.identityservicesd,iCloud authentication +com.apple.idsfoundation.IDSRemoteURLConnectionAgent, 
+com.apple.IFCStart, +com.apple.ifdreader, +com.apple.imagent,Facetime and Messages +com.apple.imavagent, +com.apple.imcore.imtransferagent, +com.apple.imklaunchagent, +com.apple.IMLoggingAgent, +com.apple.installandsetup.migrationhelper.user, +com.apple.installandsetup.systemmigrationd, +com.apple.installd, +com.apple.installd.user, +com.apple.IOAccelMemoryInfoCollector, +com.apple.IOBluetoothUSBDFU, +com.apple.isst, +com.apple.java.InstallOnDemand, +com.apple.java.updateSharing, +com.apple.kcproxy, +com.apple.kdumpd, +com.apple.Kerberos.digest-service, +com.apple.Kerberos.kadmind, +com.apple.Kerberos.kcm, +com.apple.Kerberos.kdc, +com.apple.Kerberos.kpasswdd, +com.apple.KernelEventAgent,Responsible for displaying disk full and unresponsive file server messages +com.apple.kextd, +com.apple.kuncd, +com.apple.lateragent, +com.apple.locate, +com.apple.locationd,Location daemon +com.apple.locationmenu, +com.apple.lockd, +com.apple.logd, +com.apple.logind, +com.apple.loginwindow, +com.apple.loginwindow.LFVTracer, +com.apple.logkextloadsd, +com.apple.lsd, +com.apple.ManagedClient,User management daemon +com.apple.ManagedClientAgent.agent, +com.apple.ManagedClientAgent.enrollagent, +com.apple.ManagedClient.cloudconfigurationd, +com.apple.ManagedClient.enroll, +com.apple.ManagedClient.startup, +com.apple.Maps.mapspushd, +com.apple.maspushagent, +com.apple.mbbackgrounduseragent, +com.apple.mbfloagent, +com.apple.mbsystemadministration, +com.apple.mbuseragent, +com.apple.mbusertrampoline, +com.apple.mdmclient.agent, +com.apple.mdmclient.daemon, +com.apple.mdmclient.daemon.runatboot, +com.apple.mDNSResponderHelper.reloaded, +com.apple.mDNSResponder.reloaded, +com.apple.mdworker.32bit, +com.apple.mdworker.bundles, +com.apple.mdworker.isolation, +com.apple.mdworker.lsb, +com.apple.mdworker.mail, +com.apple.mdworker.shared, +com.apple.mdworker.single, +com.apple.mdworker.sizing, +com.apple.metadata.mdbulkimport, +com.apple.metadata.mdflagwriter, +com.apple.metadata.mds, 
+com.apple.metadata.mds.index, +com.apple.metadata.mds.scan, +com.apple.metadata.mds.spindump, +com.apple.metadata.mdwrite, +com.apple.metadata.SpotlightNetHelper, +com.apple.midiserver, +com.apple.MobileFileIntegrity, +com.apple.MRTa, +com.apple.MRTd, +com.apple.msrpc.echosvc, +com.apple.msrpc.lsarpc, +com.apple.msrpc.mdssvc, +com.apple.msrpc.netlogon, +com.apple.msrpc.srvsvc, +com.apple.msrpc.wkssvc, +com.apple.mtmd, +com.apple.mtmfs, +com.apple.navd, +com.apple.neagent, +com.apple.nehelper, +com.apple.nesessionmanager, +com.apple.netauth.sys.auth, +com.apple.netauth.sys.gui, +com.apple.netauth.user.auth, +com.apple.netauth.user.gui, +com.apple.netbiosd,Used to share files with Windows hosts +com.apple.NetBootClientStatus, +com.apple.NetworkDiagnostics, +com.apple.networkd,network daemon +com.apple.networkd_privileged, +com.apple.NetworkSharing, +com.apple.newsyslog, +com.apple.nfsconf, +com.apple.nfsd, +com.apple.nis.ypbind, +com.apple.nlcd, +com.apple.noticeboard.agent, +com.apple.noticeboard.state, +com.apple.notificationcenterui.agent, +com.apple.notifyd, +com.apple.nsurlsessiond, +com.apple.nsurlsessiond_privileged, +com.apple.nsurlstoraged, +com.apple.ntalkd, +com.apple.ocspd,"Performs caching and network fetching of CRLs and OCSP responses, used by Security.framework during certificate verification" +com.apple.odproxyd, +com.apple.ODSAgent, +com.apple.opendirectoryd, +com.apple.PackageKit.InstallStatus, +com.apple.parentalcontrols.check, +com.apple.PasswordService, +com.apple.pboard, +com.apple.pbs,Services menu daemon +com.apple.PCIELaneConfigTool, +com.apple.PCIESlotCheck, +com.apple.periodic-daily, +com.apple.periodic-monthly, +com.apple.periodic-weekly, +com.apple.pfctl, +com.apple.pfd, +com.apple.photolibraryd, +com.apple.PhotoLibraryMigrationUtility.XPC, +com.apple.pictd, +com.apple.platform.ptmd, +com.apple.pluginkit.pkd, +com.apple.pluginkit.pkreporter, +com.apple.postgres,Legacy or server app +com.apple.powerchime, +com.apple.powerd, 
+com.apple.powerd.swd, +com.apple.preferences.timezone.admintool, +com.apple.preferences.timezone.auto, +com.apple.printtool.agent, +com.apple.printtool.daemon, +com.apple.printuitool.agent, +com.apple.PubSub.Agent, +com.apple.quicklook, +com.apple.quicklook.32bit, +com.apple.quicklook.config, +com.apple.quicklook.ui.helper, +com.apple.racoon,Built-in VPN key management daemon +com.apple.rcd, +com.apple.recentsd, +com.apple.RemoteDesktop.agent,ARD +com.apple.RemoteDesktop.PrivilegeProxy,ARD +com.apple.RemotePairTool,Remote device pairing +com.apple.RemoteUI,Remote control +com.apple.ReportCrash,Analyzes crashing processes and saves a crash report to disk +com.apple.ReportCrash.Root, +com.apple.ReportCrash.Self, +com.apple.ReportGPURestart, +com.apple.ReportPanic, +com.apple.ReportPanicService, +com.apple.reversetemplated, +com.apple.revisiond, +com.apple.rexecd, +com.apple.RFBEventHelper, +com.apple.rlogind, +com.apple.rootless.init, +com.apple.rpcbind, +com.apple.rshd,Remote shell server +com.apple.rtcreportingd,Home Sharing +com.apple.SafariCloudHistoryPushAgent, +com.apple.safaridavclient, +com.apple.SafariNotificationAgent,Safari notifications +com.apple.SafariPlugInUpdateNotifier, +com.apple.Safari.SafeBrowsing.Service, +com.apple.sandboxd, +com.apple.SCHelper, +com.apple.scopedbookmarksagent.xpc, +com.apple.ScreenReaderUIServer, +com.apple.screensharing,Screen Sharing daemon +com.apple.screensharing.agent, +com.apple.screensharing.MessagesAgent, +com.apple.scrod, +com.apple.scsid, +com.apple.secd, +com.apple.secinitd, +com.apple.security.agent, +com.apple.security.agent.login, +com.apple.security.authhost, +com.apple.security.cloudkeychainproxy3, +com.apple.securityd, +com.apple.security.DiskUnmountWatcher, +com.apple.securityd_service, +com.apple.security.FDERecoveryAgent, +com.apple.security.idskeychainsyncingproxy, +com.apple.security.keychain-circle-notification, +com.apple.security.syspolicy, +com.apple.sessionlogoutd, +com.apple.sharingd,"Sharing Daemon 
that enables AirDrop, Handoff, Instant Hotspot, Shared Computers, and Remote Disc in the Finder" +com.apple.smbd, +com.apple.smb.preferences, +com.apple.soagent, +com.apple.SocialPushAgent, +com.apple.softwareupdatecheck.initial, +com.apple.softwareupdated, +com.apple.softwareupdate_download_service, +com.apple.softwareupdate_notify_agent, +com.apple.speech.speechdatainstallerd, +com.apple.speech.speechsynthesisd, +com.apple.speech.synthesisserver, +com.apple.spindump, +com.apple.spindump_agent, +com.apple.Spotlight, +com.apple.spotlight.IndexAgent, +com.apple.ssinvitationagent, +com.apple.statd.notify, +com.apple.storagekitd, +com.apple.storeaccountd, +com.apple.storeaccountd.daemon, +com.apple.storeagent.daemon, +com.apple.storeassetd, +com.apple.storeassetd.daemon, +com.apple.storedownloadd, +com.apple.storedownloadd.daemon, +com.apple.storeinappd, +com.apple.storelegacy, +com.apple.storereceiptinstaller, +com.apple.storeuid, +com.apple.SubmitDiagInfo,Sends diagnostic information to Apple +com.apple.suggestd, +com.apple.suhelperd, +com.apple.swcd, +com.apple.symptomsd, +com.apple.syncdefaultsd, +com.apple.syncservices.SyncServer, +com.apple.syncservices.uihandler, +com.apple.sysdiagnose, +com.apple.syslogd, +com.apple.sysmond, +com.apple.system_installd, +com.apple.systemkeychain, +com.apple.systempreferences.install, +com.apple.systemprofiler, +com.apple.systemstats.analysis, +com.apple.systemstatsd, +com.apple.systemstats.daily, +com.apple.SystemUIServer.agent, +com.apple.talagent, +com.apple.taskgated, +com.apple.taskgated-helper, +com.apple.tccd, +com.apple.tccd.system, +com.apple.telephonyutilities.callservicesd, +com.apple.telnetd, +com.apple.tftpd,TFTP server daemon +com.apple.thermald,Thermal management daemon +com.apple.thermaltrap, +com.apple.tiswitcher, +com.apple.TMCacheDelete, +com.apple.TMHelperAgent, +com.apple.TMHelperAgent.SetupOffer, +com.apple.trustd,Certificate validation +com.apple.trustd.agent, +com.apple.TrustEvaluationAgent, 
+com.apple.TrustEvaluationAgent.system, +com.apple.ucupdate.plist, +com.apple.uninstalld, +com.apple.universalaccessAuthWarn, +com.apple.universalaccesscontrol, +com.apple.universalaccessd, +com.apple.unmountassistant.sysagent, +com.apple.unmountassistant.useragent, +com.apple.updateEFIDesktopPicture, +com.apple.USBAgent, +com.apple.usbd, +com.apple.usbmuxd, +com.apple.UserEventAgent-Aqua, +com.apple.UserEventAgent-LoginWindow, +com.apple.UserEventAgent-System, +com.apple.usernoted, +com.apple.UserNotificationCenterAgent, +com.apple.UserNotificationCenterAgent-LoginWindow, +com.apple.UserNotificationCenter,Notification Center +com.apple.uucp, +com.apple.var-db-dslocal-backup, +com.apple.VoiceOver, +com.apple.vsdbutil, +com.apple.warmd, +com.apple.warmd_agent, +com.apple.watchdogd, +com.apple.wdhelper, +com.apple.webinspectord, +com.apple.WebKit.PluginAgent, +com.apple.wifid, +com.apple.wifi.WiFiAgent, +com.apple.WindowServer, +com.apple.wirelessproxd, +com.apple.WirelessRadioManagerd-osx, +com.apple.wwand, +com.apple.xpc.loginitemregisterd, +com.apple.xpc.otherbsd, +com.apple.xpc.smd, +com.apple.xpc.uscwoap, +com.apple.xsan, +com.apple.xsandaily, +com.apple.xscertadmin, +com.apple.xscertd, +com.apple.xscertd-helper, +com.apple.ZoomWindow, +com.openssh.sshd,Wrapper for OpenSSH SSH daemon called by launchd +com.vix.cron, +org.apache.httpd,Apache HTTP server +org.cups.cupsd,CUPS print server +org.cups.cups-lpd, +org.net-snmp.snmpd,SNMP diagnostics +org.ntp.ntpd,Wrapper for ntpdate/ntpd called by launchd +org.openbsd.ssh-agent, +org.openldap.slapd,Slapd is the stand-alone LDAP daemon. +org.postfix.master, +org.postfix.newaliases, diff --git a/launchd/read_launch_plists.py b/launchd/read_launch_plists.py old mode 100755 new mode 100644 index a6a3015a..1d04ecfe --- a/launchd/read_launch_plists.py +++ b/launchd/read_launch_plists.py 
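Review bot: In the comments.csv hunk, the new ordering ignores punctuation (`com.apple.airportd` sorts before `com.apple.airport.wps`, and `com.apple.securityd` lands between `com.apple.security.cloudkeychainproxy3` and `com.apple.security.DiskUnmountWatcher`), which looks like locale-dependent collation; a re-sort on a machine with a different `LC_COLLATE` will produce a large spurious diff, so sort with `LC_ALL=C sort -f` or a fixed Python key and record the rule in the script. Since the file exists to tell readers what each daemon does before they decide whether to disable it, the legacy cleartext remote-access services `com.apple.telnetd,`, `com.apple.rexecd,`, `com.apple.rlogind,` and `com.apple.fingerd,` still carry empty comments while `com.apple.rshd` and `com.apple.tftpd` are described; fill those in. The `com.apple.sharingd` comment also appears split across two lines inside its quotes where the old entry was a single line; if that is a real embedded newline and not an extraction artifact, anything that splits the file on lines instead of using the `csv` module will misparse it, so keep the field on one line.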
@@ -1,6 +1,8 @@ -#!/usr/bin/env python -# -# This script reads system launch daemon and agent plists. +""" +https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/launchd/read_launch_plists.py + +Reads macOS system launch daemon and agent property lists. +""" import glob import hashlib 
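Review bot: the `#!/usr/bin/env python` line is dropped and the file mode goes from 100755 to 100644 (see the `old mode`/`new mode` lines in the diff header), so the script can no longer be run as `./read_launch_plists.py`; either keep the shebang above the new module docstring or state in the README how the script is now invoked. Starting the docstring with a bare URL is also unusual; lead with the one-line summary ("Reads macOS system launch daemon and agent property lists.") and put the URL after it.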
@@ -9,99 +11,94 @@ import subprocess import csv -header ='filename,label,program,sha256,runatload,comment' -location = '/System/Library/Launch%s/*.plist' -comments = {} +HEADER = "filename,label,program,sha256,runatload,comment" +PLIST_LOCATION = "/System/Library/Launch%s/*.plist" +PLIST_TYPES = ["Daemons", "Agents"] + def LoadPlist(filename): - """Plists can be read with plistlib.""" - # creating our own data - data = None - - try: - p = subprocess.Popen( - ['/usr/bin/plutil', '-convert', 'xml1', '-o', '-', filename], - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - out_data, err_data = p.communicate() - except IOError as e: - # file could not be found - print(e) - - if(p.returncode == 0): - data = plistlib.readPlistFromString(out_data) - - return data - - -def GetStatus(plist): - """Plists may have a RunAtLoad key.""" - try: - return plist['RunAtLoad'] - except KeyError: - return 'False' - - -def GetLabel(plist): - """Plists have a label.""" - try: - return plist['Label'] - except KeyError: - return 'False' + """Returns plists read with plistlib.""" + try: + proc = subprocess.Popen( + ["/usr/bin/plutil", "-convert", "xml1", "-o", "-", filename], + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out_data, err_data = proc.communicate() + except IOError as io_error: + print(io_error, err_data) + + if proc.returncode == 0: + return plistlib.readPlistFromString(out_data) + + return None + + +def GetPlistValue(plist, value): + """Returns the value of a plist dictionary, or False.""" + try: + return plist[value] + except KeyError: + return False def GetProgram(plist): - """Plists have either a Program or ProgramArguments key, - if the executable requires command line options. 
- """ - try: - return "['%s']" % plist['Program'], HashFile(plist['Program']) - except KeyError: - return plist['ProgramArguments'], HashFile(plist['ProgramArguments']) - - -def HashFile(f): - """Returns SHA-256 hash of a given file.""" - if type(f) is list: - f = f[0] - try: - return hashlib.sha256(open(f,'rb').read()).hexdigest() - except: - return 'UNKNOWN' - - -def GetComment(plist): - """docstring for GetComment""" - global comments - label = plist['Label'] - comment = None - if label in comments: - comment = comments[label] - return comment + """Returns a plist's Program or ProgramArguments key and hash.""" + try: + return "['%s']" % plist["Program"], HashFile(plist["Program"]) + except KeyError: + try: + return plist["ProgramArguments"], HashFile(plist["ProgramArguments"]) + except KeyError: + return ("NO PROGRAM DEFINED", "UNKNOWN FILE HASH") + return None + + +def HashFile(filename): + """Returns SHA-256 hash of a given file.""" + if isinstance(filename, list): + filename = filename[0] + try: + return hashlib.sha256( + open(filename, "rb").read()).hexdigest() + except IOError: + return "UNKNOWN FILE HASH" + + +def GetComment(plist, comments): + """Get comment for a given property list.""" + try: + label = plist["Label"] + except KeyError: + return None + + if label in comments: + return comments[label] + return None def main(): - """Main function.""" - print(header) - - global comments - - csvfile = os.path.join(os.path.dirname( - os.path.realpath(__file__)), 'comments.csv') - - with open(csvfile, 'rb') as f: - reader = csv.reader(f) - comments = {rows[0]:rows[1] for rows in reader} - - for kind in ['Daemons', 'Agents']: - for filename in glob.glob(location % kind): - if not filename.endswith('com.apple.jetsamproperties.Mac.plist'): - p = LoadPlist(filename) - if p: - e = (filename, GetLabel(p), '"%s",%s' % GetProgram(p), GetStatus(p), '"%s"' % GetComment(p)) - print('%s,%s,%s,%s,%s' % e) - else: - print('Could not load %s' % filename) - - -if __name__ == 
'__main__': - main() + """Main function.""" + print(HEADER) + + comments_file = os.path.join( + os.path.dirname(os.path.realpath(__file__)), "comments.csv") + + with open(comments_file, "rb") as c_file: + reader = csv.reader(c_file) + comments = {rows[0]:rows[1] for rows in reader} + + for ptype in PLIST_TYPES: + for filename in glob.glob(PLIST_LOCATION % ptype): + prop = LoadPlist(filename) + if prop: + print("%s,%s,%s,%s,%s" % ( + filename, + GetPlistValue(prop, "Label"), + '"%s",%s' % GetProgram(prop), + GetPlistValue(prop, "RunAtLoad"), + '"%s"' % GetComment(prop, comments))) + else: + print("Could not load %s" % filename) + + +if __name__ == "__main__": + main() From 7aa6381c6abcf115a0544e6943735812846545ac Mon Sep 17 00:00:00 2001 From: drduh Date: Wed, 5 Feb 2020 17:17:00 -0800 Subject: [PATCH 122/476] Mention Chrome DNS and new firmwarepasswd option. Fix 354. Fix 350. --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9a83766a..8d4482c6 100755 --- a/README.md +++ b/README.md 
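Review bot: `LoadPlist` can fail inside its own error handling: the `except IOError as io_error:` branch prints `err_data`, which is only assigned by `proc.communicate()`, and the following `if proc.returncode == 0:` runs even when `subprocess.Popen` itself raised, so `proc` is unbound and the I/O error becomes a `NameError`. Return `None` from the except branch (and print only `io_error`) so the caller's "Could not load" path is reached. Three smaller points: `plistlib.readPlistFromString` and `open(comments_file, "rb")` feeding `csv.reader` are Python 2 APIs, so the rewrite still does not run under Python 3 (`plistlib.loads` and text-mode `open(..., newline="")` are needed there); the trailing `return None` in `GetProgram` is unreachable after the nested try/except; and the old `main` skipped `com.apple.jetsamproperties.Mac.plist` while the new loop processes every file, which the commit does not explain and which changes the CSV output.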
@@ -499,12 +499,16 @@ Enter password: Correct ``` -Note, a firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. +A firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple *Using a [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* +As of macOS 10.15 Catalina, the `firmwarepasswd` program has a new option `-disable-reset-capability`. According to [Apple's new Platform Security page](https://support.apple.com/en-gb/guide/security/sec28382c9ca/web), this effectively prevents any firmware password resets, even by Apple themselves: + +> For users who want no one but themselves to remove their Firmware Password by software means, the -disable-reset-capability option has been added to the firmwarepasswd command-line tool in macOS 10.15. Before setting this option, users must to acknowledge that if the password is forgotten and needs removal, the user must bear the cost of the motherboard replacement necessary to achieve this. + Newer Mac models (Mac Pro, iMac Pro, Macbook with TouchBar) with [Apple T2](https://en.wikipedia.org/wiki/Apple-designed_processors#Apple_T2) chips, which provide a secure enclave for encrypted keys, lessen the risk of EFI firmware attacks. See [this blog post](http://michaellynn.github.io/2018/07/27/booting-secure/) for more information. See [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool), [chipsec/chipsec](https://github.com/chipsec/chipsec) and discussion in [issue #213](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/213) for more information. 
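Review bot: the new paragraph overstates what the option does. It says `-disable-reset-capability` "effectively prevents any firmware password resets, even by Apple themselves", but the quoted Apple text limits this to removal "by software means", and the caption directly above describes removing the password by dumping and reflashing the SPI chip with a Dediprog SF600, which a software-side setting does not address. Suggest "prevents firmware password resets by software means, even by Apple". The quoted block also reads "users must to acknowledge"; if that is verbatim from Apple's page mark it `[sic]`, otherwise drop "to".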
@@ -1150,7 +1154,7 @@ Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/ Change the default search engine from Google to reduce additional tracking. -Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). +Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). Note that Chrome [may attempt](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/350) to resolve DNS using Google's `8.8.8.8` and `8.8.4.4` public nameservers. Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy) for more detailed, technical information. From e223b9765a8d2c7895c09e2f7ee0d29b1a0f0479 Mon Sep 17 00:00:00 2001 From: William Entriken Date: Thu, 6 Feb 2020 17:10:24 -0500 Subject: [PATCH 123/476] Simple backup techniques for #347 --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 8d4482c6..efce5489 100755 --- a/README.md +++ b/README.md 
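Review bot: telling readers that Chrome "may attempt" to resolve DNS via `8.8.8.8` and `8.8.4.4` leaves them without a way to confirm or stop it. Since the guide elsewhere shows packet capture and `lsof` for checking connections and discusses the pf firewall, add one sentence pointing at those checks (watch for UDP/TCP 53 to those two addresses) so the note is actionable rather than only a warning linked to issue #350.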
@@ -1817,6 +1817,14 @@ $ hdiutil eject /Volumes/secretStuff "disk4" ejected. ``` +With `hdiutil` you are also able to add the option `-type SPARSE-BUNDLE`. With these sparse bundles you may achieve faster backups because after the first run, the updated information and some padding needs to be transferred. + +A simple way to synchronize this encrypted folder to another server is using rsync: + +```console +rsync --recursive --times --progress --delete --verbose --stats MyEncryptedDrive.sparsebundle user@server:/path/to/backup +``` + See also the following applications and services: [Tresorit](https://www.tresorit.com), [SpiderOak](https://www.spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). ## Wi-Fi From 980ea3ad9b19462b24b2731e120b88ea9bb5c36e Mon Sep 17 00:00:00 2001 From: William Entriken Date: Thu, 6 Feb 2020 17:16:36 -0500 Subject: [PATCH 124/476] Add backup recommendation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README-cn.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README-cn.md b/README-cn.md index ec0fcb89..8fd834c4 100755 --- a/README-cn.md +++ b/README-cn.md @@ -1457,6 +1457,14 @@ $ xattr -l ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg $ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+ +这个 `hdiutil` 也会用 `-type SPARSE-BUNDLE` 模式。这一些sparse bundle可以让你加快备份。应为第一次所有的数据要传过去。但是第二、三等次只用传你改变的数据。 + +你可以用 `rsync` 传你的加密过的数据: + +```console +rsync --recursive --times --progress --delete --verbose --stats MyEncryptedDrive.sparsebundle user@server:/path/to/backup +``` + 也可以考虑使用下面的应用和服务:[SpiderOak](https://spideroak.com/)、[Arq](https://www.arqbackup.com/)、[Espionage](https://www.espionageapp.com/) 和 [restic](https://restic.github.io/)。 ## Wi-Fi From c714225aa47becdb6824dae769b821b1f77e7295 Mon Sep 17 00:00:00 2001 
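Review bot: the sentence explaining sparse bundles is garbled ("after the first run, the updated information and some padding needs to be transferred"); say that a sparse bundle is stored as many small band files, so after the first run only the bands that changed have to be copied. The `rsync` line needs a caveat that `--delete` removes anything on the destination that no longer exists locally, so a damaged or accidentally emptied local bundle is mirrored straight into the backup; mention keeping a second, non-mirrored copy or a snapshot on the server. Also, the only `hdiutil create` invocation on the page (in the README-cn.md hunk of the next patch) produces a `.dmg`, so show the full `hdiutil create ... -type SPARSE-BUNDLE` command that yields `MyEncryptedDrive.sparsebundle` instead of mentioning the option in passing. The same applies to the README-cn.md hunk, which carries the identical command.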
From: drduh Date: Sun, 3 May 2020 14:26:41 -0700 Subject: [PATCH 125/476] Update privoxy download url to fix #366 --- README.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index efce5489..7f39a3c8 100755 --- a/README.md +++ b/README.md @@ -785,7 +785,13 @@ To block a domain by `A` record, append any one of the following lines to `/etc/ There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included. -For hosts lists, see [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts), [l1k/osxparanoia/blob/master/hosts](https://github.com/l1k/osxparanoia/blob/master/hosts) and [StevenBlack/hosts](https://github.com/StevenBlack/hosts). +Here are some popular and useful hosts lists: + +* [jmdugan/blocklists](https://github.com/jmdugan/blocklists) +* [l1k/osxparanoia](https://github.com/l1k/osxparanoia/blob/master/hosts) +* [Sinfonietta/hostfiles](https://github.com/Sinfonietta/hostfiles) +* [StevenBlack/hosts](https://github.com/StevenBlack/hosts) +* [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts) Append a list of hosts with the `tee` command and confirm only non-routable addresses or comments were added: 
@@ -976,6 +982,8 @@ The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middl ## OpenSSL +**Note** This section [may be out of date](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/356). + The version of OpenSSL in Sierra is `0.9.8zh` which is [not current](https://apple.stackexchange.com/questions/200582/why-is-apple-using-an-older-version-of-openssl). It doesn't support TLS 1.1 or newer, elliptic curve ciphers, and [more](https://stackoverflow.com/questions/27502215/difference-between-openssl-09-8z-and-1-0-1). Since Apple's official supported TLS library on macOS is [Secure Transport](https://developer.apple.com/documentation/security/secure_transport), OpenSSL **deprecated** is considered deprecated (according to the [Cryptographic Services Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html). Apple's version of OpenSSL may also have patches which may [surprise you](https://hynek.me/articles/apple-openssl-verification-surprises/). 
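Review bot: the new "may be out of date" note would help more if it said which macOS versions the section still describes; the paragraph below it still names Sierra and `0.9.8zh`, so a reader on a newer release cannot tell what has changed without following the issue link. While in this region, the context line "OpenSSL **deprecated** is considered deprecated" has a stray bolded word that should be removed.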
@@ -1020,7 +1028,7 @@ Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter We **Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and manually verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. -A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/OSX/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. +A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/Macintosh%20%28OS%20X%29/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. Alternatively, install and start privoxy using Homebrew: 
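Review bot: the sentence still asserts the signed package is "more secure" than the Homebrew build but gives the reader no way to check that property; since the guide already uses `pkgutil --check-signature` for the macOS installer, add a line telling readers to run it on the downloaded Privoxy `.pkg` and confirm the signer before installing. Also confirm the new silvester.org.uk path (`privoxy/Macintosh%20%28OS%20X%29/`) resolves, since the commit message only says it fixes #366.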
@@ -1893,9 +1901,9 @@ $ sudo lsof -Pni TCP:22 ## Physical access -Keep your Mac physically secure at all times. Don't leave it unattended in hotels and other public spaces. +Keep your Mac physically secure at all times. Don't leave it unattended in public spaces, such as hotels. -A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password - see [Thunderstrike](https://trmm.net/Thunderstrike) for an example. +A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password, for example - see [Thunderstrike](https://trmm.net/Thunderstrike). A helpful tool is [usbkill](https://github.com/hephaest0s/usbkill), which is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer. From 0e9c9a76ca7849911b7136100d3d2c4c5569c5f3 Mon Sep 17 00:00:00 2001 From: Joost-Wim Boekesteijn Date: Thu, 28 May 2020 13:08:45 +0200 Subject: [PATCH 126/476] add Catalina 10.15.5 build 19F96 hashes --- InstallESD_Hashes.csv | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index 9c1972ba..cb5228a1 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv 
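Review bot: the reworded second sentence reads worse than the original: "steal your password, for example - see [Thunderstrike](...)" attaches "for example" to the wrong clause. Keep the old shape, e.g. "...install a keylogger and steal your password; see [Thunderstrike](https://trmm.net/Thunderstrike) for an example." The first change (hotels as an example of public spaces) is fine.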
@@ -36,4 +36,5 @@ Version,Build,SHA-256,SHA-1 10.15,19A583,4409a34604f4443993debccf855b0896e594dc1fa09ebf2d632a7787b0083436,2faf7d456ce292662a058cb571a520acabe81ce7 10.15,19A602,d62588185b524bc27902c6e0348fb36a9c071dc8e45df89caf9a45bc6731492d,65aed4389ce4a65d713affef388356d251d9eec3 10.15,19A603,572f8ccc909762f9bc75019fa9729eefc3e2f85834e082aea926b1c7931f729a,5ac1070e34ecc02f66beb03a77198dd0dc3d3377 -10.15.3,19D76,54bb26608f2916ca73f3482e8f4d5a98fc875d479482293840ec1b7a111c70f6,6ac088372d0bf0286d24ce55d9f0eb14a81d91c3 \ No newline at end of file +10.15.3,19D76,54bb26608f2916ca73f3482e8f4d5a98fc875d479482293840ec1b7a111c70f6,6ac088372d0bf0286d24ce55d9f0eb14a81d91c3 +10.15.5,19F96,833aa44561e9883f7a2e3b4861617c3d14905a6b612cc4352f9adbee49657c9f,18b35ba4b4a1bdefeccaddf50da749f6cb3b2ad5 \ No newline at end of file From e0344d37f6545a777ce4a6c139b9d6331f111ade Mon Sep 17 00:00:00 2001 From: Kaibin Yang <44992049+SkyYkb@users.noreply.github.com> Date: Thu, 30 Jul 2020 22:42:29 +0800 Subject: [PATCH 127/476] Update README-cn.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a few small issues - The Mac keyboard modifier key is `Option`, not `Alt` - Commands should be in code blocks for readability - beta was written as beat --- README-cn.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README-cn.md b/README-cn.md index 8fd834c4..612f229c 100755 --- a/README-cn.md +++ b/README-cn.md @@ -112,11 +112,11 @@ 7. 选择 Apple 菜单,并且选择重新启动或者关闭计算机。 -这个固件密码会在下一次启动后激活。为了验证这个密码,在启动过程中按住 `Alt` 键 - 按照提示输入密码。 +这个固件密码会在下一次启动后激活。为了验证这个密码,在启动过程中按住 `Option` 键 - 按照提示输入密码。 当启动进操作系统以后。固件密码也能通过 `firmwarepasswd` 工具管理。例如,从另一个模式启动的时候可以这样: -$ sudo firmwarepasswd -setpasswd -setmode command +`$ sudo firmwarepasswd -setpasswd -setmode command` 输入一个密码然后重启。 
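Review bot: in the InstallESD_Hashes.csv hunk the new 10.15.5 line is again committed without a trailing newline (`\ No newline at end of file` follows the `+` line), so the next contributor will have to rewrite this line just to append theirs, as this hunk itself had to do for 10.15.3; end the file with a newline. The commit message should also record where the hashes came from (which installer app or `InstallESD.dmg`, and the command used to compute them), since readers use this CSV to verify downloads and a bare pair of digests cannot be re-checked otherwise.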
@@ -1278,7 +1278,7 @@ listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes 看看[恶意软件驻留在 Mac OS X 的方法](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) 和[恶意软件在 OS X Yosemite 后台运行](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite)了解各种恶意软件的功能和危害。 -你可以定期运行 [Knock Knock](https://github.com/synack/knockknock) 这样的工具来检查在持续运行的应用(比如脚本,二进制程序)。但这种方法可能已经过时了。[Block Block](https://objective-see.com/products/blockblock.html) 和 [Ostiarius](https://objective-see.com/products/ostiarius.html) 这样的应用可能还有些帮助。可以在 [issue #90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) 中查看相关警告。除此之外,使用 [Little Flocker](https://www.littleflocker.com/) 也能保护部分文件系统免遭非法写入,类似 Little Snitch 保护网络 (注意,该软件目前是 beat 版本,[谨慎使用](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128))。 +你可以定期运行 [Knock Knock](https://github.com/synack/knockknock) 这样的工具来检查在持续运行的应用(比如脚本,二进制程序)。但这种方法可能已经过时了。[Block Block](https://objective-see.com/products/blockblock.html) 和 [Ostiarius](https://objective-see.com/products/ostiarius.html) 这样的应用可能还有些帮助。可以在 [issue #90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) 中查看相关警告。除此之外,使用 [Little Flocker](https://www.littleflocker.com/) 也能保护部分文件系统免遭非法写入,类似 Little Snitch 保护网络 (注意,该软件目前是 beta 版本,[谨慎使用](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128))。 **反病毒**软件是把双刃剑 -- 对于**高级**用户没什么用,却可能面临更多复杂攻击的威胁。然而对于 Mac **新手**用户可能是有用的,可以检测到“各种”恶意软件。不过也要考到额外的处理开销。 From 57131db11011d9d300237ef6b7632f1376c58f46 Mon Sep 17 00:00:00 2001 From: juanjonol Date: Tue, 18 Aug 2020 15:12:04 +0200 Subject: [PATCH 128/476] Update InstallESD_Hashes.csv --- InstallESD_Hashes.csv | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv index cb5228a1..15b5ff55 100644 --- a/InstallESD_Hashes.csv +++ b/InstallESD_Hashes.csv 
@@ -37,4 +37,5 @@ Version,Build,SHA-256,SHA-1 10.15,19A602,d62588185b524bc27902c6e0348fb36a9c071dc8e45df89caf9a45bc6731492d,65aed4389ce4a65d713affef388356d251d9eec3 10.15,19A603,572f8ccc909762f9bc75019fa9729eefc3e2f85834e082aea926b1c7931f729a,5ac1070e34ecc02f66beb03a77198dd0dc3d3377 10.15.3,19D76,54bb26608f2916ca73f3482e8f4d5a98fc875d479482293840ec1b7a111c70f6,6ac088372d0bf0286d24ce55d9f0eb14a81d91c3 -10.15.5,19F96,833aa44561e9883f7a2e3b4861617c3d14905a6b612cc4352f9adbee49657c9f,18b35ba4b4a1bdefeccaddf50da749f6cb3b2ad5 \ No newline at end of file +10.15.5,19F96,833aa44561e9883f7a2e3b4861617c3d14905a6b612cc4352f9adbee49657c9f,18b35ba4b4a1bdefeccaddf50da749f6cb3b2ad5 +10.15.6,19G2021,f4a4874fab03cab52cfd73135d53226c5c8b72fb58b798e61b951a88c69b5f0d,d9be22bfc3220c17cc024ef52a14216e157f42f2 From b2b2bf6efd69ea7e323e9c74719765ed5647c25d Mon Sep 17 00:00:00 2001 From: Kevin Layer Date: Sat, 22 Aug 2020 10:34:35 -0700 Subject: [PATCH 129/476] README.md: fix single-user mode URL The original one is a 404 now. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7f39a3c8..98c824f5 100755 --- a/README.md +++ b/README.md 
@@ -692,7 +692,7 @@ $ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist **Note** Unloading services may break usability of some applications. Read the manual pages and use Google to make sure you understand what you're doing first. -Be careful about disabling any system daemons you don't understand, as it may render your system unbootable. If you break your Mac, use [single user mode](https://support.apple.com/en-us/HT201573) to fix it. +Be careful about disabling any system daemons you don't understand, as it may render your system unbootable. If you break your Mac, use [single user mode](https://support.apple.com/guide/mac-help/start-up-your-mac-in-single-user-mode-mchlp1720/mac) to fix it. Use [Console](https://en.wikipedia.org/wiki/List_of_macOS_components#Console) and [Activity Monitor](https://support.apple.com/en-us/HT201464) applications if you notice your Mac heating up, feeling sluggish, or generally misbehaving, as it may have resulted from your tinkering. From 31f017f07d81f98bc29900e7515e8fc691d5a929 Mon Sep 17 00:00:00 2001 From: Mike Dettmer Date: Sat, 22 Aug 2020 14:56:14 -0400 Subject: [PATCH 130/476] README.md: fix minor typo in safari feature section --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7f39a3c8..a9c15bea 100755 --- a/README.md +++ b/README.md 
@@ -1172,7 +1172,7 @@ Read [Google's privacy policy](https://www.google.com/policies/privacy/) and lea [Safari](https://www.apple.com/safari/) is the default Web browser of macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory user, security, and privacy. Safari 11 introduced an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature automatically removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. +Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature automatically removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Similar to Chrome and Firefox, Safari offers an invite only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. 
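Review bot: since this hunk is a typo fix for the same sentence, also change "[Content blockers](...) enables" to "enable" (plural subject) and consider the standard spelling "JavaScript"; "rule based" would normally be hyphenated as "rule-based".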
The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. From 653f83a771ba50997848a27df5a46b08b4d82800 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 30 Aug 2020 14:01:05 -0700 Subject: [PATCH 131/476] Update knockknock URL to fix #375. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 65a042a3..1a478fbc 100755 --- a/README.md +++ b/README.md @@ -668,7 +668,7 @@ See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phon Services on macOS are managed by **launchd**. See [launchd.info](http://launchd.info/), as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html) -You can also run [KnockKnock](https://github.com/synack/knockknock) that shows more information about startup items. +You can also run [KnockKnock](https://objective-see.com/products/knockknock.html) that shows more information about startup items. * Use `launchctl list` to view running user agents * Use `sudo launchctl list` to view running system daemons From b637b3197599f4e64506e12c9535a6c04c083781 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 30 Aug 2020 21:01:56 +0000 Subject: [PATCH 132/476] Create FUNDING.yml --- .github/FUNDING.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 00000000..92cbba99 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +github: [drduh] From 4c11e87e0e78adc0171a8ecbdd3c04e277f8cabe Mon Sep 17 00:00:00 2001 
From: Hannes Braun <37622889+hannesbraun@users.noreply.github.com> Date: Tue, 15 Sep 2020 16:52:08 +0200 Subject: [PATCH 133/476] Fix PGP/GPG link in table of contents --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a478fbc..ffc78df0 100755 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se * [Plugins](#plugins) - [Tor](#tor) - [VPN](#vpn) -- [PGP/GPG](#pgp-gpg) +- [PGP/GPG](#pgpgpg) - [OTR](#otr) - [Viruses and malware](#viruses-and-malware) - [System Integrity Protection](#system-integrity-protection) From ec14f6a4a8f66ae536a13f568bc4a086e00f84ee Mon Sep 17 00:00:00 2001 From: Anonymous Planet <74728592+AnonymousPlanet@users.noreply.github.com> Date: Tue, 6 Jul 2021 08:30:00 +0000 Subject: [PATCH 134/476] Adding information to disable Gatekeeper service --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index ffc78df0..67754bd3 100755 --- a/README.md +++ b/README.md @@ -1467,6 +1467,12 @@ $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 ``` +Alternatively, you can also disable Gatekeeper using the following command: + +```sudo spctl --master-disable``` + +(See and for reference) + ## Metadata and artifacts macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: From e312d2f0834633d7cda11bbf862e688e4c00e623 Mon Sep 17 00:00:00 2001 From: AnonyPla <86740652+AnonyPla@users.noreply.github.com> Date: Fri, 23 Jul 2021 03:12:42 +0000 Subject: [PATCH 135/476] Set theme jekyll-theme-hacker --- _config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_config.yml b/_config.yml index 2f7efbea..fc24e7a6 100644 --- a/_config.yml +++ b/_config.yml 
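Review bot: the Gatekeeper hunk in PATCH 134 adds a paragraph with two empty references ("(See and for reference)") and wraps the command in triple backticks on a single line, which renders as inline code rather than a block; either fill in the references or drop the sentence, and put `sudo spctl --master-disable` in a ```console fence like the surrounding examples. More importantly, `spctl --master-disable` turns Gatekeeper off system-wide, so every downloaded application launches without the signature and notarization check that the rest of this section relies on; if the paragraph stays, say that explicitly, present it as a last resort rather than an "alternative" to clearing the quarantine database, and show how to restore the check (`sudo spctl --master-enable`).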
@@ -1 +1 @@ -theme: jekyll-theme-minimal \ No newline at end of file +theme: jekyll-theme-hacker \ No newline at end of file From 3beb38be98872ebc7d89856c29569dcec3eaee8b Mon Sep 17 00:00:00 2001 From: Neyts Zupan Date: Tue, 27 Jul 2021 20:07:18 +0100 Subject: [PATCH 136/476] Add Pareto Security app to Related software section --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ffc78df0..8c6ac53c 100755 --- a/README.md +++ b/README.md @@ -2346,6 +2346,7 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. * [yelp/osxcollector](https://github.com/yelp/osxcollector) - Forensic evidence collection & analysis toolkit for OS X. * [The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. +* [Pareto Security](https://github.com/paretoSecurity/pareto-mac/) - A MenuBar app to automatically audit your Mac for basic security hygiene. ## Additional resources From 80229d9e703b736f58668515c2ee140152dc36cc Mon Sep 17 00:00:00 2001 From: Neyts Zupan Date: Fri, 10 Sep 2021 21:15:15 +0100 Subject: [PATCH 137/476] Pareto Security app now has a proper website --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 029172c0..b22dfd1a 100755 --- a/README.md +++ b/README.md 
@@ -2352,7 +2352,7 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. * [yelp/osxcollector](https://github.com/yelp/osxcollector) - Forensic evidence collection & analysis toolkit for OS X. * [The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. -* [Pareto Security](https://github.com/paretoSecurity/pareto-mac/) - A MenuBar app to automatically audit your Mac for basic security hygiene. +* [Pareto Security](https://paretosecurity.app/) - A MenuBar app to automatically audit your Mac for basic security hygiene. ## Additional resources From c64568e510774ca7aa1dddc21fd1d19b19c5e0dc Mon Sep 17 00:00:00 2001 From: Gary Johnson <1448547+johnsoga@users.noreply.github.com> Date: Sat, 15 Jan 2022 00:23:36 -0500 Subject: [PATCH 138/476] Update Installation Instructions This commit updates broadly the sections referencing how to download and install macOS. This commit updates those sections to reference the latest version of macOS, which is macOS 12 Monterey. --- README.md | 64 ++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index b22dfd1a..1b075614 100755 --- a/README.md +++ b/README.md 
@@ -110,7 +110,19 @@ The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us *Packet capture of an unencrypted HTTP conversation during macOS recovery* -An alternative way to install macOS is to first download **macOS Mojave** from the [App Store](https://itunes.apple.com/us/app/macos-mojave/id1398502828) or elsewhere, and create a custom installable system image. +An alternative way to install macOS is to first download the latest version of macOS (**Latest: macOS Monterey**) from Apple via the [App Store](https://apps.apple.com/us/app/macos-monterey/id1576738294) and create a custom installable system image. + +### Getting macOS + +Apple's [documentation](https://support.apple.com/en-us/HT211683) provides details for getting older versions of macOS. + +* macOS Monterey (12): (App Store)[https://apps.apple.com/us/app/macos-monterey/id1576738294] +* macOS Big Sur (11): (App Store)[https://apps.apple.com/us/app/macos-big-sur/id1526878132] +* macOS Catalina (10.15): (App Store)[https://apps.apple.com/us/app/macos-catalina/id1466841314] +* macOS Mojave(10.14): (App Store)[https://apps.apple.com/us/app/macos-mojave/id1398502828] +* macOS High Sierra(10.13): (App Store)[https://apps.apple.com/us/app/macos-high-sierra/id1246284741] +* macOS Sierra (10.12): (Direct Link)[http://updates-http.cdn-apple.com/2019/cert/061-39476-20191023-48f365f4-0015-4c41-9f44-39d3d2aca067/InstallOS.dmg] + ### Verifying installation integrity 
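Review bot: the six version links in the new "Getting macOS" list are written `(App Store)[https://...]`, with the parentheses and brackets swapped, so Markdown will not render them as links; they need the `[App Store](https://...)` form used elsewhere in the file. "Mojave(10.14)" and "High Sierra(10.13)" are missing the space before the parenthesis. The Sierra entry is a plain `http://` link to `updates-http.cdn-apple.com`, so that installer is fetched without TLS; the list should tell readers to check the download against `InstallESD_Hashes.csv` (or point to the "Verifying installation integrity" section that follows) rather than trust the transport.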
@@ -119,37 +131,47 @@ The macOS installation application is [code signed](https://developer.apple.com/ To verify the code signature and integrity of macOS application bundles: ```console -$ pkgutil --check-signature /Applications/Install\ macOS\ Catalina.app -Package "Install macOS Catalina": - Status: signed by a certificate trusted by Mac OS X +$ pkgutil --check-signature /Applications/Install\ macOS\ Monterey.app +Package "Install macOS Monterey": + Status: signed by a certificate trusted by macOS Certificate Chain: 1. Software Signing - SHA1 fingerprint: 01 3E 27 87 74 8A 74 10 3D 62 D2 CD BF 77 A1 34 55 17 C4 82 - ----------------------------------------------------------------------------- + Expires: 2026-10-24 17:39:41 +0000 + SHA256 Fingerprint: + D8 4D B9 6A F8 C2 E6 0A C4 C8 51 A2 1E C4 60 F6 F8 4E 02 35 BE B1 + 7D 24 A7 87 12 B9 B0 21 ED 57 + ------------------------------------------------------------------------ 2. Apple Code Signing Certification Authority - SHA1 fingerprint: 1D 01 00 78 A6 1F 4F A4 69 4A FF 4D B1 AC 26 6C E1 B4 59 46 - ----------------------------------------------------------------------------- + Expires: 2026-10-24 17:39:41 +0000 + SHA256 Fingerprint: + 5B DA B1 28 8F C1 68 92 FE F5 0C 65 8D B5 4F 1E 2E 19 CF 8F 71 CC + 55 F7 7D E2 B9 5E 05 1E 25 62 + ------------------------------------------------------------------------ 3. 
Apple Root CA - SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60 + Expires: 2035-02-09 21:40:36 +0000 + SHA256 Fingerprint: + B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C + 68 C5 BE 91 B5 A1 10 01 F0 24 ``` Use the `codesign` command to examine an application's code signature: ```console -$ codesign -dvv /Applications/Install\ macOS\ Catalina.app -Executable=/Applications/Install macOS Catalina.app/Contents/MacOS/InstallAssistant_springboard -Identifier=com.apple.InstallAssistant.Catalina -Format=app bundle with Mach-O thin (x86_64) -CodeDirectory v=20100 size=276 flags=0x2000(library-validation) hashes=3+3 location=embedded -Platform identifier=9 -Signature size=4628 +$ codesign -dvv /Applications/Install\ macOS\ Monterey.app +Executable=/Applications/Install macOS Monterey.app/Contents/MacOS/InstallAssistant_springboard +Identifier=com.apple.InstallAssistant.macOSMonterey +Format=app bundle with Mach-O universal (x86_64 arm64) +CodeDirectory v=20400 size=641 flags=0x2000(library-validation) hashes=13+3 location=embedded +Platform identifier=13 +Signature size=4523 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA -Info.plist entries=33 +Signed Time=Dec 1, 2021 at 1:10:31 AM +Info.plist entries=32 TeamIdentifier=not set -Sealed Resources version=2 rules=13 files=234 -Internal requirements count=1 size=84 +Sealed Resources version=2 rules=2 files=0 +Internal requirements count=1 size=88 ``` ### Creating a bootable USB installer @@ -166,7 +188,7 @@ $ diskutil unmountDisk /dev/disk2 $ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100% -$ cd /Applications/Install\ macOS\ Catalina.app +$ cd /Applications/Install\ macOS\ Monterey.app $ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction Erasing disk: 0%... 10%... 20%... 30%... 100% 
@@ -176,6 +198,8 @@ Copying boot files... Install media now available at "/Volumes/Install macOS Catalina" ``` +Apple also has [guide](https://support.apple.com/guide/disk-utility/erase-and-reformat-a-storage-device-dskutl14079/mac) on doing this via the GUI Disk Utility + ### Creating an install image **Note** Apple's AutoDMG installer [does not appear to work](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.14 image, for example, the following steps must be performed on macOS 10.14! From 8a6e0e68da1f71ca70f7229df0470bf358cd6eaf Mon Sep 17 00:00:00 2001 From: JBMagination Date: Wed, 30 Mar 2022 10:42:33 -0400 Subject: [PATCH 139/476] Add/fix version links --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 1b075614..2febd553 100755 --- a/README.md +++ b/README.md 
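Review bot: in the `@@ -176,6 +198,8 @@` hunk of PATCH 138 the unchanged context line `Install media now available at "/Volumes/Install macOS Catalina"` no longer matches the `createinstallmedia` invocation that the previous hunk changed to `Install macOS Monterey.app`; regenerate the sample output from a Monterey run (or at least update the volume name) so the transcript is consistent. The added sentence also needs an article and a full stop: `Apple also has a [guide](...) on doing this via the GUI Disk Utility.`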
@@ -116,13 +116,14 @@ An alternative way to install macOS is to first download the latest version of m Apple's [documentation](https://support.apple.com/en-us/HT211683) provides details for getting older versions of macOS. -* macOS Monterey (12): (App Store)[https://apps.apple.com/us/app/macos-monterey/id1576738294] -* macOS Big Sur (11): (App Store)[https://apps.apple.com/us/app/macos-big-sur/id1526878132] -* macOS Catalina (10.15): (App Store)[https://apps.apple.com/us/app/macos-catalina/id1466841314] -* macOS Mojave(10.14): (App Store)[https://apps.apple.com/us/app/macos-mojave/id1398502828] -* macOS High Sierra(10.13): (App Store)[https://apps.apple.com/us/app/macos-high-sierra/id1246284741] -* macOS Sierra (10.12): (Direct Link)[http://updates-http.cdn-apple.com/2019/cert/061-39476-20191023-48f365f4-0015-4c41-9f44-39d3d2aca067/InstallOS.dmg] - +* macOS Monterey (12): [App Store](https://apps.apple.com/us/app/macos-monterey/id1576738294) +* macOS Big Sur (11): [App Store](https://apps.apple.com/us/app/macos-big-sur/id1526878132) +* macOS Catalina (10.15): [App Store](https://apps.apple.com/us/app/macos-catalina/id1466841314) +* macOS Mojave (10.14): [App Store](https://apps.apple.com/us/app/macos-mojave/id1398502828) +* macOS High Sierra (10.13): [App Store](https://apps.apple.com/us/app/macos-high-sierra/id1246284741) +* macOS Sierra (10.12): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-39476-20191023-48f365f4-0015-4c41-9f44-39d3d2aca067/InstallOS.dmg) +* OS X El Capitan (10.11): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-41424-20191024-218af9ec-cf50-4516-9011-228c78eda3d2/InstallMacOSX.dmg) +* OS X Yosemite (10.10): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-41343-20191023-02465f92-3ab5-4c92-bfe2-b725447a070d/InstallMacOSX.dmg) ### Verifying installation integrity From add392af62ae80a0071166eef9cd871063545934 Mon Sep 17 00:00:00 2001 
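Review bot: the three "Direct Link" entries in this hunk (Sierra, El Capitan, Yosemite) point at `http://updates-http.cdn-apple.com/...` with no transport protection, unlike the HTTPS App Store links above them; label them as HTTP and remind the reader that such a download must be checked against the hashes and signatures in the `### Verifying installation integrity` section below rather than trusted as received. The link-syntax fix itself (`[App Store](...)`) and the restored spaces in `Mojave (10.14)` / `High Sierra (10.13)` look right.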
From: JBMagination Date: Wed, 30 Mar 2022 11:02:30 -0400 Subject: [PATCH 140/476] Add indicator of direct links being exclusively HTTP --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2febd553..78cdfa5e 100755 --- a/README.md +++ b/README.md @@ -121,9 +121,9 @@ Apple's [documentation](https://support.apple.com/en-us/HT211683) provides detai * macOS Catalina (10.15): [App Store](https://apps.apple.com/us/app/macos-catalina/id1466841314) * macOS Mojave (10.14): [App Store](https://apps.apple.com/us/app/macos-mojave/id1398502828) * macOS High Sierra (10.13): [App Store](https://apps.apple.com/us/app/macos-high-sierra/id1246284741) -* macOS Sierra (10.12): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-39476-20191023-48f365f4-0015-4c41-9f44-39d3d2aca067/InstallOS.dmg) -* OS X El Capitan (10.11): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-41424-20191024-218af9ec-cf50-4516-9011-228c78eda3d2/InstallMacOSX.dmg) -* OS X Yosemite (10.10): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-41343-20191023-02465f92-3ab5-4c92-bfe2-b725447a070d/InstallMacOSX.dmg) +* macOS Sierra (10.12): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-39476-20191023-48f365f4-0015-4c41-9f44-39d3d2aca067/InstallOS.dmg) (HTTP) +* OS X El Capitan (10.11): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-41424-20191024-218af9ec-cf50-4516-9011-228c78eda3d2/InstallMacOSX.dmg) (HTTP) +* OS X Yosemite (10.10): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-41343-20191023-02465f92-3ab5-4c92-bfe2-b725447a070d/InstallMacOSX.dmg) (HTTP) ### Verifying installation integrity From 0edb89f33a415c54c63080273badb9e1666c71c1 Mon Sep 17 00:00:00 2001 From: Unitiser Date: Sun, 1 May 2022 15:42:17 -0400 Subject: [PATCH 141/476] Update README.md --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 78cdfa5e..3e5f32f5 100755 
--- a/README.md +++ b/README.md @@ -112,6 +112,13 @@ The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us An alternative way to install macOS is to first download the latest version of macOS (**Latest: macOS Monterey**) from Apple via the [App Store](https://apps.apple.com/us/app/macos-monterey/id1576738294) and create a custom installable system image. +This can also be done from the Terminal using the commands outlined in [OSXDaily](https://osxdaily.com/2020/04/13/how-download-full-macos-installer-terminal/). + +``` +softwareupdate --list-full-installers +softwareupdate --fetch-full-installer --full-installer-version x.x.x +``` + ### Getting macOS Apple's [documentation](https://support.apple.com/en-us/HT211683) provides details for getting older versions of macOS. From a51612010b5a58e50530290108c624166816b7f5 Mon Sep 17 00:00:00 2001 From: beerisgood Date: Sun, 21 Aug 2022 22:11:34 +0200 Subject: [PATCH 142/476] clearing NVRAM part updated only needed for Intel-based Macs --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3e5f32f5..2f64eb9b 100755 --- a/README.md +++ b/README.md 
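Review bot: in the `@@ -112,6 +112,13 @@` hunk of PATCH 141 the new `softwareupdate` block sits in an untagged fence while the neighbouring transcripts use ```console; tag it the same way and show the `$` prompt for consistency. `--full-installer-version x.x.x` is a placeholder, so say in the sentence that the version string is taken from the `softwareupdate --list-full-installers` output shown on the line above. Also worth one sentence: an installer fetched this way should be checked with the same `pkgutil --check-signature` and `codesign -dvv` steps given under `### Verifying installation integrity`, since this path skips the App Store entirely.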
@@ -379,7 +379,7 @@ Take and Restore from saved guest VM snapshots before and after attempting risky **Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, [late 2016 MacBooks](https://www.ifixit.com/Device/MacBook_Pro_15%22_Late_2016_Touch_Bar) with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/) (also see next section). -On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://support.apple.com/en-us/HT204063). +(Intel-based Mac only) On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://support.apple.com/en-us/HT204063). When macOS first starts, you'll be greeted by **Setup Assistant**. From df5afea4656a31a822cc802098761735b1f15dce Mon Sep 17 00:00:00 2001 From: beerisgood Date: Mon, 22 Aug 2022 12:53:30 +0200 Subject: [PATCH 143/476] outdated "DNS - hosts file" part replaced with DNS profiles using the hosts file for filtering etc. is not a sensible or safe way and causes more problems than it solves. also a long list reduces performance and "thanks" to IPv6 the whole management is too cumbersome and not recommended for normal users --- README.md | 48 +++++++++++++++--------------------------------- 1 file changed, 15 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 2f64eb9b..f85c4f63 100755 --- a/README.md +++ b/README.md 
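Review bot: the `(Intel-based Mac only)` qualifier leaves Apple silicon readers with no instruction for this first-boot step; add what they should do instead, or state explicitly that nothing is needed, so the list does not silently skip them. Stylistically, a qualifier this important reads better as a leading `**Note**`, matching the `**Note** Before setting up macOS...` line two lines above.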
@@ -799,47 +799,29 @@ You may also wish to enable [additional security options](https://github.com/drd ## DNS -#### Hosts file +#### DNS profiles -Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known malware, advertising or otherwise unwanted domains. +Since macOS 11 there is a very simple solution via "DNS configuration profiles" to: +- to be able to use encrypted DNS +- filter malware etc. via DNS +- use of DNSSEC +- easy recovery to default settings -Edit the hosts file as root, for example with `sudo vi /etc/hosts`. The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask). +and all this without having to install a program or make cumbersome lists or settings. -To block a domain by `A` record, append any one of the following lines to `/etc/hosts`: -``` -0 example.com -0.0.0.0 example.com -127.0.0.1 example.com -``` - -**Note** IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](https://someonewhocares.org/hosts/ipv6/). - -There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included. - -Here are some popular and useful hosts lists: +you can use ready-made profiles that can be easily installed via double-click and do not require any further work. 
+Providers of such profiles are e.g:: +- [Quad9](https://support.quad9.net/hc/en-us/articles/4814293189773-Setup-MacOS-and-DNS-over-HTTPS-or-DNS-over-TLS) (Malware filtering only + DNSSEC) +- [AdGuard](https://adguard-dns.io/en/public-dns.html) - see Method #2: Configure AdGuard DNS manually -> macOS (filtering depends on your choice) +- [NextDNS](https://nextdns.io/) (filtering depends on your choice) -* [jmdugan/blocklists](https://github.com/jmdugan/blocklists) -* [l1k/osxparanoia](https://github.com/l1k/osxparanoia/blob/master/hosts) -* [Sinfonietta/hostfiles](https://github.com/Sinfonietta/hostfiles) -* [StevenBlack/hosts](https://github.com/StevenBlack/hosts) -* [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts) +**Note:** all three offer digitally signed profiles, but only Quad9 offers an Apple signed profile. -Append a list of hosts with the `tee` command and confirm only non-routable addresses or comments were added: - -```console -$ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts - -$ wc -l /etc/hosts -65580 - -$ egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::" /etc/hosts | sort | uniq | egrep -e "[1,2]|::" -[No output] -``` +besides the ready-made profiles, you can also assemble [one yourself](https://dns.notjakob.com). +However, these profiles then do not have a signature and this is also criticized by macOS - even if the function of the profile is not affected. -See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/handbook/configtuning-configfiles.html) for more information. -See the [dnsmasq](#dnsmasq) section of this guide for more hosts blocking options. #### dnscrypt From 9902f087353d2be4d47d4ef6ebc41a4f80632cdc Mon Sep 17 00:00:00 2001 
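Review bot: the replacement text tells readers to install third-party DNS profiles by double-clicking but says nothing about checking what a profile configures before installing it; a configuration profile changes the resolver for every application on the system, so add a sentence recommending that the reader confirm the resolver addresses and hostnames the profile sets (an unsigned profile is an XML plist readable in any editor; a signed one shows its payload in the installer dialog) before confirming the install. The prose also needs an edit: `to: - to be able to use` duplicates "to", `e.g::` has a doubled colon, and the sentences starting `you can use`, `besides the ready-made` and `and all this without` are lowercase fragments. Finally, the hunk deletes the `See the [dnsmasq](#dnsmasq) section` cross-reference along with the hosts section; if the dnsmasq section stays, keep a pointer to it from `## DNS`.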
From: halo Date: Thu, 1 Sep 2022 09:28:10 +0200 Subject: [PATCH 144/476] Remove suggestion to remove admin from FileVault There appears to be no good reason to do so. See #408 --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2f64eb9b..fcd76e1c 100755 --- a/README.md +++ b/README.md @@ -420,7 +420,7 @@ Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/ It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. -It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be [removed from FileVault](https://apple.stackexchange.com/a/94373) for additional hardening. +It is not strictly required to ever log into the admin account via the macOS login screen. When a Terminal command requires administrator privileges, the system will prompt for authentication and Terminal then continues using those privileges. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. ### Caveats 
@@ -1429,7 +1429,7 @@ You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat servi The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail). -A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). +A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). Other XMPP clients include [profanity](http://www.profanity.im/) and [agl/xmpp-client](https://github.com/agl/xmpp-client). Another relatively new XMPP chat client is [CoyIM](https://coy.im/), it's focused and security and has built-in support for OTR and Tor. @@ -1499,7 +1499,7 @@ $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 ``` -Alternatively, you can also disable Gatekeeper using the following command: +Alternatively, you can also disable Gatekeeper using the following command: ```sudo spctl --master-disable``` From b9187964f71648a9f0310e69ee8c04046704b788 Mon Sep 17 00:00:00 2001 From: beerisgood Date: Fri, 21 Oct 2022 16:01:32 +0200 Subject: [PATCH 145/476] dead links removed & https version for three links added --- README.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 2f64eb9b..9494be49 100755 --- a/README.md +++ b/README.md 
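Review bot: in the `@@ -420` hunk of PATCH 144 the new sentence `the system will prompt for authentication and Terminal then continues using those privileges` overstates what happens: the elevation applies to the command run through `sudo` (or to the process that requested it), not to Terminal as a whole, so say `the command then runs with those privileges`. The rest of the rewording is an improvement.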
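Review bot: the `@@ -1429` and `@@ -1499` hunks change nothing visible (the Adium sentence and the `Alternatively, you can also disable Gatekeeper` line are identical before and after, so these are trailing-whitespace edits); they are unrelated to the FileVault change described in the commit message, so either mention the whitespace cleanup there or split it into its own commit so `git blame` on those lines stays meaningful.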
@@ -2392,25 +2392,20 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [Auditing and Exploiting Apple IPC](https://googleprojectzero.blogspot.com/2015/09/revisiting-apple-ipc-1-distributed_28.html) * [CIS Benchmarks](https://www.cisecurity.org/benchmark/apple_os/) * [Demystifying the DMG File Format](http://newosxbook.com/DMG.html) -* [Demystifying the i-Device NVMe NAND (New storage used by Apple)](http://ramtin-amin.fr/#nvmepcie) * [Developing Mac OSX kernel rootkits](http://phrack.org/issues/66/16.html#article) -* [DoD Security Technical Implementation Guides for Mac OS](http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx) * [EFF Surveillance Self-Defense Guide](https://ssd.eff.org/) -* [Extracting FileVault 2 Keys with Volatility](https://tribalchicken.com.au/security/extracting-filevault-2-keys-with-volatility/) -* [Fuzzing the macOS WindowServer for Exploitable Vulnerabilities](http://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/) +* [Fuzzing the macOS WindowServer for Exploitable Vulnerabilities](https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/) * [Hacker News discussion 2](https://news.ycombinator.com/item?id=13023823) * [Hacker News discussion](https://news.ycombinator.com/item?id=10148077) -* [Harden the World: Mac OSX 10.11 El Capitan](http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/) +* [Harden the World: Mac OSX 10.11 El Capitan](https://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/) * [Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/) * [How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch) -* [How to make macOS Spotlight fuck the fuck off and do your bidding](https://m4.rkw.io/blog/how-to-make-macos-spotlight-fuck-the-fuck-off-and-do-your-bidding.html) * [IOKit kernel code execution exploit](https://code.google.com/p/google-security-research/issues/detail?id=135) * [IPv6 Hardening Guide for OS 
X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) * [Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) * [Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf) * [Mac OS X Forensics - Technical Report](https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-8.pdf) (pdf) * [Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) -* [MacAdmins on Slack](https://macadmins.herokuapp.com/) * [MacOS Hardening Guide - Appendix of \*OS Internals: Volume III - Security & Insecurity Internals](http://newosxbook.com/files/moxii3/AppendixA.pdf) (pdf) * [Managing Macs at Google Scale (LISA '13)](https://www.usenix.org/conference/lisa13/managing-macs-google-scale) * [OS X 10.10 Yosemite: The Ars Technica Review](https://arstechnica.com/apple/2014/10/os-x-10-10/) 
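Review bot: five references are deleted in the `@@ -2392` hunk because their links died, but the same patch's `@@ -2422` hunk shows the better pattern for `The EFI boot process`: swap the dead URL for a `web.archive.org` snapshot and keep the reference. The FileVault/Volatility, DoD STIG and NVMe items are still useful reading and may well have archived copies. Also, since this commit adds `https://` for three links, the remaining `http://` entries in the same hunk (`Demystifying the DMG File Format`, `Developing Mac OSX kernel rootkits`, `IPv6 Hardening Guide for OS X`) could be checked for an HTTPS version at the same time.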
@@ -2422,8 +2417,7 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [Remote code execution, git, and OS X](https://rachelbythebay.com/w/2016/04/17/unprotected/) * [Reverse Engineering Mac OS X blog](https://reverse.put.as/) * [Reverse Engineering Resources](http://samdmarshall.com/re.html) -* [Security Configuration For Mac OS X Version 10.6 Snow Leopard](https://www.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf) (pdf) -* [The EFI boot process](http://web.archive.org/web/20160508052211/http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) +* [The EFI boot process](https://web.archive.org/web/20160508052211/http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) * [The Great DOM Fuzz-off of 2017](https://googleprojectzero.blogspot.be/2017/09/the-great-dom-fuzz-off-of-2017.html) * [The Intel Mac boot process](http://refit.sourceforge.net/info/boot_process.html) * [The macOS Phishing Easy Button: AppleScript Dangers](https://duo.com/blog/the-macos-phishing-easy-button-applescript-dangers) From 34d263afde9a2b4ec7f9170ba4d8a22e217d297c Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Mon, 26 Dec 2022 12:39:56 -0600 Subject: [PATCH 146/476] added BusKill Laptop Kill Cord as defence against physical attacks --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fcd76e1c..10b99dd8 100755 --- a/README.md +++ b/README.md 
@@ -1943,7 +1943,7 @@ Keep your Mac physically secure at all times. Don't leave it unattended in publi A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password, for example - see [Thunderstrike](https://trmm.net/Thunderstrike). -A helpful tool is [usbkill](https://github.com/hephaest0s/usbkill), which is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer. +To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [usbkill](https://github.com/hephaest0s/usbkill). Both respond to USB events and can immediately shutdown your computer if your device is physically separated from you. Consider purchasing a [privacy filter](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook) for your screen to thwart shoulder surfers. From 0277e613fd3f4241e95d6a903f5f499bda740b4d Mon Sep 17 00:00:00 2001 From: John Wyles <16948+johnwyles@users.noreply.github.com> Date: Wed, 19 Apr 2023 22:24:27 +0000 Subject: [PATCH 147/476] Update README.md for macOS Ventura --- README.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index f4897cda..f540b31a 100755 --- a/README.md +++ b/README.md 
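Review bot: `can immediately shutdown your computer` should be `shut down` (verb). More substantively, the sentence should state the precondition that makes a kill cord useful: powering off only protects data if the disk is encrypted (FileVault, covered earlier in this guide), because an unencrypted volume is readable the moment the thief boots the machine; a clause such as `assuming FileVault is enabled` would do.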
@@ -110,19 +110,21 @@ The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us *Packet capture of an unencrypted HTTP conversation during macOS recovery* -An alternative way to install macOS is to first download the latest version of macOS (**Latest: macOS Monterey**) from Apple via the [App Store](https://apps.apple.com/us/app/macos-monterey/id1576738294) and create a custom installable system image. +An alternative way to install macOS is to first download the latest version of macOS (**Latest: macOS Ventura**) from Apple via the [App Store](https://apps.apple.com/us/app/macos-ventura/id1638787999) and create a custom installable system image. This can also be done from the Terminal using the commands outlined in [OSXDaily](https://osxdaily.com/2020/04/13/how-download-full-macos-installer-terminal/). ``` softwareupdate --list-full-installers -softwareupdate --fetch-full-installer --full-installer-version x.x.x +# latest is 13.3.1 +softwareupdate -d --fetch-full-installer --full-installer-version 13.3.1 ``` ### Getting macOS Apple's [documentation](https://support.apple.com/en-us/HT211683) provides details for getting older versions of macOS. +* macOS Ventura (13): [App Store](https://apps.apple.com/us/app/macos-ventura/id1638787999) * macOS Monterey (12): [App Store](https://apps.apple.com/us/app/macos-monterey/id1576738294) * macOS Big Sur (11): [App Store](https://apps.apple.com/us/app/macos-big-sur/id1526878132) * macOS Catalina (10.15): [App Store](https://apps.apple.com/us/app/macos-catalina/id1466841314) 
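Review bot: the comment `# latest is 13.3.1` and the hard-coded `--full-installer-version 13.3.1` will be stale the next time Apple ships an update, and the fence is still untagged unlike the ```console blocks elsewhere in the file; prefer telling the reader to take the version string from the `softwareupdate --list-full-installers` output (the first command in the block) and keep a placeholder, or accept that this line needs editing on every release. The added `-d` flag is not explained in the accompanying sentence; say what it does, otherwise readers will drop it.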
@@ -139,8 +141,8 @@ The macOS installation application is [code signed](https://developer.apple.com/ To verify the code signature and integrity of macOS application bundles: ```console -$ pkgutil --check-signature /Applications/Install\ macOS\ Monterey.app -Package "Install macOS Monterey": +$ pkgutil --check-signature /Applications/Install\ macOS\ Ventura.app +Package "Install macOS Ventura": Status: signed by a certificate trusted by macOS Certificate Chain: 1. Software Signing @@ -165,17 +167,17 @@ Package "Install macOS Monterey": Use the `codesign` command to examine an application's code signature: ```console -$ codesign -dvv /Applications/Install\ macOS\ Monterey.app -Executable=/Applications/Install macOS Monterey.app/Contents/MacOS/InstallAssistant_springboard -Identifier=com.apple.InstallAssistant.macOSMonterey +$ codesign -dvv /Applications/Install\ macOS\ Ventura.app +Executable=/Applications/Install macOS Ventura.app/Contents/MacOS/InstallAssistant_springboard +Identifier=com.apple.InstallAssistant.macOSVentura Format=app bundle with Mach-O universal (x86_64 arm64) -CodeDirectory v=20400 size=641 flags=0x2000(library-validation) hashes=13+3 location=embedded -Platform identifier=13 +CodeDirectory v=20400 size=640 flags=0x2000(library-validation) hashes=13+3 location=embedded +Platform identifier=14 Signature size=4523 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA -Signed Time=Dec 1, 2021 at 1:10:31 AM +Signed Time=Mar 22, 2023 at 16:09:45 Info.plist entries=32 TeamIdentifier=not set Sealed Resources version=2 rules=2 files=0 @@ -196,7 +198,7 @@ $ diskutil unmountDisk /dev/disk2 $ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100% -$ cd /Applications/Install\ macOS\ Monterey.app +$ cd /Applications/Install\ macOS\ Ventura.app $ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction Erasing disk: 0%... 10%... 20%... 30%... 100% 
From 730d81128635c20238c862c70ff7509030160504 Mon Sep 17 00:00:00 2001 From: Mike McQuaid Date: Tue, 4 Jul 2023 14:19:08 +0100 Subject: [PATCH 148/476] README: various Homebrew tweaks. --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f4897cda..3222fe11 100755 --- a/README.md +++ b/README.md 
@@ -787,11 +787,11 @@ $ mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | ta Edit `PATH` in your shell or shell rc file to use `~/homebrew/bin` and `~/homebrew/sbin`. For example, `echo 'PATH=$PATH:~/homebrew/sbin:~/homebrew/bin' >> .zshrc`, then change your login shell to Z shell with `chsh -s /bin/zsh`, open a new Terminal window and run `brew update`. -Homebrew uses SSL/TLS to talk with GitHub and verifies integrity of downloaded packages, so it's [fairly secure](https://github.com/Homebrew/homebrew/issues/18036). +Homebrew uses SSL/TLS to talk with GitHub and verifies integrity of downloaded packages, so it's [fairly secure](https://brew.sh/2022/05/17/homebrew-security-audit/). -Remember to periodically run `brew update` and `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its recipe online. +Remember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its formula online. -According to [Homebrew's Anonymous Aggregate User Behaviour Analytics](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md), Homebrew gathers anonymous aggregate user behaviour analytics and reporting these to Google Analytics. +According to [Homebrew's Anonymous Analytics](https://docs.brew.sh/Analytics), Homebrew gathers anonymous analytics and reports these to a self-hosted InfluxDB instance. To opt out of Homebrew's analytics, you can set `export HOMEBREW_NO_ANALYTICS=1` in your environment or shell rc file, or use `brew analytics off`. From 5c0383dc1cbcd5c262803b9080722aca8dfd657b Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 13 Aug 2023 13:37:09 -0700 Subject: [PATCH 149/476] Update URL to fix #427 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
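Review bot: `run \`brew info \` and check its formula online` has an empty trailing space where the package-name argument belongs, most likely an angle-bracket placeholder swallowed by Markdown; write it as `brew info <formula>` inside backticks (or escape the brackets) so the argument survives rendering. Dropping `brew update` from the periodic-maintenance sentence is fine only if `brew upgrade` performs the update step itself; add the half-sentence that says so, since the old text told readers to run both.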
diff --git a/README.md b/README.md index c36e8d22..c96104df 100755 --- a/README.md +++ b/README.md @@ -759,7 +759,7 @@ Persistent login items may also exist in these directories: * `~/Library/LaunchAgents` * `~/Library/Preferences/com.apple.loginitems.plist` -See [Mac OSX Startup](http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf) for more information. +See [Mac OSX Startup](https://web.archive.org/web/20200415041603/http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf) for more information. ## Spotlight Suggestions From da88db1a60596f4d8156c75e8faede5de9de6ce2 Mon Sep 17 00:00:00 2001 From: beerisgood Date: Fri, 18 Aug 2023 15:17:44 +0200 Subject: [PATCH 150/476] original hosts part re-added (for now) --- README.md | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f85c4f63..01234661 100755 --- a/README.md +++ b/README.md @@ -809,7 +809,6 @@ Since macOS 11 there is a very simple solution via "DNS configuration profiles" and all this without having to install a program or make cumbersome lists or settings. - you can use ready-made profiles that can be easily installed via double-click and do not require any further work. Providers of such profiles are e.g:: - [Quad9](https://support.quad9.net/hc/en-us/articles/4814293189773-Setup-MacOS-and-DNS-over-HTTPS-or-DNS-over-TLS) (Malware filtering only + DNSSEC) 
@@ -822,6 +821,47 @@ besides the ready-made profiles, you can also assemble [one yourself](https://dn However, these profiles then do not have a signature and this is also criticized by macOS - even if the function of the profile is not affected. +#### Hosts file + + Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known malware, advertising or otherwise unwanted domains. + + Edit the hosts file as root, for example with `sudo vi /etc/hosts`. The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask). + + To block a domain by `A` record, append any one of the following lines to `/etc/hosts`: + + ``` + 0 example.com + 0.0.0.0 example.com + 127.0.0.1 example.com + ``` + + **Note** IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](https://someonewhocares.org/hosts/ipv6/). + + There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included. 
+ + Here are some popular and useful hosts lists: + + * [jmdugan/blocklists](https://github.com/jmdugan/blocklists) + * [l1k/osxparanoia](https://github.com/l1k/osxparanoia/blob/master/hosts) + * [Sinfonietta/hostfiles](https://github.com/Sinfonietta/hostfiles) + * [StevenBlack/hosts](https://github.com/StevenBlack/hosts) + * [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts) + + Append a list of hosts with the `tee` command and confirm only non-routable addresses or comments were added: + + ```console + $ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts + + $ wc -l /etc/hosts + 65580 + + $ egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::" /etc/hosts | sort | uniq | egrep -e "[1,2]|::" + [No output] + ``` + + See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/handbook/configtuning-configfiles.html) for more information. + + See the [dnsmasq](#dnsmasq) section of this guide for more hosts blocking options. #### dnscrypt From 6933c624b1c571c15461961ee7bed6fed16bd40a Mon Sep 17 00:00:00 2001 From: Lennart Haack Date: Wed, 27 Sep 2023 08:07:24 +0200 Subject: [PATCH 151/476] Update README.md Added swiftGuard to category 'Physical access'. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c96104df..9280d38c 100755 --- a/README.md +++ b/README.md 
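Review bot: every re-added line in the `@@ -822` hunk carries a leading space (` Use the [hosts file]...`, ` ```console`, ` * [jmdugan/blocklists]`), which the rest of README.md does not; strip it so the fence and list items render identically to the original section and so the diff against the earlier version stays minimal. On the content itself: the `curl ... | sudo tee -a /etc/hosts` line appends an unreviewed download straight into `/etc/hosts` and only afterwards runs the `egrep` sanity check; reorder to download to a temporary file, run the check on that file, and append only if the check is clean, so a bad list never reaches the live hosts file.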
@@ -1945,7 +1945,7 @@ Keep your Mac physically secure at all times. Don't leave it unattended in publi A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password, for example - see [Thunderstrike](https://trmm.net/Thunderstrike). -To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [usbkill](https://github.com/hephaest0s/usbkill). Both respond to USB events and can immediately shutdown your computer if your device is physically separated from you. +To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app), [usbkill](https://github.com/hephaest0s/usbkill) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. Consider purchasing a [privacy filter](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook) for your screen to thwart shoulder surfers. From 12d6b51335847d86d8807a4c898e1002028abbd3 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 5 Dec 2023 15:50:47 -0600 Subject: [PATCH 152/476] Remove dead links --- README.md | 67 ++++++++++++++++++++----------------------------------- 1 file changed, 24 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 0e583b87..7feea763 100755 --- a/README.md +++ b/README.md 
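Review bot: `immediately shutdown your computer` should read `shut down` (verb), a pre-existing typo this rewrite keeps. The new clause `or an unauthorized device is connected` broadens the sentence beyond its stated purpose (`To protect against physical theft during use`); widen the lead-in to cover rogue USB devices as well, so the purpose and the behaviour described agree.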
@@ -222,9 +222,7 @@ To create a **custom install image** which can be [restored](https://en.wikipedi Find `InstallESD.dmg` which is inside the installation application. Locate it in Terminal or with Finder, right click on the application bundle, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg` -[Verify](https://support.apple.com/en-us/HT201259) file integrity by comparing its SHA-256 hash with others found in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) or [notpeter/apple-installer-checksums](https://github.com/notpeter/apple-installer-checksums). - -To determine which macOS versions and builds originally shipped with or are available for a Mac, see [HT204319](https://support.apple.com/en-us/HT204319). +Verify file integrity by comparing its SHA-256 hash with others found in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) or [notpeter/apple-installer-checksums](https://github.com/notpeter/apple-installer-checksums). ```console $ shasum -a 256 InstallESD.dmg 
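Review bot: dropping the Apple reference here and restoring a different one later in the same series (PATCH 154 adds support.apple.com/en-us/102130) is churn; make the replacement in this hunk instead of deleting and re-adding. The removed HT204319 sentence was also the only place the guide told readers how to determine which builds are valid for their Mac; when a link dies, keep the guidance and update the target rather than deleting the sentence, since the hash lists that remain cannot tell a reader whether a given build is appropriate for their hardware.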
@@ -379,7 +377,7 @@ Take and Restore from saved guest VM snapshots before and after attempting risky ## First boot -**Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, [late 2016 MacBooks](https://www.ifixit.com/Device/MacBook_Pro_15%22_Late_2016_Touch_Bar) with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/) (also see next section). +**Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, late 2016 MacBooks with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/) (also see next section). (Intel-based Mac only) On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://support.apple.com/en-us/HT204063). @@ -387,7 +385,7 @@ When macOS first starts, you'll be greeted by **Setup Assistant**. When creating the first account, use a [strong password](https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) without a hint. -If you enter your real name at the account setup process, be aware that your [computer's name and local hostname](https://support.apple.com/kb/PH18720) will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. +If you enter your real name at the account setup process, be aware that your computer's name and local hostname will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. Both should be verified and updated as needed in **System Preferences > Sharing** or with the following commands after installation: 
@@ -475,7 +473,7 @@ Enable FileVault with `sudo fdesetup enable` or through **System Preferences** > If you can remember the password, there's no reason to save the **recovery key**. However, all encrypted data will be lost forever if without either the password or recovery key. -To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see [IEEE Std 1619-2007: The XTS-AES Tweakable Block Cipher](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) (pdf). +To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see IEEE Std 1619-2007: The XTS-AES Tweakable Block Cipher. **Optional** Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory: @@ -497,8 +495,7 @@ $ sudo pmset -a standbydelay 0 $ sudo pmset -a autopoweroff 0 ``` -For more information, see [Best Practices for -Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) and paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) +For more information, see paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) **Note** APFS may make evicting FileVault keys redundant - see discussion and links in [issue #283](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/283). 
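Review bot: the second hunk deletes the Apple "Best Practices for Deploying FileVault 2" paper, which was the Apple-side source for the `pmset` hibernation and key-eviction settings shown in the context lines; with it gone only the cold-boot paper remains and readers have no vendor justification for those settings. If the PDF is unreachable, replace it with a Wayback Machine link or a sentence saying the settings follow Apple's FileVault 2 deployment guidance rather than removing the reference. The first hunk turns IEEE Std 1619-2007 into plain text, which is still a valid citation (a later commit in this series deletes it entirely; see that hunk). While this paragraph is touched, the retained context "lost forever if without either the password or recovery key" has a stray "if".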
@@ -506,7 +503,7 @@ Deploying FileVault 2](https://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) a Setting a firmware password prevents a Mac from starting up from any device other than the startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. See [How to set a firmware password on your Mac](https://support.apple.com/en-au/HT204455) for official documentation. -This feature [can be helpful if your laptop is lost or stolen](https://www.ftc.gov/news-events/blogs/techftc/2015/08/virtues-strong-enduser-device-controls), protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as [pcileech](https://github.com/ufrisk/pcileech), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer. +This feature can be helpful if your laptop is lost or stolen, protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as [pcileech](https://github.com/ufrisk/pcileech), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer. 1. Start up pressing `Command` and `R` keys to boot to [Recovery Mode](https://support.apple.com/en-au/HT201314) mode. 1. When the Recovery window appears, choose **Firmware Password Utility** from the Utilities menu. 
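Review bot: the firmware password described in this hunk exists only on Intel-based Macs (Apple silicon Macs replace it with Secure Boot policy set from Recovery), yet the paragraph carries no platform qualifier while the NVRAM-reset step earlier in this same patch is marked "(Intel-based Mac only)"; add the same qualifier here. On T2-equipped Intel Macs the tool is "Startup Security Utility" rather than "Firmware Password Utility", which the numbered steps should mention. The sentence is also a run-on after the FTC link was removed: "This feature can be helpful if your laptop is lost or stolen, protects against Direct Memory Access (DMA) attacks ..." needs "and" before "protects" or should be split into two sentences.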
@@ -594,7 +591,7 @@ $ sudo pkill -HUP socketfilterfw ### Third party firewalls -Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](https://radiosilenceapp.com/), [LuLu](https://objective-see.com/products/lulu.html) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. +Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Radio Silence](https://radiosilenceapp.com/), [LuLu](https://objective-see.com/products/lulu.html) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [kernel extension](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html). 
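Review bot: removing Hands Off is fine, but the retained context line "they may require the use of a closed source kernel extension" is stale for the tools that remain: current Little Snitch and LuLu releases use Apple's Network Extension content-filter framework instead of a kext, and third-party kexts are not loadable by default on Apple silicon. Since this paragraph is being edited anyway, update the caveat to say these tools run as system extensions with a network filter entitlement (still closed source in Little Snitch's case), or drop the kext sentence.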
@@ -698,7 +695,7 @@ To use pf to audit "phone home" behavior of user and system-level processes, see **Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or disable services from Recovery Mode. See [Issue 334](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/334) for more information. -See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) and [karek314/macOS-home-call-drop](https://github.com/karek314/macOS-home-call-drop) for further recommendations. +See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) for further recommendations. Services on macOS are managed by **launchd**. See [launchd.info](http://launchd.info/), as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html) @@ -773,8 +770,6 @@ See [fix-macosx.com](https://web.archive.org/web/20180817061520/https://fix-maco **Note** This Web site and instructions may no longer work on macOS Sierra - see [issue 164](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/164). -For comparison to Windows 10, see - ## Homebrew Consider using [Homebrew](https://brew.sh/) to make software installations easier and to update userland tools (see [Apple's great GPL purge](http://meta.ath0.com/2012/02/05/apples-great-gpl-purge/)). 
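Review bot: after removing karek314/macOS-home-call-drop, the first hunk's sentence reads "See [fix-macosx/yosemite-phone-home], [l1k/osxparanoia] for further recommendations." with no conjunction; it should be "... and [l1k/osxparanoia] ...". The second hunk's deletion of the dangling "For comparison to Windows 10, see" fragment is correct.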
@@ -913,7 +908,7 @@ and under the "nobody" user using the resolvers specified in https://raw.githubu This can be accomplished by editing `/usr/local/etc/dnscrypt-proxy.toml` as described above. -You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper) (see also [drduh/Debian-Privacy-Server-Guide#dnscrypt](https://github.com/drduh/Debian-Privacy-Server-Guide#dnscrypt)) from a trusted location or use one of many [public servers](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv) instead. +You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper) (see also [drduh/Debian-Privacy-Server-Guide#dnscrypt](https://github.com/drduh/Debian-Privacy-Server-Guide#dnscrypt)) from a trusted location or use one of many public servers instead. Confirm outgoing DNS traffic is encrypted: @@ -926,7 +921,7 @@ $ dig +short -x 128.180.155.106.49321 d0wn-us-ns4 ``` -dnscrypt-proxy also has the capability to blacklist domains, including the use of wild-cards. See the [Sample configuration file for dnscrypt-proxy](https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-proxy.conf) for the options. +dnscrypt-proxy also has the capability to blacklist domains, including the use of wild-cards. **Note** Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules: 
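Review bot: the removed links pointed at dnscrypt-proxy 1.x artifacts (`dnscrypt-resolvers.csv` and `dnscrypt-proxy.conf`) while the surrounding text configures 2.x through `/usr/local/etc/dnscrypt-proxy.toml`, so deleting them is right, but the remaining "public servers" and "blacklist domains, including the use of wild-cards" sentences now give the reader nowhere to look. Point both at the TOML file the section already references, where resolver selection and name blocking are configured, so the capability claim stays actionable instead of becoming an unsupported assertion.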
@@ -935,7 +930,7 @@ block drop quick on !lo0 proto udp from any to any port = 53 block drop quick on !lo0 proto tcp from any to any port = 53 ``` -See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html), the [mDNSResponder manual page](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/mDNSResponder.8.html) and [ipv6-test.com](http://ipv6-test.com/). +See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html) and [ipv6-test.com](http://ipv6-test.com/). #### Dnsmasq @@ -1124,16 +1119,6 @@ $ scutil --proxy } ``` -Visit in a browser, or with Curl: - -```console -$ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/ -HTTP/1.1 200 OK -Content-Length: 2401 -Content-Type: text/html -Cache-Control: no-cache -``` - Privoxy already comes with many good rules, however you can also write your own. Download [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) to get started: 
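Review bot: the second hunk deletes the `curl -I http://p.p/` block, which is the only step that verifies traffic is actually routed through Privoxy, and `http://p.p/` is not a dead external link: it is Privoxy's built-in status page, answered by the local proxy, so it should stay (PATCH 153 later in this series restores it). In the first hunk, dropping the mDNSResponder man page is fine, but the pf rules in the context block only cover port 53; applications using DNS-over-HTTPS or DNS-over-TLS (443/853) are not caught by them, which the adjacent "Applications and programs may resolve DNS using their own provided servers" note should say.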
@@ -1182,11 +1167,11 @@ Another important consideration about Web Browser security is Web Extensions. We Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. -Firefox supports user-supplied configuration files. See [drduh/config/user.js](https://github.com/drduh/config/blob/master/user.js), [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows whitelist-based, pre-emptive script blocking. +Firefox supports user-supplied configuration files. See [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows whitelist-based, pre-emptive script blocking. Firefox is focused on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers), similar to Chrome profiles. 
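Review bot: the removed drduh/config/user.js link is in the project author's own config repository, which this guide still links elsewhere (the privoxy config in the same repo, a few hunks earlier in this patch), so check whether the file moved before deleting the reference. The kept ghacksuserjs/ghacks-user.js link now resolves only via a GitHub redirect to arkenfox/user.js, the project's current name; update it while here. The Containers link to testpilot.firefox.com in the context lines is a Test Pilot address, a program Mozilla has ended, so it is the more likely dead link in this paragraph.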
-Previous versions of Firefox used a [Web Extension SDK](https://developer.mozilla.org/en-US/Add-ons/Legacy_add_ons) that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. You can find more information about vulnerabilities introduced by Firefox's legacy extensions in this [paper](https://www.exploit-db.com/docs/24541.pdf) (pdf). Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. +Previous versions of Firefox used a Web Extension SDK that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. 
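Review bot: with the exploit-db paper removed, the claim that legacy extensions "introduced a number of vulnerabilities in Firefox that greatly affected its users" is unsourced; either keep a citation or narrow the sentence to the documented fact that legacy (XUL/XPCOM) add-ons ran with full browser privileges and were replaced by the WebExtensions API in Firefox 57. The MDN Legacy_add_ons URL was an archived-docs page, so a Wayback Machine link would preserve the reference rather than dropping it.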
@@ -1399,7 +1384,7 @@ This can be done by setting up your own [Tor relay](https://www.torproject.org/d For extra security, use Tor inside a [VirtualBox](https://www.virtualbox.org/wiki/Downloads) or [VMware](https://www.vmware.com/products/fusion) virtualized [GNU/Linux](http://www.brianlinkletter.com/installing-debian-linux-in-a-virtualbox-virtual-machine/) or [BSD](https://www.openbsd.org/faq/faq4.html) machine. -Finally, remember the Tor network provides [anonymity](https://www.privateinternetaccess.com/blog/2013/10/how-does-privacy-differ-from-anonymity-and-why-are-both-important/), which is not necessarily synonymous with privacy. The Tor network does not guarantee protection against a global observer capable of traffic analysis and [correlation](https://blog.torproject.org/category/tags/traffic-correlation). See also [Seeking Anonymity in an Internet Panopticon](http://bford.info/pub/net/panopticon-cacm.pdf) (pdf) and [Traffic Correlation on Tor by Realistic Adversaries](http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf) (pdf). +Finally, remember the Tor network provides [anonymity](https://www.privateinternetaccess.com/blog/2013/10/how-does-privacy-differ-from-anonymity-and-why-are-both-important/), which is not necessarily synonymous with privacy. The Tor network does not guarantee protection against a global observer capable of traffic analysis and correlation. See also [Seeking Anonymity in an Internet Panopticon](http://bford.info/pub/net/panopticon-cacm.pdf) (pdf) and [Traffic Correlation on Tor by Realistic Adversaries](http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf) (pdf). Also see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) and its [Tor comparison](https://geti2p.net/en/comparison/tor). 
@@ -1455,7 +1440,7 @@ The first time you start a conversation with someone new, you'll be asked to ver A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). -Other XMPP clients include [profanity](http://www.profanity.im/) and [agl/xmpp-client](https://github.com/agl/xmpp-client). Another relatively new XMPP chat client is [CoyIM](https://coy.im/), it's focused and security and has built-in support for OTR and Tor. +Other XMPP clients include [agl/xmpp-client](https://github.com/agl/xmpp-client) and [CoyIM](https://coy.im/), which is focused on security and has built-in support for OTR and Tor. If you want to know how OTR works, read the paper [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf) (pdf) 
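Review bot: profanity is still an actively maintained client (its repository is profanity-im/profanity on GitHub), so it should only be dropped if the `http://www.profanity.im/` URL is confirmed dead, in which case re-point the link rather than removing the client. The retained Adium link in the context line, by contrast, is to a client without a release in years, which is the more useful caveat for readers choosing an OTR client.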
@@ -1467,7 +1452,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -You could periodically run a tool like [Knock Knock](https://github.com/synack/knockknock) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). +Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). **Anti-virus** programs are a double-edged sword -- not so useful for **advanced** users and will likely increase attack surface against sophisticated threats; however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider when using "active" scanning features. 
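Review bot: deleting the KnockKnock sentence removes the guide's only recommendation to periodically enumerate persistence locations, which is the detection counterpart to the BlockBlock prevention advice that remains; the synack/knockknock repository was superseded by Objective-See's KnockKnock, so the fix is to update the link (PATCH 156 later in this series does exactly that) rather than drop the advice.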
@@ -1503,7 +1488,7 @@ Some MacBook hardware has shipped with [SIP disabled](https://appleinsider.com/a Both offer trivial protection against common risks and are fine at default settings. -See also [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafemac.com/mmg-builtin/) and [Gatekeeper, XProtect and the Quarantine attribute](https://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html). +See also [Gatekeeper, XProtect and the Quarantine attribute](https://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html). **Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. To examine the file, simply use `strings` or the following command: @@ -1513,9 +1498,7 @@ $ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQua sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 ``` -See [here](https://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/) for more information. - -To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and [make it immutable](http://hints.macworld.com/article.php?story=20031017061722471): +To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and make it immutable: ```console $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 
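Review bot: the second hunk keeps "To permanently disable this feature", but clearing and making `QuarantineEventsV2` immutable only disables the download-history log; the `com.apple.quarantine` extended attribute on downloaded files and Gatekeeper's checks are unaffected, and the sentence should say so to avoid readers believing they have turned quarantine off. "make it immutable" also lost its link and the command is not visible in this hunk, so the step is underspecified; on macOS the immutable flag is set with `chflags uchg` (or `schg` for the system-immutable flag, which needs root).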
@@ -1817,15 +1800,15 @@ J%MMDbAgGdP}zrSQO!3mrP3$w!.[Ng_xx-_[C<3g You can also generate passwords, even memorable ones, using **Keychain Access** password assistant, or a command line equivalent like [anders/pwgen](https://github.com/anders/pwgen). -Keychains are encrypted with a [PBKDF2 derived key](https://en.wikipedia.org/wiki/PBKDF2) and are a _pretty safe_ place to store credentials. See also [Breaking into the OS X keychain](http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain). Also be aware that Keychain [does not encrypt](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/118) the names corresponding to password entries. +Keychains are encrypted with a [PBKDF2 derived key](https://en.wikipedia.org/wiki/PBKDF2) and are a _pretty safe_ place to store credentials. Also be aware that Keychain [does not encrypt](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/118) the names corresponding to password entries. Alternatively, you can manage an encrypted passwords file yourself with GnuPG (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh) for example). In addition to passwords, ensure eligible online accounts, such as GitHub, Google accounts, banking, have [two factor authentication](https://en.wikipedia.org/wiki/Two-factor_authentication) enabled. -[Yubikey](https://www.yubico.com/products/yubikey-hardware/) offers affordable hardware tokens. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example). +[Yubikey](https://www.yubico.com/products/) offers affordable hardware tokens. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). 
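Review bot: in the keychain paragraph, removing "Breaking into the OS X keychain" leaves the "_pretty safe_" qualifier unexplained; the point that post supported, that login-keychain items are protected by the login password and are therefore only as strong as it (plus the unencrypted item names noted in issue #118), is worth one sentence. In the YubiKey hunk, changing the link from /products/yubikey-hardware/ to /products/ is a silent scope change, and the moved sentence "One of two Yubikey's slots" should read "One of the YubiKey's two OTP slots" so readers do not confuse the OTP slots with the FIDO, PIV and OpenPGP applets.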
One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example). -In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). Yubikey are a bit pricey, there is cheaper alternative, but not as capable, [U2F Zero](https://www.u2fzero.com/). Here is a great guide to [set it up](https://microamps.gibsjose.com/u2f-authentication-on-os-x/) +In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). Yubikey are a bit pricey, there is cheaper alternative, but not as capable, [U2F Zero](https://www.u2fzero.com/). ## Backup @@ -1996,7 +1979,7 @@ See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/20 ### DTrace -**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) [interferes](https://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. +**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) interferes with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. * `iosnoop` monitors disk I/O * `opensnoop` monitors file opens 
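Review bot: the first hunk keeps recommending U2F Zero after deleting its only setup guide, but U2F Zero has been discontinued (its author's follow-on project is SoloKeys), so the sentence now points readers to a product they cannot buy; drop the recommendation or replace it with a current FIDO2 key. The 2016 Yubico login PDF that remains predates the pam_u2f module Yubico ships today (Homebrew formula pam-u2f), which is the supported way to gate login and sudo. In the DTrace hunk, the removed internals.exposed link explained why SIP interferes; the bare claim "not possible ... without disabling SIP" overstates it slightly, since `dtrace` still runs with SIP on and prints "system integrity protection is on, some features will not be available", failing only for probes into protected processes.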
@@ -2361,9 +2344,9 @@ $ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulti [Disable Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) and Bluetooth features, if they aren't necessary. -Consider [sandboxing](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html) your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles). +Consider sandboxing your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles). -Did you know Apple has not shipped a computer with TPM since [2006](http://osxbook.com/book/bonus/chapter10/tpm/)? +Did you know Apple has not shipped a computer with TPM since 2006? macOS comes with this line in `/etc/sudoers`: 
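Review bot: the TPM sentence, now stripped of its 2006 citation, is misleading for current hardware: T2-equipped Intel Macs and all Apple silicon Macs include a Secure Enclave that provides the hardware-rooted key storage and secure boot readers expect from a TPM, even though it is not a TPM; qualify the sentence as historical (pre-T2 Intel Macs) or rewrite it around the Secure Enclave. In the sandbox hunk, dropping the sandbox-exec man page leaves the command unnamed; `sandbox-exec` is still present on current macOS (deprecated by Apple, but functional), so naming it keeps the advice actionable.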
@@ -2397,7 +2380,6 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. * [Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - Scan for applications that are either susceptible to dylib hijacking or have been hijacked. -* [F-Secure XFENCE](https://campaigns.f-secure.com/xfence/) (formerly [Little Flocker](https://github.com/drduh/macOS-Security-and-Privacy-Guide/pull/237)) - "Little Snitch for files"; prevents applications from accessing files. * [Lockdown](https://objective-see.com/products/lockdown.html) - Audits and remediates security configuration settings. * [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). * [facebook/osquery](https://github.com/facebook/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. 
@@ -2428,7 +2410,6 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) * [Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) * [Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf) -* [Mac OS X Forensics - Technical Report](https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-8.pdf) (pdf) * [Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) * [MacOS Hardening Guide - Appendix of \*OS Internals: Volume III - Security & Insecurity Internals](http://newosxbook.com/files/moxii3/AppendixA.pdf) (pdf) * [Managing Macs at Google Scale (LISA '13)](https://www.usenix.org/conference/lisa13/managing-macs-google-scale) From 78415ca1249474f255e7acf63d3e64fb8f78edda Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 5 Dec 2023 15:59:27 -0600 Subject: [PATCH 153/476] fix --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 7feea763..2fc02ddb 100755 --- a/README.md +++ b/README.md @@ -1119,6 +1119,16 @@ $ scutil --proxy } ``` +Visit in a browser, or with Curl: + +```console +$ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/ +HTTP/1.1 200 OK +Content-Length: 2401 +Content-Type: text/html +Cache-Control: no-cache +``` + Privoxy already comes with many good rules, however you can also write your own. Download [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) to get started: From cfb118deacd174b42eab59bb46cadd73b38a78f9 Mon Sep 17 00:00:00 2001 
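Review bot: restoring the `curl -I http://p.p/` block in the PATCH 153 hunk is correct, since `p.p` is Privoxy's own status page rather than an external link; `ALL_PROXY=127.0.0.1:8118` without a scheme works only because curl defaults a bare host:port to HTTP proxying, and `http_proxy=http://127.0.0.1:8118` is the unambiguous form. In the references hunk of PATCH 152, removing the RHUL Mac OS X forensics report leaves the craiger-burke HFS+ paper as the only forensics reference; if the RHUL URL merely moved, a Wayback Machine link would keep it.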
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Dec 2023 17:41:57 -0600 Subject: [PATCH 154/476] Add new apple verification link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2fc02ddb..e4acff0e 100755 --- a/README.md +++ b/README.md @@ -222,7 +222,7 @@ To create a **custom install image** which can be [restored](https://en.wikipedi Find `InstallESD.dmg` which is inside the installation application. Locate it in Terminal or with Finder, right click on the application bundle, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg` -Verify file integrity by comparing its SHA-256 hash with others found in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) or [notpeter/apple-installer-checksums](https://github.com/notpeter/apple-installer-checksums). +[Verify](https://support.apple.com/en-us/102130) file integrity by comparing its SHA-256 hash with others found in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) or [notpeter/apple-installer-checksums](https://github.com/notpeter/apple-installer-checksums). ```console $ shasum -a 256 InstallESD.dmg From 12ffa8b69a872ed58cc22cec29570792111254d4 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Dec 2023 17:51:13 -0600 Subject: [PATCH 155/476] remove extra text with no link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e4acff0e..45af4595 100755 --- a/README.md +++ b/README.md 
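Review bot: the restored Apple link is a good replacement for the one deleted earlier in this series, but the sentence still equates matching a hash in a community CSV with verification; those hashes confirm the file matches what another contributor downloaded, not that it came from Apple. Pair the `shasum` step with a signature check on the installer bundle, for example `codesign --verify --deep --strict --verbose=2 "/Applications/Install macOS <name>.app"` (substituting the actual app name), so both integrity and authenticity are covered.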
@@ -473,7 +473,7 @@ Enable FileVault with `sudo fdesetup enable` or through **System Preferences** > If you can remember the password, there's no reason to save the **recovery key**. However, all encrypted data will be lost forever if without either the password or recovery key. -To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). Also see IEEE Std 1619-2007: The XTS-AES Tweakable Block Cipher. +To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). **Optional** Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory: From 285c5e059248707daf5531567b40984304edf844 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Dec 2023 18:03:33 -0600 Subject: [PATCH 156/476] fix knockknock --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 45af4595..0ac3076b 100755 --- a/README.md +++ b/README.md 
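Review bot: deleting the IEEE Std 1619-2007 mention removes the only statement of the cipher mode FileVault uses (XTS-AES), which is exactly what the cited "Infiltrate the Vault" paper analyses; a plain-text standard name is a legitimate citation without a hyperlink, so keep it, or replace it with the IEEE reference or NIST SP 800-38E, which specifies XTS-AES.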
@@ -1462,7 +1462,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). +You could periodically run a tool like [KnockKnock]https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). **Anti-virus** programs are a double-edged sword -- not so useful for **advanced** users and will likely increase attack surface against sophisticated threats; however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider when using "active" scanning features. From b3bc8d8f4bceee388b6a6d9ad68f85506e59286d Mon Sep 17 00:00:00 2001 
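Review bot: the new KnockKnock link in README @@ -1462 (PATCH 156) is malformed Markdown: `[KnockKnock]https://objective-see.org/products/knockknock.html)` is missing the opening parenthesis after `]`, so it renders as literal bracketed text followed by a bare URL and a stray `)`. It should read `[KnockKnock](https://objective-see.com/products/knockknock.html)`; note too that it uses the `objective-see.org` host while the BlockBlock and Ostiarius links in the same paragraph, and the existing KnockKnock link elsewhere in this README, use `objective-see.com`, so pick one host consistently.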
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Dec 2023 18:26:24 -0600 Subject: [PATCH 157/476] remove info for outdated version of macos --- README.md | 49 ------------------------------------------------- 1 file changed, 49 deletions(-) diff --git a/README.md b/README.md index 0ac3076b..8ea869ef 100755 --- a/README.md +++ b/README.md 
@@ -216,55 +216,6 @@ Apple also has [guide](https://support.apple.com/guide/disk-utility/erase-and-re To create a **custom install image** which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac (using a USB-C cable and target disk mode, for example), use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG). -#### Manual way - -**Note** The following instructions appear to work only on macOS versions before 10.13. - -Find `InstallESD.dmg` which is inside the installation application. Locate it in Terminal or with Finder, right click on the application bundle, select **Show Package Contents** and navigate to **Contents** > **SharedSupport** to find the file `InstallESD.dmg` - -[Verify](https://support.apple.com/en-us/102130) file integrity by comparing its SHA-256 hash with others found in [InstallESD_Hashes.csv](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) or [notpeter/apple-installer-checksums](https://github.com/notpeter/apple-installer-checksums). - -```console -$ shasum -a 256 InstallESD.dmg -``` - -Mount and install the operating system to a temporary image: - -```console -$ hdiutil attach -mountpoint /tmp/InstallESD ./InstallESD.dmg - -$ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/macos.sparseimage - -$ hdiutil attach -mountpoint /tmp/macos -owners on /tmp/macos.sparseimage - -$ sudo installer -pkg /tmp/InstallESD/Packages/OSInstall.mpkg -tgt /tmp/macos -verbose -installer: OS Install started. -############# -[...] -``` - -The installation will take a while, so be patient. Use `tail -F /var/log/install.log` in another terminal to monitor progress and check for errors. - -Once the installation is complete, detach, convert and verify the image: - -```console -$ hdiutil detach /tmp/macos -"disk4" unmounted. -"disk4" ejected. - -$ hdiutil detach /tmp/InstallESD -"disk3" unmounted. -"disk3" ejected. 
- -$ hdiutil convert -format UDZO /tmp/macos.sparseimage -o ~/sierra.dmg -Preparing imaging engine... -[...] - -$ asr imagescan --source ~/sierra.dmg -``` - -The file `sierra.dmg` is now ready to be applied over [Target Disk Mode](https://support.apple.com/en-us/HT201462), from a bootable USB installer, booting from the network or recovery mode. The image could be further customized to include provisioned users, installed applications, preferences, for example. - ### Target disk mode To use **Target Disk Mode**, boot up the Mac you wish to image while holding the `T` key and connect it to another Mac using a USB-C, Thunderbolt or Firewire cable. From 7ce626621cb8812f3b10903250b965c3e1205d63 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Dec 2023 13:53:12 -0600 Subject: [PATCH 158/476] remove link to deleted section --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 8ea869ef..43a9b5dd 100755 --- a/README.md +++ b/README.md @@ -15,7 +15,6 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se * [Verifying installation integrity](#verifying-installation-integrity) * [Creating a bootable USB installer](#creating-a-bootable-usb-installer) * [Creating an install image](#creating-an-install-image) - + [Manual way](#manual-way) * [Target disk mode](#target-disk-mode) * [Creating a recovery partition](#creating-a-recovery-partition) * [Virtualization](#virtualization) From 1bac21b265bf5d5db9016975136d73688cfd8277 Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 10 Feb 2024 10:01:38 -0800 Subject: [PATCH 159/476] Remove safari tech preview, clean up dns profiles and formatting --- README.md | 54 +++++++++++++++++------------------------------------- 1 file changed, 17 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 43a9b5dd..cd6c8287 100755 --- a/README.md +++ b/README.md 
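Review bot: the deletion in README @@ -216 (PATCH 157) removes, together with the pre-10.13 manual procedure, the only step that tells the reader to hash `InstallESD.dmg` and compare it against [InstallESD_Hashes.csv] in this repository; if the CSV stays in the repo it is now orphaned, and if the hash lists still matter for newer installers the `shasum -a 256` check should be kept under "Creating an install image" rather than dropped with the section. The `#### Manual way` heading is also still linked from the table of contents after this commit (fixed separately in PATCH 158); the two changes belong in one commit so the tree never has a dangling anchor.

Review bot: the ToC fix in README @@ -15 (PATCH 158) is correct but is purely a follow-up to the previous commit's deletion of the `#### Manual way` section; squash it into that commit so `#manual-way` is never a dead link in history, and check that nothing else in the README still links to `#manual-way`.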
@@ -207,7 +207,7 @@ Copying boot files... Install media now available at "/Volumes/Install macOS Catalina" ``` -Apple also has [guide](https://support.apple.com/guide/disk-utility/erase-and-reformat-a-storage-device-dskutl14079/mac) on doing this via the GUI Disk Utility +[Disk Utility](https://support.apple.com/guide/disk-utility/erase-and-reformat-a-storage-device-dskutl14079/mac) can also be used to configure the storage device. ### Creating an install image @@ -249,12 +249,11 @@ The **Disk Utility** application may also be used to erase the connected disk an To transfer any files, copy them to a shared folder like `/Users/Shared` on the mounted disk image, e.g. `cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared` Finished restore install from USB recovery boot - *Finished restore install from USB recovery boot* ### Creating a recovery partition -**Unless** you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or manually by following these steps: +**Unless** you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or by following these steps: Download [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg) and verify its integrity: 
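Review bot: in README @@ -207 the replacement sentence "[Disk Utility] can also be used to configure the storage device" is vaguer than both the removed text and the linked Apple article (erase-and-reformat-a-storage-device); say "erase and reformat the storage device" so the reader knows this is the GUI equivalent of the install-media step above, not a general configuration pointer.

Review bot: README @@ -249 deletes the italic caption line `*Finished restore install from USB recovery boot*` but keeps the bare alt-text line above it, leaving an orphaned fragment with no image or caption context; the same caption is added back in the next commit (PATCH 160, same hunk), so this deletion looks accidental and should be dropped from this commit. The "or by following these steps:" wording change is fine.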
@@ -281,7 +280,7 @@ Run `diskutil list` again to make sure `Recovery HD` now exists on `/dev/disk2`. ### Virtualization -To install macOS as a virtual machine (VM) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition manually. +To install macOS as a virtual machine (VM) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition. For the Installation Method, select *Install macOS from the recovery partition*. Customize any memory or CPU requirements and complete setup. The guest VM should boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by default. @@ -327,7 +326,7 @@ Take and Restore from saved guest VM snapshots before and after attempting risky ## First boot -**Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, late 2016 MacBooks with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/) (also see next section). +**Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, late 2016 MacBooks with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/) (see next section). (Intel-based Mac only) On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://support.apple.com/en-us/HT204063). 
@@ -374,7 +373,7 @@ It is not strictly required to ever log into the admin account via the macOS log ### Caveats -* Only administrators can install applications in `/Applications` (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in `~/Applications` instead (the directory can be created manually). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in `/Applications` – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in `/Applications` and require no additional authentication. +* Only administrators can install applications in `/Applications` (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in `~/Applications` instead (the directory can be created). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in `/Applications` – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in `/Applications` and require no additional authentication. * `sudo` is not available in shells of the standard user, which requires using `su` or `login` to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces. * System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console). 
* There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the `open` utility. @@ -415,9 +414,7 @@ See `man 4 random` for more information. Turning on FileVault in System Preferences **after** installing macOS, rather than creating an encrypted partition for the installation first, is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/230), because more PRNG entropy is available then. -Additionally, the PRNG can be manually seeded with entropy by writing to /dev/random **before** enabling FileVault. This can be done by simply using the Mac for a little while before activating FileVault. - -It may also be possible to increase entropy with an external source, like [OneRNG](http://onerng.info/). See [Entropy and Random Number Generators](https://calomel.org/entropy_random_number_generators.html) and [Fun with encryption and randomness](https://rsmith.home.xs4all.nl/howto/fun-with-encryption-and-randomness.html) for more information. +It may be possible to increase entropy with an external source, like [OneRNG](http://onerng.info/). See [Entropy and Random Number Generators](https://calomel.org/entropy_random_number_generators.html) and [Fun with encryption and randomness](https://rsmith.home.xs4all.nl/howto/fun-with-encryption-and-randomness.html) for more information. Enable FileVault with `sudo fdesetup enable` or through **System Preferences** > **Security & Privacy** and reboot. 
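Review bot: README @@ -415 removes the paragraph on adding entropy before enabling FileVault, but leaves the preceding sentence, that enabling FileVault after installation "is more secure ... because more PRNG entropy is available then", with no practical guidance attached. The removed text did conflate two different operations (writing to /dev/random and simply using the Mac for a while), so a rewrite rather than a deletion is the fix: keep one sentence such as "Use the Mac for a while before enabling FileVault so the kernel PRNG has been fed more entropy" and drop the /dev/random claim unless it is sourced. The shortened "It may be possible to increase entropy ..." sentence is fine.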
@@ -483,7 +480,6 @@ Correct A firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple - *Using a [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* As of macOS 10.15 Catalina, the `firmwarepasswd` program has a new option `-disable-reset-capability`. According to [Apple's new Platform Security page](https://support.apple.com/en-gb/guide/security/sec28382c9ca/web), this effectively prevents any firmware password resets, even by Apple themselves: @@ -616,7 +612,7 @@ ALTQ related functions disabled 157.240.0.0/16 ``` -Confirm network traffic is blocked to those addresses (note that DNS requests will still work): +Confirm network traffic is blocked to those addresses (DNS requests will still work): ```console $ dig a +short facebook.com 
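Review bot: README @@ -483 deletes the italic caption `*Using a [Dediprog SF600](...) to dump and flash a 2013 MacBook SPI Flash chip ...*` while keeping the bare alt line above it, which strips the only hyperlink to the tool being described and leaves an orphaned fragment; like the caption removed in @@ -249, this one is restored in the next commit (PATCH 160, @@ -480), so drop the deletion here. The @@ -616 wording change is fine.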
@@ -748,25 +744,9 @@ You may also wish to enable [additional security options](https://github.com/drd #### DNS profiles -Since macOS 11 there is a very simple solution via "DNS configuration profiles" to: -- to be able to use encrypted DNS -- filter malware etc. via DNS -- use of DNSSEC -- easy recovery to default settings - -and all this without having to install a program or make cumbersome lists or settings. - -you can use ready-made profiles that can be easily installed via double-click and do not require any further work. -Providers of such profiles are e.g:: -- [Quad9](https://support.quad9.net/hc/en-us/articles/4814293189773-Setup-MacOS-and-DNS-over-HTTPS-or-DNS-over-TLS) (Malware filtering only + DNSSEC) -- [AdGuard](https://adguard-dns.io/en/public-dns.html) - see Method #2: Configure AdGuard DNS manually -> macOS (filtering depends on your choice) -- [NextDNS](https://nextdns.io/) (filtering depends on your choice) - -**Note:** all three offer digitally signed profiles, but only Quad9 offers an Apple signed profile. - -besides the ready-made profiles, you can also assemble [one yourself](https://dns.notjakob.com). -However, these profiles then do not have a signature and this is also criticized by macOS - even if the function of the profile is not affected. +macOS 11 introduced "DNS configuration profiles" to configure encrypted DNS, filter domains and use DNSSEC. +DNS profiles [can be created](https://dns.notjakob.com/) or obtained from providers such as [Quad9](https://docs.quad9.net/), [AdGuard](https://adguard-dns.io/en/public-dns.html) and [NextDNS](https://nextdns.io/). #### Hosts file 
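Review bot: the condensed DNS-profiles text in README @@ -748 drops the one security-relevant caveat from the original: profiles assembled at dns.notjakob.com carry no signature and macOS warns about that on install, whereas the provider profiles are signed (the original noted that only Quad9's is Apple-signed). A configuration profile changes system-wide DNS, so the reader should be told to check the signature before installing and to expect the unsigned warning for a home-made profile; keep one sentence to that effect. Also, the Quad9 link now points at the docs root rather than the specific macOS DoH/DoT setup article, so the reader has to hunt for the page; link the setup article directly if it still exists.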
@@ -1027,7 +1007,7 @@ $ curl -o ~/.curlrc https://raw.githubusercontent.com/drduh/config/master/curlrc Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter Web browsing traffic. -**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and manually verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. +**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/Macintosh%20%28OS%20X%29/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. 
@@ -1127,7 +1107,7 @@ Another important consideration about Web Browser security is Web Extensions. We Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. -Firefox supports user-supplied configuration files. See [pyllyukko/user.js](https://github.com/pyllyukko/user.js) and [ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows whitelist-based, pre-emptive script blocking. +Firefox supports user-supplied configuration files. See See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows selective script blocking. Firefox is focused on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers), similar to Chrome profiles. 
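Review bot: README @@ -1127 introduces a duplicated word: "See See [drduh/config/firefox.user.js]". Drop one "See". The link swap to arkenfox/user.js and the "selective script blocking" wording are fine.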
@@ -1159,7 +1139,7 @@ Chrome has the largest share of global usage and is the preferred target platfor Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](https://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](https://googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. -Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, either disable Javascript in Chrome settings and manually whitelist allowed origins - or use [uBlock Origin](https://github.com/gorhill/uBlock) to manage Javascript and/or disable third-party scripts/frames. Also install [HTTPSEverywhere](https://www.eff.org/https-everywhere) to upgrade insecure connections. +Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, either disable Javascript in Chrome settings and configure allowed origins - or use [uBlock Origin](https://github.com/gorhill/uBlock) to manage Javascript. Change the default search engine from Google to reduce additional tracking. 
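Review bot: README @@ -1159 deletes the HTTPSEverywhere recommendation without replacing the advice it carried (upgrading insecure connections), so the paragraph now covers script control only; either add a one-line pointer to whatever the guide now recommends for forcing HTTPS, or say in the commit message why the extension was dropped. While here, the unchanged context line "frequent updates (including Flash, although you should disable it - see below)" still refers to Flash; check whether that still applies and refresh it in the same pass.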
@@ -1181,7 +1161,7 @@ Web Extensions in Safari have an additional option to use native code in the Saf Safari syncs user preferences and saved passwords with [iCloud Keychain](https://support.apple.com/en-gb/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. -Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Although security updates in Safari are handled independent of the stable release schedule and issued automatically through the App store. The Safari channel that follows a six-week release cycle (similar to as Chrome and Firefox) is called [Safari Technology Preview](https://developer.apple.com/safari/technology-preview/) and it is the recommended option instead of the stable channel of Safari. +Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Security updates in Safari are handled independent of the stable release schedule and are installed through the App Store. An excellent open source ad blocker for Safari that fully leverages content blockers is [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. 
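Review bot: in README @@ -1181 the new sentence "Security updates in Safari are handled independent of the stable release schedule and are installed through the App Store" needs "independently of", and the delivery channel should be checked before it is stated as fact: on recent macOS releases Safari updates arrive through Software Update in System Settings rather than the App Store, so "through Software Update" is likely the right wording. Removing the blanket recommendation of Safari Technology Preview is a good call; a preview channel is not a security-update channel.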
@@ -1247,7 +1227,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2 ``` -Make sure `Good signature from "Tor Browser Developers (signing key) "` appears in the output. The warning about the key not being certified is benign, as it has not yet been manually assigned trust. +Make sure `Good signature from "Tor Browser Developers (signing key) "` appears in the output. The warning about the key not being certified is benign, as it has not yet been assigned trust. See [How to verify signatures for packages](https://www.torproject.org/docs/verifying-signatures.html) for more information. @@ -1574,7 +1554,7 @@ $ sudo rm -rfv /var/db/lockdown/* Quicklook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. Disable the thumbnail cache with `qlmanage -r disablecache` -It can also be manually cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: +It can also be cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: ```console $ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive 
@@ -2014,7 +1994,7 @@ Also see the simple networking monitoring application [BonzaiThePenguin/Loading] [google/santa](https://github.com/google/santa/) is a security software developed for Google's corporate Macintosh fleet and open sourced. -> Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server. +> Santa is a binary and file access authorization system for macOS. It consists of a system extension that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server. Santa uses the [Kernel Authorization API](https://developer.apple.com/library/content/technotes/tn2127/_index.html) to monitor and allow/disallow binaries from executing in the kernel. Binaries can be white- or black-listed by unique hash or signing developer certificate. Santa can be used to only allow trusted code execution, or to blacklist known malware from executing on a Mac, similar to Bit9 software for Windows. @@ -2159,7 +2139,7 @@ Hello World It's allowed and works! -Applications can also be whitelisted by developer certificate (so that new binary versions will not need to be manually whitelisted on each update). For example, download and run Google Chrome - it will be blocked by Santa in "Lockdown" mode: +Applications can also be allowed by developer certificate. For example, download and run Google Chrome - it will be blocked by Santa in "Lockdown" mode: ```console $ curl -sO https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg 
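Review bot: README @@ -2014 updates the quoted Santa description to a "system extension" doing "binary and file access authorization", but the unchanged paragraph right after it still says Santa "uses the Kernel Authorization API to monitor and allow/disallow binaries from executing in the kernel" and that binaries "can be white- or black-listed", which contradicts the new quote (a system extension runs in user space, not as a kernel extension) and keeps the terminology the quote just dropped. Update that paragraph in the same hunk so the two agree; otherwise the section reads as describing two different products.

Review bot: README @@ -2159 shortens "Applications can also be whitelisted by developer certificate (so that new binary versions will not need to be manually whitelisted on each update)" to "Applications can also be allowed by developer certificate." The terminology change is fine, but the parenthetical was the reason a reader would choose a certificate rule over a hash rule; keep it, e.g. "Applications can also be allowed by developer certificate, so that new versions do not need to be re-allowed on each update."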
From f00f1a7fd1dcbab1150ed7d5e8902bc1220b73ee Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 10 Feb 2024 10:21:53 -0800 Subject: [PATCH 160/476] clean up dnscrypt section --- README.md | 58 ++++++++++++++++--------------------------------------- 1 file changed, 17 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index cd6c8287..bef7e107 100755 --- a/README.md +++ b/README.md @@ -249,11 +249,12 @@ The **Disk Utility** application may also be used to erase the connected disk an To transfer any files, copy them to a shared folder like `/Users/Shared` on the mounted disk image, e.g. `cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared` Finished restore install from USB recovery boot + *Finished restore install from USB recovery boot* ### Creating a recovery partition -**Unless** you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or by following these steps: +**Unless** you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or the following steps. Download [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg) and verify its integrity: 
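Review bot: README @@ -249 here (PATCH 160) re-adds the italic caption `*Finished restore install from USB recovery boot*` that the immediately preceding commit deleted; squash the two commits so the caption never disappears in history, or drop the earlier deletion. Also, changing "or by following these steps:" to "or the following steps." replaces the colon that introduced the step list with a full stop, so the "Download [RecoveryHDUpdate.dmg] ..." instruction now reads as a disconnected paragraph; keep the colon.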
@@ -276,7 +277,9 @@ $ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartitio Creating recovery partition: finished ``` -Run `diskutil list` again to make sure `Recovery HD` now exists on `/dev/disk2`. Eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac. +Run `diskutil list` again to make sure `Recovery HD` now exists on `/dev/disk2` + +Eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac. ### Virtualization @@ -390,7 +393,7 @@ $ sudo dscl . -delete /Groups/admin GroupMembership $ sudo dscl . -delete /Groups/admin GroupMembers ``` -To find the “GeneratedUID” of an account: +To find the **GeneratedUID** of an account: ```console $ dscl . -read /Users/ GeneratedUID 
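Review bot: in README @@ -276 the split sentence "Run `diskutil list` again to make sure `Recovery HD` now exists on `/dev/disk2`" lost its terminating period; add it. Moving the eject step into its own paragraph is an improvement, since it is a separate action. The curly-quote to bold change in @@ -390 is fine.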
@@ -430,7 +433,7 @@ $ sudo pmset -a hibernatemode 25 ``` > All computers have firmware of some type - EFI, BIOS - to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For example, the FileVault key is stored in EFI to transparently come out of standby mode. - +> > Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn't destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode. If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See [issue #124](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/124) for more information. These settings can be changed with: @@ -480,6 +483,7 @@ Correct A firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple + *Using a [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* As of macOS 10.15 Catalina, the `firmwarepasswd` program has a new option `-disable-reset-capability`. According to [Apple's new Platform Security page](https://support.apple.com/en-gb/guide/security/sec28382c9ca/web), this effectively prevents any firmware password resets, even by Apple themselves: 
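Review bot: README @@ -480 restores the Dediprog SF600 caption deleted in the previous commit; as with the caption in @@ -249, squash so the deletion never lands. The `>` added to the blank line in @@ -430 is correct: without it Markdown renders the two quoted paragraphs as two separate blockquotes rather than one continuous quotation.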
@@ -551,7 +555,7 @@ For more on how Little Snitch works, see the [Network Kernel Extensions Programm A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with `pfctl` and various configuration files. -pf can also be controlled with a GUI application such as [IceFloor](http://www.hanynet.com/icefloor/) or [Murus](https://www.murusfirewall.com/). +pf can also be controlled with a GUI application such as [IceFloor](https://www.hanynet.com/icefloor/) or [Murus](https://www.murusfirewall.com/). There are many books and articles on the subject of pf firewall. Here's is just one example of blocking traffic by IP address. @@ -585,11 +589,11 @@ Then use the following commands to manipulate the firewall: * `sudo ifconfig pflog0 create` to create an interface for logging * `sudo tcpdump -ni pflog0` to view filtered packets -Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a [NAT](https://www.grc.com/nat/nat.htm) on a secure home network. +Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a [NAT](https://www.grc.com/nat/nat.htm) on a private home network. It is possible to use the pf firewall to block network access to entire ranges of network addresses, for example to a whole organization: -Query [Merit RADb](http://www.radb.net/) for the list of networks in use by an autonomous system, like [Facebook](https://ipinfo.io/AS32934): +Query [Merit RADb](https://www.radb.net/) for the list of networks in use by an autonomous system, like [Facebook](https://ipinfo.io/AS32934): ```console $ whois -h whois.radb.net '!gAS32934' 
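Review bot: the http-to-https link changes in README @@ -551 and @@ -585 are worthwhile (a plain-http link to a security tool's site is an integrity risk in itself). Two nits in the same hunks: the unchanged context line "Here's is just one example of blocking traffic by IP address" has a duplicated verb ("Here is"), and "private home network" is not the property that makes pf redundant; the original "secure" at least hinted at the trust assumption behind sitting behind a NAT, so consider "trusted home network".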
@@ -643,7 +647,7 @@ To use pf to audit "phone home" behavior of user and system-level processes, see See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) for further recommendations. -Services on macOS are managed by **launchd**. See [launchd.info](http://launchd.info/), as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html) +Services on macOS are managed by **launchd**. See [launchd.info](https://launchd.info/), as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html) You can also run [KnockKnock](https://objective-see.com/products/knockknock.html) that shows more information about startup items. @@ -681,12 +685,6 @@ $ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2 Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository. -**(Optional)** Run the `read_launch_plists.py` script and `diff` output to check for any discrepancies on your system, e.g.: - -```console -$ diff <(python read_launch_plists.py | sort ) <(cat 16A323_launchd.csv | sort ) -``` - See also [cirrusj.github.io/Yosemite-Stop-Launch](https://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation. Persistent login items may also exist in these directories: 
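Review bot: README @@ -681 removes the `read_launch_plists.py` / `diff` step but keeps the sentence before it, "Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository", which now has no instruction attached to it. Either keep a usage line for those lists (the deleted command compared against a build-specific `16A323_launchd.csv`, so refreshing the example would be better than deleting it) or remove that sentence and the files together. The launchd.info https change in @@ -643 is fine.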
@@ -786,17 +784,13 @@ DNS profiles [can be created](https://dns.notjakob.com/) or obtained from provid [No output] ``` - See `man hosts` and [FreeBSD Configuration Files](https://www.freebsd.org/doc/handbook/configtuning-configfiles.html) for more information. - - See the [dnsmasq](#dnsmasq) section of this guide for more hosts blocking options. - #### dnscrypt -To encrypt outgoing DNS traffic, consider using [jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy). In combination with dnsmasq and DNSSEC, the integrity and authenticity of DNS traffic is greatly improved. +To encrypt DNS traffic, consider using [DNSCrypt/dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). Used in combination with dnsmasq and DNSSEC, the integrity of DNS traffic can be significantly improved. [JayBrown/DNSCrypt-Menu](https://github.com/JayBrown/DNSCrypt-Menu) and [jedisct1/bitbar-dnscrypt-proxy-switcher](https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher) provide a graphical user interface to dnscrypt. -Install dnscrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: +Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: ```console $ brew install dnscrypt-proxy 
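Review bot: the rewritten sentence drops "authenticity" from the removed line's "the integrity and authenticity of DNS traffic is greatly improved", keeping only "the integrity of DNS traffic can be significantly improved"; the old wording made the stronger and more useful claim for an encrypted resolver channel, so keep both properties or say in the commit message why the claim is being narrowed. The indentation fix on the `man hosts` and dnsmasq lines and the repository rename to DNSCrypt/dnscrypt-proxy are the right changes.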
@@ -833,25 +827,7 @@ dnscrypt-proxy 15244 nobody 12u IPv4 0x1337f85ff9f8beef 0t0 UDP 127.0.0 dnscrypt-proxy 15244 nobody 14u IPv6 0x1337f85ff9f8beef 0t0 UDP [::1]:5355 ``` -> By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, -and under the "nobody" user using the resolvers specified in https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md. If you would like to change these settings, you will have to edit the configuration file (e.g. listen_addresses, user_name, urls, etc.) - -This can be accomplished by editing `/usr/local/etc/dnscrypt-proxy.toml` as described above. - -You can run your own [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper) (see also [drduh/Debian-Privacy-Server-Guide#dnscrypt](https://github.com/drduh/Debian-Privacy-Server-Guide#dnscrypt)) from a trusted location or use one of many public servers instead. - -Confirm outgoing DNS traffic is encrypted: - -```console -$ sudo tcpdump -qtni en0 -IP 10.8.8.8.59636 > 107.181.168.52: UDP, length 512 -IP 107.181.168.52 > 10.8.8.8.59636: UDP, length 368 - -$ dig +short -x 128.180.155.106.49321 -d0wn-us-ns4 -``` - -dnscrypt-proxy also has the capability to blacklist domains, including the use of wild-cards. +> By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, balancing traffic across a set of resolvers. If you would like to change these settings, you will have to edit the configuration file: $HOMEBREW_PREFIX/etc/dnscrypt-proxy.toml **Note** Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules: 
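Review bot: the new quoted line states that dnscrypt-proxy "runs on localhost (127.0.0.1), port 53", but the `lsof` context directly above shows it bound to UDP 5355 (`dnscrypt-proxy 15244 nobody 14u IPv6 0x1337f85ff9f8beef 0t0 UDP [::1]:5355`), so one of the two is wrong for this setup; align the stated port with the listing or note that the Homebrew configuration changes it. The hunk also removes the "Confirm outgoing DNS traffic is encrypted" `tcpdump` step, leaving the section with no check that queries actually leave encrypted; keep a verification step even if the old sample output was stale. Minor: wrap `$HOMEBREW_PREFIX/etc/dnscrypt-proxy.toml` in backticks like the other paths in the document.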
@@ -1019,7 +995,7 @@ $ brew install privoxy $ brew services start privoxy ``` -By default, privoxy listens on localhost, TCP port 8118. +Privoxy listens on local TCP port 8118 by default. Set the system **HTTP** proxy for your active network interface `127.0.0.1` and `8118` (This can be done through **System Preferences > Network > Advanced > Proxies**): 
@@ -1392,7 +1368,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -You could periodically run a tool like [KnockKnock]https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). +You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). **Anti-virus** programs are a double-edged sword -- not so useful for **advanced** users and will likely increase attack surface against sophisticated threats; however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider when using "active" scanning features. 
From 9ebfad7cccc2d153568dbe18baba316de2314e5f Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 10 Feb 2024 10:39:23 -0800 Subject: [PATCH 161/476] grammar, remove obsolete curl/vpn notes --- README.md | 67 +++++++++++++++++++++---------------------------------- 1 file changed, 26 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index bef7e107..6a60c069 100755 --- a/README.md +++ b/README.md @@ -40,7 +40,6 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se - [Captive portal](#captive-portal) - [Certificate authorities](#certificate-authorities) - [OpenSSL](#openssl) -- [Curl](#curl) - [Web](#web) * [Privoxy](#privoxy) * [Browser](#browser) @@ -135,7 +134,7 @@ Apple's [documentation](https://support.apple.com/en-us/HT211683) provides detai ### Verifying installation integrity -The macOS installation application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified to make sure you received a legitimate copy, using the `pkgutil --check-signature` or `codesign -dvv` commands. +The macOS installation application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified using the commands `pkgutil --check-signature` or `codesign -dvv` To verify the code signature and integrity of macOS application bundles: @@ -277,7 +276,7 @@ $ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartitio Creating recovery partition: finished ``` -Run `diskutil list` again to make sure `Recovery HD` now exists on `/dev/disk2` +Run `diskutil list` again to confirm `Recovery HD` now exists on `/dev/disk2` Eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac. 
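Review bot: the rewritten line "which should be verified using the commands `pkgutil --check-signature` or `codesign -dvv`" drops the closing period and also the reason for checking ("to make sure you received a legitimate copy"); keep the period, and consider keeping the rationale since the rest of the section leads with why before how. The TOC removal of `- [Curl](#curl)` is consistent with the section deletion later in this patch.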
@@ -484,13 +483,13 @@ A firmware password may be bypassed by a determined attacker or Apple, with phys Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple -*Using a [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* +*Using a [Dediprog SF600](https://www.dediprog.com/product/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* -As of macOS 10.15 Catalina, the `firmwarepasswd` program has a new option `-disable-reset-capability`. According to [Apple's new Platform Security page](https://support.apple.com/en-gb/guide/security/sec28382c9ca/web), this effectively prevents any firmware password resets, even by Apple themselves: +As of macOS 10.15, the `firmwarepasswd` program has a new option `-disable-reset-capability`. According to [Apple's new Platform Security page](https://support.apple.com/en-gb/guide/security/sec28382c9ca/web), this effectively prevents any firmware password resets, even by Apple themselves: > For users who want no one but themselves to remove their Firmware Password by software means, the -disable-reset-capability option has been added to the firmwarepasswd command-line tool in macOS 10.15. Before setting this option, users must to acknowledge that if the password is forgotten and needs removal, the user must bear the cost of the motherboard replacement necessary to achieve this. -Newer Mac models (Mac Pro, iMac Pro, Macbook with TouchBar) with [Apple T2](https://en.wikipedia.org/wiki/Apple-designed_processors#Apple_T2) chips, which provide a secure enclave for encrypted keys, lessen the risk of EFI firmware attacks. See [this blog post](http://michaellynn.github.io/2018/07/27/booting-secure/) for more information. 
+Newer Mac models (Mac Pro, iMac Pro, Macbook with TouchBar) with [Apple T2](https://en.wikipedia.org/wiki/Apple-designed_processors#Apple_T2) chips, which provide a secure enclave for encrypted keys, lessen the risk of EFI firmware attacks. See [this blog post](https://michaellynn.github.io/2018/07/27/booting-secure/) for more information. See [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool), [chipsec/chipsec](https://github.com/chipsec/chipsec) and discussion in [issue #213](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/213) for more information. 
@@ -760,29 +759,29 @@ DNS profiles [can be created](https://dns.notjakob.com/) or obtained from provid 127.0.0.1 example.com ``` - **Note** IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](https://someonewhocares.org/hosts/ipv6/). +**Note** IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](https://someonewhocares.org/hosts/ipv6/). - There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included. +There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included. - Here are some popular and useful hosts lists: +Here are some popular and useful hosts lists: - * [jmdugan/blocklists](https://github.com/jmdugan/blocklists) - * [l1k/osxparanoia](https://github.com/l1k/osxparanoia/blob/master/hosts) - * [Sinfonietta/hostfiles](https://github.com/Sinfonietta/hostfiles) - * [StevenBlack/hosts](https://github.com/StevenBlack/hosts) - * [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts) +* [jmdugan/blocklists](https://github.com/jmdugan/blocklists) +* [l1k/osxparanoia](https://github.com/l1k/osxparanoia/blob/master/hosts) +* [Sinfonietta/hostfiles](https://github.com/Sinfonietta/hostfiles) +* [StevenBlack/hosts](https://github.com/StevenBlack/hosts) +* [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts) - Append a list of hosts with the `tee` command and confirm only non-routable addresses or comments were added: +Append a list of hosts with the `tee` command and confirm only non-routable addresses or comments were added: - ```console - $ curl 
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts +```console +$ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts - $ wc -l /etc/hosts - 65580 +$ wc -l /etc/hosts +65580 - $ egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::" /etc/hosts | sort | uniq | egrep -e "[1,2]|::" - [No output] - ``` +$ egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::" /etc/hosts | sort | uniq | egrep -e "[1,2]|::" +[No output] +``` #### dnscrypt @@ -816,7 +815,7 @@ Start DNSCrypt: $ sudo brew services restart dnscrypt-proxy ``` -Make sure DNSCrypt is running: +Confirm DNSCrypt is running: ```console $ sudo lsof +c 15 -Pni UDP:5355 @@ -842,7 +841,7 @@ See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html) a Among other features, [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domain names. -Use in combination with DNSCrypt to additionally encrypt outgoing DNS traffic. +Use in combination with DNSCrypt to additionally encrypt DNS traffic. If you don't wish to use DNSCrypt, you should at least use DNS [not provided](http://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html) [by your ISP](http://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking/). Two popular alternatives are [Google DNS](https://developers.google.com/speed/public-dns/) and [OpenDNS](https://www.opendns.com/home-internet-security/). @@ -874,7 +873,7 @@ To set Dnsmasq as your local DNS server, open **System Preferences** > **Network $ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 ``` -Make sure Dnsmasq is correctly configured: +Confirm Dnsmasq is configured: ```console $ scutil --dns | head 
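Review bot: in the de-indented hosts block, `$ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts` still appends the remote list to `/etc/hosts` before the `egrep` sanity check runs, so any unexpected routable address is already in the live file by the time the check reports it. Since this hunk rewrites the block anyway, download to a temporary file first, run the `egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::"` filter against that file, and append only when it produces no output. The whitespace fix itself (stripping the leading space that broke the fenced block and the list) is the right change.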
@@ -914,7 +913,7 @@ $ dig www.dnssec-failed.org When macOS connects to new networks, it checks for Internet connectivity and may launch a Captive Portal assistant utility application. -An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser by navigating to a non-secure HTTP page and accepting a redirect to the captive portal login interface (after disabling any custom proxy or DNS settings). +It is possible to trigger the utility and direct a Mac to malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser by navigating to a non-secure HTTP page and accepting a redirect to the captive portal login interface (after disabling any custom proxy or DNS settings). ```console $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false @@ -965,18 +964,6 @@ SSL-Session: See also [Comparison of TLS implementations](https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations), [How's My SSL](https://www.howsmyssl.com/) and [Qualys SSL Labs Tools](https://www.ssllabs.com/projects/). -## Curl - -The version of Curl which comes with macOS uses [Secure Transport](https://developer.apple.com/library/mac/documentation/Security/Reference/secureTransportRef/) for SSL/TLS validation. - -If you prefer to use OpenSSL, install with `brew install curl --with-openssl` and ensure it's the default with `brew link --force curl` - -Download [drduh/config/curlrc](https://github.com/drduh/config/blob/master/curlrc) or see the [man page](https://curl.haxx.se/docs/manpage.html): - -```console -$ curl -o ~/.curlrc https://raw.githubusercontent.com/drduh/config/master/curlrc -``` - ## Web ### Privoxy 
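Review bot: "direct a Mac to malware without user interaction" lost its object in the rewrite; the removed line's "to a site with malware" (or "to a malicious site") reads correctly and should be kept. Removing the Curl section matches the TOC edit in the first hunk; check the rest of README for any remaining `#curl` anchors so no intra-document link dangles.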
@@ -1308,8 +1295,6 @@ Also see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) a Unencrypted network traffic is being actively monitored and possibly tampered with. Encrypted traffic still exposes [connection metadata](https://security.stackexchange.com/questions/142833/does-https-encrypt-metadata#142855) and could be used to infer behavior or specific actions. -It is a good idea to use a VPN with outgoing network traffic (*not* **split tunnel**) together with a trustworthy provider. [drduh/Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide) is one of many available guides for setting up a personal VPN server. - Don't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you don't understand how the VPN works or are not familiar with the software used, you are probably better off without it. When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) or Linux-based [Wireguard](https://www.wireguard.com/) [on a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). 
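Review bot: deleting "It is a good idea to use a VPN with outgoing network traffic (*not* **split tunnel**) together with a trustworthy provider." leaves the next paragraph opening with "Don't just blindly sign up for a VPN service" before a VPN has been introduced in this section at all. Keep a one-sentence lead-in (the split-tunnel caution in particular is still current) and drop only the Debian-Privacy-Server-Guide link if that is the part that is obsolete.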
@@ -1352,7 +1337,7 @@ OTR stands for **off-the-record** and is a cryptographic protocol for encrypting You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat service, even Google Hangouts (which only encrypts conversations between users and the server using TLS). -The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail). +The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Do this in person or by other secure means, such as GPG. A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). From 57d7717b157f06c7f39e485180b233de5ac78705 Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 10 Feb 2024 18:42:51 +0000 Subject: [PATCH 162/476] Delete CNAME --- CNAME | 1 - 1 file changed, 1 deletion(-) delete mode 100644 CNAME diff --git a/CNAME b/CNAME deleted file mode 100644 index 68db904c..00000000 --- a/CNAME +++ /dev/null @@ -1 +0,0 @@ -macos.duh.to \ No newline at end of file From e5d8585f32e4c035161a3be2d6b37e6a4c0117ae Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 10 Feb 2024 10:44:35 -0800 Subject: [PATCH 163/476] update metadata --- CNAME | 1 - LICENSE | 2 +- _config.yml | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 CNAME delete mode 100644 _config.yml diff --git a/CNAME b/CNAME deleted file mode 100644 index 68db904c..00000000 --- a/CNAME +++ /dev/null @@ -1 +0,0 @@ -macos.duh.to \ No newline at end of file diff --git a/LICENSE b/LICENSE index e0454915..de682fe8 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2015-2020 +Copyright (c) 2015 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal 
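Review bot: changing `Copyright (c) 2015-2020` to `Copyright (c) 2015` narrows the year range instead of extending it, which reads like an accidental edit given that this series itself adds changes dated 2024. Either keep the range and bring its end year up to date, or state the reasoning for the single year in the "update metadata" commit message.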
diff --git a/_config.yml b/_config.yml deleted file mode 100644 index fc24e7a6..00000000 --- a/_config.yml +++ /dev/null @@ -1 +0,0 @@ -theme: jekyll-theme-hacker \ No newline at end of file From be0f053134650ec8158d0c884215409a2ec25dd5 Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 10 Feb 2024 10:58:10 -0800 Subject: [PATCH 164/476] refresh browsers --- README.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 6a60c069..d0abd986 100755 --- a/README.md +++ b/README.md 
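Review bot: PATCH 163/476 ("update metadata") deletes `CNAME` a second time (`delete mode 100644 CNAME`, `-macos.duh.to`) although PATCH 162/476 ("Delete CNAME") already removed the same file; applied in order, the second deletion fails because the file no longer exists. Rebase 163 onto 162 so it carries only the LICENSE and `_config.yml` changes, or squash the two commits.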
@@ -839,13 +839,13 @@ See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html) a #### Dnsmasq -Among other features, [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domain names. +Among other features, [dnsmasq](https://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domain names. Use in combination with DNSCrypt to additionally encrypt DNS traffic. -If you don't wish to use DNSCrypt, you should at least use DNS [not provided](http://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html) [by your ISP](http://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking/). Two popular alternatives are [Google DNS](https://developers.google.com/speed/public-dns/) and [OpenDNS](https://www.opendns.com/home-internet-security/). +If you don't wish to use DNSCrypt, you should at least use DNS [not provided](https://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html) [by your ISP](https://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking/). Two popular alternatives are [Google DNS](https://developers.google.com/speed/public-dns/) and [OpenDNS](https://www.opendns.com/home-internet-security/). -**(Optional)** [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root-zone. The current root-zone trust anchors may be downloaded [from IANA website](https://www.iana.org/dnssec/files). There are a number of resources on DNSSEC, but probably the best one is [dnssec.net website](http://www.dnssec.net). 
+**(Optional)** [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root-zone. The current root-zone trust anchors may be downloaded [from IANA website](https://www.iana.org/dnssec/files). There are a number of resources on DNSSEC, but probably the best one is [dnssec.net website](https://www.dnssec.net). Install Dnsmasq (DNSSEC is optional): 
@@ -1056,23 +1056,25 @@ You can replace ad images with pictures of kittens, for example, by starting a l ### Browser -The Web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. This is an important statement. The unique use case of Web Browsers of operation in hostile environments, has forced them to adopt certain impressive security features. The cornerstone of Web Browser security is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)). In a few words, SOP prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). If SOP is compromised, the security of the whole Web Browser is compromised. +The Web browser likely poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. -The best tip to ensure secure browsing regardless your choice of Web Browser is proper security hygiene. The majority of Web Browser exploits require social engineering attacks to achieve native code execution. Always be mindful of the links you click and be extra careful when websites ask you to download and install software. 99% percent of the time that software is malware. +An important property of modern browsers Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)) which prevents a malicious script on one page from obtaining access to sensitive data on another web page through the Document Object Model (DOM). If SOP is compromised, the security of the entire browser is compromised. -Another important consideration about Web Browser security is Web Extensions. Web Extensions greatly increase the attack surface of the Web Browser. This is an issue that plagues Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. 
Luckily, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their behavior and remove them if they request access to information they shouldn't (why would an Ad blocker require camera access?). In the interest of security, it is best to limit your use of Web Extensions. +Many browser exploits are based on social engineering as a means of gaining persistence. Always be mindful of opening untrusted sites and especially mindful when downloading new software. -[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/), [Google Chrome](https://www.google.com/chrome/), [Safari](https://www.apple.com/safari/), and [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) are covered in this guide. Each Web Browser offers certain benefits and drawbacks regarding their security and privacy. It is best to make an informed choice and not necessarily commit to only one. +Another important consideration about browser security are extensions. This is an issue affecting Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. The use of browser extensions should be limited to only critically necessary ones published by trustworthy developers. + +[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/), [Google Chrome](https://www.google.com/chrome/), [Safari](https://www.apple.com/safari/), and [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) are all recommended browsers for their own unique and individual purposes. #### Firefox -[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) is an excellent browser as well as being completely open source. Currently, Firefox is in a renaissance period. It replaces major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). 
Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. +[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) is a popular open source browser. Firefox recently replaced major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. -Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative as Chrome's. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. +Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. Firefox supports user-supplied configuration files. 
See See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows selective script blocking. -Firefox is focused on user privacy. It supports [tracking protection](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature for added privacy unique to Firefox is [Containers](https://testpilot.firefox.com/experiments/containers), similar to Chrome profiles. +Firefox [focused on user privacy](https://www.mozilla.org/en-US/firefox/privacy/). It supports [tracking protection](https://developer.mozilla.org/en-US/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature similar to Chrome profiles is [Firefox Multi-Account Containers](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/). Previous versions of Firefox used a Web Extension SDK that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. From 44d1f4c92fee25079f8a32c48ef059f9a0449097 Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 10 Feb 2024 11:37:35 -0800 Subject: [PATCH 165/476] more browser cleanup --- README.md | 73 +++++++++++++++++++++++-------------------------------- 1 file changed, 30 insertions(+), 43 deletions(-) 
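Review bot: several of the added Browser and Firefox lines have grammar slips that a "refresh" pass should catch: "An important property of modern browsers Same Origin Policy ([SOP](...)) which prevents" needs "is the" before "Same Origin Policy" and a comma before "which"; "Another important consideration about browser security are extensions" should read "is extensions"; "although it is not a lucrative." lost its comparison (the removed line read "as lucrative as Chrome's"); and "Firefox [focused on user privacy]" needs "is". The unchanged context "Firefox supports user-supplied configuration files. See See [drduh/config/firefox.user.js]" repeats "See" and can be fixed in the same hunk. Also reconsider "Many browser exploits are based on social engineering as a means of gaining persistence", which conflates exploitation with persistence; the removed text's point was that most browser compromises rely on social engineering to reach native code execution.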
diff --git a/README.md b/README.md index d0abd986..661c331b 100755 --- a/README.md +++ b/README.md @@ -1060,7 +1060,7 @@ The Web browser likely poses the largest security and privacy risk, as its funda An important property of modern browsers Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)) which prevents a malicious script on one page from obtaining access to sensitive data on another web page through the Document Object Model (DOM). If SOP is compromised, the security of the entire browser is compromised. -Many browser exploits are based on social engineering as a means of gaining persistence. Always be mindful of opening untrusted sites and especially mindful when downloading new software. +Many browser exploits are based on social engineering as a means of gaining persistence. Always be mindful of opening untrusted sites and especially careful when downloading new software. Another important consideration about browser security are extensions. This is an issue affecting Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. The use of browser extensions should be limited to only critically necessary ones published by trustworthy developers. 
@@ -1076,33 +1076,26 @@ Firefox supports user-supplied configuration files. See See [drduh/config/firefo Firefox [focused on user privacy](https://www.mozilla.org/en-US/firefox/privacy/). It supports [tracking protection](https://developer.mozilla.org/en-US/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature similar to Chrome profiles is [Firefox Multi-Account Containers](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/). -Previous versions of Firefox used a Web Extension SDK that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/Add-ons/WebExtensions), which is very similar to Chrome's. - -Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. - -**Note** Similar to Chrome and Safari, Firefox allows account sync across multiple devices. While stored login passwords are encrypted, Firefox does not require a password to reveal their plain text format. Firefox only displays as yes/no prompt. This is an important security issue. Keep that in mind if you sign in to your Firefox account from devices that do not belong to you and leave them unattended. The [issue](https://bugzilla.mozilla.org/show_bug.cgi?id=1393493) has been raised among the Firefox community and hopefully will be resolved in the coming versions. - -See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) for additional Firefox configuration options to improve security and privacy. 
+Previous versions of Firefox used a Web Extension SDK that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions), which is very similar to Chrome. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. #### Chrome [Google Chrome](https://www.google.com/chrome/) is based on the open source [Chromium project](https://www.chromium.org/Home) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): -* Automatic updates with GoogleSoftwareUpdateDaemon. -* Usage tracking and crash reporting, which can be disabled through Chrome's settings. -* Chrome Web Store. -* Adobe Flash Plugin - supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome. -* Media Codec support - adds support for proprietary codecs. -* Chrome [PDF viewer](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/). +* Automatic updates with GoogleSoftwareUpdateDaemon +* Usage tracking and crash reporting, which can be disabled through Chrome's settings +* Media Codec support for proprietary codecs +* Chrome Web Store +* PDF viewer * Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. 
The source code to decode the strings is made open by Google. Chrome offers account sync between multiple devices. Part of the sync data are stored website credentials. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords. -Chrome's Web store for extensions requires a [5 dollar lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. +Chrome's Web Store for extensions requires a [5 USD lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. 
-Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [sandboxing](https://www.chromium.org/developers/design-documents/sandbox), [frequent updates](https://googlechromereleases.blogspot.com/) (including Flash, although you should disable it - see below), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty](https://www.google.com/about/appsecurity/chrome-rewards/) program for reporting vulnerabilities along with its own [Project Zero](https://googleprojectzero.blogspot.com). This means that a large number of highly talented and motivated people are constantly auditing Chrome's code base. +Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [robust sandboxing](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md), [frequent updates](https://chromereleases.googleblog.com/), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty program](https://bughunters.google.com/about/rules/5745167867576320/chrome-vulnerability-reward-program-rules) for reporting vulnerabilities, along with its own [Project Zero](https://googleprojectzero.blogspot.com/) team. This means that a large number of highly talented and motivated people are constantly auditing and securing Chrome code. Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, either disable Javascript in Chrome settings and configure allowed origins - or use [uBlock Origin](https://github.com/gorhill/uBlock) to manage Javascript. 
@@ -1110,39 +1103,39 @@ Change the default search engine from Google to reduce additional tracking. Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). Note that Chrome [may attempt](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/350) to resolve DNS using Google's `8.8.8.8` and `8.8.4.4` public nameservers. -Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy) for more detailed, technical information. - -Read [Google's privacy policy](https://www.google.com/policies/privacy/) and learn which [Google services](https://www.google.com/services/) collect personal information. Users can opt-out of services and see what type of information Google has stored in [account settings](https://myaccount.google.com/privacy). +Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy) for more information. Read [Google's privacy policy](https://policies.google.com/privacy) to understand how personal information is collected and used. #### Safari -[Safari](https://www.apple.com/safari/) is the default Web browser of macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. +[Safari](https://www.apple.com/safari/) is the default browser on macOS. 
It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced an [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) system. This feature automatically removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. +Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/), whihc removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. -Similar to Chrome and Firefox, Safari offers an invite only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. 
The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. +Similar to Chrome and Firefox, Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. -Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 dollar lifetime fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open. +Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. 
Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 USD fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open. Safari syncs user preferences and saved passwords with [iCloud Keychain](https://support.apple.com/en-gb/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Security updates in Safari are handled independent of the stable release schedule and are installed through the App Store. -An excellent open source ad blocker for Safari that fully leverages content blockers is [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. +An example of using Safari content blockers is available at [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). + +See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. #### Other Web browsers -Many Chromium-derived browsers are not recommended. 
They are usually [closed source](http://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](https://web.archive.org/web/20180517132144/http://thesimplecomputer.info/the-private-life-of-chromium-browsers). +Many Chromium-derived browsers are not recommended. They are usually [closed source](https://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](https://web.archive.org/web/20180517132144/http://thesimplecomputer.info/the-private-life-of-chromium-browsers). Other miscellaneous browsers, such as [Brave](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use. #### Web browsers and privacy -All Web Browsers retain certain information about our browsing habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most Web Browsers offer prediction services to resolve typos or URL redirections, store analytics data of browsing patterns, crash reports and black listing of known malicious servers. Those options can be turned on and off from each Web browser's settings panel. +Web browsers reveal information in several ways, for example through the [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface, which may include information such as the browser version, operating system, site permissions, and the device's battery level. 
Many websites also use [canvas fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) to uniquely identify users across sessions. -Since Web browsers execute untrusted code from the server, it is important to understand what type of information can be accessed. The [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface gives access to information about the Web Browser's user agent. Those include information such as the operating system, Web sites' permissions, and the device's battery level. For more information about security conscious browsing and what type of information is being "leaked" by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://www.browserleaks.com/) and [EFF Panopticlick](https://panopticlick.eff.org/). +For more information about security conscious browsing and what data is sent by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://browserleaks.com/), [Am I Unique?](https://amiunique.org/fingerprint) and [EFF Cover Your Tracks](https://coveryourtracks.eff.org/) resources. -To hinder third party trackers, it is recommended to **disable third-party cookies** in Web browser settings. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. +To hinder third party trackers, it is recommended to **disable third-party cookies** altogether. 
A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). Disabling WebRTC in Safari is only possible with a [system hack](https://github.com/JayBrown/Disable-and-toggle-WebRTC-in-macOS-Safari). @@ -1156,7 +1149,7 @@ See [Hacking Team Flash Zero-Day](https://blog.trendmicro.com/trendlabs-security ## Tor -Tor is an anonymizing proxy which can be used for browsing the Web. +Tor is an anonymizing network which can be used for browsing the Web with additional privacy. Tor Browser is a modified version of Firefox with a proxy to access the Tor network. Download Tor Browser from [Tor Project](https://www.torproject.org/download/). 
@@ -1194,7 +1187,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 Make sure `Good signature from "Tor Browser Developers (signing key) "` appears in the output. The warning about the key not being certified is benign, as it has not yet been assigned trust. -See [How to verify signatures for packages](https://www.torproject.org/docs/verifying-signatures.html) for more information. +See [How can I verify Tor Browser's signature?](https://support.torproject.org/) for more information. To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with: @@ -1271,7 +1264,7 @@ $ openssl x509 -inform der -in codesign0 -fingerprint -sha256 -noout SHA256 Fingerprint=B5:0D:47:F0:3E:CB:42:B6:68:1C:6F:38:06:2B:C2:9F:41:FA:D6:54:F1:29:D3:E4:DD:9C:C7:49:35:FF:F5:D9 ``` -Tor traffic is **encrypted** to the [exit node](https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Exit_node_eavesdropping) (i.e., cannot be read by a passive network eavesdropper), but Tor use **can** be identified - for example, TLS handshake "hostnames" will show up in plaintext: +Tor traffic is **encrypted** to the [exit node](https://en.wikipedia.org/wiki/Tor_(network)#Exit_node_eavesdropping) (i.e., cannot be read by a passive network eavesdropper), but Tor use **can** be identified - for example, TLS handshake "hostnames" will show up in plaintext: ```console $ sudo tcpdump -An "tcp" | grep "www" 
@@ -1281,24 +1274,20 @@ listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes .6....m.....>...:.........|../* Z....W....X=..6...C../....................................0...0..0.......'....F./0.. *.H........0%1#0!..U....www.b6zazzahl3h3faf4x2.com0...160402000000Z..170317000000Z0'1%0#..U....www.tm3ddrghe22wgqna5u8g.net0..0.. ``` -See [Tor Protocol Specification](https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt) and [Tor/TLSHistory](https://trac.torproject.org/projects/tor/wiki/org/projects/Tor/TLSHistory) for more information. +See [Tor Protocol Specification](https://spec.torproject.org/tor-spec/) and [Tor/TLSHistory](https://gitlab.torproject.org/legacy/trac/-/wikis/org/projects/Tor/TLSHistory) for more information. -You may wish to additionally obfuscate Tor traffic using a [pluggable transport](https://www.torproject.org/docs/pluggable-transports.html), such as [Yawning/obfs4proxy](https://github.com/Yawning/obfs4) or [SRI-CSL/stegotorus](https://github.com/SRI-CSL/stegotorus). +You may wish to additionally obfuscate Tor traffic using a [pluggable transport](https://tb-manual.torproject.org/circumvention/). -This can be done by setting up your own [Tor relay](https://www.torproject.org/docs/tor-relay-debian.html) or finding an existing private or public [bridge](https://www.torproject.org/docs/bridges.html.en#RunningABridge) to serve as an obfuscating entry node. +This can be done by setting up your own [Tor relay](https://support.torproject.org/relay-operators/) or finding an existing private or [public bridge](https://bridges.torproject.org/) to serve as an obfuscating entry node. -For extra security, use Tor inside a [VirtualBox](https://www.virtualbox.org/wiki/Downloads) or [VMware](https://www.vmware.com/products/fusion) virtualized [GNU/Linux](http://www.brianlinkletter.com/installing-debian-linux-in-a-virtualbox-virtual-machine/) or [BSD](https://www.openbsd.org/faq/faq4.html) machine. 
+For extra security, use Tor inside a [VirtualBox](https://www.virtualbox.org/wiki/Downloads) or [VMware](https://www.vmware.com/products/fusion.html) virtualized [GNU/Linux](https://www.brianlinkletter.com/2012/10/installing-debian-linux-in-a-virtualbox-virtual-machine/) or [OpenBSD](https://www.openbsd.org/faq/faq4.html) instance. -Finally, remember the Tor network provides [anonymity](https://www.privateinternetaccess.com/blog/2013/10/how-does-privacy-differ-from-anonymity-and-why-are-both-important/), which is not necessarily synonymous with privacy. The Tor network does not guarantee protection against a global observer capable of traffic analysis and correlation. See also [Seeking Anonymity in an Internet Panopticon](http://bford.info/pub/net/panopticon-cacm.pdf) (pdf) and [Traffic Correlation on Tor by Realistic Adversaries](http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf) (pdf). +Finally, remember the Tor network provides [anonymity](https://www.privateinternetaccess.com/blog/2013/10/how-does-privacy-differ-from-anonymity-and-why-are-both-important/), which is not necessarily synonymous with privacy. The Tor network does not guarantee protection against a global observer capable of traffic analysis and correlation. See also [Seeking Anonymity in an Internet Panopticon](https://bford.info/pub/net/panopticon-cacm.pdf) (pdf) and [Traffic Correlation on Tor by Realistic Adversaries](https://www.ohmygodel.com/publications/usersrouted-ccs13.pdf) (pdf). Also see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) and its [Tor comparison](https://geti2p.net/en/comparison/tor). ## VPN -Unencrypted network traffic is being actively monitored and possibly tampered with. Encrypted traffic still exposes [connection metadata](https://security.stackexchange.com/questions/142833/does-https-encrypt-metadata#142855) and could be used to infer behavior or specific actions. 
- -Don't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you don't understand how the VPN works or are not familiar with the software used, you are probably better off without it. - When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) or Linux-based [Wireguard](https://www.wireguard.com/) [on a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See [scy/8122924](https://gist.github.com/scy/8122924) for an example on how to allow traffic only over VPN. @@ -1309,11 +1298,9 @@ It may be worthwhile to consider the geographical location of the VPN provider. Also see this [technical overview](https://blog.timac.org/2018/0717-macos-vpn-architecture/) of the macOS built-in VPN L2TP/IPSec and IKEv2 client. -Other open source OpenVPN clients/GUI: [Eddie](https://github.com/AirVPN/Eddie), [Pritunl](https://client.pritunl.com) are not evaluated in this guide, so are neither recommended nor actively discouraged from use. - ## PGP/GPG -PGP is a standard for encrypting email end to end. That means only the chosen recipients can decrypt a message, unlike regular email which is read and forever archived by providers. +PGP is a standard for signing and encrypting data (especially email) end-to-end, so only the sender and recipient can access it. GPG, or **GNU Privacy Guard**, is a GPL-licensed open source program compliant with the PGP standard. From 8af09b66b652ce627feac0318788569e44c1bc4f Mon Sep 17 00:00:00 2001 
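Review bot: In hunk @@ -1060,7 the changed sentence still says browser exploits use social engineering "as a means of gaining persistence", which conflates two phases: social engineering is how the user is induced to open the page or run the download, and persistence is something the resulting payload establishes afterwards. Suggest "Many browser compromises rely on social engineering to get the user to open untrusted sites or run downloaded software" and keep the "be careful" advice. While in this hunk, the context sentence "An important property of modern browsers Same Origin Policy" is missing its verb ("is the Same Origin Policy").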
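Review bot: In hunk @@ -1076,33 the re-added Firefox Web Extensions paragraph now ends "very similar to Chrome" where the removed line had "Chrome's"; the comparison is between APIs, so "similar to Chrome's" is the correct reading, and "Web Extension Api" should be "API". The hunk also silently deletes the "Note" about Firefox revealing stored passwords behind only a yes/no prompt (the bugzilla 1393493 link) and the drduh/config/firefox.user.js pointer; if the bug is resolved the commit message should say so, and the context line "See See [drduh/config/firefo" has a doubled "See" that is worth fixing at the same time. In the Chrome list, the rewritten bullets drop their trailing periods, but the surviving last item "Non-optional tracking. Google Chrome installer includes ..." is a multi-sentence paragraph, so the list is inconsistent; either keep periods throughout or move the RLZ text into its own paragraph. Two context typos sit in the same hunk and should be fixed with it: "retaining your the security of your passwords" and "Despite under constants attacks" ("Despite constant attacks").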
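Review bot: Hunk @@ -1110,39 introduces a typo in an added line: "whihc removes tracking data" should read "which removes tracking data". The added Safari extensions line also has "in the Safari's sandbox environment" (drop "the") and mixes "App store" with "App Store". Further down, the rewritten "Web browsers and privacy" paragraph removes the sentence "Since Web browsers execute untrusted code from the server, it is important to understand what type of information can be accessed", which is the reason the Navigator list matters; suggest keeping a short form of it as the opening sentence, since the new text only enumerates what is revealed without saying why a reader should care. The removed paragraph on prediction services, crash reports and blacklists was the only part that told users these are switchable in the browser settings panel; consider keeping one sentence of it.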
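Review bot: In hunk @@ -1194,7 the verification link is replaced with the bare root of https://support.torproject.org/, which forces the reader to search for the signature-verification article; link to the specific "How can I verify Tor Browser's signature?" page on that site rather than the site root. The context line "drag the it into the Applications folder" has a stray "the" and can be fixed in the same hunk.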
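Review bot: Hunk @@ -1281,24 removes the two opening VPN paragraphs ("Unencrypted network traffic is being actively monitored ..." and "Don't just blindly sign up for a VPN service ..."), so the VPN section now starts at "When choosing a VPN service" with no statement of what threat a VPN is meant to address or that a misunderstood VPN can be worse than none. Suggest keeping a one- or two-sentence version of that framing; the metadata point (encrypted traffic still exposes connection metadata) is the security-relevant part and the link to the security.stackexchange answer is lost with it. The pluggable-transport edit is fine, but note the named transports (obfs4proxy, stegotorus) are dropped, so "pluggable transport" now has no concrete example.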
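Review bot: In hunk @@ -1309,11 the new PGP definition "signing and encrypting data (especially email) end-to-end, so only the sender and recipient can access it" ties the confidentiality property to signing as well as encryption. Signing does not restrict who can read the data, and the sender can only read an encrypted message later if it was also encrypted to their own key. Suggest: "PGP is a standard for signing and encrypting data (especially email) end-to-end: encryption ensures only the intended recipients can read a message, and signatures let recipients verify who sent it and that it was not altered."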
From: drduh Date: Sat, 10 Feb 2024 11:52:05 -0800 Subject: [PATCH 166/476] reduce SIP, fix multiple command syntax --- README.md | 183 ++++++++++++++++++++---------------------------------- 1 file changed, 66 insertions(+), 117 deletions(-) diff --git a/README.md b/README.md index 661c331b..e3c73953 100755 --- a/README.md +++ b/README.md 
@@ -1344,12 +1344,10 @@ See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/co You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). -**Anti-virus** programs are a double-edged sword -- not so useful for **advanced** users and will likely increase attack surface against sophisticated threats; however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider when using "active" scanning features. +**Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. 
Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). -Therefore, the best anti-virus is **Common Sense 2020**. See discussion in [issue #44](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/44). - Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](https://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. 
@@ -1360,15 +1358,7 @@ Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hac ## System Integrity Protection -[System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) is a security feature since OS X 10.11 "El Capitan". It is enabled by default, but [can be disabled](https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/), which may be necessary to change some system settings, such as deleting root certificate authorities or unloading certain launch daemons. Keep this feature on, as it is by default. - -From [What's New in OS X 10.11](https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html): - -> A new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted. - -Also see [What is the “rootless” feature in El Capitan, really?](https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really) - -Some MacBook hardware has shipped with [SIP disabled](https://appleinsider.com/articles/16/11/17/system-integrity-protection-disabled-by-default-on-some-touch-bar-macbook-pros). To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode. 
+To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode. ## Gatekeeper and XProtect @@ -1376,8 +1366,6 @@ Some MacBook hardware has shipped with [SIP disabled](https://appleinsider.com/a **XProtect** prevents the execution of known bad files and outdated plugin versions, but does nothing to cleanup or stop existing malware. -Both offer trivial protection against common risks and are fine at default settings. - See also [Gatekeeper, XProtect and the Quarantine attribute](https://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html). **Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. To examine the file, simply use `strings` or the following command: 
@@ -1487,19 +1475,19 @@ $ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDe `/var/spool/cups` contains the CUPS printer job cache. To clear it, use the commands: ```console -$ sudo rm -rfv /var/spool/cups/c0* -$ sudo rm -rfv /var/spool/cups/tmp/* -$ sudo rm -rfv /var/spool/cups/cache/job.cache* +sudo rm -rfv /var/spool/cups/c0* +sudo rm -rfv /var/spool/cups/tmp/* +sudo rm -rfv /var/spool/cups/cache/job.cache* ``` To clear the list of iOS devices connected, use: ```console -$ sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" -$ sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices -$ sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" -$ sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices -$ sudo rm -rfv /var/db/lockdown/* +sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" +sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices +sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" +sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices +sudo rm -rfv /var/db/lockdown/* ``` Quicklook thumbnail data can be cleared using the `qlmanage -r cache` command, but this writes to the file `resetreason` in the Quicklook directories, and states that the Quicklook cache was manually cleared. Disable the thumbnail cache with `qlmanage -r disablecache` 
@@ -1507,25 +1495,25 @@ Quicklook thumbnail data can be cleared using the `qlmanage -r cache` command, b It can also be cleared by getting the directory names with `getconf DARWIN_USER_CACHE_DIR` and `sudo getconf DARWIN_USER_CACHE_DIR`, then removing them: ```console -$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive -$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite -$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm -$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal -$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason -$ rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason +rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data ``` Similarly, for the root user: ```console -$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler -$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive -$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite -$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm -$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal -$ sudo rm -rfv $(getconf 
DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason -$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data -$ sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data +sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler ``` Also see ['quicklook' cache may leak encrypted data](https://objective-see.com/blog/blog_0x30.html). 
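Review bot: the root-user block does not do what the prose above it says. `$(getconf DARWIN_USER_CACHE_DIR)` is expanded by the invoking user's shell before `sudo` runs, so every `sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/...` line removes files from the same per-user cache directory as the non-root block, not root's, and the `sudo getconf DARWIN_USER_CACHE_DIR` form the text mentions is never actually used. Since the hunk already rewrites every line, change them to `sudo rm -rfv $(sudo getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/...`, or run the whole block under `sudo sh -c '...'` so the substitution happens as root.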
@@ -1533,11 +1521,11 @@ Also see ['quicklook' cache may leak encrypted data](https://objective-see.com/b To clear Finder preferences: ```console -$ defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions -$ defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders -$ defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations -$ defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches -$ defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches +defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions +defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders +defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations +defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches +defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches ``` Additional diagnostic files may be found in the following directories - but caution should be taken before removing any, as it may break logging or cause other issues: 
@@ -1553,76 +1541,76 @@ Additional diagnostic files may be found in the following directories - but caut macOS stored preferred Wi-Fi data (including credentials) in NVRAM. To clear it, use the following commands: ```console -$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network -$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks -$ sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count +sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network +sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks +sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count ``` macOS may collect sensitive information about what you type, even if user dictionary and suggestions are off. To remove them, and prevent them from being created again, use the following commands: ```console -$ rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*" -$ chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions -$ chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions +rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*" +chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions +chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions ``` QuickLook application support metadata can be cleared and locked with the following commands: ```console -$ rm -rfv "~/Library/Application Support/Quick Look/*" -$ chmod -R 000 "~/Library/Application Support/Quick Look" -$ chflags -R uchg "~/Library/Application Support/Quick Look" +rm -rfv "~/Library/Application Support/Quick Look/*" +chmod -R 000 "~/Library/Application Support/Quick Look" +chflags -R uchg "~/Library/Application Support/Quick Look" ``` Document revision metadata is stored in `/.DocumentRevisions-V100` and can be cleared and locked with the following commands - caution should be taken as this may 
break some core Apple applications: ```console -$ sudo rm -rfv /.DocumentRevisions-V100/* -$ sudo chmod -R 000 /.DocumentRevisions-V100 -$ sudo chflags -R uchg /.DocumentRevisions-V100 +sudo rm -rfv /.DocumentRevisions-V100/* +sudo chmod -R 000 /.DocumentRevisions-V100 +sudo chflags -R uchg /.DocumentRevisions-V100 ``` Saved application state metadata may be cleared and locked with the following commands: ```console -$ rm -rfv "~/Library/Saved Application State/*" -$ rm -rfv "~/Library/Containers//Saved Application State" -$ chmod -R 000 "~/Library/Saved Application State/" -$ chmod -R 000 "~/Library/Containers//Saved Application State" -$ chflags -R uchg "~/Library/Saved Application State/" -$ chflags -R uchg "~/Library/Containers//Saved Application State" +rm -rfv "~/Library/Saved Application State/*" +rm -rfv "~/Library/Containers//Saved Application State" +chmod -R 000 "~/Library/Saved Application State/" +chmod -R 000 "~/Library/Containers//Saved Application State" +chflags -R uchg "~/Library/Saved Application State/" +chflags -R uchg "~/Library/Containers//Saved Application State" ``` Autosave metadata can be cleared and locked with the following commands: ```console -$ rm -rfv "~/Library/Containers//Data/Library/Autosave Information" -$ rm -rfv "~/Library/Autosave Information" -$ chmod -R 000 "~/Library/Containers//Data/Library/Autosave Information" -$ chmod -R 000 "~/Library/Autosave Information" -$ chflags -R uchg "~/Library/Containers//Data/Library/Autosave Information" -$ chflags -R uchg "~/Library/Autosave Information" +rm -rfv "~/Library/Containers//Data/Library/Autosave Information" +rm -rfv "~/Library/Autosave Information" +chmod -R 000 "~/Library/Containers//Data/Library/Autosave Information" +chmod -R 000 "~/Library/Autosave Information" +chflags -R uchg "~/Library/Containers//Data/Library/Autosave Information" +chflags -R uchg "~/Library/Autosave Information" ``` The Siri analytics database, which is created even if the Siri launch agent disabled, 
can be cleared and locked with the following commands: ```console -$ rm -rfv ~/Library/Assistant/SiriAnalytics.db -$ chmod -R 000 ~/Library/Assistant/SiriAnalytics.db -$ chflags -R uchg ~/Library/Assistant/SiriAnalytics.db +rm -rfv ~/Library/Assistant/SiriAnalytics.db +chmod -R 000 ~/Library/Assistant/SiriAnalytics.db +chflags -R uchg ~/Library/Assistant/SiriAnalytics.db ``` `~/Library/Preferences/com.apple.iTunes.plist` contains iTunes metadata. Recent iTunes search data may be cleared with the following command: ```console -$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches +defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches ``` If you do not use Apple ID-linked services, the following keys may be cleared, too, using the following commands: ```console -$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo -$ defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID +defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo +defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID ``` All media played in QuickTime Player can be found in: 
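Review bot: the `rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*"` line, and likewise `rm -rfv "~/Library/Application Support/Quick Look/*"` and `rm -rfv "~/Library/Saved Application State/*"`, are no-ops: inside double quotes neither `~` nor `*` is expanded, so the shell looks for a file literally named `~/Library/LanguageModeling/*` and removes nothing. The `chmod -R 000 "~/Library/..."` and `chflags -R uchg "~/Library/..."` lines have the same tilde problem. Since this hunk rewrites every line anyway, fix the quoting at the same time, e.g. `rm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*` and `rm -rfv ~/"Library/Application Support/Quick Look"/*`. Separately, `~/Library/Containers//Saved Application State` and `~/Library/Containers//Data/Library/Autosave Information` contain an empty path component, which looks like a missing per-app container name; confirm what was intended before these lines are copied verbatim. Minor: the context line `macOS stored preferred Wi-Fi data` should read `stores`.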
@@ -1641,60 +1629,21 @@ Additional metadata may exist in the following files: ## Passwords -Generate strong passwords with several programs or directly from [`/dev/urandom`](https://github.com/jedisct1/libsodium/issues/594): +Generate strong passwords using any of the following utilities: ```console -$ openssl rand -base64 30 -qb8ZWbUU2Ri3FOAPY/1wKSFAJwMXmpQM4mZU4YbO +openssl rand -base64 30 -$ gpg --gen-random -a 0 90 | fold -w 40 -3e+kfHOvovHVXxZYPgu+OOWQ1g1ttbljr+kNGv7f -loD//RsjUXYGIjfPM/bT0itsoEstyGLVUsFns8wP -zYM8VRBga+TsnxWrS7lWKfH1uvVPowzkq9kXCdvJ +gpg --gen-random -a 0 90 | fold -w 40 -$ LANG=C tr -dc 'A-F0-9' < /dev/urandom | fold -w 40 | head -n 5 -45D0371481EE5E5A5C1F68EA59E69F9CA52CB321 -A30B37A00302643921F205621B145E7EAF520164 -B6EF38A2DA1D0586D20105502AFFF0468EA5F16A -029D6EA9F76CD64D3356E342EA154BEFEBE23387 -07F468F0569579A0A06471247CABC4F4C1386E24 - -$ tr -dc '[:alnum:]' < /dev/urandom | fold -w 40 | head -n5 -zmj8S0iuxud8y8YHjzdg7Hefu6U1KAYBiLl3aE8v -nCNpuMkWohTjQHntTzbiLQJG5zLzEHWSWaYSwjtm -R2L6M909S3ih852IkJqQFMDawCiHcpPBxlllAPrt -aZOXKVUmxhzQwVSYb6nqAbGTVMFSJOLf094bFZAb -HfgwSNlkVBXwIPQST6E6x6vDNCCasMLSSOoTUfSK - -$ tr -dc '[:lower:]' < /dev/urandom | fold -w 40 | head -n5 -gfvkanntxutzwxficgvavbwdvttexdezdftvvtmn -lgrsuiugwkqbtbkyggcbpbqlynwbiyxzlabstqcf -ufctdlsbyonkowzpmotxiksnsbwdzkjrjsupoqvr -hjwibdjxtmuvqricljayzkgdfztcmapsgwsubggr -bjstlmvwjczakgeetkbmwbjnidbeaerhaonpkacg - -$ tr -dc '[:upper:]' < /dev/urandom | fold -w 40 | head -n5 -EUHZMAOBOLNFXUNNDSTLJTPDCPVQBPUEQOLRZUQZ -HVNVKBEPAAYMXRCGVCNEZLFHNUYMRYPTWPWOOZVM -TAHEUPQJTSYQVJVYSKLURESMKWEZONXLUDHWQODB -PRDITWMAXXZLTRXEEOGOSGAWUXYDGDRJYRHUWICM -VHERIQBLBPHSIUZSGYZRDHTNAPUGJMRODIKBWZRJ - -$ tr -dc '[:graph:]' < /dev/urandom | fold -w 40 | head -n5 -n\T2|zUz:\C,@z9!#p3!B/[t6m:B94}q&t(^)Ol~ -J%MMDbAgGdP}zrSQO!3mrP3$w!.[Ng_xx-_[C<3g -^)6V&*<2"ZOgU.mBd]iInvFKiT Date: Sat, 10 Feb 2024 13:04:33 -0800 Subject: [PATCH 167/476] remove openssl, obsolete links, add signal --- README.md | 108 
+++++++++++++++++++----------------------------------- 1 file changed, 38 insertions(+), 70 deletions(-) diff --git a/README.md b/README.md index e3c73953..4d95da39 100755 --- a/README.md +++ b/README.md @@ -39,7 +39,6 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se - [Test DNSSEC validation](#test-dnssec-validation) - [Captive portal](#captive-portal) - [Certificate authorities](#certificate-authorities) -- [OpenSSL](#openssl) - [Web](#web) * [Privoxy](#privoxy) * [Browser](#browser) @@ -733,9 +732,9 @@ Remember to periodically run `brew upgrade` on trusted and secure networks to do According to [Homebrew's Anonymous Analytics](https://docs.brew.sh/Analytics), Homebrew gathers anonymous analytics and reports these to a self-hosted InfluxDB instance. -To opt out of Homebrew's analytics, you can set `export HOMEBREW_NO_ANALYTICS=1` in your environment or shell rc file, or use `brew analytics off`. +To opt out of Homebrew's analytics, you can set `export HOMEBREW_NO_ANALYTICS=1` in your environment or shell rc file, or use `brew analytics off` -You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` and `HOMEBREW_CASK_OPTS=--require-sha`. +You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` and `HOMEBREW_CASK_OPTS=--require-sha` ## DNS 
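Review bot: this hunk removes the terminal period from `...or use \`brew analytics off\`` and from `...and \`HOMEBREW_CASK_OPTS=--require-sha\``, turning complete sentences into fragments while the neighbouring sentences in the same paragraph keep theirs. If the intent is to stop a reader copying a trailing `.` along with the command, that is already handled because the period sits outside the backticks, so restore the periods. Removing the `- [OpenSSL](#openssl)` TOC entry is consistent with the section deletion later in the patch.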
@@ -749,7 +748,9 @@ DNS profiles [can be created](https://dns.notjakob.com/) or obtained from provid Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known malware, advertising or otherwise unwanted domains. - Edit the hosts file as root, for example with `sudo vi /etc/hosts`. The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask). + Edit the hosts file as root, for example with `sudo vi /etc/hosts` + +The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask). To block a domain by `A` record, append any one of the following lines to `/etc/hosts`: @@ -835,7 +836,7 @@ block drop quick on !lo0 proto udp from any to any port = 53 block drop quick on !lo0 proto tcp from any to any port = 53 ``` -See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html) and [ipv6-test.com](http://ipv6-test.com/). +See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html) and [ipv6-test.com](http://ipv6-test.com/) #### Dnsmasq 
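Review bot: the new line ` Edit the hosts file as root, for example with \`sudo vi /etc/hosts\`` keeps the leading space from the old line and again drops the sentence's period; the same period removal is applied to the `See also [What is a DNS leak]... and [ipv6-test.com](http://ipv6-test.com/)` line. Strip the leading space and restore the periods so the paragraph reads like the rest of the DNS section. Splitting the gasmask pointer into its own paragraph is fine.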
@@ -936,34 +937,6 @@ Disable certificate authorities through Keychain Access by marking them as **Nev The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). -## OpenSSL - -**Note** This section [may be out of date](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/356). - -The version of OpenSSL in Sierra is `0.9.8zh` which is [not current](https://apple.stackexchange.com/questions/200582/why-is-apple-using-an-older-version-of-openssl). It doesn't support TLS 1.1 or newer, elliptic curve ciphers, and [more](https://stackoverflow.com/questions/27502215/difference-between-openssl-09-8z-and-1-0-1). - -Since Apple's official supported TLS library on macOS is [Secure Transport](https://developer.apple.com/documentation/security/secure_transport), OpenSSL **deprecated** is considered deprecated (according to the [Cryptographic Services Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html). Apple's version of OpenSSL may also have patches which may [surprise you](https://hynek.me/articles/apple-openssl-verification-surprises/). - -If you're going to use OpenSSL on your Mac, download and install a recent version of OpenSSL with `brew install openssl`. Note, linking brew to be used in favor of `/usr/bin/openssl` may interfere with built-in software. See [issue #39](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/39). 
- -Compare the TLS protocol and cipher between the homebrew version and the system version of OpenSSL: - -```console -$ ~/homebrew/bin/openssl version; echo | ~/homebrew/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session -OpenSSL 1.0.2j 26 Sep 2016 -SSL-Session: - Protocol : TLSv1.2 - Cipher : ECDHE-RSA-AES128-GCM-SHA256 - -$ /usr/bin/openssl version; echo | /usr/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session -OpenSSL 0.9.8zh 14 Jan 2016 -SSL-Session: - Protocol : TLSv1 - Cipher : AES128-SHA -``` - -See also [Comparison of TLS implementations](https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations), [How's My SSL](https://www.howsmyssl.com/) and [Qualys SSL Labs Tools](https://www.ssllabs.com/projects/). - ## Web ### Privoxy @@ -1322,6 +1295,8 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( ## OTR +**Note** Strongly consider using [Signal](https://github.com/signalapp/Signal-Desktop) instead. + OTR stands for **off-the-record** and is a cryptographic protocol for encrypting and authenticating conversations over instant messaging. You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat service, even Google Hangouts (which only encrypts conversations between users and the server using TLS). 
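Review bot: deleting the whole OpenSSL section also deletes the one caveat that is not tied to the stale `0.9.8zh` / `1.0.2j` version figures: that linking a Homebrew `openssl` ahead of `/usr/bin/openssl` "may interfere with built-in software" (issue #39), and the `echo | openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session` check used to compare the negotiated protocol and cipher of two builds. The TOC entry is removed consistently, which is good; consider keeping one sentence with the issue #39 pointer (under Certificate authorities or Web) so that guidance is not lost together with the outdated numbers. The added `**Note** Strongly consider using [Signal](...) instead.` at the top of the OTR section reads fine.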
@@ -1465,11 +1440,11 @@ Other metadata and artifacts may be found in the directories including, but not `/Library/Preferences/com.apple.Bluetooth.plist` contains Bluetooth metadata, including device history. If Bluetooth is not used, the metadata can be cleared with: ```console -$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache -$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices -$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices -$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces -$ sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist DeviceCache +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces +sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices ``` `/var/spool/cups` contains the CUPS printer job cache. To clear it, use the commands: 
@@ -1645,17 +1620,17 @@ GnuPG can also be used to manage password files (see [drduh/Purse](https://githu In addition to passwords, ensure eligible online accounts, such as GitHub, Google accounts, banking, have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. -[Yubikey](https://www.yubico.com/products/) offers affordable hardware tokens. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example). +[Yubikey](https://www.yubico.com/products/) offers affordable hardware tokens. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey slots can also be programmed to emit a long, static password - which can be used in combination with a short, memorized password, for example. -In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). Yubikey are a bit pricey, there is cheaper alternative, but not as capable, [U2F Zero](https://www.u2fzero.com/). +In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). [U2F Zero](https://u2fzero.com/) is a Yubikey alternative to consider. ## Backup Always encrypt files locally before backing them up to external media or online services. -One way is to use a symmetric cipher with GPG and a password of your choosing. Files can also be encrypted to a public key with GPG, with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide). 
+One way is to use a GPG with a static password or your own public key (with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide)). -To compress and encrypt a directory: +To compress and encrypt a directory using a password: ```console $ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg @@ -1727,9 +1702,7 @@ This is a privacy risk, so remove networks from the list in **System Preferences Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) and [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf). -Saved Wi-Fi information (SSID, last connection, etc.) can be found in: - - /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist +Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` You may want to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of the network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: 
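Review bot: `One way is to use a GPG with a static password or your own public key` is ungrammatical (`a GPG`) and less precise than the line it replaces: `static password` does not convey that the `gpg -c` in the following command is symmetric encryption, which is the point of the contrast with encrypting to a public key. Suggest: `One way is to encrypt with GPG, either symmetrically with a password (\`gpg -c\`) or to your own public key, with the private key stored on YubiKey.` In the same hunk, `In Addition to Login and other PAMs` should be `In addition to login and other PAMs`, and `[U2F Zero](https://u2fzero.com/) is a Yubikey alternative to consider` drops the old `not as capable` qualifier without replacing it; if the comparison no longer holds say so, otherwise keep it so the reader knows what they give up.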
@@ -1785,15 +1758,15 @@ $ sudo lsof -Pni TCP:22 ## Physical access -Keep your Mac physically secure at all times. Don't leave it unattended in public spaces, such as hotels. +Keep your Mac physically secure at all times and do not leave it unattended in public. -A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password, for example - see [Thunderstrike](https://trmm.net/Thunderstrike). +A skilled attacker with unsupervised physical access can infect the boot ROM to install a keylogger and steal passwords. See [Thunderstrike](https://trmm.net/Thunderstrike) for example. To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app), [usbkill](https://github.com/hephaest0s/usbkill) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. -Consider purchasing a [privacy filter](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook) for your screen to thwart shoulder surfers. +Consider purchasing a privacy screen/filter for use in public. -Superglues or epoxy resins can also be used to disable physical access to computer ports. [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. +Superglue or epoxy resin can be used to disable physical access to peripheral ports. [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. ## System monitoring 
@@ -2102,7 +2075,7 @@ Google Chrome should now launch, and subsequent updates to the application will To disable "Lockdown" mode: ```console -$ sudo defaults delete /var/db/santa/config.plist ClientMode +sudo defaults delete /var/db/santa/config.plist ClientMode ``` See `/var/log/santa.log` to monitor ALLOW and DENY execution decisions. 
@@ -2124,47 +2097,45 @@ If you want to use **torrents**, use [Transmission](https://www.transmissionbt.c Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote file systems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended file handlers to manage: ```console -$ duti -s com.apple.Safari afp +duti -s com.apple.Safari afp -$ duti -s com.apple.Safari ftp +duti -s com.apple.Safari ftp -$ duti -s com.apple.Safari nfs +duti -s com.apple.Safari nfs -$ duti -s com.apple.Safari smb +duti -s com.apple.Safari smb -$ duti -s com.apple.TextEdit public.unix-executable +duti -s com.apple.TextEdit public.unix-executable ``` Monitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands. -In systems prior to macOS Sierra (10.12), enable the [tty_tickets flag](https://derflounder.wordpress.com/2016/09/21/tty_tickets-option-now-on-by-default-for-macos-sierras-sudo-tool/) in `/etc/sudoers` to restrict the sudo session to the Terminal window/tab that started it. To do so, use `sudo visudo` and add the line `Defaults tty_tickets`. - Set your screen to lock as soon as the screensaver starts: ```console -$ defaults write com.apple.screensaver askForPassword -int 1 +defaults write com.apple.screensaver askForPassword -int 1 -$ defaults write com.apple.screensaver askForPasswordDelay -int 0 +defaults write com.apple.screensaver askForPasswordDelay -int 0 ``` Expose hidden files and Library folder in Finder: ```console -$ defaults write com.apple.finder AppleShowAllFiles -bool true +defaults write com.apple.finder AppleShowAllFiles -bool true -$ chflags nohidden ~/Library +chflags nohidden ~/Library ``` Show all filename extensions (so that "Evil.jpg.app" cannot masquerade easily). 
```console -$ defaults write NSGlobalDomain AppleShowAllExtensions -bool true +defaults write NSGlobalDomain AppleShowAllExtensions -bool true ``` Don't default to saving documents to iCloud: ```console -$ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false +defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false ``` Enable [Secure Keyboard Entry](https://security.stackexchange.com/questions/47749/how-secure-is-secure-keyboard-entry-in-mac-os-xs-terminal) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secureinput)). @@ -2172,13 +2143,13 @@ Enable [Secure Keyboard Entry](https://security.stackexchange.com/questions/4774 Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple): ```console -$ defaults write com.apple.CrashReporter DialogType none +defaults write com.apple.CrashReporter DialogType none ``` Disable Bonjour [multicast advertisements](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): ```console -$ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES +sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES ``` [Disable Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) and Bluetooth features, if they aren't necessary. @@ -2204,7 +2175,7 @@ export HOME=/Users/blah Set a [custom umask](https://support.apple.com/en-us/HT201684): ```console -$ sudo launchctl config user umask 077 +sudo launchctl config user umask 077 ``` Reboot, create a file in Finder and verify its permissions (macOS default allows 'group/other' read access): 
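Review bot: now that the `$ ` prompts are gone, the blank line between each `duti -s com.apple.Safari ...` command, between the two `defaults write com.apple.screensaver ...` commands and between `defaults write com.apple.finder AppleShowAllFiles -bool true` and `chflags nohidden ~/Library` no longer separates prompt lines; it just splits a block that is meant to be pasted as one unit. Collapse each of these into a single contiguous block, as the CUPS and Bluetooth blocks in this series already are. Removing the pre-10.12 `tty_tickets` paragraph is reasonable given the linked post's own title says the option is on by default since Sierra.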
@@ -2221,13 +2192,10 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - Scan for applications that are either susceptible to dylib hijacking or have been hijacked. * [Lockdown](https://objective-see.com/products/lockdown.html) - Audits and remediates security configuration settings. * [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). -* [facebook/osquery](https://github.com/facebook/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. +* [osquery](https://github.com/osquery/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. * [google/grr](https://github.com/google/grr) - Incident response framework focused on remote live forensics. -* [jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - Analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names. -* [kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - Checks your OSX machine against various hardened configuration settings. * [libyal/libfvde](https://github.com/libyal/libfvde) - Library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. * [stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. -* [yelp/osxcollector](https://github.com/yelp/osxcollector) - Forensic evidence collection & analysis toolkit for OS X. 
* [The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. * [Pareto Security](https://paretosecurity.app/) - A MenuBar app to automatically audit your Mac for basic security hygiene. From 54e7ffc88aae0d3fcb6576e05100fd16bb7e267e Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 10 Feb 2024 13:37:40 -0800 Subject: [PATCH 168/476] easier to copy commands --- README.md | 209 ++++++++++++++++++++++++------------------------------ 1 file changed, 91 insertions(+), 118 deletions(-) diff --git a/README.md b/README.md index 4d95da39..f193a2ac 100755 --- a/README.md +++ b/README.md 
@@ -90,22 +90,18 @@ Standard security best practices apply: * Assure data availability * Create [regular backups](https://www.amazon.com/o/ASIN/0596102461/backupcentral) of your data and be ready to format and re-install the operating system in case of compromise. - * Always encrypt locally before copying backups to external media or the "cloud". - * Verify backups work by testing them regularly, for example by accessing certain files or performing a hash based comparison. + * Encrypt locally before copying backups to external media or the "cloud". + * Verify backups by accessing them regularly. * Click carefully - * Ultimately, the security of a system can be reduced to its administrator. + * Ultimately, the security of a system depends on the capabilities of its administrator. * Care should be taken when installing new software. Always prefer [free](https://www.gnu.org/philosophy/free-sw.en.html) and open source software ([which macOS is not](https://superuser.com/questions/19492/is-mac-os-x-open-source)). ## Preparing and installing macOS There are several ways to install macOS. -The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by holding `Command` and `R` keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the serial number and other identifying information over the network in plain text, which may not be desired for privacy reasons. - -PII is transmitted to Apple in plain text when using macOS Recovery - -*Packet capture of an unencrypted HTTP conversation during macOS recovery* +The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by holding `Command` and `R` keys at boot. A system image can be downloaded and applied directly from Apple. However, this may expose identifying information. 
An alternative way to install macOS is to first download the latest version of macOS (**Latest: macOS Ventura**) from Apple via the [App Store](https://apps.apple.com/us/app/macos-ventura/id1638787999) and create a custom installable system image. @@ -185,24 +181,19 @@ Internal requirements count=1 size=88 Instead of booting from the network or using target disk mode, a bootable macOS installer can be made with the `createinstallmedia` utility included in `Contents/Resources` folder of the installer application bundle. See [Create a bootable installer for macOS](https://support.apple.com/en-us/HT201372), or run the utility without arguments to see how it works. -To create a **bootable USB installer**, mount a USB drive, and erase and partition it, then use the `createinstallmedia` utility: +To create a bootable USB installer, mount a USB drive, erase and partition it, then use the `createinstallmedia` utility: ```console -$ diskutil list +diskutil list [Find disk matching correct size, usually the last disk, e.g. /dev/disk2] -$ diskutil unmountDisk /dev/disk2 +diskutil unmountDisk /dev/disk2 -$ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100% +diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100% -$ cd /Applications/Install\ macOS\ Ventura.app +cd /Applications/Install\ macOS\ Ventura.app -$ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction -Erasing disk: 0%... 10%... 20%... 30%... 100% -Copying to disk: 0%... 10%... 20%... 30%... 40%... 50%... 60%... 70%... 80%... 90%... 100% -Making disk bootable... -Copying boot files... -Install media now available at "/Volumes/Install macOS Catalina" +sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction ``` [Disk Utility](https://support.apple.com/guide/disk-utility/erase-and-reformat-a-storage-device-dskutl14079/mac) can also be used to configure the storage device. 
@@ -221,25 +212,22 @@ If you don't have another Mac, boot to a USB installer, with `sierra.dmg` and ot Use the command `diskutil list` to identify the disk of the connected Mac, usually `/dev/disk2` -Optionally, [securely erase](https://www.backblaze.com/blog/securely-erase-mac-ssd/) the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as `/dev/disk3s2`): +**Optional** [securely erase](https://www.backblaze.com/blog/how-to-wipe-a-mac-hard-drive/) the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as `/dev/disk3s2`): - $ sudo diskutil secureErase freespace 1 /dev/disk3s2 + sudo diskutil secureErase freespace 1 /dev/disk3s2 Partition the disk to Journaled HFS+: ```console -$ sudo diskutil unmountDisk /dev/disk2 +sudo diskutil unmountDisk /dev/disk2 -$ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100% +sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100% ``` Restore the image to the new volume, making sure `/dev/disk2` is the disk being erased: ```console -$ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m -[...] -Erase contents of /dev/disk2s2 (/Volumes/macOS)? [ny]:y -[...] +sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m ``` The **Disk Utility** application may also be used to erase the connected disk and restore `sierra.dmg` to the newly created partition. 
@@ -264,15 +252,13 @@ f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c RecoveryHDUpda Attach and expand the installer, then run it - again ensuring `/Volumes/macOS` path is the newly created partition on the connected disk: ```console -$ hdiutil attach RecoveryHDUpdate.dmg +hdiutil attach RecoveryHDUpdate.dmg -$ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery +pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery -$ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg +hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg -$ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist -[...] -Creating recovery partition: finished +/tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist ``` Run `diskutil list` again to confirm `Recovery HD` now exists on `/dev/disk2` @@ -299,11 +285,11 @@ From the host Mac, serve the installable image to the guest VM by editing `/etc/ On the host Mac, link the image to the default Apache Web server directory: - $ sudo ln ~/sierra.dmg /Library/WebServer/Documents + sudo ln ~/sierra.dmg /Library/WebServer/Documents From the host Mac, start Apache in the foreground: - $ sudo httpd -X + sudo httpd -X From the guest VM, install the disk image to the volume over the local network using `asr`: 
@@ -339,8 +325,10 @@ If you enter your real name at the account setup process, be aware that your com Both should be verified and updated as needed in **System Preferences > Sharing** or with the following commands after installation: - $ sudo scutil --set ComputerName MacBook - $ sudo scutil --set LocalHostName MacBook +```console +sudo scutil --set ComputerName MacBook +sudo scutil --set LocalHostName MacBook +``` ## System activation @@ -387,14 +375,14 @@ Accounts can be created and managed in System Preferences. On settled systems, i Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see [issue #179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)): ```console -$ sudo dscl . -delete /Groups/admin GroupMembership -$ sudo dscl . -delete /Groups/admin GroupMembers +sudo dscl . -delete /Groups/admin GroupMembership +sudo dscl . -delete /Groups/admin GroupMembers ``` To find the **GeneratedUID** of an account: ```console -$ dscl . -read /Users/ GeneratedUID +dscl . -read /Users/ GeneratedUID ``` See also [this post](https://superuser.com/a/395738) for more information about how macOS determines group membership. 
@@ -426,8 +414,8 @@ To learn about how FileVault works, see the paper [Infiltrate the Vault: Securit **Optional** Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory: ```console -$ sudo pmset -a destroyfvkeyonstandby 1 -$ sudo pmset -a hibernatemode 25 +sudo pmset -a destroyfvkeyonstandby 1 +sudo pmset -a hibernatemode 25 ``` > All computers have firmware of some type - EFI, BIOS - to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For example, the FileVault key is stored in EFI to transparently come out of standby mode. @@ -437,10 +425,10 @@ $ sudo pmset -a hibernatemode 25 If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See [issue #124](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/124) for more information. These settings can be changed with: ```console -$ sudo pmset -a powernap 0 -$ sudo pmset -a standby 0 -$ sudo pmset -a standbydelay 0 -$ sudo pmset -a autopoweroff 0 +sudo pmset -a powernap 0 +sudo pmset -a standby 0 +sudo pmset -a standbydelay 0 +sudo pmset -a autopoweroff 0 ``` For more information, see paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) 
@@ -466,16 +454,13 @@ The firmware password will activate at next boot. To validate the password, hold The firmware password can also be managed with the `firmwarepasswd` utility while booted into the OS. For example, to prompt for the firmware password when attempting to boot from a different volume: ```console -$ sudo firmwarepasswd -setpasswd -setmode command +sudo firmwarepasswd -setpasswd -setmode command ``` To verify the firmware password: ```console -$ sudo firmwarepasswd -verify -Verifying Firmware Password -Enter password: -Correct +sudo firmwarepasswd -verify ``` A firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. @@ -505,14 +490,11 @@ It can be controlled by the **Firewall** tab of **Security & Privacy** in **Syst Enable the firewall with logging and stealth mode: ```console -$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on -Firewall is enabled. (State = 1) +sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on -$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on -Turning on log mode +sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on -$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on -Stealth mode enabled +sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on ``` > Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using **stealth mode**. When stealth mode is enabled, your computer does not respond to ICMP ping requests, and does not answer to connection attempts from a closed TCP or UDP port. This makes it more difficult for attackers to find your computer. 
@@ -520,11 +502,9 @@ Stealth mode enabled To prevent *built-in software* as well as *code-signed, downloaded software from being whitelisted automatically*: ```console -$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off -Disabled allow signed built-in applications automatically +sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off -$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off -Disabled allow signed downloaded applications automatically +sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off ``` > Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in macOS are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall. @@ -534,7 +514,7 @@ Disabled allow signed downloaded applications automatically After interacting with `socketfilterfw`, restart the process by sending a line hangup signal: ```console -$ sudo pkill -HUP socketfilterfw +sudo pkill -HUP socketfilterfw ``` ### Third party firewalls @@ -594,13 +574,13 @@ It is possible to use the pf firewall to block network access to entire ranges o Query [Merit RADb](https://www.radb.net/) for the list of networks in use by an autonomous system, like [Facebook](https://ipinfo.io/AS32934): ```console -$ whois -h whois.radb.net '!gAS32934' +whois -h whois.radb.net '!gAS32934' ``` Copy and paste the list of networks returned into the blocklist command: ```console -$ sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16 +sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16 ``` Confirm the addresses were added: 
@@ -658,7 +638,7 @@ You can also run [KnockKnock](https://objective-see.com/products/knockknock.html For example, to learn what a system launch daemon or agent does, start with: ```console -$ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist +defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist ``` Look at the `Program` or `ProgramArguments` section to see which binary is run, in this case `apsd`. To find more information about that, look at the man page with `man apsd` @@ -666,7 +646,7 @@ Look at the `Program` or `ProgramArguments` section to see which binary is run, For example, if you're not interested in Apple Push Notifications, disable the service: ```console -$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist +sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist ``` **Note** Unloading services may break usability of some applications. Read the manual pages and use Google to make sure you understand what you're doing first. @@ -678,7 +658,7 @@ Use [Console](https://en.wikipedia.org/wiki/List_of_macOS_components#Console) an To view the status of services: ```console -$ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null +find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null ``` Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository. 
@@ -721,7 +701,7 @@ Consider using [Homebrew](https://brew.sh/) to make software installations easie [Install Homebrew](https://github.com/Homebrew/brew/blob/master/docs/Installation.md#installation): ```console -$ mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew +mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew ``` Edit `PATH` in your shell or shell rc file to use `~/homebrew/bin` and `~/homebrew/sbin`. For example, `echo 'PATH=$PATH:~/homebrew/sbin:~/homebrew/bin' >> .zshrc`, then change your login shell to Z shell with `chsh -s /bin/zsh`, open a new Terminal window and run `brew update`. @@ -772,16 +752,10 @@ Here are some popular and useful hosts lists: * [StevenBlack/hosts](https://github.com/StevenBlack/hosts) * [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts) -Append a list of hosts with the `tee` command and confirm only non-routable addresses or comments were added: +Append a list of hosts with `tee`: ```console -$ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts - -$ wc -l /etc/hosts -65580 - -$ egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::" /etc/hosts | sort | uniq | egrep -e "[1,2]|::" -[No output] +curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts ``` #### dnscrypt @@ -793,13 +767,13 @@ To encrypt DNS traffic, consider using [DNSCrypt/dnscrypt-proxy](https://github. Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: ```console -$ brew install dnscrypt-proxy +brew install dnscrypt-proxy ``` If using in combination with Dnsmasq, find the file `homebrew.mxcl.dnscrypt-proxy.plist` by running ```console -$ brew info dnscrypt-proxy +brew info dnscrypt-proxy ``` which will show a location like `/usr/local/etc/dnscrypt-proxy.toml` 
@@ -813,7 +787,7 @@ listen_addresses = ['127.0.0.1:5355', '[::1]:5355'] Start DNSCrypt: ```console -$ sudo brew services restart dnscrypt-proxy +sudo brew services restart dnscrypt-proxy ``` Confirm DNSCrypt is running: 
@@ -846,18 +820,18 @@ Use in combination with DNSCrypt to additionally encrypt DNS traffic. If you don't wish to use DNSCrypt, you should at least use DNS [not provided](https://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html) [by your ISP](https://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking/). Two popular alternatives are [Google DNS](https://developers.google.com/speed/public-dns/) and [OpenDNS](https://www.opendns.com/home-internet-security/). -**(Optional)** [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root-zone. The current root-zone trust anchors may be downloaded [from IANA website](https://www.iana.org/dnssec/files). There are a number of resources on DNSSEC, but probably the best one is [dnssec.net website](https://www.dnssec.net). +**Optional** [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root-zone. The current root-zone trust anchors may be downloaded [from IANA website](https://www.iana.org/dnssec/files). There are a number of resources on DNSSEC, but probably the best one is [dnssec.net website](https://www.dnssec.net). 
Install Dnsmasq (DNSSEC is optional): ```console -$ brew install dnsmasq --with-dnssec +brew install dnsmasq --with-dnssec ``` Download [drduh/config/dnsmasq.conf](https://github.com/drduh/config/blob/master/dnsmasq.conf): ``` -$ curl -o homebrew/etc/dnsmasq.conf https://raw.githubusercontent.com/drduh/config/master/dnsmasq.conf +curl -o homebrew/etc/dnsmasq.conf https://raw.githubusercontent.com/drduh/config/master/dnsmasq.conf ``` Edit the file and examine all the options. To block entire levels of domains, append [drduh/config/domains](https://github.com/drduh/config/tree/master/domains) or your own rules. @@ -865,13 +839,13 @@ Edit the file and examine all the options. To block entire levels of domains, ap Install and start the program (sudo is required to bind to [privileged port](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only) 53): ```console -$ sudo brew services start dnsmasq +sudo brew services start dnsmasq ``` To set Dnsmasq as your local DNS server, open **System Preferences** > **Network** and select the active interface, then the **DNS** tab, select **+** and add `127.0.0.1`, or use: ```console -$ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 +sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 ``` Confirm Dnsmasq is configured: 
@@ -917,7 +891,7 @@ When macOS connects to new networks, it checks for Internet connectivity and may It is possible to trigger the utility and direct a Mac to malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser by navigating to a non-secure HTTP page and accepting a redirect to the captive portal login interface (after disabling any custom proxy or DNS settings). ```console -$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false +sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false ``` Also see [Apple's secret "wispr" request](https://web.archive.org/web/20171008071031/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html) and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/). @@ -950,9 +924,9 @@ A signed installation package for privoxy can be downloaded from [silvester.org. Alternatively, install and start privoxy using Homebrew: ```console -$ brew install privoxy +brew install privoxy -$ brew services start privoxy +brew services start privoxy ``` Privoxy listens on local TCP port 8118 by default. 
@@ -960,13 +934,13 @@ Privoxy listens on local TCP port 8118 by default. Set the system **HTTP** proxy for your active network interface `127.0.0.1` and `8118` (This can be done through **System Preferences > Network > Advanced > Proxies**): ```console -$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118 +sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118 ``` -**(Optional)** Set the system **HTTPS** proxy, which still allows for domain name filtering, with: +**Optional** Set the system **HTTPS** proxy, which still allows for domain name filtering, with: ```console -$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118 +sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118 ``` Confirm the proxy is set: @@ -1000,9 +974,9 @@ Privoxy already comes with many good rules, however you can also write your own. Download [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) to get started: ```console -$ curl -o homebrew/etc/privoxy/config https://raw.githubusercontent.com/drduh/config/master/privoxy/config +curl -o homebrew/etc/privoxy/config https://raw.githubusercontent.com/drduh/config/master/privoxy/config -$ curl -o homebrew/etc/privoxy/user.action https://raw.githubusercontent.com/drduh/config/master/privoxy/user.action +curl -o homebrew/etc/privoxy/user.action https://raw.githubusercontent.com/drduh/config/master/privoxy/user.action ``` Restart Privoxy and verify traffic is blocked or redirected: 
@@ -1082,9 +1056,9 @@ Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [C [Safari](https://www.apple.com/safari/) is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/), whihc removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. +Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. -Similar to Chrome and Firefox, Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. 
The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. +Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 USD fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open. @@ -1165,9 +1139,9 @@ See [How can I verify Tor Browser's signature?](https://support.torproject.org/) To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with: ```console -$ hdiutil mount TorBrowser-8.0.4-osx64_en-US.dmg +hdiutil mount TorBrowser-8.0.4-osx64_en-US.dmg -$ cp -r /Volumes/Tor\ Browser/Tor\ Browser.app/ ~/Applications/ +cp -r /Volumes/Tor\ Browser/Tor\ Browser.app/ ~/Applications/ ``` 
@@ -1286,7 +1260,7 @@ If you prefer a graphical application, download and install [GPG Suite](https:// Download [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) to use recommended settings: ```console -$ curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf +curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf ``` See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely generate and store GPG keys. @@ -1346,7 +1320,7 @@ See also [Gatekeeper, XProtect and the Quarantine attribute](https://ilostmynote **Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. To examine the file, simply use `strings` or the following command: ```console -$ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, ' \ +echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, ' \ 'LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | \ sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 ``` @@ -1354,9 +1328,9 @@ $ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQua To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and make it immutable: ```console -$ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 +:>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 -$ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 +sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 ``` Alternatively, you can also disable Gatekeeper using the following command: 
@@ -1425,12 +1399,11 @@ com.apple.quarantine: 0081;58519ffa;Google Chrome.app;1F032CAB-F5A1-4D92-84EB-CB Metadata attributes can also be removed with the `-d` flag: ```console -$ xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg +xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg -$ xattr -d com.apple.quarantine ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg +xattr -d com.apple.quarantine ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg -$ xattr -l ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg -[No output expected] +xattr -l ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg ``` Other metadata and artifacts may be found in the directories including, but not limited to, `~/Library/Preferences/`, `~/Library/Containers//Data/Library/Preferences`, `/Library/Preferences`, some of which is detailed below. @@ -1707,7 +1680,7 @@ Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/ You may want to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of the network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: ```console -$ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') +sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') ``` macOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all. 
@@ -1725,17 +1698,17 @@ You can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/20 For example, to use Privoxy running on a remote host port 8118: ```console -$ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld +ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld -$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555 +sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555 -$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 +sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 ``` Or to use an ssh connection as a [SOCKS proxy](https://www.mikeash.com/ssh_socks.html): ```console -$ ssh -NCD 3000 you@remote-host.tld +ssh -NCD 3000 you@remote-host.tld ``` By default, macOS does **not** have sshd or *Remote Login* enabled. @@ -1743,7 +1716,7 @@ By default, macOS does **not** have sshd or *Remote Login* enabled. To enable sshd and allow incoming ssh connections: ```console -$ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist +sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist ``` Or use the **System Preferences** > **Sharing** menu. @@ -1753,7 +1726,7 @@ If enabling sshd, be sure to disable password authentication and consider furthe Confirm whether sshd is running: ```console -$ sudo lsof -Pni TCP:22 +sudo lsof -Pni TCP:22 ``` ## Physical access @@ -1814,13 +1787,13 @@ You can also view processes with **Activity Monitor**. List open network files: ```console -$ sudo lsof -Pni +sudo lsof -Pni ``` List contents of various network-related data structures: ```console -$ sudo netstat -atln +sudo netstat -atln ``` [Wireshark](https://www.wireshark.org/) can be used from the command line with `tshark`. @@ -1828,7 +1801,7 @@ $ sudo netstat -atln Monitor DNS queries and replies: ```console -$ tshark -Y "dns.flags.response == 1" -Tfields \ +tshark -Y "dns.flags.response == 1" -Tfields \ -e frame.time_delta \ -e dns.qry.name \ -e dns.a \ 
@@ -1838,7 +1811,7 @@ $ tshark -Y "dns.flags.response == 1" -Tfields \ Monitor HTTP requests and responses: ```console -$ tshark -Y "http.request or http.response" -Tfields \ +tshark -Y "http.request or http.response" -Tfields \ -e ip.dst \ -e http.request.full_uri \ -e http.request.method \ @@ -1850,7 +1823,7 @@ $ tshark -Y "http.request or http.response" -Tfields \ Monitor x509 (SSL/TLS) certificates: ```console -$ tshark -Y "ssl.handshake.certificate" -Tfields \ +tshark -Y "ssl.handshake.certificate" -Tfields \ -e ip.src \ -e x509sat.uTF8String \ -e x509sat.printableString \ @@ -1875,9 +1848,9 @@ Santa uses the [Kernel Authorization API](https://developer.apple.com/library/co To install Santa, visit the [Releases](https://github.com/google/santa/releases) page and download the latest disk image, the mount it and install the contained package: ```console -$ hdiutil mount ~/Downloads/santa-0.9.20.dmg +hdiutil mount ~/Downloads/santa-0.9.20.dmg -$ sudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt / +sudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt / ``` By default, Santa installs in "Monitor" mode (meaning, nothing gets blocked, only logged) and comes with two rules: one for Apple binaries and another for Santa software itself. From e2ccad1c693b1f0f54ec7bddf7139ed8d06e6720 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 15 Feb 2024 05:50:43 -0600 Subject: [PATCH 169/476] Update Firmware/Full Disk Encryption Sections --- README.md | 92 +++---------------------------------------------------- 1 file changed, 5 insertions(+), 87 deletions(-) diff --git a/README.md b/README.md index f193a2ac..9237d414 100755 --- a/README.md +++ b/README.md 
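Review bot: the backup bullet in the @@ -90,22 hunk drops the only concrete integrity check; "Verify backups by accessing them regularly" no longer tells the reader to compare hashes, which is what catches silent corruption or a tampered backup. Suggest keeping that detail, e.g. "* Verify backups by accessing them regularly and comparing hashes of restored files against the originals." The same hunk replaces the Recovery note ("PII is transmitted to Apple in plain text when using macOS Recovery", with the packet-capture caption) with "this may expose identifying information", which loses both what is exposed (the serial number) and why (unencrypted HTTP); keep at least those two facts so the privacy trade-off remains clear.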
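Review bot: removing the `$` prompts in the createinstallmedia block (@@ -185,24 hunk) leaves the bracketed note "[Find disk matching correct size, usually the last disk, e.g. /dev/disk2]" inside the fenced console block with nothing to distinguish it from a command, so a reader copying the block pastes it into a shell. Suggest moving it out of the fence as a sentence or prefixing it with `#` so it is a comment. Dropping the sample output also removes the stale "Install media now available at "/Volumes/Install macOS Catalina"" line, which is a good cleanup given the Ventura path above it.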
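Review bot: the @@ -505,14 and @@ -520,11 hunks delete the confirmation lines ("Firewall is enabled. (State = 1)", "Stealth mode enabled", "Disabled allow signed built-in applications automatically") that told the reader what success looks like, and nothing replaces them. Since the commands are now bare, suggest adding a verification step after them, e.g. `sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` and `--getstealthmode`, so the state can still be confirmed before the `pkill -HUP socketfilterfw` step. The same applies to the @@ -466,16 hunk, where `firmwarepasswd -verify` no longer shows its "Correct" response.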
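Review bot: the @@ -772,16 hunk removes the safety check that followed the `tee -a /etc/hosts` append ("confirm only non-routable addresses or comments were added", with the `wc -l` and `egrep -ve "^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::"` lines). That check is what catches a hosts list mapping names to routable addresses, the one way an upstream list can hijack rather than block traffic; since the hunk still pipes an unverified download straight into /etc/hosts under sudo, suggest keeping the two verification lines rather than dropping them.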
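Review bot: since the @@ -846,18 hunk touches the `brew install dnsmasq --with-dnssec` line, note that Homebrew no longer accepts per-formula install options for homebrew-core formulae, so this command fails on current Homebrew; suggest changing it to `brew install dnsmasq` and pointing readers to the DNSSEC settings in the dnsmasq.conf that the next step downloads.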
@@ -24,7 +24,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se * [Caveats](#caveats) * [Setup](#setup) - [Full disk encryption](#full-disk-encryption) -- [Firmware](#firmware) +- [Filevault](#filevault) - [Firewall](#firewall) * [Application layer firewall](#application-layer-firewall) * [Third party firewalls](#third-party-firewalls) 
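Review bot: this hunk replaces the `[Firmware](#firmware)` entry with `[Filevault](#filevault)` but keeps `[Full disk encryption](#full-disk-encryption)` directly above it, while the body hunk in the same patch renames that heading to `## FileVault` and deletes `## Firmware`, so the table of contents now links to an anchor that no longer exists. Remove the Full disk encryption entry here and spell the new one `FileVault` to match the heading's capitalization.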
@@ -387,95 +387,13 @@ dscl . -read /Users/ GeneratedUID See also [this post](https://superuser.com/a/395738) for more information about how macOS determines group membership. -## Full disk encryption +## FileVault -[FileVault](https://en.wikipedia.org/wiki/FileVault) provides full disk (technically, full _volume_) encryption on macOS. +All Mac models with Apple Silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. Your FileVault password acts as a firmware password as well. -FileVault encryption protects data at rest and hardens (but [not always prevents](https://blog.frizk.net/2016/12/filevault-password-retrieval.html)) someone with physical access from stealing data or tampering with your Mac. +FileVault protects data at rest and hardens against someone with physical access from stealing data or tampering with your Mac. -With much of the cryptographic operations happening [efficiently in hardware](https://web.archive.org/web/20180720195105/https://software.intel.com/sites/default/files/m/d/4/1/d/8/AES_WP_Rev_03_Final_2010_01_26.pdf), the performance penalty for FileVault is not noticeable. - -Like all cryptosystems, the security of FileVault greatly depends on the quality of the pseudo random number generator (PRNG). - -> The random device implements the Yarrow pseudo random number generator algorithm and maintains its entropy pool. Additional entropy is fed to the generator regularly by the SecurityServer daemon from random jitter measurements of the kernel. - -See `man 4 random` for more information. - -Turning on FileVault in System Preferences **after** installing macOS, rather than creating an encrypted partition for the installation first, is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/230), because more PRNG entropy is available then. 
- -It may be possible to increase entropy with an external source, like [OneRNG](http://onerng.info/). See [Entropy and Random Number Generators](https://calomel.org/entropy_random_number_generators.html) and [Fun with encryption and randomness](https://rsmith.home.xs4all.nl/howto/fun-with-encryption-and-randomness.html) for more information. - -Enable FileVault with `sudo fdesetup enable` or through **System Preferences** > **Security & Privacy** and reboot. - -If you can remember the password, there's no reason to save the **recovery key**. However, all encrypted data will be lost forever if without either the password or recovery key. - -To learn about how FileVault works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf). - -**Optional** Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory: - -```console -sudo pmset -a destroyfvkeyonstandby 1 -sudo pmset -a hibernatemode 25 -``` - -> All computers have firmware of some type - EFI, BIOS - to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For example, the FileVault key is stored in EFI to transparently come out of standby mode. -> -> Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn't destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode. 
- -If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See [issue #124](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/124) for more information. These settings can be changed with: - -```console -sudo pmset -a powernap 0 -sudo pmset -a standby 0 -sudo pmset -a standbydelay 0 -sudo pmset -a autopoweroff 0 -``` - -For more information, see paper [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) - -**Note** APFS may make evicting FileVault keys redundant - see discussion and links in [issue #283](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/283). - -## Firmware - -Setting a firmware password prevents a Mac from starting up from any device other than the startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. See [How to set a firmware password on your Mac](https://support.apple.com/en-au/HT204455) for official documentation. - -This feature can be helpful if your laptop is lost or stolen, protects against Direct Memory Access (DMA) attacks which can read your FileVault passwords and inject kernel modules such as [pcileech](https://github.com/ufrisk/pcileech), as the only way to reset the firmware password is through an Apple Store, or by using an [SPI programmer](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/), such as [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) or other flash IC programmer. - -1. Start up pressing `Command` and `R` keys to boot to [Recovery Mode](https://support.apple.com/en-au/HT201314) mode. -1. When the Recovery window appears, choose **Firmware Password Utility** from the Utilities menu. -1. 
In the Firmware Utility window that appears, select **Turn On Firmware Password**. -1. Enter a new password, then enter the same password in the **Verify** field. -1. Select **Set Password**. -1. Select **Quit Firmware Utility** to close the Firmware Password Utility. -1. Select Restart or Shutdown from the Apple menu in the top-left corner. - -The firmware password will activate at next boot. To validate the password, hold `Alt` during boot - you should be prompted to enter the password. - -The firmware password can also be managed with the `firmwarepasswd` utility while booted into the OS. For example, to prompt for the firmware password when attempting to boot from a different volume: - -```console -sudo firmwarepasswd -setpasswd -setmode command -``` - -To verify the firmware password: - -```console -sudo firmwarepasswd -verify -``` - -A firmware password may be bypassed by a determined attacker or Apple, with physical access to the computer. - -Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple - -*Using a [Dediprog SF600](https://www.dediprog.com/product/sf600) to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple* - -As of macOS 10.15, the `firmwarepasswd` program has a new option `-disable-reset-capability`. According to [Apple's new Platform Security page](https://support.apple.com/en-gb/guide/security/sec28382c9ca/web), this effectively prevents any firmware password resets, even by Apple themselves: - -> For users who want no one but themselves to remove their Firmware Password by software means, the -disable-reset-capability option has been added to the firmwarepasswd command-line tool in macOS 10.15. Before setting this option, users must to acknowledge that if the password is forgotten and needs removal, the user must bear the cost of the motherboard replacement necessary to achieve this. 
- -Newer Mac models (Mac Pro, iMac Pro, Macbook with TouchBar) with [Apple T2](https://en.wikipedia.org/wiki/Apple-designed_processors#Apple_T2) chips, which provide a secure enclave for encrypted keys, lessen the risk of EFI firmware attacks. See [this blog post](https://michaellynn.github.io/2018/07/27/booting-secure/) for more information. - -See [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool), [chipsec/chipsec](https://github.com/chipsec/chipsec) and discussion in [issue #213](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/213) for more information. +You'll have the option use your iCloud account for recovery; this option is more convenient than keeping track of your own recovery key, but Apple and law enforcement could potentially be able to access your drive so consult your threat model to determine if this is acceptable. ## Firewall From eac287172f5636a481b2e2b7a57483d16a18d42d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 15 Feb 2024 06:02:24 -0600 Subject: [PATCH 170/476] capitalization --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9237d414..ab181e6e 100755 --- a/README.md +++ b/README.md 
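Review bot: the rewritten section in hunk @@ -387 adds two load-bearing claims without a source, "All Mac models with Apple Silicon are encrypted by default" and "Your FileVault password acts as a firmware password as well", while deleting cited material (the frizk.net bypass link, the cold boot paper, the `pmset` key-eviction settings and the whole `## Firmware` section) under a commit message that says only "Update". Cite Apple's platform security documentation for the new claims, and either keep a short note on why the standby/hibernation and firmware-password guidance no longer applies or state in the commit message that it is out of scope for Apple silicon. Two grammar fixes in the added lines: "hardens against someone with physical access from stealing" should read "hardens against someone with physical access stealing", and "the option use your iCloud account" is missing "to".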
@@ -389,7 +389,7 @@ See also [this post](https://superuser.com/a/395738) for more information about ## FileVault -All Mac models with Apple Silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. Your FileVault password acts as a firmware password as well. +All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. Your FileVault password acts as a firmware password as well. FileVault protects data at rest and hardens against someone with physical access from stealing data or tampering with your Mac. From 0105056c6a3786333030c6eeaca8f629f4182f49 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 15 Feb 2024 06:09:57 -0600 Subject: [PATCH 171/476] add firmware --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ab181e6e..a889020b 100755 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se - [Admin and standard user accounts](#admin-and-standard-user-accounts) * [Caveats](#caveats) * [Setup](#setup) -- [Full disk encryption](#full-disk-encryption) +- [Firmware](#firmware) - [Filevault](#filevault) - [Firewall](#firewall) * [Application layer firewall](#application-layer-firewall) 
@@ -387,6 +387,10 @@ dscl . -read /Users/ GeneratedUID See also [this post](https://superuser.com/a/395738) for more information about how macOS determines group membership. +## Firmware + +You should set firmware security settings to [Full Security](https://support.apple.com/en-au/guide/mac-help/mchl768f7291/mac) to prevent tampering with your OS. + ## FileVault All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. Your FileVault password acts as a firmware password as well. From b30a386b90496e4deeb85632d7b3c1c79a4c8412 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 15 Feb 2024 16:48:13 -0600 Subject: [PATCH 172/476] Change "set" to "check" --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a889020b..d8449e0c 100755 --- a/README.md +++ b/README.md @@ -389,7 +389,7 @@ See also [this post](https://superuser.com/a/395738) for more information about ## Firmware -You should set firmware security settings to [Full Security](https://support.apple.com/en-au/guide/mac-help/mchl768f7291/mac) to prevent tampering with your OS. +You should check that firmware security settings are set to [Full Security](https://support.apple.com/en-au/guide/mac-help/mchl768f7291/mac) to prevent tampering with your OS. This is the default setting. ## FileVault From b1f998336429dbb2d69746542bdcb68789d959ca Mon Sep 17 00:00:00 2001 From: leohidalgo Date: Thu, 15 Feb 2024 20:38:58 -0300 Subject: [PATCH 173/476] docs: add StevenBlack/hosts rules for Little Snitch --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f193a2ac..a2e5ba69 100755 --- a/README.md +++ b/README.md 
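Review bot: "This is the default setting." is added in hunk @@ -389 without saying how the reader checks it. The linked Apple page describes doing so from Startup Security Utility in macOS Recovery; a one-clause pointer ("in Startup Security Utility, booted into Recovery") would make the check actionable instead of leaving the reader to infer that nothing needs doing.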
@@ -758,6 +758,8 @@ Append a list of hosts with `tee`: curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts ``` +If you're using a firewall like [Little Snitch](#third-party-firewalls), you could use the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) importing the rules from [leohidalgo/little-snitch---rule-groups](https://github.com/leohidalgo/little-snitch---rule-groups) repository, these rules are updated every 12 hours from the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) repository. + #### dnscrypt To encrypt DNS traffic, consider using [DNSCrypt/dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). Used in combination with dnsmasq and DNSSEC, the integrity of DNS traffic can be significantly improved. From 6707006a6f381d6bf3b6e1ccc775e4fc6b5eddc8 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 15 Feb 2024 19:49:28 -0600 Subject: [PATCH 174/476] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d8449e0c..74358a73 100755 --- a/README.md +++ b/README.md 
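Review bot: the sentence added in hunk @@ -758 is a run-on and hard to parse ("you could use the StevenBlack/hosts importing the rules from ... repository, these rules are updated"). Suggest: "If you use a firewall like Little Snitch, you can import the StevenBlack/hosts list as rule groups from leohidalgo/little-snitch---rule-groups, which regenerates them from the upstream repository every 12 hours." Also, recommending a third-party repository as a rule source adds a dependency the reader is trusting to decide what traffic is blocked, and that repository belongs to the author of this patch; the text should say it is a community-maintained conversion rather than an official StevenBlack/hosts artifact so the reader can decide whether to trust it.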
@@ -395,7 +395,7 @@ You should check that firmware security settings are set to [Full Security](http All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. Your FileVault password acts as a firmware password as well. -FileVault protects data at rest and hardens against someone with physical access from stealing data or tampering with your Mac. +FileVault protects data at rest and hardens against someone with physical access stealing data or tampering with your Mac. You'll have the option use your iCloud account for recovery; this option is more convenient than keeping track of your own recovery key, but Apple and law enforcement could potentially be able to access your drive so consult your threat model to determine if this is acceptable. From 963adcecdb49cf9ada1701940c1355fa410fa37a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 25 Feb 2024 21:35:25 -0600 Subject: [PATCH 175/476] add citation for filevault firmware password and EFF article on generating strong passwords --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cd19b36e..8b2b225a 100755 --- a/README.md +++ b/README.md 
@@ -393,7 +393,9 @@ You should check that firmware security settings are set to [Full Security](http ## FileVault -All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. Your FileVault password acts as a firmware password as well. +All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. The EFF has a guide on generating [strong but memorable passwords](https://www.eff.org/dice). + +Your FileVault password also acts as a [firmware password](https://support.apple.com/en-us/102384) that will prevent users that don't know it from booting from anything other than the designated startup disk. FileVault protects data at rest and hardens against someone with physical access stealing data or tampering with your Mac. From 9d69de04875652ff43719ea373ac67dd3402adbd Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 25 Feb 2024 22:18:13 -0600 Subject: [PATCH 176/476] clarify icloud recovery --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8b2b225a..c2b3ac09 100755 --- a/README.md +++ b/README.md 
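Review bot: hunk @@ -393 adds a citation for the firmware-password claim, but "All Mac models with Apple silicon are encrypted by default" on the same line still has none, so the paragraph now cites the weaker claim and not the stronger one; add the Apple source there too. Minor: "prevent users that don't know it" should be "users who don't know it".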
@@ -399,7 +399,7 @@ Your FileVault password also acts as a [firmware password](https://support.apple FileVault protects data at rest and hardens against someone with physical access stealing data or tampering with your Mac. -You'll have the option use your iCloud account for recovery; this option is more convenient than keeping track of your own recovery key, but Apple and law enforcement could potentially be able to access your drive so consult your threat model to determine if this is acceptable. +Filevault will ask you to set a recovery key in case you forget your password. Keep this key stored somewhere safe. You'll have the option use your iCloud account to unlock your disk; however, anyone with access to your iCloud account will be able to unlock it as well. ## Firewall From 6fc00457c5f28bd75bc19c0dcfba41813ca9575b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 26 Feb 2024 06:12:43 -0600 Subject: [PATCH 177/476] added more filevault info --- README.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c2b3ac09..6f8bb72f 100755 --- a/README.md +++ b/README.md 
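Review bot: the replacement line in hunk @@ -399 spells the product "Filevault" while the heading two lines up is "## FileVault", and "You'll have the option use your iCloud account" is still missing "to". The rewrite also drops the removed line's explicit point that Apple and law enforcement could gain access through iCloud recovery; "anyone with access to your iCloud account" covers it technically, but naming account recovery is what makes this the threat-model decision the reader is being asked to make, so keep a clause to that effect.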
@@ -393,13 +393,11 @@ You should check that firmware security settings are set to [Full Security](http ## FileVault -All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. The EFF has a guide on generating [strong but memorable passwords](https://www.eff.org/dice). +All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. The EFF has a guide on generating [strong but memorable passwords](https://www.eff.org/dice). -Your FileVault password also acts as a [firmware password](https://support.apple.com/en-us/102384) that will prevent users that don't know it from booting from anything other than the designated startup disk. +Your FileVault password also acts as a [firmware password](https://support.apple.com/en-us/102384) that will prevent people that don't know it from booting from anything other than the designated startup disk, accessing [Recovery](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/14.0/mac/14.0#mchl5abfbb29), and [reviving](https://support.apple.com/en-us/108900) it with DFU mode. -FileVault protects data at rest and hardens against someone with physical access stealing data or tampering with your Mac. - -Filevault will ask you to set a recovery key in case you forget your password. Keep this key stored somewhere safe. You'll have the option use your iCloud account to unlock your disk; however, anyone with access to your iCloud account will be able to unlock it as well. +FileVault will ask you to set a recovery key in case you forget your password. Keep this key stored somewhere safe. 
You'll have the option use your iCloud account to unlock your disk; however, anyone with access to your iCloud account will be able to unlock it as well. ## Firewall From eda4da20a153e60ac7bfb88299c01bdd94cb468a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 27 Feb 2024 21:49:30 -0600 Subject: [PATCH 178/476] remove inaccurate statement about downloading updates from the support site --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6f8bb72f..e858c65e 100755 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -This guide is a collection of techniques for improving the security and privacy of a modern Apple Macintosh computer ("MacBook") running a recent version of macOS (formerly known as "OS X"). +This guide is a collection of techniques for improving the security and privacy of Apple silicon Mac computers running a recent version of macOS. Using older Macs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch. This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. 
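Review bot: hunk @@ -393 deletes "FileVault protects data at rest and hardens against someone with physical access stealing data or tampering with your Mac", which was the only sentence in the section stating what FileVault defends against; what remains describes how to enable it and the recovery options but not the threat it addresses. Keep that sentence. The added recovery-key line still carries "the option use your iCloud account" (missing "to"), and the Recovery link is pinned to `/14.0/mac/14.0`, so it will point at a stale page once the guide covers a newer release.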
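Review bot: the link in the rewritten first line of hunk @@ -1,4 is double-encoded: `?tab%253Dreadme-ov-file#checkm8` should be `?tab=readme-ov-file#checkm8` (`%253D` is `%3D` encoded a second time). Separately, the sentence makes a blanket statement that any older Mac is open to unpatchable hardware vulnerabilities on the strength of a single write-up about one BootROM flaw; either scope the statement to the hardware that write-up covers or cite a source for the general claim.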
@@ -76,12 +76,12 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se Standard security best practices apply: * Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) - * What are you trying to protect and from whom? Is your adversary a [three letter agency](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) (if so, you may want to consider using [OpenBSD](https://www.openbsd.org/) instead); a nosy eavesdropper on the network; or a determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? + * What are you trying to protect and from whom? Is your adversary a three letter agency; a nosy eavesdropper on the network; or a determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? * [Recognize threats](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) and how to reduce attack surface against them. * Keep the system up to date * Patch the base operating system and all third party software. - * macOS system updates can be completed using the App Store application, or the `softwareupdate` command-line utility - neither requires registering an Apple account. Updates can also be downloaded directly from Apple's support site. + * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065/mac), or the `softwareupdate` command-line utility - neither requires registering an Apple account. * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). * Encrypt sensitive data at rest From e79f2332128b95fece47e02d2a3a4bf4080504de Mon Sep 17 00:00:00 2001 
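Review bot: the commit message says only that the patch removes the inaccurate statement about downloading updates from the support site, but hunk @@ -76 also deletes the OpenBSD recommendation and the strawhorse document link from the threat-model bullet. Those are substantive changes to the guide's advice and belong in their own commit, or at least in the commit message, so the history explains why they went.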
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 27 Feb 2024 21:51:08 -0600 Subject: [PATCH 179/476] add automatic updates --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e858c65e..6fe4f9af 100755 --- a/README.md +++ b/README.md @@ -81,7 +81,7 @@ Standard security best practices apply: * Keep the system up to date * Patch the base operating system and all third party software. - * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065/mac), or the `softwareupdate` command-line utility - neither requires registering an Apple account. + * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065/mac) and set to automatically install. You can also use the `softwareupdate` command-line utility - neither requires registering an Apple account. * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). * Encrypt sensitive data at rest From 5c05f726dc7259163c052f316e23d0de02b45afd Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 27 Feb 2024 21:52:07 -0600 Subject: [PATCH 180/476] replace amazon book with time machine support page --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6fe4f9af..3311ca20 100755 --- a/README.md +++ b/README.md 
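Review bot: after the bullet is split into two sentences in hunk @@ -81, "neither requires registering an Apple account" no longer has a pair to refer to, since the settings path and `softwareupdate` are now in separate sentences. Rephrase it as its own sentence, e.g. "Neither method requires an Apple account.", or fold the two back together.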
@@ -89,7 +89,7 @@ Standard security best practices apply: * This will mitigate damage in case of compromise and data theft. * Assure data availability - * Create [regular backups](https://www.amazon.com/o/ASIN/0596102461/backupcentral) of your data and be ready to format and re-install the operating system in case of compromise. + * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to format and re-install the operating system in case of compromise. * Encrypt locally before copying backups to external media or the "cloud". * Verify backups by accessing them regularly. From 4934f016526a5b6d25e74cdfb51e0d304cf0441e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 27 Feb 2024 21:56:29 -0600 Subject: [PATCH 181/476] add bold --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3311ca20..d48e5058 100755 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -This guide is a collection of techniques for improving the security and privacy of Apple silicon Mac computers running a recent version of macOS. Using older Macs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch. +This guide is a collection of techniques for improving the security and privacy of Apple silicon Mac computers running a recent version of macOS. **Using older Macs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. From 657347530ee6c23d90fd2f1ff9c704ea5351e667 Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 27 Feb 2024 22:01:43 -0600 Subject: [PATCH 182/476] remove free and open source recommendation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d48e5058..b87bbb06 100755 --- a/README.md +++ b/README.md @@ -95,7 +95,7 @@ Standard security best practices apply: * Click carefully * Ultimately, the security of a system depends on the capabilities of its administrator. - * Care should be taken when installing new software. Always prefer [free](https://www.gnu.org/philosophy/free-sw.en.html) and open source software ([which macOS is not](https://superuser.com/questions/19492/is-mac-os-x-open-source)). + * Care should be taken when installing new software; only install from official sources that the developers indicate on their official webiste/github/etc. ## Preparing and installing macOS From 51d065aa84e698dc920283e4d7e845062086a8d1 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 27 Feb 2024 22:16:05 -0600 Subject: [PATCH 183/476] capitalize APT --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b87bbb06..ed5cb1a4 100755 --- a/README.md +++ b/README.md 
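Review bot: hunk @@ -95 introduces the typo "webiste" (fixed later in the series, but it should not land in the first place). More importantly, "only install from official sources" addresses provenance but not integrity: a download from the official site is still worth verifying against the checksum or signature where the developer publishes one, and a clause saying so would keep the advice whole now that the open-source preference is dropped.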
@@ -76,7 +76,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se Standard security best practices apply: * Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) - * What are you trying to protect and from whom? Is your adversary a three letter agency; a nosy eavesdropper on the network; or a determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? + * What are you trying to protect and from whom? Is your adversary a three letter agency; a nosy eavesdropper on the network; or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? * [Recognize threats](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) and how to reduce attack surface against them. * Keep the system up to date From 24a16f16de0294c046dde1cdc2b30f362709b604 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 27 Feb 2024 22:22:40 -0600 Subject: [PATCH 184/476] add mention that newer chips are more secure --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ed5cb1a4..9a57634f 100755 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -This guide is a collection of techniques for improving the security and privacy of Apple silicon Mac computers running a recent version of macOS. **Using older Macs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. +This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/en-us/116943) Mac computers running a recent version of macOS. **Using older Macs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. From 686564d5a9926266cd89c3ed63040db492e84c97 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 27 Feb 2024 22:37:34 -0600 Subject: [PATCH 185/476] fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9a57634f..eade0e80 100755 --- a/README.md +++ b/README.md @@ -95,7 +95,7 @@ Standard security best practices apply: * Click carefully * Ultimately, the security of a system depends on the capabilities of its administrator. - * Care should be taken when installing new software; only install from official sources that the developers indicate on their official webiste/github/etc. + * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. ## Preparing and installing macOS From 79b7853fa5247e021541e214056bb75104a11df8 Mon Sep 17 00:00:00 2001 
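Review bot: "newer chips are always more secure" in hunk @@ -1,4 is an absolute with no source; newer silicon generally ships with newer mitigations, but "always" is not something the linked pages establish. Suggest "newer chips generally include additional hardware security features" with a link to Apple's platform security documentation. The double-encoded `%253D` in the ipwndfu URL is also carried over unchanged and should be fixed while this line is being edited.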
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 28 Feb 2024 00:34:36 -0600 Subject: [PATCH 186/476] removed unrelated link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eade0e80..716d5451 100755 --- a/README.md +++ b/README.md @@ -77,7 +77,7 @@ Standard security best practices apply: * Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) * What are you trying to protect and from whom? Is your adversary a three letter agency; a nosy eavesdropper on the network; or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? - * [Recognize threats](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) and how to reduce attack surface against them. + * Recognize threats and how to reduce attack surface against them. * Keep the system up to date * Patch the base operating system and all third party software. From 6a8006294ce32a7f1e76d7761b9d3b3b50ca3d82 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:25:05 -0600 Subject: [PATCH 187/476] update encryption part --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 716d5451..97bf58e9 100755 --- a/README.md +++ b/README.md 
@@ -85,7 +85,7 @@ Standard security best practices apply: * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). * Encrypt sensitive data at rest - * In addition to full disk encryption, consider creating one or several encrypted partitions or volumes to store passwords, cryptographic keys, personal documents, etc. at rest. + * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac), consider using a [keychain](https://support.apple.com/guide/mac-help/use-keychains-to-store-passwords-mchlf375f392/mac) to protect your passwords and other sensitive info. For sensitive files, consider creating a separate [encrypted volume](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac) to store them in. * This will mitigate damage in case of compromise and data theft. * Assure data availability From 24c044ba415f5a740799f81df8d07d2ffa2bcaf5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:28:15 -0600 Subject: [PATCH 188/476] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 97bf58e9..a990d7fd 100755 --- a/README.md +++ b/README.md 
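Review bot: the rewritten bullet in the PATCH 187 hunk drops "cryptographic keys" from the list of data to protect at rest; the old line named passwords, cryptographic keys and personal documents, while the new one covers only passwords and "sensitive files". Since private keys (SSH, PGP, signing keys) are the item most worth calling out, suggest keeping them explicitly, e.g. "... to protect your passwords, cryptographic keys and other sensitive info."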
@@ -76,7 +76,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se Standard security best practices apply: * Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) - * What are you trying to protect and from whom? Is your adversary a three letter agency; a nosy eavesdropper on the network; or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? + * What are you trying to protect and from whom? Is your adversary a three letter agency, a nosy eavesdropper on the network, or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? * Recognize threats and how to reduce attack surface against them. * Keep the system up to date From be3bfb7fa3f297ddefa67616b9949b9faec49dfb Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:32:35 -0600 Subject: [PATCH 189/476] change format and reinstall to restore from a backup --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a990d7fd..05c86d68 100755 --- a/README.md +++ b/README.md 
@@ -89,8 +89,8 @@ Standard security best practices apply: * This will mitigate damage in case of compromise and data theft. * Assure data availability - * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to format and re-install the operating system in case of compromise. - * Encrypt locally before copying backups to external media or the "cloud". + * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to [restore from a backup](https://support.apple.com/en-us/102551) in case of compromise. + * Encrypt locally before copying backups to external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it, although this requires some trust in the provider. * Verify backups by accessing them regularly. * Click carefully From 4f0f790fe7cc864ca48d5e003dd91dabc6a4c2ed Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:37:08 -0600 Subject: [PATCH 190/476] add reset link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 05c86d68..213fc1d6 100755 --- a/README.md +++ b/README.md 
@@ -89,7 +89,7 @@ Standard security best practices apply: * This will mitigate damage in case of compromise and data theft. * Assure data availability - * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to [restore from a backup](https://support.apple.com/en-us/102551) in case of compromise. + * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to [reset](https://support.apple.com/en-us/102664) your Mac and [restore from a backup](https://support.apple.com/en-us/102551) in case of compromise. * Encrypt locally before copying backups to external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it, although this requires some trust in the provider. * Verify backups by accessing them regularly. From 9c67c072195529fbc2c4a9d668dbac1fc3e0b210 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:40:14 -0600 Subject: [PATCH 191/476] cloud --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 213fc1d6..2c052f6e 100755 --- a/README.md +++ b/README.md 
@@ -90,7 +90,7 @@ Standard security best practices apply: * Assure data availability * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to [reset](https://support.apple.com/en-us/102664) your Mac and [restore from a backup](https://support.apple.com/en-us/102551) in case of compromise. - * Encrypt locally before copying backups to external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it, although this requires some trust in the provider. + * Encrypt locally before copying backups to external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it. * Verify backups by accessing them regularly. * Click carefully From 2b876a552ab08d133c0ff4a2bf6e8c3fcb8adc27 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:43:20 -0600 Subject: [PATCH 192/476] clarify encryption of external media --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2c052f6e..40505e37 100755 --- a/README.md +++ b/README.md 
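Review bot: the PATCH 192 hunk removes the caveat "although this requires some trust in the provider", which was the one sentence distinguishing the two options it offers. Encrypting locally before upload keeps the keys entirely under the user's control, whereas provider-implemented end-to-end encryption relies on the provider's client software and key handling; without the caveat the two read as equivalent. Suggest keeping the trailing clause, or shortening it to "... if your cloud provider supports it (this still places some trust in the provider)."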
@@ -90,7 +90,7 @@ Standard security best practices apply: * Assure data availability * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to [reset](https://support.apple.com/en-us/102664) your Mac and [restore from a backup](https://support.apple.com/en-us/102551) in case of compromise. - * Encrypt locally before copying backups to external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it. + * Encrypt locally before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it. * Verify backups by accessing them regularly. * Click carefully From dd0fffbe3c82f8ab1526c635c96339eaa487d592 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:48:28 -0600 Subject: [PATCH 193/476] add link to time machine encryption --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 40505e37..31ac9c3d 100755 --- a/README.md +++ b/README.md 
@@ -90,7 +90,7 @@ Standard security best practices apply: * Assure data availability * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to [reset](https://support.apple.com/en-us/102664) your Mac and [restore from a backup](https://support.apple.com/en-us/102551) in case of compromise. - * Encrypt locally before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it. + * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241/mac) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it. * Verify backups by accessing them regularly. * Click carefully From 8192296f3820d6d73649ecbc9ee5b1e9933e7dee Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:57:47 -0600 Subject: [PATCH 194/476] change keychain to passwords --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 31ac9c3d..34d33075 100755 --- a/README.md +++ b/README.md 
@@ -85,7 +85,7 @@ Standard security best practices apply: * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). * Encrypt sensitive data at rest - * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac), consider using a [keychain](https://support.apple.com/guide/mac-help/use-keychains-to-store-passwords-mchlf375f392/mac) to protect your passwords and other sensitive info. For sensitive files, consider creating a separate [encrypted volume](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac) to store them in. + * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac), consider using the [built-in password manager](https://support.apple.com/en-us/105115) to protect your passwords and other sensitive info. For sensitive files, consider creating a separate [encrypted volume](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac) to store them in. * This will mitigate damage in case of compromise and data theft. * Assure data availability From a8607b4a8596e61138e977507fd32056c86eb1f4 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 16:02:25 -0600 Subject: [PATCH 195/476] remove en-us from links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 34d33075..2360d7bf 100755 --- a/README.md +++ b/README.md 
@@ -85,11 +85,11 @@ Standard security best practices apply: * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). * Encrypt sensitive data at rest - * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac), consider using the [built-in password manager](https://support.apple.com/en-us/105115) to protect your passwords and other sensitive info. For sensitive files, consider creating a separate [encrypted volume](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac) to store them in. + * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac), consider using the [built-in password manager](https://support.apple.com/105115) to protect your passwords and other sensitive info. For sensitive files, consider creating a separate [encrypted volume](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac) to store them in. * This will mitigate damage in case of compromise and data theft. * Assure data availability - * Create [regular backups](https://support.apple.com/en-us/104984) of your data and be ready to [reset](https://support.apple.com/en-us/102664) your Mac and [restore from a backup](https://support.apple.com/en-us/102551) in case of compromise. + * Create [regular backups](https://support.apple.com/104984) of your data and be ready to [reset](https://support.apple.com/102664) your Mac and [restore from a backup](https://support.apple.com/102551) in case of compromise. 
* [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241/mac) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it. * Verify backups by accessing them regularly. From 3c74651202c088284974843a0df9767e438f2467 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 16:09:00 -0600 Subject: [PATCH 196/476] remove unnecessary parts of links --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2360d7bf..fc4b2c45 100755 --- a/README.md +++ b/README.md 
@@ -81,16 +81,16 @@ Standard security best practices apply: * Keep the system up to date * Patch the base operating system and all third party software. - * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065/mac) and set to automatically install. You can also use the `softwareupdate` command-line utility - neither requires registering an Apple account. + * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065) and set to automatically install. You can also use the `softwareupdate` command-line utility - neither requires registering an Apple account. * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). * Encrypt sensitive data at rest - * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac), consider using the [built-in password manager](https://support.apple.com/105115) to protect your passwords and other sensitive info. For sensitive files, consider creating a separate [encrypted volume](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac) to store them in. + * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785), consider using the [built-in password manager](https://support.apple.com/105115) to protect your passwords and other sensitive info. For sensitive files, consider creating a separate [encrypted volume](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612) to store them in. * This will mitigate damage in case of compromise and data theft. 
* Assure data availability * Create [regular backups](https://support.apple.com/104984) of your data and be ready to [reset](https://support.apple.com/102664) your Mac and [restore from a backup](https://support.apple.com/102551) in case of compromise. - * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241/mac) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) if your cloud provider supports it. + * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) if your cloud provider supports it. * Verify backups by accessing them regularly. * Click carefully From 29fd6344f6f859717b5d6ec07f5d7a0dcbc6e7df Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 16:29:30 -0600 Subject: [PATCH 197/476] remove more unnecessary parts of links --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fc4b2c45..c366f861 100755 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/en-us/116943) Mac computers running a recent version of macOS. **Using older Macs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. +This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/116943) Mac computers running a recent version of macOS. **Using older Macs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. From 85c0eb1a471417ebab2c6115ef6e043c64aad44d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 18:17:38 -0600 Subject: [PATCH 198/476] Remove certificate authority section --- README.md | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/README.md b/README.md index 6f8bb72f..c33ec36b 100755 --- a/README.md +++ b/README.md 
@@ -820,21 +820,6 @@ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.c Also see [Apple's secret "wispr" request](https://web.archive.org/web/20171008071031/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html) and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/). - -## Certificate authorities - -macOS comes with [over 200](https://support.apple.com/en-us/HT202858) root authority certificates installed from for-profit corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing SSL/TLS certificates for any domain, code signing certificates, etc. - -For more information, see [Certification Authority Trust Tracker](https://github.com/kirei/catt), [Analysis of the HTTPS certificate ecosystem](https://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf) (pdf), and [You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores](https://www.ifca.ai/fc14/papers/fc14_submission_100.pdf) (pdf). - -Inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. 
- -Disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window: - -A certificate authority certificate - -The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). - ## Web ### Privoxy From 8ee7de21031d3e29796017c3d596ac7a06ba678c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 29 Feb 2024 18:18:54 -0600 Subject: [PATCH 199/476] remove link --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index c33ec36b..dc273d1e 100755 --- a/README.md +++ b/README.md @@ -38,7 +38,6 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se + [Dnsmasq](#dnsmasq) - [Test DNSSEC validation](#test-dnssec-validation) - [Captive portal](#captive-portal) -- [Certificate authorities](#certificate-authorities) - [Web](#web) * [Privoxy](#privoxy) * [Browser](#browser) From b4b1bad12a7a6a879ca7c9bcde10ecf32fea1b35 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 2 Mar 2024 08:58:09 -0600 Subject: [PATCH 200/476] add NIST guidelines to the intro --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index c366f861..96d02b5f 100755 --- a/README.md +++ b/README.md 
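Review bot: the PATCH 198 hunk deletes the whole "Certificate authorities" section but leaves the table-of-contents entry `- [Certificate authorities](#certificate-authorities)` in place, so the index links to a heading that no longer exists until the separate PATCH 199 commit removes it; the two hunks belong in one commit. The deletion also drops the section's closing risk statement about a coerced or compromised CA issuing a rogue certificate (the DigiNotar reference), which is the part of the section with lasting defensive value; if the section is removed for being out of date, consider keeping that paragraph elsewhere rather than losing it.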
@@ -2,6 +2,8 @@ This guide is a collection of techniques for improving the security and privacy This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. +If you're securing computers for an organization, use the [official NIST guidelines for macOS](https://github.com/usnistgov/macos_security). + A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture. This guide is provided on an 'as is' basis without any warranties of any kind. Only **you** are responsible if you break anything or get in any sort of trouble by following this guide. From 3500e933784a798216b8267629c90545539029a4 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 3 Mar 2024 07:09:34 -0600 Subject: [PATCH 201/476] remove unnecessary instructions to reset mac --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 96d02b5f..815993e3 100755 --- a/README.md +++ b/README.md 
@@ -91,7 +91,7 @@ Standard security best practices apply: * This will mitigate damage in case of compromise and data theft. * Assure data availability - * Create [regular backups](https://support.apple.com/104984) of your data and be ready to [reset](https://support.apple.com/102664) your Mac and [restore from a backup](https://support.apple.com/102551) in case of compromise. + * Create [regular backups](https://support.apple.com/104984) of your data and be ready to [restore from a backup](https://support.apple.com/102551) in case of compromise. * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) if your cloud provider supports it. * Verify backups by accessing them regularly. From b01216a462c39c4d8775a71d0c0cfcaaf227ba90 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 03:11:09 -0500 Subject: [PATCH 202/476] change older macs to intel macs --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 815993e3..957df9c8 100755 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/116943) Mac computers running a recent version of macOS. **Using older Macs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. +This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/116943) Mac computers running a recent version of macOS. **Using Macs with Intel chips leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. From 99ee175427f5100bcf46c8624983c7111d8db4cc Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 03:58:41 -0500 Subject: [PATCH 203/476] re add certificate authorities --- README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README.md b/README.md index dc273d1e..bb496c3c 100755 --- a/README.md +++ b/README.md 
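Review bot: the PATCH 202 hunk changes "older Macs" to "Macs with Intel chips" while keeping the checkm8 link as the supporting reference, and the two no longer match. checkm8 is a BootROM vulnerability in Apple's own A-series silicon, which on Intel-based Macs is the T2 security chip; it is not a flaw in the Intel CPU, and Intel Macs without a T2 are not affected by that specific issue. Either name the T2 ("Intel-based Macs with the T2 chip") or keep the wording generic and cite a reference that actually concerns the Intel platform.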
@@ -819,6 +819,20 @@ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.c Also see [Apple's secret "wispr" request](https://web.archive.org/web/20171008071031/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html) and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/). +## Certificate authorities + +macOS comes with [over 100](https://support.apple.com/en-us/HT202858) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing SSL/TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/en-us/103247#blocked) when a CA proves to be untrustworthy. + +Inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. + +You can manually disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window: + +A certificate authority certificate + +**Warning:** This will cause your browser to give a warning when you visit a site using certificates signed by these CA's and may cause breakage in other software. Don't distrust Apple root certificates or it will cause lots of breakage in macOS! 
+ +The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). + ## Web ### Privoxy From 93e80878ed64d4ea05299a516cf0f2598062abaf Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 04:05:07 -0500 Subject: [PATCH 204/476] re add link in the index --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index bb496c3c..45baad90 100755 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se + [Dnsmasq](#dnsmasq) - [Test DNSSEC validation](#test-dnssec-validation) - [Captive portal](#captive-portal) +-[Certificate authorities](#certificate-authorities) - [Web](#web) * [Privoxy](#privoxy) * [Browser](#browser) From 23207133d47a23b0d2755b70d96fc85f549d3834 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 04:06:08 -0500 Subject: [PATCH 205/476] space --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 45baad90..44599659 100755 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se + [Dnsmasq](#dnsmasq) - [Test DNSSEC validation](#test-dnssec-validation) - [Captive portal](#captive-portal) --[Certificate authorities](#certificate-authorities) +- [Certificate authorities](#certificate-authorities) - [Web](#web) * [Privoxy](#privoxy) * [Browser](#browser) From d7f449a07ded66441d775b557a9e3215dadf912a Mon Sep 17 00:00:00 2001 
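Review bot: the PATCH 203 hunk re-adds the section with "over 100" root certificates where the removed version said "over 200", but the supporting link (HT202858) is unchanged, so one of the two numbers is wrong; state whichever the linked page currently gives. The re-added links also use the `https://support.apple.com/en-us/...` form that PATCH 195 through 197 just stripped from the rest of the README, so they should follow the new convention. Minor: "these CA's" in the warning paragraph should be "these CAs", and "Keychain Access" is being described as the way to distrust a root while the text above already names the `security` tool; a one-line mention that `security` can also be used to change trust settings would keep the two paths consistent.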
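Review bot: the PATCH 204 hunk inserts `-[Certificate authorities](#certificate-authorities)` without the space after the dash that every neighbouring index line has, and PATCH 205 exists only to add that space; squash the two so the index change lands correctly in a single commit.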
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 05:26:30 -0500 Subject: [PATCH 206/476] change chip to CPU --- README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 957df9c8..143a2e9b 100755 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/116943) Mac computers running a recent version of macOS. **Using Macs with Intel chips leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. +This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/116943) Mac computers running a recent version of macOS. **Using Macs with Intel CPUs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. 
@@ -837,6 +837,20 @@ Disable certificate authorities through Keychain Access by marking them as **Nev The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). +## Certificate authorities + +macOS comes with [over 200](https://support.apple.com/en-us/HT202858) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. + +For more information, see [Analysis of the HTTPS certificate ecosystem](https://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf) (pdf), and [You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores](https://www.ifca.ai/fc14/papers/fc14_submission_100.pdf) (pdf). + +Inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. + +Disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window: + +A certificate authority certificate + +The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). + ## Web ### Privoxy From ed9a64a0abfe0c8e5e29dd58d4e3094f46cd5bba Mon Sep 17 00:00:00 2001 
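Review bot: the second hunk of PATCH 206 (`@@ -837,6 +837,20 @@`) is unrelated to the commit subject "change chip to CPU" and inserts a second copy of the "Certificate authorities" section directly below the existing one; the hunk's own context line ("The risk of a man in the middle attack ...") is that section's closing paragraph, so the result is a duplicated heading and duplicated text. The inserted copy also says "over 200" where the existing section above says "over 100", and it reintroduces the catt and IMC/FC paper links that PATCH 203 had deliberately dropped. Drop this hunk from the commit and keep the change limited to the one-word edit in the first hunk.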
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 05:29:55 -0500 Subject: [PATCH 207/476] remove accidental addition --- README.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/README.md b/README.md index 143a2e9b..745ec132 100755 --- a/README.md +++ b/README.md 
@@ -837,20 +837,6 @@ Disable certificate authorities through Keychain Access by marking them as **Nev The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). -## Certificate authorities - -macOS comes with [over 200](https://support.apple.com/en-us/HT202858) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. - -For more information, see [Analysis of the HTTPS certificate ecosystem](https://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf) (pdf), and [You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores](https://www.ifca.ai/fc14/papers/fc14_submission_100.pdf) (pdf). - -Inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. - -Disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window: - -A certificate authority certificate - -The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). - ## Web ### Privoxy From 322261510cae63421994baa7ca281bcd7d3f9289 Mon Sep 17 00:00:00 2001 
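Review bot: this commit only undoes the stray hunk from the previous one; squash it into PATCH 206 so that a bisect never lands on a README carrying two Certificate authorities sections that disagree on the number of root certificates.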
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 06:35:41 -0500 Subject: [PATCH 208/476] add link to cloudflare --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 44599659..a0157180 100755 --- a/README.md +++ b/README.md @@ -822,7 +822,9 @@ Also see [Apple's secret "wispr" request](https://web.archive.org/web/2017100807 ## Certificate authorities -macOS comes with [over 100](https://support.apple.com/en-us/HT202858) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing SSL/TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/en-us/103247#blocked) when a CA proves to be untrustworthy. +macOS comes with [over 100](https://support.apple.com/en-us/HT202858) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/en-us/103247#blocked) when a CA proves to be untrustworthy. + +For more information, see [Cloudflare's intro to TLS certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/). Inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. 
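Review bot: the subject says "add link to cloudflare" but the hunk at `@@ -822,7 +822,9 @@` also rewrites "SSL/TLS certificates" to "TLS certificates"; mention the wording change in the message or split it out. For the "more information" pointer, a vendor explainer written for Cloudflare's customers is a weak citation in a hardening guide; Apple's Root Certificate Program page or the CA/Browser Forum Baseline Requirements describe what a root in the System Roots keychain has actually committed to.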
@@ -832,7 +834,7 @@ You can manually disable certificate authorities through Keychain Access by mark **Warning:** This will cause your browser to give a warning when you visit a site using certificates signed by these CA's and may cause breakage in other software. Don't distrust Apple root certificates or it will cause lots of breakage in macOS! -The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). +The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue TLS certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). ## Web From 46e624768c33e903a7cca294cc698ea64fe60b40 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 07:15:55 -0500 Subject: [PATCH 209/476] shorten URLs --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a0157180..30d9df86 100755 --- a/README.md +++ b/README.md 
@@ -822,7 +822,7 @@ Also see [Apple's secret "wispr" request](https://web.archive.org/web/2017100807 ## Certificate authorities -macOS comes with [over 100](https://support.apple.com/en-us/HT202858) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/en-us/103247#blocked) when a CA proves to be untrustworthy. +macOS comes with [over 100](https://support.apple.com/HT202858) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. For more information, see [Cloudflare's intro to TLS certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/). From 83e8a9075936e81cd4db816d1ad4f00e8e20944b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 07:30:40 -0500 Subject: [PATCH 210/476] shorten wikipedia links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 30d9df86..d7e3a9a6 100755 --- a/README.md +++ b/README.md 
@@ -822,7 +822,7 @@ Also see [Apple's secret "wispr" request](https://web.archive.org/web/2017100807 ## Certificate authorities -macOS comes with [over 100](https://support.apple.com/HT202858) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. +macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. For more information, see [Cloudflare's intro to TLS certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/). 
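Review bot: the hunk at `@@ -822,7 +822,7 @@` swaps `support.apple.com/HT202858` for `support.apple.com/103723`, which is an article-ID change rather than a shortening and is unrelated to the subject "shorten wikipedia links"; confirm that 103723 resolves to the same trusted-root-certificates list and say so in the message, or fold it into the preceding URL-shortening commit.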
@@ -834,7 +834,7 @@ You can manually disable certificate authorities through Keychain Access by mark **Warning:** This will cause your browser to give a warning when you visit a site using certificates signed by these CA's and may cause breakage in other software. Don't distrust Apple root certificates or it will cause lots of breakage in macOS! -The risk of a [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue TLS certificate is quite low, but still [possible](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). +The risk of a [man in the middle](https://wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue TLS certificate is quite low, but still [possible](https://wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). ## Web From 90c35bc293bc861fa13747c6b209d2151b86cd43 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 07:37:01 -0500 Subject: [PATCH 211/476] change cloudflare to the CA/Browser forum --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d7e3a9a6..af43b048 100755 --- a/README.md +++ b/README.md 
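Review bot: the hunk at `@@ -834,7 +834,7 @@` trims `en.wikipedia.org` to `wikipedia.org`; that host only redirects to the English edition, so the shorter form costs an extra redirect and drops the explicit language for a saving of three characters. Keep `en.wikipedia.org` in both the man-in-the-middle and DigiNotar links.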
@@ -824,7 +824,7 @@ Also see [Apple's secret "wispr" request](https://web.archive.org/web/2017100807 macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. -For more information, see [Cloudflare's intro to TLS certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/). +For more information, see the [CA/Browser Forum's website](https://cabforum.org/resources/tools/). Inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. From ed8c5096016c57d24921b2548d1ba6421e0b95ac Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 07:40:29 -0500 Subject: [PATCH 212/476] add info about Apple's requirements for CA --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index af43b048..d7d82ca0 100755 --- a/README.md +++ b/README.md 
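Review bot: `https://cabforum.org/resources/tools/` is the CA/Browser Forum's list of tooling, not background on what a CA is or what it must do; the "for more information" sentence should point at the Forum's Baseline Requirements or its browser/OS root-program information page instead.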
@@ -822,7 +822,7 @@ Also see [Apple's secret "wispr" request](https://web.archive.org/web/2017100807 ## Certificate authorities -macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. +macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. They also have [strict requirements](https://www.apple.com/certificateauthority/ca_program.html) that trusted CA's have to meet. For more information, see the [CA/Browser Forum's website](https://cabforum.org/resources/tools/). From 80bcecce01d85256ec5bd2a8f969a00488ab4a9a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 07:43:48 -0500 Subject: [PATCH 213/476] apostrophe --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d7d82ca0..143d8d46 100755 --- a/README.md +++ b/README.md 
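Review bot: in the added sentence "They also have [strict requirements] that trusted CAs have to meet", the pronoun "They" follows a clause whose subject is the CAs, so it reads as the CAs having requirements; write "Apple also publishes strict requirements that trusted CAs must meet".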
@@ -822,7 +822,7 @@ Also see [Apple's secret "wispr" request](https://web.archive.org/web/2017100807 ## Certificate authorities -macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. They also have [strict requirements](https://www.apple.com/certificateauthority/ca_program.html) that trusted CA's have to meet. +macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. They also have [strict requirements](https://www.apple.com/certificateauthority/ca_program.html) that trusted CAs have to meet. For more information, see the [CA/Browser Forum's website](https://cabforum.org/resources/tools/). 
@@ -832,7 +832,7 @@ You can manually disable certificate authorities through Keychain Access by mark A certificate authority certificate -**Warning:** This will cause your browser to give a warning when you visit a site using certificates signed by these CA's and may cause breakage in other software. Don't distrust Apple root certificates or it will cause lots of breakage in macOS! +**Warning:** This will cause your browser to give a warning when you visit a site using certificates signed by these CAs and may cause breakage in other software. Don't distrust Apple root certificates or it will cause lots of breakage in macOS! The risk of a [man in the middle](https://wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue TLS certificate is quite low, but still [possible](https://wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). From ad6fb08c9e619289e0f58fcefec15eb81ce98647 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 08:16:41 -0500 Subject: [PATCH 214/476] specify currently supported macos --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 745ec132..81db09e2 100755 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/116943) Mac computers running a recent version of macOS. **Using Macs with Intel CPUs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. +This guide is a collection of techniques for improving the security and privacy of [Apple silicon](https://support.apple.com/116943) Mac computers running a [currently supported](https://support.apple.com/HT201222) version of macOS. **Using Macs with Intel CPUs leaves you open to [security vulnerabilities](https://github.com/axi0mX/ipwndfu?tab%253Dreadme-ov-file#checkm8) on the hardware level that Apple can't patch**. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure. This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. From 0299412e23426ba1f55129d0569cc5db14d2353d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 08:33:44 -0500 Subject: [PATCH 215/476] cabforum link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 143d8d46..d11d412f 100755 --- a/README.md +++ b/README.md 
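Review bot: `https://support.apple.com/HT201222` is Apple's list of security releases, not a statement of which macOS versions are supported; Apple publishes no such policy, and the reader must infer support from which versions still receive updates. Say that in the text, e.g. "a version of macOS that still receives security updates", rather than labelling the link "currently supported".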
@@ -824,7 +824,7 @@ Also see [Apple's secret "wispr" request](https://web.archive.org/web/2017100807 macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. They also have [strict requirements](https://www.apple.com/certificateauthority/ca_program.html) that trusted CAs have to meet. -For more information, see the [CA/Browser Forum's website](https://cabforum.org/resources/tools/). +For more information, see the [CA/Browser Forum's website](https://cabforum.org/resources/browser-os-info/). Inspect system root certificates in **Keychain Access**, under the **System Roots** tab or by using the `security` command line tool and `/System/Library/Keychains/SystemRootCertificates.keychain` file. From e5cc26ad4c5d79b9b54eb4923b1d1603b7f1e1fd Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 12:21:52 -0500 Subject: [PATCH 216/476] Update preparing and installing macOS section --- README.md | 219 ++---------------------------------------------------- 1 file changed, 6 insertions(+), 213 deletions(-) diff --git a/README.md b/README.md index 5795bff8..1a5a4476 100755 --- a/README.md +++ b/README.md 
@@ -13,12 +13,7 @@ To suggest an improvement, please send a pull request or [open an issue](https:/ This guide is also available in [简体中文](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). - [Basics](#basics) -- [Preparing and installing macOS](#preparing-and-installing-macos) - * [Verifying installation integrity](#verifying-installation-integrity) - * [Creating a bootable USB installer](#creating-a-bootable-usb-installer) - * [Creating an install image](#creating-an-install-image) - * [Target disk mode](#target-disk-mode) - * [Creating a recovery partition](#creating-a-recovery-partition) +- [Installing macOS](#preparing-and-installing-macos) * [Virtualization](#virtualization) - [First boot](#first-boot) - [System activation](#system-activation) 
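Review bot: in the hunk at `@@ -13,12 +13,7 @@` the renamed table-of-contents entry still links to `#preparing-and-installing-macos`, but the heading it points at becomes "## Installing macOS" in the same commit, so GitHub will generate `#installing-macos` and the link breaks; fix the anchor here rather than in a follow-up commit.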
@@ -99,219 +94,17 @@ Standard security best practices apply: * Ultimately, the security of a system depends on the capabilities of its administrator. * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. -## Preparing and installing macOS +## Installing macOS -There are several ways to install macOS. +There are several ways to [install macOS](https://support.apple.com/102662). Choose your preferred method from the available options. -The simplest way is to boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by holding `Command` and `R` keys at boot. A system image can be downloaded and applied directly from Apple. However, this may expose identifying information. + **You should install the latest version of macOS that's compatible with your Mac.** More recent versions have security patches and other improvements that older versions lack. -An alternative way to install macOS is to first download the latest version of macOS (**Latest: macOS Ventura**) from Apple via the [App Store](https://apps.apple.com/us/app/macos-ventura/id1638787999) and create a custom installable system image. - -This can also be done from the Terminal using the commands outlined in [OSXDaily](https://osxdaily.com/2020/04/13/how-download-full-macos-installer-terminal/). - -``` -softwareupdate --list-full-installers -# latest is 13.3.1 -softwareupdate -d --fetch-full-installer --full-installer-version 13.3.1 -``` - -### Getting macOS - -Apple's [documentation](https://support.apple.com/en-us/HT211683) provides details for getting older versions of macOS. 
- -* macOS Ventura (13): [App Store](https://apps.apple.com/us/app/macos-ventura/id1638787999) -* macOS Monterey (12): [App Store](https://apps.apple.com/us/app/macos-monterey/id1576738294) -* macOS Big Sur (11): [App Store](https://apps.apple.com/us/app/macos-big-sur/id1526878132) -* macOS Catalina (10.15): [App Store](https://apps.apple.com/us/app/macos-catalina/id1466841314) -* macOS Mojave (10.14): [App Store](https://apps.apple.com/us/app/macos-mojave/id1398502828) -* macOS High Sierra (10.13): [App Store](https://apps.apple.com/us/app/macos-high-sierra/id1246284741) -* macOS Sierra (10.12): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-39476-20191023-48f365f4-0015-4c41-9f44-39d3d2aca067/InstallOS.dmg) (HTTP) -* OS X El Capitan (10.11): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-41424-20191024-218af9ec-cf50-4516-9011-228c78eda3d2/InstallMacOSX.dmg) (HTTP) -* OS X Yosemite (10.10): [Direct Link](http://updates-http.cdn-apple.com/2019/cert/061-41343-20191023-02465f92-3ab5-4c92-bfe2-b725447a070d/InstallMacOSX.dmg) (HTTP) - -### Verifying installation integrity - -The macOS installation application is [code signed](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6), which should be verified using the commands `pkgutil --check-signature` or `codesign -dvv` - -To verify the code signature and integrity of macOS application bundles: - -```console -$ pkgutil --check-signature /Applications/Install\ macOS\ Ventura.app -Package "Install macOS Ventura": - Status: signed by a certificate trusted by macOS - Certificate Chain: - 1. Software Signing - Expires: 2026-10-24 17:39:41 +0000 - SHA256 Fingerprint: - D8 4D B9 6A F8 C2 E6 0A C4 C8 51 A2 1E C4 60 F6 F8 4E 02 35 BE B1 - 7D 24 A7 87 12 B9 B0 21 ED 57 - ------------------------------------------------------------------------ - 2. 
Apple Code Signing Certification Authority - Expires: 2026-10-24 17:39:41 +0000 - SHA256 Fingerprint: - 5B DA B1 28 8F C1 68 92 FE F5 0C 65 8D B5 4F 1E 2E 19 CF 8F 71 CC - 55 F7 7D E2 B9 5E 05 1E 25 62 - ------------------------------------------------------------------------ - 3. Apple Root CA - Expires: 2035-02-09 21:40:36 +0000 - SHA256 Fingerprint: - B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C - 68 C5 BE 91 B5 A1 10 01 F0 24 -``` - -Use the `codesign` command to examine an application's code signature: - -```console -$ codesign -dvv /Applications/Install\ macOS\ Ventura.app -Executable=/Applications/Install macOS Ventura.app/Contents/MacOS/InstallAssistant_springboard -Identifier=com.apple.InstallAssistant.macOSVentura -Format=app bundle with Mach-O universal (x86_64 arm64) -CodeDirectory v=20400 size=640 flags=0x2000(library-validation) hashes=13+3 location=embedded -Platform identifier=14 -Signature size=4523 -Authority=Software Signing -Authority=Apple Code Signing Certification Authority -Authority=Apple Root CA -Signed Time=Mar 22, 2023 at 16:09:45 -Info.plist entries=32 -TeamIdentifier=not set -Sealed Resources version=2 rules=2 files=0 -Internal requirements count=1 size=88 -``` - -### Creating a bootable USB installer - -Instead of booting from the network or using target disk mode, a bootable macOS installer can be made with the `createinstallmedia` utility included in `Contents/Resources` folder of the installer application bundle. See [Create a bootable installer for macOS](https://support.apple.com/en-us/HT201372), or run the utility without arguments to see how it works. - -To create a bootable USB installer, mount a USB drive, erase and partition it, then use the `createinstallmedia` utility: - -```console -diskutil list -[Find disk matching correct size, usually the last disk, e.g. 
/dev/disk2] - -diskutil unmountDisk /dev/disk2 - -diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100% - -cd /Applications/Install\ macOS\ Ventura.app - -sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction -``` - -[Disk Utility](https://support.apple.com/guide/disk-utility/erase-and-reformat-a-storage-device-dskutl14079/mac) can also be used to configure the storage device. - -### Creating an install image - -**Note** Apple's AutoDMG installer [does not appear to work](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/120) across OS versions. If you want to build a 10.14 image, for example, the following steps must be performed on macOS 10.14! - -To create a **custom install image** which can be [restored](https://en.wikipedia.org/wiki/Apple_Software_Restore) to a Mac (using a USB-C cable and target disk mode, for example), use [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG). - -### Target disk mode - -To use **Target Disk Mode**, boot up the Mac you wish to image while holding the `T` key and connect it to another Mac using a USB-C, Thunderbolt or Firewire cable. - -If you don't have another Mac, boot to a USB installer, with `sierra.dmg` and other required files copied to it, by holding the *Option* key at boot. 
- -Use the command `diskutil list` to identify the disk of the connected Mac, usually `/dev/disk2` - -**Optional** [securely erase](https://www.backblaze.com/blog/how-to-wipe-a-mac-hard-drive/) the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as `/dev/disk3s2`): - - sudo diskutil secureErase freespace 1 /dev/disk3s2 - -Partition the disk to Journaled HFS+: - -```console -sudo diskutil unmountDisk /dev/disk2 - -sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100% -``` - -Restore the image to the new volume, making sure `/dev/disk2` is the disk being erased: - -```console -sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m -``` - -The **Disk Utility** application may also be used to erase the connected disk and restore `sierra.dmg` to the newly created partition. - -To transfer any files, copy them to a shared folder like `/Users/Shared` on the mounted disk image, e.g. `cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared` - -Finished restore install from USB recovery boot - -*Finished restore install from USB recovery boot* - -### Creating a recovery partition - -**Unless** you have built the image with [AutoDMG](https://github.com/MagerValp/AutoDMG), or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) or the following steps. 
- -Download [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg) and verify its integrity: - -```console -$ shasum -a 256 RecoveryHDUpdate.dmg -f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c RecoveryHDUpdate.dmg -``` - -Attach and expand the installer, then run it - again ensuring `/Volumes/macOS` path is the newly created partition on the connected disk: - -```console -hdiutil attach RecoveryHDUpdate.dmg - -pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery - -hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg - -/tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist -``` - -Run `diskutil list` again to confirm `Recovery HD` now exists on `/dev/disk2` - -Eject the disk with `hdiutil unmount /Volumes/macOS` and power down the target disk mode-booted Mac. +The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac). ### Virtualization -To install macOS as a virtual machine (VM) using [VMware Fusion](https://www.vmware.com/products/fusion.html), follow the instructions above to create an image. You will **not** need to download and create a recovery partition. - -For the Installation Method, select *Install macOS from the recovery partition*. Customize any memory or CPU requirements and complete setup. The guest VM should boot into [Recovery Mode](https://support.apple.com/en-us/HT201314) by default. - -**Note** If the virtual machine does not boot due to a kernel panic, adjust the memory and process resource settings. - -In Recovery Mode, select a language, then select Utilities > Terminal from the menu bar. 
- -In the guest VM, type `ifconfig | grep inet` - you should see a private address like `172.16.34.129` - -On the host Mac, type `ifconfig | grep inet` - you should see a private gateway address like `172.16.34.1`. From the host Mac, you should be able to `ping 172.16.34.129` or the equivalent guest VM address. - -From the host Mac, serve the installable image to the guest VM by editing `/etc/apache2/httpd.conf` and adding the following line to the top (using the gateway address assigned to the host Mac and port 80): - - Listen 172.16.34.1:80 - -On the host Mac, link the image to the default Apache Web server directory: - - sudo ln ~/sierra.dmg /Library/WebServer/Documents - -From the host Mac, start Apache in the foreground: - - sudo httpd -X - -From the guest VM, install the disk image to the volume over the local network using `asr`: - -```console --bash-3.2# asr restore --source http://172.16.34.1/sierra.dmg --target /Volumes/Macintosh\ HD/ --erase --buffersize 4m - Validating target...done - Validating source...done - Erase contents of /dev/disk0s2 (/Volumes/Macintosh HD)? [ny]: y - Retrieving scan information...done - Validating sizes...done - Restoring ....10....20....30....40....50....60....70....80....90....100 - Verifying ....10....20....30....40....50....60....70....80....90....100 - Remounting target volume...done -``` - -When it's finished, stop the Apache Web server on the host Mac by pressing `Control` `C` at the `sudo httpd -X` window and remove the image copy with `sudo rm /Library/WebServer/Documents/sierra.dmg` - -In the guest VM, select *Startup Disk* from the menubar top-left, select the hard drive and restart. You may wish to disable the Network Adapter in VMware to configure the guest VM initially. - -Take and Restore from saved guest VM snapshots before and after attempting risky browsing, for example, or use a guest VM to install and operate questionable software. 
+You can easily run macOS in a virtual machine using [UTM](https://mac.getutm.app/). It's free from their site but if you buy it from the App Store, you'll get automatic updates. ## First boot From 7f365added526ca15d63d9cf68cd669023524d28 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 12:24:26 -0500 Subject: [PATCH 217/476] fix link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a5a4476..d54090b9 100755 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ To suggest an improvement, please send a pull request or [open an issue](https:/ This guide is also available in [简体中文](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). - [Basics](#basics) -- [Installing macOS](#preparing-and-installing-macos) +- [Installing macOS](#installing-macos) * [Virtualization](#virtualization) - [First boot](#first-boot) - [System activation](#system-activation) From 29dc545b6485d9ed64399aa5f76d49c18c7cf826 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 12:27:19 -0500 Subject: [PATCH 218/476] clarify VM --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d54090b9..f0439b9d 100755 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide ### Virtualization -You can easily run macOS in a virtual machine using [UTM](https://mac.getutm.app/). It's free from their site but if you buy it from the App Store, you'll get automatic updates. +You can easily run macOS natively in a virtual machine using [UTM](https://mac.getutm.app/). It's free from their site but if you buy it from the App Store, you'll get automatic updates. ## First boot From 82d1bdd79daab9a24ef362c5f7e2f9c007004f32 Mon Sep 17 00:00:00 2001 
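Review bot: the hunk at `@@ -99,219 +94,17 @@` deletes the whole "Verifying installation integrity" subsection along with the obsolete Sierra-era imaging steps, leaving the guide with no instruction to check the installer's signature (`pkgutil --check-signature` or `codesign -dvv` on the Install macOS app). That check still applies whenever a full installer is fetched with `softwareupdate --fetch-full-installer` or from the App Store, and the `createinstallmedia` bootable-installer method that Apple still documents is dropped with it; keep a short verification paragraph and the USB-installer steps, and prune only the AutoDMG, target-disk-mode, recovery-partition and VMware/Apache material. Also, `+ **You should install the latest version` carries a leading space before the bold marker, harmless in Markdown but inconsistent with the rest of the file.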
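Review bot: in the "clarify VM" hunk, "run macOS natively in a virtual machine" is self-contradictory as written; if the point is that UTM uses Apple's Virtualization framework on Apple silicon rather than emulation, say that. The App Store remark is about convenience, not security; the point relevant to this guide is that the App Store copy is signed and distributed by Apple, while the direct download rests on the project's own Developer ID signature and should be checked with `codesign` before first launch.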
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 13:39:42 -0500 Subject: [PATCH 219/476] Recommend QuickTime player instead of VLC --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5795bff8..a15826a4 100755 --- a/README.md +++ b/README.md @@ -1990,7 +1990,7 @@ Zentral will support Santa in both MONITORING and LOCKDOWN operation mode. Clien Disable [Diagnostics & Usage Data](https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data). -If you want to play **music** or watch **videos**, use [VLC media player](https://www.videolan.org/vlc/index.html) which is free and open source. +If you want to play **music** or watch **videos**, use QuickTime Player, the built-in media player in macOS. It uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox), [Hardened Runtime](https://developer.apple.com/documentation/xcode/configuring-the-hardened-runtime), and benefits from the [Signed System Volume](https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web) as part of the base system. If you want to use **torrents**, use [Transmission](https://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). From 1572ff293596d35b9644b67ff677dde6d11d1fa5 Mon Sep 17 00:00:00 2001 
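Review bot: the replacement sentence removes VLC's stated merit (free and open source) without weighing it, and the properties it credits to QuickTime Player (App Sandbox, Hardened Runtime, "benefits from the Signed System Volume as part of the base system") hold for any app shipped with the OS, so they do not by themselves justify the swap; state the trade-off the reader is making, a closed but sandboxed system app versus an auditable third-party one. Also, the Hardened Runtime link goes to the Xcode configuration guide for developers (documentation/xcode/configuring-the-hardened-runtime); link the Hardened Runtime overview instead.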
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 14:22:26 -0500 Subject: [PATCH 220/476] update first boot and system activation --- README.md | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index f0439b9d..74fa6bde 100755 --- a/README.md +++ b/README.md @@ -108,13 +108,9 @@ You can easily run macOS natively in a virtual machine using [UTM](https://mac.g ## First boot -**Note** Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, late 2016 MacBooks with Touch Bar hardware [require online OS activation](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/) (see next section). - -(Intel-based Mac only) On first boot, hold `Command` `Option` `P` `R` keys to [clear NVRAM](https://support.apple.com/en-us/HT204063). - When macOS first starts, you'll be greeted by **Setup Assistant**. -When creating the first account, use a [strong password](https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) without a hint. +When creating the first account, use a [strong password](https://www.eff.org/dice) without a hint. If you enter your real name at the account setup process, be aware that your computer's name and local hostname will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. 
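Review bot: the deleted lines carry two hardening steps, "consider disconnecting networking and configuring a firewall(s) first" and the Intel NVRAM reset (Command Option P R), and the commit message ("update first boot and system activation") gives no reason for dropping either. The Touch Bar example is dated, but the recommendation still applies; suggest keeping it as "Before setting up macOS, consider disconnecting networking and configuring a firewall first; note that Apple silicon Macs require online activation (see System activation)." and keeping the NVRAM step for as long as the guide covers Intel Macs. The password link swap (explainxkcd to eff.org/dice) is fine.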
@@ -127,23 +123,7 @@ sudo scutil --set LocalHostName MacBook ## System activation -A few words on the privacy implications of activating "Touch Bar" MacBook devices from your friendly anonymous security researcher: - -> Apple increasingly seems (despite vague claims to the contrary) increasingly interested in merging or "unifying" the two OSes, and there are constantly rumors of fundamental changes to macOS that make it far more like iOS than the macOS of old. Apple's introduction of ARM-based coprocessors running iOS/sepOS, first with the T1 processor on the TouchBar MacBook Pros (run the TouchBar, implement NFC/ApplePay, add biometric login using sep, and verify firmware integrity) and the iMac Pro's T2 (implements/verifies embedded device firmware, implements secure boot, etc) seems to cement this concern and basically renders using macOS devices without sending metadata to Apple difficult to impossible. -> -> iOS devices have always required "activation" on first boot and when the battery has gone dead which initializes sepOS to proceed with verified boot. First boot activation not only initializes sepOS as discussed below, but sends metadata to Apple (and carriers via Apple with cellular devices) to activate the baseband and SIM. In activation processes after first boot, just as with first boot, a long list of highly sensitive metadata are sent hashed (note hashing does not give you any privacy from Apple here since they link this exact metadata to payment information at purchase) to Apple so it can return the personalized response required for secure boot to complete. What is particularly worrying about this process is that it is a network-linked secure boot process where centralized external servers have the power to dictate what the device should boot. 
Equally there are significant privacy concerns with devices constantly sending metadata (both during activation and other Apple-linked/-hosted activities) and linking IP addresses very strongly with real identities based on purchase payment information and if a cellular device, metadata collected about SIM, etc unless such connections are blocked at the network level (which is only possible on self-managed infrastructure, i.e. not cellular) and doing this basically renders using the device impossible since simply installing an application requires sending device metadata to Apple. -> -> That the activation verification mechanism is designed specifically to rely on unique device identifiers that are associated with payment information at purchase and actively associated on a continuing basis by Apple for every Apple-hosted service that the device interacts with (Apple ID-based services, softwareupdate, iMessage, FaceTime, etc.) the ability (and invitation) for Apple to silently send targeted malicious updates to devices matching specific unique ID criteria is a valid concern, and something that should not be dismissed as unlikely, especially given Apple's full compliance with recently implemented Chinese (and other authoritarian and "non-authoritarian" countries') national security laws. -> -> iOS has from the start been designed with very little end-user control with no way for end-users to configure devices according to their wishes while maintaining security and relies heavily on new, closed source code. While macOS has for most of its history been designed on the surface in a similar fashion, power and enterprise users can (for the moment) still configure their devices relatively securely while maintaining basically zero network interaction with Apple and with the installation of third party software/kernel extensions, completely control the network stack and intercept filesystem events on a per-process basis. 
macOS, despite having a good deal of closed source code, was designed at a very different period in Apple's history and was designed more in line with open source standards, and designed to be configurable and controllable by enterprise/power users. -> -> The introduction of these coprocessors to Mac devices, while increasing security in many ways, brings with it all the issues with iOS discussed above, and means that running mac devices securely with complete user control, and without forced network interaction with the Apple mothership in highly sensitive corporate and other environments problematic and risky. Given this author is unaware of the exact hardware configuration of the coprocessors, the following may be inaccurate. However, given the low-level nature of these coprocessors, it would not surprise the author if these coprocessors, if not already, will eventually have separate network access of their own, independent of the Intel CPU (indications suggest not currently the case for T1; unclear on T2), which leads to concerns similar to those that many have raised around Intel ME/AMT (and of course mac devices also have ME in the Intel CPU...). One could argue that these coprocessors increase security, and in many ways that is the case, but not the user's security against a malicious Apple. -> -> The lack of configurability is the key issue. Apple could have introduced secure boot and firmware protection without making it require network access, without making verification linked to device-unique IDs and without introducing an enormous amount of potentially exploitable code to protect against a much smaller, but highly exploitable codebase, while running on a coprocessor with a highly privileged position on the board which gives immense power to an adversary with manufacturer compliance for targeted attacks. 
-> -> This is an ongoing concern and in the worst case scenario could potentially represent the end of macs as independent, end-user controllable and relatively secure systems appropriate for sensitive environments with strict network and security policies. - -From [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d). +As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers to check against the database of stolen Macs. ## Admin and standard user accounts From d408c4b36a168cfd966592e7a9799cc6d82b7a2b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 14:24:44 -0500 Subject: [PATCH 221/476] clarify --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 74fa6bde..c906cc2a 100755 --- a/README.md +++ b/README.md @@ -123,7 +123,7 @@ sudo scutil --set LocalHostName MacBook ## System activation -As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers to check against the database of stolen Macs. +As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen Macs. ## Admin and standard user accounts From 746bb2384b046ca41cd6de0c6f0caa9657f2a60a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 18:05:35 -0500 Subject: [PATCH 222/476] add apple id and app store sections and rearrange it a bit --- README.md | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7a4ad0ff..1cf1facb 100755 --- a/README.md +++ b/README.md 
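Review bot: collapsing the quoted analysis to "activate with Apple's servers to check against the database of stolen Macs" loses the privacy point the quote made, that activation sends device-unique identifiers to Apple over the network and that those identifiers are tied to the purchase; the new sentence presents activation purely as a theft check. Keep a one-line statement of that concern and retain the link to the gist ("iOS, The Future Of macOS, Freedom, Security And Privacy ...") as further reading rather than deleting the reference outright.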
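Review bot: "every time you reinstall macOS" narrows the statement too far; the First boot note removed earlier in this series framed activation as a first-boot requirement, so write "on first boot and after every reinstall of macOS" unless reinstall-only is really what is intended.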
@@ -13,7 +13,11 @@ To suggest an improvement, please send a pull request or [open an issue](https:/ This guide is also available in [简体中文](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). - [Basics](#basics) +- [Acquiring a Mac](#acquiring-a-mac) - [Installing macOS](#installing-macos) + * [System Activation](#system-activation) + * [Apple ID](#apple-id) + * [App Store](#app-store) * [Virtualization](#virtualization) - [First boot](#first-boot) - [System activation](#system-activation) @@ -94,6 +98,10 @@ Standard security best practices apply: * Ultimately, the security of a system depends on the capabilities of its administrator. * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. +## Acquiring a Mac + +When you purchase your Mac, you might want to avoid it being linked back to you. Depending on your threat model, you might want to pay for it in cash in person rather than ordering online or purchasing with a credit/debit card. + ## Installing macOS There are several ways to [install macOS](https://support.apple.com/102662). Choose your preferred method from the available options. 
@@ -102,6 +110,22 @@ There are several ways to [install macOS](https://support.apple.com/102662). Cho The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac). +### System activation + +As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen Macs. + +### Apple ID + +Creating an Apple ID is not required to use macOS. Making an Apple ID requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to Apple's servers. You can [disable](https://support.apple.com/102651) most of it later if you want. + +An Apple ID is required in order to access the App Store and use most Apple services. + +### App Store + +The Mac App Store is a [curated](https://developer.apple.com/app-store/review/guidelines/) repository of software that is required to utilize the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) and [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), as well as offering automatic updates that integrate with your system. + +The App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple ID and Apple will be able to link your Apple ID to your downloaded apps. + ### Virtualization You can easily run macOS natively in a virtual machine using [UTM](https://mac.getutm.app/). It's free from their site but if you buy it from the App Store, you'll get automatic updates. 
@@ -121,10 +145,6 @@ sudo scutil --set ComputerName MacBook sudo scutil --set LocalHostName MacBook ``` -## System activation - -As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen Macs. - ## Admin and standard user accounts The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. From c13f8dd5c386dd7e3eb6d22eb0150128ff01a417 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 10 Mar 2024 18:12:49 -0500 Subject: [PATCH 223/476] edit wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1cf1facb..f798c2fc 100755 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ Standard security best practices apply: ## Acquiring a Mac -When you purchase your Mac, you might want to avoid it being linked back to you. Depending on your threat model, you might want to pay for it in cash in person rather than ordering online or purchasing with a credit/debit card. +When you purchase your Mac, you might want to avoid it being linked back to you. You should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase. ## Installing macOS From 06a563f1209822ce12834bf660c0c2096f1c0033 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 02:52:14 -0500 Subject: [PATCH 224/476] add hardware instructions --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
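Review bot: the table of contents ends up with two entries for the same anchor: the new "* [System Activation](#system-activation)" under Installing macOS and the old "- [System activation](#system-activation)" after First boot, which stays even though the last hunk of this patch deletes that top-level section. Remove the old entry, and match the body headings' capitalization ("### System activation").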
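Review bot: "a curated repository of software that is required to utilize the App Sandbox and Hardened Runtime" reads as if the store is required in order to use those features; the intended meaning is that apps in the store are required to adopt them, so write "whose apps are required to use the App Sandbox and Hardened Runtime". The follow-on "offers the greatest security guarantees for software on macOS" is an absolute that the two listed requirements plus review do not establish on their own; either soften it ("the strongest baseline guarantees") or say what the store adds over a sandboxed, hardened app obtained elsewhere. The Apple ID linkage caveat in the same sentence is the right thing to keep.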
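Review bot: the rewrite turns a threat-model-dependent suggestion into an unconditional "You should pay for it in cash in person", and "that way no identifying information can be linked back to your purchase" is an absolute the text does not support (a cash purchase reduces linkage; it does not eliminate it). Keep the "Depending on your threat model" qualifier and say "less identifying information" or "no payment record".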
diff --git a/README.md b/README.md index f798c2fc..cb4dee03 100755 --- a/README.md +++ b/README.md @@ -100,6 +100,8 @@ Standard security best practices apply: ## Acquiring a Mac +macOS is most secure running on Apple hardware with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web) in versions that aren't the most recent one. + When you purchase your Mac, you might want to avoid it being linked back to you. You should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase. ## Installing macOS From 58aa1b1d20f7583c4f9317cba54c03049fcaabd9 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 03:26:29 -0500 Subject: [PATCH 225/476] add utm documentation link --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index cb4dee03..6cac50c5 100755 --- a/README.md +++ b/README.md @@ -132,6 +132,8 @@ The App Store offers the greatest security guarantees for software on macOS, but You can easily run macOS natively in a virtual machine using [UTM](https://mac.getutm.app/). It's free from their site but if you buy it from the App Store, you'll get automatic updates. +Follow their [documentation](https://docs.getutm.app/guest-support/macos/) to install a macOS VM with just a few clicks. + ## First boot When macOS first starts, you'll be greeted by **Setup Assistant**. From 222c2a15dbf14b5e78c568d243d82235f9467d4d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 03:51:34 -0500 Subject: [PATCH 226/476] add documentation that explains exactly how activation lock works --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 6cac50c5..d9ff5782 100755 --- a/README.md +++ b/README.md @@ -114,7 +114,9 @@ The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide ### System activation -As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen Macs. +As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen or activation-locked Macs. + +You can read about exactly how this process works [here](https://support.apple.com/guide/security/localpolicy-signing-key-creation-management-sec1f90fbad1). ### Apple ID From 3d704261e1ca5f47d8d3aa03fe746c10fc9929ce Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 04:09:21 -0500 Subject: [PATCH 227/476] update recovery mode link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d9ff5782..6bca8f96 100755 --- a/README.md +++ b/README.md @@ -110,7 +110,7 @@ There are several ways to [install macOS](https://support.apple.com/102662). Cho **You should install the latest version of macOS that's compatible with your Mac.** More recent versions have security patches and other improvements that older versions lack. -The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac). +The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/14.0/mac/14.0#mchl57249f89) ### System activation From b56ac76084f7a541a4edf5166213f8542e434911 Mon Sep 17 00:00:00 2001 
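Review bot: "You can read about exactly how this process works [here]" is a bare "here" link, and its target (per the URL, LocalPolicy signing key creation and management) documents LocalPolicy signing key handling, so say how that relates to the stolen-Mac database check described in the previous sentence and name the document instead of "here", e.g. "Apple's Platform Security guide describes the activation exchange under LocalPolicy signing key creation and management."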
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 04:11:52 -0500 Subject: [PATCH 228/476] add examples for apple id --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6bca8f96..014b9f16 100755 --- a/README.md +++ b/README.md @@ -122,7 +122,7 @@ You can read about exactly how this process works [here](https://support.apple.c Creating an Apple ID is not required to use macOS. Making an Apple ID requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to Apple's servers. You can [disable](https://support.apple.com/102651) most of it later if you want. -An Apple ID is required in order to access the App Store and use most Apple services. +An Apple ID is required in order to access the App Store and use most Apple services like iCloud, Apple Music, etc. ### App Store From 8cbafd0f370a1315d5ac1b8421118967428b7667 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 04:15:58 -0500 Subject: [PATCH 229/476] update computer name --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 014b9f16..da36a655 100755 --- a/README.md +++ b/README.md @@ -144,7 +144,7 @@ When creating the first account, use a [strong password](https://www.eff.org/dic If you enter your real name at the account setup process, be aware that your computer's name and local hostname will comprise that name (e.g., *John Appleseed's MacBook*) and thus will appear on local networks and in various preference files. -Both should be verified and updated as needed in **System Preferences > Sharing** or with the following commands after installation: +Both should be verified and updated as needed in **System Settings > About** or with the following commands after installation: ```console sudo scutil --set ComputerName MacBook 
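Review bot: the new UI path "System Settings > About" covers only one of the two values the commands below set; ComputerName is the device name shown in About, while LocalHostName is edited under the Sharing pane in System Settings. Give both locations, or keep the commands as the authoritative route and say the UI path is for the computer name only.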
From b54baadeb24e5d768f33814868b677cd5ece30e5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 04:23:41 -0500 Subject: [PATCH 230/476] shorten links --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index da36a655..af6c40a3 100755 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ Standard security best practices apply: ## Acquiring a Mac -macOS is most secure running on Apple hardware with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web) in versions that aren't the most recent one. +macOS is most secure running on Apple hardware with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one. When you purchase your Mac, you might want to avoid it being linked back to you. You should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase. 
@@ -110,7 +110,7 @@ There are several ways to [install macOS](https://support.apple.com/102662). Cho **You should install the latest version of macOS that's compatible with your Mac.** More recent versions have security patches and other improvements that older versions lack. -The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/14.0/mac/14.0#mchl57249f89) +The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/14.0#mchl57249f89) ### System activation 
@@ -126,15 +126,15 @@ An Apple ID is required in order to access the App Store and use most Apple serv ### App Store -The Mac App Store is a [curated](https://developer.apple.com/app-store/review/guidelines/) repository of software that is required to utilize the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) and [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), as well as offering automatic updates that integrate with your system. +The Mac App Store is a [curated](https://developer.apple.com/app-store/review/guidelines) repository of software that is required to utilize the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) and [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), as well as offering automatic updates that integrate with your system. The App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple ID and Apple will be able to link your Apple ID to your downloaded apps. ### Virtualization -You can easily run macOS natively in a virtual machine using [UTM](https://mac.getutm.app/). It's free from their site but if you buy it from the App Store, you'll get automatic updates. +You can easily run macOS natively in a virtual machine using [UTM](https://mac.getutm.app). It's free from their site but if you buy it from the App Store, you'll get automatic updates. -Follow their [documentation](https://docs.getutm.app/guest-support/macos/) to install a macOS VM with just a few clicks. +Follow their [documentation](https://docs.getutm.app/guest-support/macos) to install a macOS VM with just a few clicks. ## First boot From abc7c4b74f20a5801431780511ff49c73a0b15a5 Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 05:50:00 -0500 Subject: [PATCH 231/476] add mention of threat model --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index af6c40a3..3c5399fe 100755 --- a/README.md +++ b/README.md @@ -102,7 +102,7 @@ Standard security best practices apply: macOS is most secure running on Apple hardware with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one. -When you purchase your Mac, you might want to avoid it being linked back to you. You should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase. +When you purchase your Mac, you might want to avoid it being linked back to you. Depending on your threat model, you should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase. ## Installing macOS From 86d08f178190e6f027c6a6ee2435e28752835c6a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 06:10:10 -0500 Subject: [PATCH 232/476] add link to hardware security --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3c5399fe..8d516e7e 100755 --- a/README.md +++ b/README.md 
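Review bot: "Depending on your threat model, you should pay for it in cash" mixes a conditional with an imperative; "you may want to pay for it in cash" matches the qualifier. The trailing clause "that way no identifying information can be linked back to your purchase" still overstates what a cash purchase achieves; "which reduces the identifying information linked to your purchase" is defensible.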
@@ -100,7 +100,7 @@ Standard security best practices apply: ## Acquiring a Mac -macOS is most secure running on Apple hardware with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one. +macOS is most secure running on [Apple hardware](https://support.apple.com/guide/security/hardware-security-overview-secf020d1074/1/web/1) with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one. When you purchase your Mac, you might want to avoid it being linked back to you. Depending on your threat model, you should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase. From 98e3f0ac8ee4c2682df78bf979c1912fd3ab6f65 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 06:10:54 -0500 Subject: [PATCH 233/476] change acquiring a mac to hardware --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8d516e7e..06893f69 100755 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ To suggest an improvement, please send a pull request or [open an issue](https:/ This guide is also available in [简体中文](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). - [Basics](#basics) -- [Acquiring a Mac](#acquiring-a-mac) +- [Hardware](#hardware) - [Installing macOS](#installing-macos) * [System Activation](#system-activation) * [Apple ID](#apple-id) 
@@ -98,7 +98,7 @@ Standard security best practices apply: * Ultimately, the security of a system depends on the capabilities of its administrator. * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. -## Acquiring a Mac +## Hardware macOS is most secure running on [Apple hardware](https://support.apple.com/guide/security/hardware-security-overview-secf020d1074/1/web/1) with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one. From 0a7762328e5d53b3d93e2c13a1be387ee00e940c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 06:38:04 -0500 Subject: [PATCH 234/476] add link to apple id privacy controls --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 06893f69..e4497ecb 100755 --- a/README.md +++ b/README.md @@ -122,6 +122,8 @@ You can read about exactly how this process works [here](https://support.apple.c Creating an Apple ID is not required to use macOS. Making an Apple ID requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to Apple's servers. You can [disable](https://support.apple.com/102651) most of it later if you want. +You can [control the data](https://support.apple.com/102283) associated with your Apple ID or completely delete it. + An Apple ID is required in order to access the App Store and use most Apple services like iCloud, Apple Music, etc. ### App Store From 6732bfdc98a007a5bb85b4dcf4cd5408c98dff6d Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 06:56:11 -0500 Subject: [PATCH 235/476] clarify about icloud syncing --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e4497ecb..c47164f2 100755 --- a/README.md +++ b/README.md @@ -120,7 +120,7 @@ You can read about exactly how this process works [here](https://support.apple.c ### Apple ID -Creating an Apple ID is not required to use macOS. Making an Apple ID requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to Apple's servers. You can [disable](https://support.apple.com/102651) most of it later if you want. +Creating an Apple ID is not required to use macOS. Making an Apple ID requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to iCloud, Apple's cloud storage service. You can [disable](https://support.apple.com/102651) the syncing later if you want or enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) for your iCloud data. You can [control the data](https://support.apple.com/102283) associated with your Apple ID or completely delete it. From 60dd764be1535cf0706a10bb7a4fa6c791d4853b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 06:58:47 -0500 Subject: [PATCH 236/476] remove instructions to install from recovery mode --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index c47164f2..42c0bdb0 100755 --- a/README.md +++ b/README.md 
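Review bot: the end-to-end encryption clause should tell the reader that the option (Advanced Data Protection, per the link's URL) is opt-in and that the default sync described at the start of the sentence stays in effect until they either disable syncing or turn that option on; as written it reads as two equally available defaults. Suggest: "You can disable the syncing later, or opt in to end-to-end encryption (Advanced Data Protection) for your iCloud data."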
@@ -110,8 +110,6 @@ There are several ways to [install macOS](https://support.apple.com/102662). Cho **You should install the latest version of macOS that's compatible with your Mac.** More recent versions have security patches and other improvements that older versions lack. -The simplest way is to boot into [Recovery Mode](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/14.0#mchl57249f89) - ### System activation As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen or activation-locked Macs. From 05f85df75ba439f5d209cb897acc01fd19e4afcb Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 06:59:19 -0500 Subject: [PATCH 237/476] punctuation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 42c0bdb0..caa28b46 100755 --- a/README.md +++ b/README.md @@ -108,7 +108,7 @@ When you purchase your Mac, you might want to avoid it being linked back to you. There are several ways to [install macOS](https://support.apple.com/102662). Choose your preferred method from the available options. - **You should install the latest version of macOS that's compatible with your Mac.** More recent versions have security patches and other improvements that older versions lack. + **You should install the latest version of macOS that's compatible with your Mac**. More recent versions have security patches and other improvements that older versions lack. ### System activation From 9135eb6198ac8130205cf187ecfe2df5bc54de05 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 07:09:58 -0500 Subject: [PATCH 238/476] add mention of bluetooth peripherals --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/README.md b/README.md index caa28b46..374dc793 100755 --- a/README.md +++ b/README.md @@ -104,6 +104,8 @@ macOS is most secure running on [Apple hardware](https://support.apple.com/guide When you purchase your Mac, you might want to avoid it being linked back to you. Depending on your threat model, you should pay for it in cash in person rather than ordering online or purchasing with a credit/debit card, that way no identifying information can be linked back to your purchase. +If you want to use a wireless keyboard, mouse, headphones or other accessory, the most secure option is Apple ones since they will automatically be updated by your system. They also support the latest [Bluetooth features](https://support.apple.com/guide/security/bluetooth-security-sec82597d97e/web) like BLE Privacy which randomizes your Bluetooth hardware address to prevent tracking. With third party accessories, this isn't a guarantee. + ## Installing macOS There are several ways to [install macOS](https://support.apple.com/102662). Choose your preferred method from the available options. From 6f8f14035d33411a5d49b695c9343291cd73d9fc Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 12:50:03 -0500 Subject: [PATCH 239/476] re add vmware --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 374dc793..1a25bd20 100755 --- a/README.md +++ b/README.md 
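Review bot: the added paragraph's claim that BLE Privacy randomizes the address "to prevent tracking" overstates what address randomization does; suggest "to make tracking harder". Two style points in the same line: "the most secure option is Apple ones" reads awkwardly ("accessories made by Apple" or "Apple's own accessories" is clearer), and "third party" should be hyphenated when used as an adjective ("third-party accessories").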
@@ -138,6 +138,8 @@ You can easily run macOS natively in a virtual machine using [UTM](https://mac.g Follow their [documentation](https://docs.getutm.app/guest-support/macos) to install a macOS VM with just a few clicks. +Another option is [VMware Fusion](https://www.vmware.com/products/fusion.html), although it costs money. You can read their [documentation](https://docs.vmware.com/en/VMware-Fusion/13/com.vmware.fusion.using.doc/GUID-474FC78E-4E77-42B7-A1C6-12C2F378C5B9.html) to see how to install a macOS VM. + ## First boot When macOS first starts, you'll be greeted by **Setup Assistant**. From c5726fe3dd7d9f71bcf05a3737a063c66b24a036 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 12:51:51 -0500 Subject: [PATCH 240/476] add link to article in additional resources --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1a25bd20..de2ba394 100755 --- a/README.md +++ b/README.md @@ -1918,6 +1918,7 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch) * [IOKit kernel code execution exploit](https://code.google.com/p/google-security-research/issues/detail?id=135) * [IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) +* [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d) * [Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) * [Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf) * [Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) 
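Review bot: "although it costs money" in the new VMware Fusion line is informal for this guide; suggest "although it is a paid product". The documentation link is a deep link containing a GUID path segment, which tends to move between releases; the generic Fusion documentation landing page would be a more durable target.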
From 2625ee85f6801a19390438524c43a493830a5a24 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 17:38:57 -0500 Subject: [PATCH 241/476] fix link order --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index de2ba394..4d4ab1ee 100755 --- a/README.md +++ b/README.md @@ -1917,8 +1917,8 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/) * [How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch) * [IOKit kernel code execution exploit](https://code.google.com/p/google-security-research/issues/detail?id=135) -* [IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) * [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d) +* [IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) * [Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) * [Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf) * [Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) From 9aa1d575cd5ab4ad6b0c408c902af87bb76561ce Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 20:19:02 -0500 Subject: [PATCH 242/476] Update application firewall section --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4d4ab1ee..1c120df7 100755 --- a/README.md 
+++ b/README.md @@ -212,7 +212,7 @@ There are several types of firewalls available for macOS. Built-in, basic firewall which blocks **incoming** connections only. This firewall does not have the ability to monitor, nor block **outgoing** connections. -It can be controlled by the **Firewall** tab of **Security & Privacy** in **System Preferences**, or with the following commands. +It can be controlled by the **Firewall** tab of **Network** in **System Settings**, or with the following commands. Enable the firewall with logging and stealth mode: @@ -224,7 +224,7 @@ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on ``` -> Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using **stealth mode**. When stealth mode is enabled, your computer does not respond to ICMP ping requests, and does not answer to connection attempts from a closed TCP or UDP port. This makes it more difficult for attackers to find your computer. +Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using **stealth mode**. When stealth mode is enabled, your computer does not respond to ICMP ping requests, and does not answer to connection attempts from a closed TCP or UDP port. This makes it more difficult for attackers to find your computer. To prevent *built-in software* as well as *code-signed, downloaded software from being whitelisted automatically*: 
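Review bot: the second hunk (`@@ -224,7 +224,7 @@`) drops the `>` blockquote marker from the stealth-mode paragraph, but the text still reads as quoted documentation ("Computer hackers scan networks so they can attempt to identify computers to attack..."). If it is a quotation, keep the `>` or add a link to its source; if it is being adopted as the guide's own text, reword it so it is not presented as an unattributed quote.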
@@ -234,9 +234,9 @@ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off ``` -> Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in macOS are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall. +Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in macOS are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall. -> If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose "Allow", macOS signs the application and automatically adds it to the firewall list. If you choose "Deny", macOS adds it to the list but denies incoming connections intended for this app. +If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose "Allow", macOS signs the application and automatically adds it to the firewall list. If you choose "Deny", macOS adds it to the list but denies incoming connections intended for this app. After interacting with `socketfilterfw`, restart the process by sending a line hangup signal: From 30884ae8348d7a9c7829088b97ec62f098cdbd4f Mon Sep 17 00:00:00 2001 
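Review bot: same concern for the two de-quoted paragraphs in this hunk (`Applications that are signed by a valid certificate authority...` and `If you run an unsigned app...`): removing the `>` turns quoted documentation into unattributed body text, so keep the marker or cite the source. While this section is being brought up to the System Settings era, the "since iTunes is already signed by Apple" example is also worth revisiting with an app that still ships on current macOS.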
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 20:24:04 -0500 Subject: [PATCH 243/476] remove security growler --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1c120df7..36e0d9dc 100755 --- a/README.md +++ b/README.md @@ -246,7 +246,7 @@ sudo pkill -HUP socketfilterfw ### Third party firewalls -Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Radio Silence](https://radiosilenceapp.com/), [LuLu](https://objective-see.com/products/lulu.html) and [Security Growler](https://pirate.github.io/security-growler/) provide a good balance of usability and security. +Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Radio Silence](https://radiosilenceapp.com/), and [LuLu](https://objective-see.com/products/lulu.html) provide a good balance of usability and security. These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [kernel extension](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html). From ae301b67b50c4fa7533ed15c30c7b00265b9a8e9 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 20:25:43 -0500 Subject: [PATCH 244/476] change kernel extension to system extension --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 36e0d9dc..08de854c 100755 --- a/README.md +++ b/README.md 
@@ -248,7 +248,7 @@ sudo pkill -HUP socketfilterfw Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Radio Silence](https://radiosilenceapp.com/), and [LuLu](https://objective-see.com/products/lulu.html) provide a good balance of usability and security. -These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [kernel extension](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html). +These programs are capable of monitoring and blocking **incoming** and **outgoing** network connections. However, they may require the use of a closed source [system extension](https://support.apple.com/HT210999). If the number of choices of allowing/blocking network connections is overwhelming, use **Silent Mode** with connections allowed, then periodically check the configuration to gain understanding of applications and what they are doing. From f9ce5440188d6eebde4eb179bfbb6f244735b43e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 20:26:47 -0500 Subject: [PATCH 245/476] remove outdated little snitch links --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 08de854c..21d75769 100755 --- a/README.md +++ b/README.md 
@@ -254,8 +254,6 @@ If the number of choices of allowing/blocking network connections is overwhelmin It is worth noting that these firewalls can be bypassed by programs running as **root** or through [OS vulnerabilities](https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf) (pdf), but they are still worth having - just don't expect absolute protection. However, some malware actually [deletes itself](https://www.cnet.com/how-to/how-to-remove-the-flashback-malware-from-os-x/) and doesn't execute if Little Snitch, or other security software, is installed. -For more on how Little Snitch works, see the [Network Kernel Extensions Programming Guide](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/socket_nke/socket_nke.html#//apple_ref/doc/uid/TP40001858-CH228-SW1) and [Shut up snitch! – reverse engineering and exploiting a critical Little Snitch vulnerability](https://reverse.put.as/2016/07/22/shut-up-snitch-reverse-engineering-and-exploiting-a-critical-little-snitch-vulnerability/). - ### Kernel level packet filtering A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with `pfctl` and various configuration files. From 233f3c51dd7fc49256a72c781169345aa95ef356 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 20:30:55 -0500 Subject: [PATCH 246/476] remove icefloor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 21d75769..0dbfc02b 100755 --- a/README.md +++ b/README.md 
@@ -258,7 +258,7 @@ It is worth noting that these firewalls can be bypassed by programs running as * A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with `pfctl` and various configuration files. -pf can also be controlled with a GUI application such as [IceFloor](https://www.hanynet.com/icefloor/) or [Murus](https://www.murusfirewall.com/). +pf can also be controlled with a GUI application such as [Murus](https://www.murusfirewall.com/). There are many books and articles on the subject of pf firewall. Here's is just one example of blocking traffic by IP address. From 3a2d5830c2408c56e738fe6427de74761aa39a47 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 11 Mar 2024 20:32:28 -0500 Subject: [PATCH 247/476] remove outdated link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0dbfc02b..f6bf91ac 100755 --- a/README.md +++ b/README.md @@ -342,7 +342,7 @@ IP 192.168.1.1.162771 > 157.240.2.35.80: tcp 0 Outgoing TCP SYN packets are blocked, so a TCP connection is not established and thus a Web site is effectively blocked at the IP layer. -To use pf to audit "phone home" behavior of user and system-level processes, see [fix-macosx/net-monitor](https://github.com/fix-macosx/net-monitor). See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/master/scripts/pf-blocklist.sh) for more inspiration. +See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/master/scripts/pf-blocklist.sh) for more inspiration. ## Services From 1992f13999e1602f1865882ee0f8158741e195e9 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 10:20:50 -0500 Subject: [PATCH 248/476] Remove recommendation to disable SIP --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index f6bf91ac..25876d03 100755 
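Review bot: after the net-monitor sentence is removed, the remaining `+See [drduh/config/scripts/pf-blocklist.sh](...) for more inspiration.` no longer has anything for "more" to refer to; suggest "See ... for an example blocklist script."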
--- a/README.md +++ b/README.md @@ -346,8 +346,6 @@ See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/ ## Services -**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or disable services from Recovery Mode. See [Issue 334](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/334) for more information. - See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) for further recommendations. Services on macOS are managed by **launchd**. See [launchd.info](https://launchd.info/), as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html) From b606f8aa2571c3817d901557183704670c59173b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 10:21:05 -0500 Subject: [PATCH 249/476] remove outdated links --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 25876d03..1ca63ace 100755 --- a/README.md +++ b/README.md 
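Review bot: with the `**Note** [System Integrity Protection]...` line gone, the Services section no longer states that SIP prevents disabling system services on recent macOS, and the `launchctl` material in this section gives no hint why unloading a system daemon fails. Keep that fact as a one-line note, without the "temporarily disable SIP" workaround, which is rightly removed here.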
@@ -346,8 +346,6 @@ See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/ ## Services -See [fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) for further recommendations. - Services on macOS are managed by **launchd**. See [launchd.info](https://launchd.info/), as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html) You can also run [KnockKnock](https://objective-see.com/products/knockknock.html) that shows more information about startup items. From 97a55d9974142c161ae66b2e75142f1acc0ef54f Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 10:21:55 -0500 Subject: [PATCH 250/476] remove links to archived apple documentation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1ca63ace..3501ef4d 100755 --- a/README.md +++ b/README.md @@ -346,7 +346,7 @@ See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/ ## Services -Services on macOS are managed by **launchd**. See [launchd.info](https://launchd.info/), as well as [Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) and [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html) +Services on macOS are managed by **launchd**. See [launchd.info](https://launchd.info). You can also run [KnockKnock](https://objective-see.com/products/knockknock.html) that shows more information about startup items. From ed2d645cefbcc11a5c2a5ed68916e134d68db5fd Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 10:30:29 -0500 Subject: [PATCH 251/476] remove knock knock and add first party functionality --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3501ef4d..8015f3f1 100755 --- a/README.md +++ b/README.md @@ -348,7 +348,7 @@ See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/ Services on macOS are managed by **launchd**. See [launchd.info](https://launchd.info). -You can also run [KnockKnock](https://objective-see.com/products/knockknock.html) that shows more information about startup items. +You can manage and see more information about software that runs at login in [System Settings](https://support.apple.com/guide/mac-help/change-login-items-settings-mtusr003). You can see installed System, Quick Look, Finder, and other extensions in [System Settings](https://support.apple.com/guide/mac-help/change-extensions-settings-mchl8baf92fe) as well. * Use `launchctl list` to view running user agents * Use `sudo launchctl list` to view running system daemons From 4f7b4ee08a2b9c49445c580ccec51eb28f406dff Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 10:40:39 -0500 Subject: [PATCH 252/476] add warning about disabling SIP --- README.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/README.md b/README.md index 8015f3f1..9d75a467 100755 --- a/README.md +++ b/README.md 
@@ -364,17 +364,7 @@ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist Look at the `Program` or `ProgramArguments` section to see which binary is run, in this case `apsd`. To find more information about that, look at the man page with `man apsd` -For example, if you're not interested in Apple Push Notifications, disable the service: - -```console -sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist -``` - -**Note** Unloading services may break usability of some applications. Read the manual pages and use Google to make sure you understand what you're doing first. - -Be careful about disabling any system daemons you don't understand, as it may render your system unbootable. If you break your Mac, use [single user mode](https://support.apple.com/guide/mac-help/start-up-your-mac-in-single-user-mode-mchlp1720/mac) to fix it. - -Use [Console](https://en.wikipedia.org/wiki/List_of_macOS_components#Console) and [Activity Monitor](https://support.apple.com/en-us/HT201464) applications if you notice your Mac heating up, feeling sluggish, or generally misbehaving, as it may have resulted from your tinkering. +**Note** System services are protected by SIP, don't disable SIP just to tinker with system services as SIP is an integral part of security on macOS. Disabling system services could cause breakage and unstable behavior! To view the status of services: From f8d32f399fbd7971a4dc84c0f8ca55af84fafe53 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 10:44:04 -0500 Subject: [PATCH 253/476] replace outdated links with apple documentation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d75a467..31452bbd 100755 --- a/README.md +++ b/README.md 
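Review bot: the added `**Note** System services are protected by SIP, don't disable SIP just to tinker...` line is a comma splice; suggest splitting it: "System services are protected by SIP. Do not disable SIP just to tinker with system services; SIP is an integral part of macOS security, and disabling system services can cause breakage and unstable behavior." Separately, this hunk also deletes the paragraph recommending Console and Activity Monitor for diagnosing a sluggish or misbehaving Mac; that advice is not tied to the removed `launchctl unload -w` example and is worth keeping.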
@@ -374,7 +374,7 @@ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/ Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository. -See also [cirrusj.github.io/Yosemite-Stop-Launch](https://cirrusj.github.io/Yosemite-Stop-Launch/) for descriptions of services and [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/) for another explanation. +Read more about launchd on [Apple's website](https://support.apple.com/guide/terminal/script-management-with-launchd-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369). Persistent login items may also exist in these directories: From 516e12dd3549fb5803fb103244bda0de1f89edbb Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 10:45:11 -0500 Subject: [PATCH 254/476] replace duplicated apple documentation --- README.md | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/README.md b/README.md index 31452bbd..2bd0ab84 100755 --- a/README.md +++ b/README.md 
@@ -374,20 +374,7 @@ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/ Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository. -Read more about launchd on [Apple's website](https://support.apple.com/guide/terminal/script-management-with-launchd-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369). - -Persistent login items may also exist in these directories: - -* `/Library/LaunchAgents` -* `/Library/LaunchDaemons` -* `/Library/ScriptingAdditions` -* `/Library/StartupItems` -* `/System/Library/LaunchAgents` -* `/System/Library/LaunchDaemons` -* `/System/Library/ScriptingAdditions` -* `/System/Library/StartupItems` -* `~/Library/LaunchAgents` -* `~/Library/Preferences/com.apple.loginitems.plist` +Read more about launchd and where login items can be found on [Apple's website](https://support.apple.com/guide/terminal/script-management-with-launchd-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369). See [Mac OSX Startup](https://web.archive.org/web/20200415041603/http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf) for more information. From 23ec99f7a660c98f0475fe12b00c5f280368f02d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 10:47:11 -0500 Subject: [PATCH 255/476] remove outdated, archived pdf --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 2bd0ab84..8ea57c34 100755 --- a/README.md +++ b/README.md 
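Review bot: the directory list removed in this hunk (`/Library/LaunchAgents`, `/Library/LaunchDaemons`, `~/Library/LaunchAgents` and the rest) is exactly what a reader needs to inspect persistence locations on their own machine, and the replacement sentence only points to Apple's launchd page. Suggest keeping the list beneath the new link, or at least the `/Library`, `/System/Library` and `~/Library` LaunchAgents/LaunchDaemons paths, so the section stays usable offline.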
@@ -376,8 +376,6 @@ Annotated lists of launch daemons and agents, the respective program executed, a Read more about launchd and where login items can be found on [Apple's website](https://support.apple.com/guide/terminal/script-management-with-launchd-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369). -See [Mac OSX Startup](https://web.archive.org/web/20200415041603/http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf) (pdf) for more information. - ## Spotlight Suggestions Disable **Spotlight Suggestions** in both the Spotlight preferences and Safari's Search preferences to avoid your search queries being sent to Apple. From 15cc788087a910bcec7c97606b11b169a9817f60 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 19:23:02 -0500 Subject: [PATCH 256/476] update spotlight suggestions --- README.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 8ea57c34..1e76802d 100755 --- a/README.md +++ b/README.md 
@@ -376,17 +376,9 @@ Annotated lists of launch daemons and agents, the respective program executed, a Read more about launchd and where login items can be found on [Apple's website](https://support.apple.com/guide/terminal/script-management-with-launchd-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369). -## Spotlight Suggestions +## Siri Suggestions & Spotlight -Disable **Spotlight Suggestions** in both the Spotlight preferences and Safari's Search preferences to avoid your search queries being sent to Apple. - -Also disable **Bing Web Searches** in the Spotlight preferences to avoid your search queries being sent to Microsoft. - -See [fix-macosx.com](https://web.archive.org/web/20180817061520/https://fix-macosx.com/) for detailed instructions. - -> If you've upgraded to OS X 10.10 "Yosemite" and you're using the default settings, each time you start typing in Spotlight (to open an application or search for a file on your computer), your local search terms and location are sent to Apple and third parties (including Microsoft). - - **Note** This Web site and instructions may no longer work on macOS Sierra - see [issue 164](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/164). +Apple is moving to on-device processing for a lot of Siri functions, but some info is still sent to Apple when you use Siri Suggestions or Spotlight. You can read Apple's [Privacy Policy](https://www.apple.com/legal/privacy/data/en/siri-suggestions-search/) to see exactly what is sent and how to disable it. ## Homebrew From df4b2748a7ea5b33ca28ee92d5085d1064ae618d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 12 Mar 2024 19:40:20 -0500 Subject: [PATCH 257/476] update index link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1e76802d..5ba0ef30 100755 --- a/README.md +++ b/README.md 
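Review bot: the new `+Apple is moving to on-device processing...` paragraph replaces concrete steps (the removed lines told readers to disable Spotlight Suggestions in the Spotlight preferences and in Safari's Search preferences) with a pointer to Apple's privacy page and the phrase "how to disable it". Keep a one-line statement of where the toggles live alongside the link, and either tighten "a lot of Siri functions" to what the linked page supports or drop it.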
@@ -31,7 +31,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se * [Third party firewalls](#third-party-firewalls) * [Kernel level packet filtering](#kernel-level-packet-filtering) - [Services](#services) -- [Spotlight Suggestions](#spotlight-suggestions) +- [Siri Suggestions & Spotlight](#siri-suggestions-&-spotlight) - [Homebrew](#homebrew) - [DNS](#dns) + [Hosts file](#hosts-file) From 0b3e0b29c7fde8f967b0533be4f0478a99e8a3b5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:12:59 -0500 Subject: [PATCH 258/476] remove outdated link about a "GPL purge" --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5ba0ef30..fc23da31 100755 --- a/README.md +++ b/README.md @@ -382,7 +382,7 @@ Apple is moving to on-device processing for a lot of Siri functions, but some in ## Homebrew -Consider using [Homebrew](https://brew.sh/) to make software installations easier and to update userland tools (see [Apple's great GPL purge](http://meta.ath0.com/2012/02/05/apples-great-gpl-purge/)). +Consider using [Homebrew](https://brew.sh/) to make software installations easier and to update userland tools. **Note** If you have not already installed Xcode or Command Line Tools, use `xcode-select --install` to download and install them, or check Apple's developer site. From f4ff7c65a5aceeaaecc14a0b350cf6e418b6ed35 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:17:20 -0500 Subject: [PATCH 259/476] remove outdated homebrew installation instructions --- README.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/README.md b/README.md index fc23da31..7508ec16 100755 --- a/README.md +++ b/README.md 
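Review bot: the new index entry `- [Siri Suggestions & Spotlight](#siri-suggestions-&-spotlight)` will not resolve on GitHub: heading anchors there are built by lowercasing, dropping punctuation other than hyphens, and replacing spaces with hyphens, so `## Siri Suggestions & Spotlight` becomes `#siri-suggestions--spotlight` (two hyphens, no ampersand). Change the link target accordingly, or rename the heading to "Siri Suggestions and Spotlight" and link `#siri-suggestions-and-spotlight`.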
@@ -386,14 +386,6 @@ Consider using [Homebrew](https://brew.sh/) to make software installations easie **Note** If you have not already installed Xcode or Command Line Tools, use `xcode-select --install` to download and install them, or check Apple's developer site. -[Install Homebrew](https://github.com/Homebrew/brew/blob/master/docs/Installation.md#installation): - -```console -mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew -``` - -Edit `PATH` in your shell or shell rc file to use `~/homebrew/bin` and `~/homebrew/sbin`. For example, `echo 'PATH=$PATH:~/homebrew/sbin:~/homebrew/bin' >> .zshrc`, then change your login shell to Z shell with `chsh -s /bin/zsh`, open a new Terminal window and run `brew update`. - Homebrew uses SSL/TLS to talk with GitHub and verifies integrity of downloaded packages, so it's [fairly secure](https://brew.sh/2022/05/17/homebrew-security-audit/). Remember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its formula online. From 7a5d363c6bffb8cff89bef09e9d0453741fef453 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:29:42 -0500 Subject: [PATCH 260/476] link to quad9 profile download page --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7508ec16..6a658966 100755 --- a/README.md +++ b/README.md 
@@ -402,7 +402,7 @@ You may also wish to enable [additional security options](https://github.com/drd macOS 11 introduced "DNS configuration profiles" to configure encrypted DNS, filter domains and use DNSSEC. -DNS profiles [can be created](https://dns.notjakob.com/) or obtained from providers such as [Quad9](https://docs.quad9.net/), [AdGuard](https://adguard-dns.io/en/public-dns.html) and [NextDNS](https://nextdns.io/). +DNS profiles [can be created](https://dns.notjakob.com/) or obtained from providers such as [Quad9](https://docs.quad9.net/Setup_Guides/MacOS/Big_Sur_and_later_%2528Encrypted%2529/#download-profile), [AdGuard](https://adguard-dns.io/en/public-dns.html) and [NextDNS](https://nextdns.io/). #### Hosts file From 2fbb18712662d057a0f6813e02c1f91bae507c93 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:33:30 -0500 Subject: [PATCH 261/476] remove gui app for hosts file that hasn't had a commit in over a year --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 6a658966..8365866e 100755 --- a/README.md +++ b/README.md @@ -410,8 +410,6 @@ DNS profiles [can be created](https://dns.notjakob.com/) or obtained from provid Edit the hosts file as root, for example with `sudo vi /etc/hosts` -The hosts file can also be managed with the GUI app [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask). - To block a domain by `A` record, append any one of the following lines to `/etc/hosts`: ``` From c1fc6149b9c314aa8369eabce3651cf54148a808 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:35:15 -0500 Subject: [PATCH 262/476] remove blocklists that haven't been updated in years --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 8365866e..7009dcb8 100755 --- a/README.md +++ b/README.md 
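Review bot: the new Quad9 URL contains `%2528` and `%2529`, which are double-encoded parentheses (`%25` is itself the escape for `%`), so the link points at a path containing the literal text `%28`/`%29` rather than `(`/`)`. Encode once as `%28`/`%29`, or use the plain characters, and open the link in a browser to confirm it lands on the profile download section.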
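Review bot: dropping the unmaintained GUI is reasonable, but `sudo vi /etc/hosts` is now the only method shown and the hunk says nothing about making an edit take effect; one sentence noting that the resolver cache should be flushed afterwards (`sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder`) would make the remaining instruction complete.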
@@ -424,8 +424,6 @@ There are many lists of domains available online which you can paste in, just ma Here are some popular and useful hosts lists: -* [jmdugan/blocklists](https://github.com/jmdugan/blocklists) -* [l1k/osxparanoia](https://github.com/l1k/osxparanoia/blob/master/hosts) * [Sinfonietta/hostfiles](https://github.com/Sinfonietta/hostfiles) * [StevenBlack/hosts](https://github.com/StevenBlack/hosts) * [someonewhocares.org](https://someonewhocares.org/hosts/zero/hosts) From 358f43ad03480a5cadc98c5e8c8eb91aadb88aa7 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:37:17 -0500 Subject: [PATCH 263/476] remove dnscrypt GUI apps that are abandoned --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 7009dcb8..29047cdb 100755 --- a/README.md +++ b/README.md @@ -440,8 +440,6 @@ If you're using a firewall like [Little Snitch](#third-party-firewalls), you cou To encrypt DNS traffic, consider using [DNSCrypt/dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). Used in combination with dnsmasq and DNSSEC, the integrity of DNS traffic can be significantly improved. -[JayBrown/DNSCrypt-Menu](https://github.com/JayBrown/DNSCrypt-Menu) and [jedisct1/bitbar-dnscrypt-proxy-switcher](https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher) provide a graphical user interface to dnscrypt. - Install DNSCrypt from Homebrew and follow the instructions to configure and start `dnscrypt-proxy`: ```console From c5ca7df0c9f89fe945a42ebd709f4bfb0388800b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:52:59 -0500 Subject: [PATCH 264/476] fix quad9 link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 29047cdb..3dee414f 100755 --- a/README.md +++ b/README.md 
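Review bot: the three lists kept in the hosts-list hunk are third-party files that the guide tells readers to paste into `/etc/hosts` as root, and the retained context line begins "There are many lists of domains available online which you can paste in, just ma…". Make sure the sentence that follows still warns the reader to inspect a list before installing it, since a hosts file can redirect a legitimate domain just as easily as it blocks an ad server.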
@@ -402,7 +402,7 @@ You may also wish to enable [additional security options](https://github.com/drd macOS 11 introduced "DNS configuration profiles" to configure encrypted DNS, filter domains and use DNSSEC. -DNS profiles [can be created](https://dns.notjakob.com/) or obtained from providers such as [Quad9](https://docs.quad9.net/Setup_Guides/MacOS/Big_Sur_and_later_%2528Encrypted%2529/#download-profile), [AdGuard](https://adguard-dns.io/en/public-dns.html) and [NextDNS](https://nextdns.io/). +DNS profiles [can be created](https://dns.notjakob.com/) or obtained from providers such as [Quad9](https://docs.quad9.net/Setup_Guides/MacOS/Big_Sur_and_later_(Encrypted)/#download-profile), [AdGuard](https://adguard-dns.io/en/public-dns.html) and [NextDNS](https://nextdns.io/). #### Hosts file From e1badc4b9169d57782bdc4d936424584237941f5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 11:06:29 -0500 Subject: [PATCH 265/476] remove outdated links --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 3dee414f..b29576d6 100755 --- a/README.md +++ b/README.md 
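Review bot: this is the right fix for the double-encoded `%2528` in the previous version. Literal parentheses inside a Markdown link destination render on GitHub only because CommonMark permits balanced pairs; `%28`/`%29` would be the portable encoding if the README is rendered by other tools as well.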
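Review bot: the three archived articles removed in the captive-portal hunk were the only citations for the preceding sentence "It is possible to trigger the utility and direct a Mac to malware without user interaction"; after this change that claim stands unsupported. Keep at least one of the archive.org references, or soften the sentence to match what the guide can still back up.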
@@ -570,8 +570,6 @@ It is possible to trigger the utility and direct a Mac to malware without user i sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false ``` -Also see [Apple's secret "wispr" request](https://web.archive.org/web/20171008071031/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html), [How to disable the captive portal window in Mac OS Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html) and [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/). - ## Certificate authorities macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. They also have [strict requirements](https://www.apple.com/certificateauthority/ca_program.html) that trusted CAs have to meet. From 6a89fd19002f899ae1f57481bdd9c3da7adec9a1 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:07:04 -0500 Subject: [PATCH 266/476] remove captive portal --- README.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/README.md b/README.md index b29576d6..7abb1440 100755 --- a/README.md +++ b/README.md 
@@ -38,7 +38,6 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se + [dnscrypt](#dnscrypt) + [Dnsmasq](#dnsmasq) - [Test DNSSEC validation](#test-dnssec-validation) -- [Captive portal](#captive-portal) - [Certificate authorities](#certificate-authorities) - [Web](#web) * [Privoxy](#privoxy) @@ -560,16 +559,6 @@ $ dig www.dnssec-failed.org ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ``` -## Captive portal - -When macOS connects to new networks, it checks for Internet connectivity and may launch a Captive Portal assistant utility application. - -It is possible to trigger the utility and direct a Mac to malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser by navigating to a non-secure HTTP page and accepting a redirect to the captive portal login interface (after disabling any custom proxy or DNS settings). - -```console -sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false -``` - ## Certificate authorities macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. They also have [strict requirements](https://www.apple.com/certificateauthority/ca_program.html) that trusted CAs have to meet. From a07d13a95d1bd79e67808cf689d2478f673688e8 Mon Sep 17 00:00:00 2001 
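Review bot: this hunk deletes a hardening control (`sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false`) together with its section and TOC entry, and the commit message "remove captive portal" gives no reason. If the threat description was considered outdated, say so in the commit message; if the setting still works on current macOS, the section should be rewritten rather than dropped, since the captive-portal assistant still opens network content outside the user's normal browser.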
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 13:16:55 -0500 Subject: [PATCH 267/476] remove outdated software and resources links --- README.md | 36 +----------------------------------- 1 file changed, 1 insertion(+), 35 deletions(-) diff --git a/README.md b/README.md index 7abb1440..1fd50a9b 100755 --- a/README.md +++ b/README.md 
@@ -1826,52 +1826,18 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir ## Related software * [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. -* [Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - Scan for applications that are either susceptible to dylib hijacking or have been hijacked. -* [Lockdown](https://objective-see.com/products/lockdown.html) - Audits and remediates security configuration settings. * [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). * [osquery](https://github.com/osquery/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. * [google/grr](https://github.com/google/grr) - Incident response framework focused on remote live forensics. -* [libyal/libfvde](https://github.com/libyal/libfvde) - Library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. -* [stronghold](https://github.com/alichtman/stronghold) - Securely and easily configure your Mac from the terminal. Inspired by this guide. -* [The Eclectic Light Company - Downloads](https://eclecticlight.co/downloads/) - A collection of useful diagnostics and control applications and utilities for macOS. -* [Pareto Security](https://paretosecurity.app/) - A MenuBar app to automatically audit your Mac for basic security hygiene. 
## Additional resources * [Apple Open Source](https://opensource.apple.com/) -* [Auditing and Exploiting Apple IPC](https://googleprojectzero.blogspot.com/2015/09/revisiting-apple-ipc-1-distributed_28.html) * [CIS Benchmarks](https://www.cisecurity.org/benchmark/apple_os/) -* [Demystifying the DMG File Format](http://newosxbook.com/DMG.html) -* [Developing Mac OSX kernel rootkits](http://phrack.org/issues/66/16.html#article) * [EFF Surveillance Self-Defense Guide](https://ssd.eff.org/) -* [Fuzzing the macOS WindowServer for Exploitable Vulnerabilities](https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/) -* [Hacker News discussion 2](https://news.ycombinator.com/item?id=13023823) -* [Hacker News discussion](https://news.ycombinator.com/item?id=10148077) -* [Harden the World: Mac OSX 10.11 El Capitan](https://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/) -* [Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/) -* [How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch) -* [IOKit kernel code execution exploit](https://code.google.com/p/google-security-research/issues/detail?id=135) * [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d) -* [IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) -* [Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) -* [Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf) -* [Mac OS X and iOS Internals: To the Apple's Core by Jonathan Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) -* [MacOS Hardening Guide - Appendix of \*OS Internals: 
Volume III - Security & Insecurity Internals](http://newosxbook.com/files/moxii3/AppendixA.pdf) (pdf) -* [Managing Macs at Google Scale (LISA '13)](https://www.usenix.org/conference/lisa13/managing-macs-google-scale) -* [OS X 10.10 Yosemite: The Ars Technica Review](https://arstechnica.com/apple/2014/10/os-x-10-10/) -* [OS X Core Technologies Overview White Paper](https://www.apple.com/osx/all-features/pdf/osx_elcapitan_core_technologies_overview.pdf) (pdf) -* [OS X Hardening: Securing a Large Global Mac Fleet (LISA '13)](https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet) -* [OSX.Pirrit Mac Adware Part III: The DaVinci Code](https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active) -* [Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html) * [Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html) -* [Remote code execution, git, and OS X](https://rachelbythebay.com/w/2016/04/17/unprotected/) * [Reverse Engineering Mac OS X blog](https://reverse.put.as/) * [Reverse Engineering Resources](http://samdmarshall.com/re.html) -* [The EFI boot process](https://web.archive.org/web/20160508052211/http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) -* [The Great DOM Fuzz-off of 2017](https://googleprojectzero.blogspot.be/2017/09/the-great-dom-fuzz-off-of-2017.html) -* [The Intel Mac boot process](http://refit.sourceforge.net/info/boot_process.html) * [The macOS Phishing Easy Button: AppleScript Dangers](https://duo.com/blog/the-macos-phishing-easy-button-applescript-dangers) -* [There's a lot of vulnerable OS X applications out there (Sparkle Framework RCE)](https://vulnsec.com/2016/osx-apps-vulnerabilities/) -* [Userland Persistence on Mac OS X](https://archive.org/details/joshpitts_shmoocon2015) -* [iCloud security and privacy 
overview](https://support.apple.com/kb/HT4865) -* [iSeeYou: Disabling the MacBook Webcam Indicator LED](https://jscholarship.library.jhu.edu/handle/1774.2/36569) +* [iCloud security and privacy overview](https://support.apple.com/102651) \ No newline at end of file From a20a3bbbbe190b72b9c0948e4dd6aa5236225775 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 13:34:28 -0500 Subject: [PATCH 268/476] change mac os x to macos --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1fd50a9b..6a801113 100755 --- a/README.md +++ b/README.md @@ -1837,7 +1837,7 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [EFF Surveillance Self-Defense Guide](https://ssd.eff.org/) * [iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d) * [Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html) -* [Reverse Engineering Mac OS X blog](https://reverse.put.as/) +* [Reverse Engineering macOS blog](https://reverse.put.as/) * [Reverse Engineering Resources](http://samdmarshall.com/re.html) * [The macOS Phishing Easy Button: AppleScript Dangers](https://duo.com/blog/the-macos-phishing-easy-button-applescript-dangers) * [iCloud security and privacy overview](https://support.apple.com/102651) \ No newline at end of file From 5c9356ef0e0970c10fc254535466399e66c31b8f Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 13:59:45 -0500 Subject: [PATCH 269/476] change diagnostics link to official documentation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6a801113..23f6ccdd 100755 --- a/README.md +++ b/README.md 
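Review bot: the sweep labelled "outdated" removes references that are still valid primary sources (the Project Zero IPC and Wi-Fi write-ups, Apple's Secure Coding Guide, the *OS Internals hardening appendix, libfvde, the Objective-See tools) in the same hunk as genuinely rotten URLs. Separate link rot from age: replace a dead URL with an archive.org copy and keep the entry, and delete only entries whose content no longer applies. The new final line for the iCloud overview also ends with `\ No newline at end of file`; add the trailing newline.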
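Review bot: "Reverse Engineering Mac OS X blog" is the link text for a third-party site, so renaming it to "macOS" is only correct if the text is a description rather than the site's own title; check the title shown at reverse.put.as before modernising it.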
@@ -1725,7 +1725,7 @@ Zentral will support Santa in both MONITORING and LOCKDOWN operation mode. Clien ## Miscellaneous -Disable [Diagnostics & Usage Data](https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data). +Disable [Diagnostics & Usage Data](https://support.apple.com/guide/mac-help/share-analytics-information-mac-apple-mh27990). If you want to play **music** or watch **videos**, use QuickTime Player, the built-in media player in macOS. It uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox), [Hardened Runtime](https://developer.apple.com/documentation/xcode/configuring-the-hardened-runtime), and benefits from the [Signed System Volume](https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web) as part of the base system. From 5a16f718b4253b57d914e183c70718a332b98472 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:03:03 -0500 Subject: [PATCH 270/476] remove duti which hasn't had an update in a decade --- README.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/README.md b/README.md index 23f6ccdd..57b6de3e 100755 --- a/README.md +++ b/README.md 
@@ -1731,20 +1731,6 @@ If you want to play **music** or watch **videos**, use QuickTime Player, the bui If you want to use **torrents**, use [Transmission](https://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). -Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote file systems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended file handlers to manage: - -```console -duti -s com.apple.Safari afp - -duti -s com.apple.Safari ftp - -duti -s com.apple.Safari nfs - -duti -s com.apple.Safari smb - -duti -s com.apple.TextEdit public.unix-executable -``` - Monitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands. Set your screen to lock as soon as the screensaver starts: From 8a9387cb2901e6f0b71c56a994354bfe44e2b60c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:08:45 -0500 Subject: [PATCH 271/476] remove bonjour --- README.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/README.md b/README.md index 57b6de3e..0471288d 100755 --- a/README.md +++ b/README.md 
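Review bot: removing duti also removes the mitigation it implemented, which this hunk's deleted lines spell out: pointing the `afp`, `ftp`, `nfs` and `smb` URL schemes at Safari so a web page cannot make Finder auto-mount a remote share, and `public.unix-executable` at TextEdit so a downloaded binary opens as text instead of running. An unmaintained tool is a reason to drop the `duti -s` commands, not the guidance; keep a sentence listing which handlers to change and why, with a pointer to a supported way of changing them.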
@@ -1761,7 +1761,7 @@ Don't default to saving documents to iCloud: defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false ``` -Enable [Secure Keyboard Entry](https://security.stackexchange.com/questions/47749/how-secure-is-secure-keyboard-entry-in-mac-os-xs-terminal) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secureinput)). +Enable [Secure Keyboard Entry](https://support.apple.com/guide/terminal/use-secure-keyboard-entry-trml109) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secureinput)). Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple): @@ -1769,12 +1769,6 @@ Disable crash reporter (the dialog which appears after an application crashes an defaults write com.apple.CrashReporter DialogType none ``` -Disable Bonjour [multicast advertisements](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): - -```console -sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES -``` - [Disable Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) and Bluetooth features, if they aren't necessary. Consider sandboxing your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles). From 9cf6b8c447add764695e0202a839c34106221c52 Mon Sep 17 00:00:00 2001 
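Review bot: the Bonjour hunk drops the `NoMulticastAdvertisements` setting along with its Trustwave link, but the commit message "remove bonjour" gives no reason for removing the control itself. If only the URL is dead, keep the `sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES` block and remove the link. In the same patch the Secure Keyboard Entry sentence now cites Apple's Terminal guide while the YubiKey caveat still points at an old mig5.net post; confirm that one still resolves.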
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:13:03 -0500 Subject: [PATCH 272/476] update handoff/bluetooth links --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0471288d..24348186 100755 --- a/README.md +++ b/README.md @@ -1769,7 +1769,7 @@ Disable crash reporter (the dialog which appears after an application crashes an defaults write com.apple.CrashReporter DialogType none ``` -[Disable Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) and Bluetooth features, if they aren't necessary. +[Disable Handoff](https://support.apple.com/guide/mac-help/change-airdrop-handoff-settings-mchl6a407f99) and [Bluetooth](https://support.apple.com/guide/mac-help/turn-bluetooth-on-or-off-blth1008) features, if they aren't necessary. Consider sandboxing your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles). From 26080a1732c3be113313843950862e4047630410 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:15:26 -0500 Subject: [PATCH 273/476] remove outdated sandbox links --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 24348186..8100be5f 100755 --- a/README.md +++ b/README.md 
@@ -1771,7 +1771,7 @@ defaults write com.apple.CrashReporter DialogType none [Disable Handoff](https://support.apple.com/guide/mac-help/change-airdrop-handoff-settings-mchl6a407f99) and [Bluetooth](https://support.apple.com/guide/mac-help/turn-bluetooth-on-or-off-blth1008) features, if they aren't necessary. -Consider sandboxing your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles). +Check that your apps are sandboxed in [Activity Monitor](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox#4098972). Did you know Apple has not shipped a computer with TPM since 2006? From 439c23d7b3af6bf8dd38c73d8ceacb77a798ff50 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:16:04 -0500 Subject: [PATCH 274/476] remove tpm mention --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 8100be5f..6d9e6a53 100755 --- a/README.md +++ b/README.md @@ -1773,8 +1773,6 @@ defaults write com.apple.CrashReporter DialogType none Check that your apps are sandboxed in [Activity Monitor](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox#4098972). -Did you know Apple has not shipped a computer with TPM since 2006? - macOS comes with this line in `/etc/sudoers`: ``` From 6a6912f54b294f4dfde2f0b4444d0eea6f14df54 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:19:58 -0500 Subject: [PATCH 275/476] update umask link --- README.md | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/README.md b/README.md index 6d9e6a53..f8b90a18 100755 --- a/README.md +++ b/README.md 
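Review bot: the replacement sentence changes the advice from sandboxing your applications to merely checking in Activity Monitor which ones are sandboxed, and gives the reader nothing to do with the result; add a clause such as preferring sandboxed alternatives for applications that handle untrusted input. The `#4098972` fragment on the developer.apple.com page is a generated anchor and may not survive a documentation update, so link the page without it.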
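Review bot: dropping the TPM remark is correct, since it no longer describes Macs with a T2 chip or Apple silicon, which carry a Secure Enclave; the commit message could say that rather than just "remove tpm mention".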
@@ -1787,19 +1787,7 @@ If you want to retain the convenience of the root user having a non-root user's export HOME=/Users/blah ``` -Set a [custom umask](https://support.apple.com/en-us/HT201684): - -```console -sudo launchctl config user umask 077 -``` - -Reboot, create a file in Finder and verify its permissions (macOS default allows 'group/other' read access): - -```console -$ ls -ld umask* -drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir --rw-------@ 1 kevin staff 2026566 Dec 4 12:28 umask_testing_file -``` +Set a [custom umask](https://support.apple.com/101914). ## Related software From 49f0828f0152abbc8cdaa5ce5d1f6727a23fc826 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:37:45 -0500 Subject: [PATCH 276/476] add official documentation to change default file handlers --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f8b90a18..65a1cf12 100755 --- a/README.md +++ b/README.md 
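Review bot: replacing the umask block with a bare link removes the actual setting (`sudo launchctl config user umask 077`) and the `ls -ld` verification, so the reader no longer learns which value the guide recommends or how to confirm that it took effect after the reboot. Keep the command and the check and only update the support.apple.com URL.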
@@ -1731,6 +1731,8 @@ If you want to play **music** or watch **videos**, use QuickTime Player, the bui If you want to use **torrents**, use [Transmission](https://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). +Change the [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597). + Monitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands. Set your screen to lock as soon as the screensaver starts: From 24f2cee414aeb676fb185b30c780085661cbc986 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:38:21 -0500 Subject: [PATCH 277/476] change to manage --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 65a1cf12..814f04fc 100755 --- a/README.md +++ b/README.md 
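Review bot: the added line "Change the default file handlers" is a bare link with no security rationale, so it reads as a generic how-to rather than hardening advice. State what the reader should change and why, for example that file types arriving from the network should open in a viewer rather than in something that executes them, so the sentence carries the point that the removed duti paragraph used to make.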
@@ -1731,7 +1731,7 @@ If you want to play **music** or watch **videos**, use QuickTime Player, the bui If you want to use **torrents**, use [Transmission](https://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). -Change the [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597). +Manage [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597). Monitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands. From 56deafb53e5b7da9d16b14a543156037a2111288 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 14:41:09 -0500 Subject: [PATCH 278/476] shorten transmission link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 814f04fc..edaa4a3d 100755 --- a/README.md +++ b/README.md 
@@ -1729,7 +1729,7 @@ Disable [Diagnostics & Usage Data](https://support.apple.com/guide/mac-help/shar If you want to play **music** or watch **videos**, use QuickTime Player, the built-in media player in macOS. It uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox), [Hardened Runtime](https://developer.apple.com/documentation/xcode/configuring-the-hardened-runtime), and benefits from the [Signed System Volume](https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web) as part of the base system. -If you want to use **torrents**, use [Transmission](https://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). +If you want to use **torrents**, use [Transmission](https://transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). Manage [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597). 
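Review bot: after shortening the Transmission URL, confirm that `https://transmissionbt.com/download/` serves the page rather than redirecting back to the `www` host. The retained KeRanger citation on the same line is plain `http://` to paloaltonetworks.com; since the sentence is about a compromised installer of that very client, the reference should be https or an archive link.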
From daa4f0c1f866f7f3cf2b0b97a8685e82792b04a2 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 16:20:36 -0500 Subject: [PATCH 279/476] re add disabling bonjour --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index edaa4a3d..befb500c 100755 --- a/README.md +++ b/README.md @@ -1771,6 +1771,12 @@ Disable crash reporter (the dialog which appears after an application crashes an defaults write com.apple.CrashReporter DialogType none ``` +Disable Bonjour [multicast advertisements](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): + +```console +sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES +``` + [Disable Handoff](https://support.apple.com/guide/mac-help/change-airdrop-handoff-settings-mchl6a407f99) and [Bluetooth](https://support.apple.com/guide/mac-help/turn-bluetooth-on-or-off-blth1008) features, if they aren't necessary. Check that your apps are sandboxed in [Activity Monitor](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox#4098972). From 694fdb7d51a5c360e7c4f5f77f9caea2a7c821a5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 16:24:07 -0500 Subject: [PATCH 280/476] re add custom umask --- README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index befb500c..df91f13e 100755 --- a/README.md +++ b/README.md 
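Review bot: restoring the `NoMulticastAdvertisements` block is the right call, but this hunk re-adds the Trustwave link whose death was the only visible reason for the earlier removal. Also state that the setting takes effect after mDNSResponder restarts or the machine reboots, so the reader can verify the change by confirming the Mac no longer appears in another device's Bonjour browser.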
@@ -1795,7 +1795,19 @@ If you want to retain the convenience of the root user having a non-root user's export HOME=/Users/blah ``` -Set a [custom umask](https://support.apple.com/101914). +Set a [custom umask](https://support.apple.com/en-us/101914): + +```console +sudo launchctl config user umask 077 +``` + +Reboot, create a file in Finder and verify its permissions (macOS default allows 'group/other' read access): + +```console +$ ls -ld umask* +drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir +-rw-------@ 1 kevin staff 2026566 Dec 4 12:28 umask_testing_file +``` ## Related software From 0956919c714a5eb56807ccac360796ca16d1ba73 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 16:31:03 -0500 Subject: [PATCH 281/476] remove missing link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index df91f13e..1085dd62 100755 --- a/README.md +++ b/README.md @@ -1771,7 +1771,7 @@ Disable crash reporter (the dialog which appears after an application crashes an defaults write com.apple.CrashReporter DialogType none ``` -Disable Bonjour [multicast advertisements](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): +Disable Bonjour multicast advertisements. ```console sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES From ac987a687bd9304a808e74068717276ba197b957 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 16:32:04 -0500 Subject: [PATCH 282/476] Add instructions to open executable files with textedit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1085dd62..6d473a64 100755 --- a/README.md +++ b/README.md 
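Review bot: the verification output in the second code block of patch 280 uses a real-looking account name (`kevin`) and a 2 MB file; replace it with a neutral placeholder user, and say that `launchctl config user umask` sets the umask for launchd-spawned user sessions (Finder and GUI apps), which is why a reboot is needed, so readers do not expect it to change the umask of an already open shell. The support link is also switched to the `en-us` locale form while the document's other Apple support links are locale-neutral (`support.apple.com/102651`, `/118246`, `/102149`); keep the existing `support.apple.com/101914` form.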
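Review bot: the replacement line `+Disable Bonjour multicast advertisements.` in patch 281 ends with a period even though it introduces the code block that follows; neighbouring steps ("Set a custom umask:") use a colon, so keep the colon here too. Rather than dropping the reference entirely, keep some citation for why mDNS advertisements leak device information, since the sentence now gives no reason for the step.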
@@ -1731,7 +1731,7 @@ If you want to play **music** or watch **videos**, use QuickTime Player, the bui If you want to use **torrents**, use [Transmission](https://transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). -Manage [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597). +Manage [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597). Try setting executable files to harmlessly open with TextEdit. Monitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands. From f9c9a4666ea21e2c95ca78dbc922c3d29d035afc Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 16:32:50 -0500 Subject: [PATCH 283/476] : --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6d473a64..3b85dc09 100755 --- a/README.md +++ b/README.md @@ -1771,7 +1771,7 @@ Disable crash reporter (the dialog which appears after an application crashes an defaults write com.apple.CrashReporter DialogType none ``` -Disable Bonjour multicast advertisements. +Disable Bonjour multicast advertisements: ```console sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES From 78adb604cc825b44347ffbd8924234fec8ae582f Mon Sep 17 00:00:00 2001 
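Review bot: the sentence added at the end of the `Manage default file handlers` line in patch 282 is too vague to act on and overstates what it achieves: it names no file types and no mechanism, and associating a type with TextEdit only changes what Finder does on double-click, so it is not a general safeguard against running executables. Either name the types meant (scripts that Finder would otherwise hand to Terminal) and describe it as reducing accidental execution, or leave it out.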
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 17:04:11 -0500 Subject: [PATCH 284/476] add bonjour warning --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 3b85dc09..2d91287d 100755 --- a/README.md +++ b/README.md @@ -1773,6 +1773,8 @@ defaults write com.apple.CrashReporter DialogType none Disable Bonjour multicast advertisements: +**Warning:** This will cause problems with AirPlay and AirPrint! + ```console sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES ``` From b70f52a37d419e9d5254397b0849cb79c3b3edcc Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 17:06:05 -0500 Subject: [PATCH 285/476] remove vague text --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2d91287d..cc22b1e6 100755 --- a/README.md +++ b/README.md 
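Review bot: the `**Warning:**` line in patch 284 is inserted between `Disable Bonjour multicast advertisements:` and its code block, so the colon now points at the warning rather than at the command. Move the warning above the introductory sentence (or after the code block) and say what the side effect actually is: the Mac no longer advertises its own services, so other devices stop discovering it for AirPlay and AirPrint.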
@@ -1731,7 +1731,7 @@ If you want to play **music** or watch **videos**, use QuickTime Player, the bui If you want to use **torrents**, use [Transmission](https://transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). -Manage [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597). Try setting executable files to harmlessly open with TextEdit. +Manage [default file handlers](https://support.apple.com/guide/mac-help/choose-an-app-to-open-a-file-on-mac-mh35597). Monitor system logs with the **Console** application or `syslog -w` or `/usr/bin/log stream` commands. From 9a9a84767802106c389ad79ba728c0507a0ffacc Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 18:51:37 -0500 Subject: [PATCH 286/476] remove otr --- README.md | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/README.md b/README.md index 6a801113..098eeb90 100755 --- a/README.md +++ b/README.md @@ -51,7 +51,6 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se - [Tor](#tor) - [VPN](#vpn) - [PGP/GPG](#pgpgpg) -- [OTR](#otr) - [Viruses and malware](#viruses-and-malware) - [System Integrity Protection](#system-integrity-protection) - [Gatekeeper and XProtect](#gatekeeper-and-xprotect) 
@@ -931,22 +930,6 @@ See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely ge Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and [practice](https://help.riseup.net/en/security/message-security/openpgp/best-practices) encrypting and decrypting email to yourself and your friends. Get them interested in this stuff! -## OTR - -**Note** Strongly consider using [Signal](https://github.com/signalapp/Signal-Desktop) instead. - -OTR stands for **off-the-record** and is a cryptographic protocol for encrypting and authenticating conversations over instant messaging. - -You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat service, even Google Hangouts (which only encrypts conversations between users and the server using TLS). - -The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Do this in person or by other secure means, such as GPG. - -A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). - -Other XMPP clients include [agl/xmpp-client](https://github.com/agl/xmpp-client) and [CoyIM](https://coy.im/), which is focused on security and has built-in support for OTR and Tor. - -If you want to know how OTR works, read the paper [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf) (pdf) - ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! From 483e4e7fdf5de44b1342e846647fd2855c3ddbdd Mon Sep 17 00:00:00 2001 
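Review bot: removing the OTR section in the second hunk of patch 286 also deletes the only advice in the messaging area on verifying a contact's key fingerprint out of band ("Do this in person or by other secure means, such as GPG") and the pointer to Signal. If OTR is being dropped as obsolete, carry the fingerprint-verification guidance over to whatever replaces the section; the iMessage and XMPP/OMEMO subsections added in patches 288 to 292 both depend on users verifying keys.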
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 13 Mar 2024 23:39:39 -0500 Subject: [PATCH 287/476] change bash to zsh --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cc22b1e6..7485ef0e 100755 --- a/README.md +++ b/README.md @@ -1789,15 +1789,15 @@ macOS comes with this line in `/etc/sudoers`: Defaults env_keep += "HOME MAIL" ``` -Which stops sudo from changing the HOME variable when you elevate privileges. This means it will execute as root the bash dotfiles in the non-root user's home directory when you run "sudo bash". It is advisable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root. +Which stops sudo from changing the HOME variable when you elevate privileges. This means it will execute as root the zsh dotfiles in the non-root user's home directory when you run "sudo zsh". It is advisable to comment this line out to avoid a potentially easy way for malware or a local attacker to escalate privileges to root. -If you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.bashrc, e.g.: +If you want to retain the convenience of the root user having a non-root user's home directory, you can append an export line to /var/root/.zshrc, e.g.: ```console export HOME=/Users/blah ``` -Set a [custom umask](https://support.apple.com/en-us/101914): +Set a [custom umask](https://support.apple.com/101914): ```console sudo launchctl config user umask 077 From 8dda15a003392427a9685d6f5fe59e736af9343f Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:07:41 -0500 Subject: [PATCH 288/476] add messaging section --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 1455e6a3..3e151918 100755 --- a/README.md +++ b/README.md 
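Review bot: the last hunk line of patch 287 (`/en-us/101914` back to `/101914`) is unrelated to the stated subject of switching bash to zsh and belongs in its own commit, or at least in the commit message. On the substance, the zsh wording is right but incomplete: zsh reads `.zshenv`, `.zprofile` and `.zshrc` from `$HOME` (or `$ZDOTDIR`), so the risk applies to all of them, not only `.zshrc`, and `Defaults env_keep += "HOME MAIL"` also preserves `MAIL`. The changed line still opens with the fragment "Which stops sudo ..."; fold it into the preceding sentence as ", which stops sudo from changing ...".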
@@ -930,6 +930,14 @@ See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely ge Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and [practice](https://help.riseup.net/en/security/message-security/openpgp/best-practices) encrypting and decrypting email to yourself and your friends. Get them interested in this stuff! +## Messengers + +### iMessage + +iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys with your contact via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). + +**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup, Messages in iCloud, or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! From e776985d03fbb7d783506dd8dc714ddf2ca731e6 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:11:14 -0500 Subject: [PATCH 289/476] add XMPP --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 3e151918..d53fe6a5 100755 --- a/README.md +++ b/README.md 
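Review bot: in the `**Note:**` line of patch 288, "Either disable iCloud backup, Messages in iCloud, or enable Advanced Data Protection" reads as three interchangeable alternatives, but turning off Messages in iCloud while iCloud Backup stays on leaves the messages themselves in a backup that is not E2EE, so the sentence should state which setting actually prevents the key copy (patch 296 later drops the middle option). Also "do that same!" should be "do the same!".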
@@ -938,6 +938,10 @@ iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup, Messages in iCloud, or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! +### XMPP + +XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for federated messaging. There are many options for [clients](https://xmpp.org/getting-started). + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! From ad71bb8f2278c604a94bf93ebfdb3f0cd72673fc Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:15:08 -0500 Subject: [PATCH 290/476] add index for messengers --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d53fe6a5..ded90c63 100755 --- a/README.md +++ b/README.md @@ -51,6 +51,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se - [Tor](#tor) - [VPN](#vpn) - [PGP/GPG](#pgpgpg) +- [Messengers](#messengers) - [Viruses and malware](#viruses-and-malware) - [System Integrity Protection](#system-integrity-protection) - [Gatekeeper and XProtect](#gatekeeper-and-xprotect) From 57447956980a442665964c9c012a532fd1db73d1 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:20:02 -0500 Subject: [PATCH 291/476] add SIP --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
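Review bot: in patch 289, "open standard developed by the IETF" is attached to a link to `https://xmpp.org/extensions`, which lists the XMPP Standards Foundation's extension protocols (XEPs), not IETF documents; the core protocol is specified in IETF RFCs while the XEPs are published by the XSF, so either link the RFCs or reword to credit both. The subsection also says nothing about encryption, so a reader may take "federated messaging" as comparable to the iMessage E2EE paragraph above it; the OMEMO caveat (added separately in patch 292) belongs in this hunk.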
diff --git a/README.md b/README.md index ded90c63..51c4bff0 100755 --- a/README.md +++ b/README.md @@ -935,7 +935,7 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( ### iMessage -iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys with your contact via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). +iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys with your contact via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). It also benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup, Messages in iCloud, or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! From c15627cfdd7ef67c7107b81633d6e1050d46a00f Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:28:05 -0500 Subject: [PATCH 292/476] add omemo --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 51c4bff0..1e477227 100755 --- a/README.md +++ b/README.md 
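Review bot: the clause "It also benefits from System Integrity Protection since it's part of the base OS" in patch 291 is appended to the sentence about iMessage's E2EE and key verification, but SIP protects the Messages app's files on disk, not the protocol or the keys, so the sentence mixes app integrity with message security. State it as a property of the Messages app in its own sentence, as patch 295 later does.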
@@ -943,6 +943,8 @@ iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for federated messaging. There are many options for [clients](https://xmpp.org/getting-started). +XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! From e4adf86bb6303aa7f6f21818e50c5c8e1e39488c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:32:34 -0500 Subject: [PATCH 293/476] shorten --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1e477227..b7d0ae2d 100755 --- a/README.md +++ b/README.md 
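Review bot: "XMPP isn't E2EE by default, you'll need to use OMEMO encryption, so make sure your client supports it" in patch 292 is a comma splice; split it after "default". More importantly, OMEMO only protects a conversation when every participant's client supports and enables it, and its fingerprints still have to be verified out of band (the advice removed with the OTR section in patch 286), so the sentence should say that both sides need it and that trust is established by verifying fingerprints.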
@@ -935,7 +935,7 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( ### iMessage -iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys with your contact via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). It also benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. +iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). It also benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup, Messages in iCloud, or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! From e13ad7e7a78d12629ec0b22ecf73751603cdfca3 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:40:47 -0500 Subject: [PATCH 294/476] add cross platform for xmpp --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b7d0ae2d..d38939f1 100755 --- a/README.md +++ b/README.md 
@@ -941,7 +941,7 @@ iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com ### XMPP -XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for federated messaging. There are many options for [clients](https://xmpp.org/getting-started). +XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. From 2c85a087b1caa13caf2c9a3a53ba65a3d07c6170 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 18:27:58 -0500 Subject: [PATCH 295/476] add more info about the messages app --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d38939f1..96968d72 100755 --- a/README.md +++ b/README.md 
@@ -935,7 +935,9 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( ### iMessage -iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). It also benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. +iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). + +The Messages app itself uses the App Sandbox, Hardened Runtime, and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup, Messages in iCloud, or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! From 6071af97a83c8709439a965f12f0203608202cce Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 18:29:19 -0500 Subject: [PATCH 296/476] clarify icloud backup --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 96968d72..58cd2cd0 100755 --- a/README.md +++ b/README.md 
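Review bot: the new sentence in patch 295 names `App Sandbox` and `Hardened Runtime` without links, while the QuickTime paragraph elsewhere in the document links both (`developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox` and `.../xcode/configuring-the-hardened-runtime`); link them here as well for consistency (patch 297 adds them).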
@@ -939,7 +939,7 @@ iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com The Messages app itself uses the App Sandbox, Hardened Runtime, and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. -**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup, Messages in iCloud, or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! +**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! ### XMPP From a79aff9cdf54fe9db2241fbf9a654d7053e1173b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 18:30:18 -0500 Subject: [PATCH 297/476] add links --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 58cd2cd0..da878505 100755 --- a/README.md +++ b/README.md 
@@ -937,7 +937,7 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). -The Messages app itself uses the App Sandbox, Hardened Runtime, and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. +The Messages app itself uses the [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox), [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! From de5bd87595fc910d4c0991ee7337d61b3f4cdaf0 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 19:01:57 -0500 Subject: [PATCH 298/476] add PQ3 blog post --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index da878505..fa1f9420 100755 --- a/README.md +++ b/README.md 
@@ -935,7 +935,7 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( ### iMessage -iMessage, Apple's first party messenger, offers [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). +iMessage, Apple's first party messenger, offers [quantum-resistant](https://security.apple.com/blog/imessage-pq3/) [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). The Messages app itself uses the [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox), [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. From b9c1c2911bae2254e48159d806828976e12de92a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 19:15:54 -0500 Subject: [PATCH 299/476] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fa1f9420..8557929f 100755 --- a/README.md +++ b/README.md 
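Review bot: "quantum-resistant" in patch 298 is stated unconditionally, but the linked PQ3 post describes a protocol upgrade that applies only when both endpoints run PQ3-capable software; conversations with devices that have not been updated fall back to the previous protocol. Qualify the claim (for example "quantum-resistant (PQ3) E2EE when both sides support it") so readers do not assume the property holds for every chat.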
@@ -939,7 +939,7 @@ iMessage, Apple's first party messenger, offers [quantum-resistant](https://secu The Messages app itself uses the [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox), [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. -**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner to do that same! +**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! ### XMPP From ca7269333352d2736ac3bd1ff0eb20b50556e295 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 19:16:58 -0500 Subject: [PATCH 300/476] add icloud backup link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8557929f..8de06e28 100755 --- a/README.md +++ b/README.md 
@@ -939,7 +939,7 @@ iMessage, Apple's first party messenger, offers [quantum-resistant](https://secu The Messages app itself uses the [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox), [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. -**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either disable iCloud backup or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! +**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! ### XMPP From f7183686e779c772b5f37410b19d31159ebd51aa Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 14 Mar 2024 22:27:34 -0500 Subject: [PATCH 301/476] add more info --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 8de06e28..7c66c666 100755 --- a/README.md +++ b/README.md 
@@ -939,12 +939,16 @@ iMessage, Apple's first party messenger, offers [quantum-resistant](https://secu The Messages app itself uses the [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox), [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. +You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#Mac) so choose one that you don't mind your contacts seeing. + **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! ### XMPP XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). +Depending on the provider, you might not need anything other than a username and password to set up your account. + XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. ## Viruses and malware From 076d197b55ce0db2fc80b8050fa285a0df3b2357 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 15 Mar 2024 19:54:29 -0500 Subject: [PATCH 302/476] add imessage limitations --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 7c66c666..6e5ef287 100755 --- a/README.md +++ b/README.md 
@@ -939,6 +939,8 @@ iMessage, Apple's first party messenger, offers [quantum-resistant](https://secu The Messages app itself uses the [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox), [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. +iMessage is not designed for anonymity; you should only use it with people you know in real life. + You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#Mac) so choose one that you don't mind your contacts seeing. **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! From 3a9ef32dd78d03ba01f4ee88a06bfe7794f1c14c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 15 Mar 2024 20:03:49 -0500 Subject: [PATCH 303/476] xmpp --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6e5ef287..03f5203a 100755 --- a/README.md +++ b/README.md 
@@ -947,7 +947,7 @@ You can use iMessage with either a [phone number or an email](https://support.ap ### XMPP -XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). +XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). Consider using one of the browser-based clients to take advantage of your browser's sandbox. Depending on the provider, you might not need anything other than a username and password to set up your account. From 1a9079482567492f7c0d8660917e20b3395d346c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 16 Mar 2024 20:33:42 -0500 Subject: [PATCH 304/476] add lockdown mode --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 7485ef0e..0ecf1035 100755 --- a/README.md +++ b/README.md @@ -26,6 +26,7 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se * [Setup](#setup) - [Firmware](#firmware) - [Filevault](#filevault) +- [Lockdown Mode](#lockdown-mode) - [Firewall](#firewall) * [Application layer firewall](#application-layer-firewall) * [Third party firewalls](#third-party-firewalls) 
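Review bot: the sentence added in PATCH 303 recommending browser-based XMPP clients states the benefit of the browser sandbox but not the trade-off, which is that a web client is fetched from the provider on every load, so the provider (or whoever compromises it) controls the code that handles OMEMO keys, and those keys then sit in browser storage rather than in a native client's keystore. Suggest qualifying it, for example "...to take advantage of your browser's sandbox, at the cost of trusting the provider to serve an honest client every time you load it."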
@@ -203,6 +204,12 @@ Your FileVault password also acts as a [firmware password](https://support.apple FileVault will ask you to set a recovery key in case you forget your password. Keep this key stored somewhere safe. You'll have the option use your iCloud account to unlock your disk; however, anyone with access to your iCloud account will be able to unlock it as well. +## Lockdown Mode + +macOS offers [Lockdown Mode](https://support.apple.com/105120), a security feature that disables several features across the OS, significantly reducing attack surface for attackers while keeping the OS usable. You can read about exactly what is disabled and decide for yourself if it is acceptable to you. + +When Lockdown Mode is on, you can disable it per site in Safari on trusted sites. + ## Firewall There are several types of firewalls available for macOS. From 471332371be89ae59f439862bfd10039bec62f6e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 06:36:37 -0500 Subject: [PATCH 305/476] reorder messenger section --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 32303975..25c8070a 100755 --- a/README.md +++ b/README.md 
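Review bot: the Lockdown Mode paragraphs in PATCH 304 need tightening. "significantly reducing attack surface for attackers" is redundant (attack surface is by definition what attackers use), and "You can read about exactly what is disabled" has no link even though the support article is linked one sentence earlier; suggest "disables several features across the OS to reduce its attack surface while keeping it usable; the linked article lists exactly what is disabled." The second paragraph should also say plainly that excluding a site in Safari removes those protections for that site, since "on trusted sites" reads as a default rather than a deliberate exception the user should keep rare.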
@@ -940,6 +940,14 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( ## Messengers +### XMPP + +XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). Consider using one of the browser-based clients to take advantage of your browser's sandbox. + +Depending on the provider, you might not need anything other than a username and password to set up your account. + +XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. + ### iMessage iMessage, Apple's first party messenger, offers [quantum-resistant](https://security.apple.com/blog/imessage-pq3/) [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). 
@@ -952,14 +960,6 @@ You can use iMessage with either a [phone number or an email](https://support.ap **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! -### XMPP - -XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). Consider using one of the browser-based clients to take advantage of your browser's sandbox. - -Depending on the provider, you might not need anything other than a username and password to set up your account. - -XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. - ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! From a0b103a0f42031bd834a3da56f7c57b45fce6a6e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 12:35:54 -0500 Subject: [PATCH 306/476] remove imessage --- README.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/README.md b/README.md index 25c8070a..788ae73b 100755 --- a/README.md +++ b/README.md 
@@ -948,18 +948,6 @@ Depending on the provider, you might not need anything other than a username and XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. -### iMessage - -iMessage, Apple's first party messenger, offers [quantum-resistant](https://security.apple.com/blog/imessage-pq3/) [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). - -The Messages app itself uses the [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox), [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), and benefits from [System Integrity Protection](https://support.apple.com/102149) since it's part of the base OS. - -iMessage is not designed for anonymity; you should only use it with people you know in real life. - -You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#Mac) so choose one that you don't mind your contacts seeing. - -**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! - ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. 
Macs aren't immune from viruses and malicious software! From 9f3878525744e67dc05a58e4f902f3b1574472ab Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 12:42:16 -0500 Subject: [PATCH 307/476] re add imessage --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 788ae73b..fea622e0 100755 --- a/README.md +++ b/README.md @@ -948,6 +948,13 @@ Depending on the provider, you might not need anything other than a username and XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. +### iMessage + +iMessage, Apple's first party messenger, offers [quantum-resistant](https://security.apple.com/blog/imessage-pq3/) [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). +@@ -952,14 +960,6 @@ You can use iMessage with either a [phone number or an email](https://support.ap + +**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! + ## Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! 
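Review bot: the re-added iMessage section in PATCH 307 contains the line `+@@ -952,14 +960,6 @@ You can use iMessage with either a [phone number or an email](https://support.ap`, which is a diff header pasted into README.md as content, not text; drop it. The restore is also partial compared with what PATCH 306 removed: the App Sandbox/Hardened Runtime paragraph, the "not designed for anonymity" line and the phone-number-or-email sentence are missing, so either restore them or state in the commit message that they were dropped on purpose.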
From fa23fa2fae43ce4b9a43b68f0f203a814b244f59 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 18:29:29 -0500 Subject: [PATCH 308/476] update physical access --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0ecf1035..deabd527 100755 --- a/README.md +++ b/README.md 
@@ -1404,13 +1404,17 @@ sudo lsof -Pni TCP:22 Keep your Mac physically secure at all times and do not leave it unattended in public. -A skilled attacker with unsupervised physical access can infect the boot ROM to install a keylogger and steal passwords. See [Thunderstrike](https://trmm.net/Thunderstrike) for example. +A skilled attacker could install a [hardware keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many of these devices are designed to be plugged in between a USB keyboard and your computer. -To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app), [usbkill](https://github.com/hephaest0s/usbkill) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. +To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. Consider purchasing a privacy screen/filter for use in public. -Superglue or epoxy resin can be used to disable physical access to peripheral ports. [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. +Superglue or epoxy resin can be used to disable physical access to peripheral ports. + +**Warning:** This will damage your ports so be 100% sure you'll never need to use them. 
+ +[Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. ## System monitoring From 8272623db67d56dbaeb4fa88a18ebe3cd8b40699 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 18:31:49 -0500 Subject: [PATCH 309/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index deabd527..d915e758 100755 --- a/README.md +++ b/README.md @@ -1404,7 +1404,7 @@ sudo lsof -Pni TCP:22 Keep your Mac physically secure at all times and do not leave it unattended in public. -A skilled attacker could install a [hardware keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many of these devices are designed to be plugged in between a USB keyboard and your computer. +A skilled attacker could install a [hardware keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many of these off-the-shelf devices are designed to be plugged in between a USB keyboard and your computer. To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. From 671a2c548261b960f390fb7e2cacea24b80f80b5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 18:34:52 -0500 Subject: [PATCH 310/476] punctuation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
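Review bot: in PATCH 308 the anti-forensic tool sentence now names two tools, but the next sentence still opens with "All respond to USB events", and the parenthetical "(updated usbkill, with graphical user interface)" refers to usbkill after its link was removed; suggest "Both respond to USB events" and "a maintained fork of usbkill with a graphical interface". Replacing the Thunderstrike sentence with the hardware-keylogger one also drops the boot ROM/firmware-implant threat entirely; a keylogger is the easier outcome of unsupervised physical access, not the only one, so keeping a one-line mention with the Thunderstrike link would make the paragraph more complete.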
diff --git a/README.md b/README.md index d915e758..71017152 100755 --- a/README.md +++ b/README.md @@ -1412,7 +1412,7 @@ Consider purchasing a privacy screen/filter for use in public. Superglue or epoxy resin can be used to disable physical access to peripheral ports. -**Warning:** This will damage your ports so be 100% sure you'll never need to use them. +**Warning:** This will damage your ports so be 100% sure you'll never need to use them! [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. From 3cd51cdfc1ee9cee130e554cc79084e1bf271b94 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 19:24:39 -0500 Subject: [PATCH 311/476] unsupervised --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 71017152..9c3aaaee 100755 --- a/README.md +++ b/README.md 
@@ -1404,7 +1404,7 @@ sudo lsof -Pni TCP:22 Keep your Mac physically secure at all times and do not leave it unattended in public. -A skilled attacker could install a [hardware keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many of these off-the-shelf devices are designed to be plugged in between a USB keyboard and your computer. +A skilled attacker with unsupervised physical access could install a [hardware keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many of these off-the-shelf devices are designed to be plugged in between a USB keyboard and your computer. To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. From d601db96e48c87866d9e5447f55d745debddfa29 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 20:06:01 -0500 Subject: [PATCH 312/476] update imessage --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fea622e0..944435c2 100755 --- a/README.md +++ b/README.md 
@@ -950,8 +950,11 @@ XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryp ### iMessage -iMessage, Apple's first party messenger, offers [quantum-resistant](https://security.apple.com/blog/imessage-pq3/) [E2EE](https://support.apple.com/guide/security/imessage-security-overview-secd9764312f) and the ability to verify keys via [Contact Key Verification](https://support.apple.com/118246) as well as [E2EE backups](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). -@@ -952,14 +960,6 @@ You can use iMessage with either a [phone number or an email](https://support.ap +iMessage is Apple's first party messenger. + +Make sure to enable [Contact Key Verification](https://support.apple.com/118246) and verify with anyone you message to ensure that you're messaging the right person. + +You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#help), so decide pick on that you're comfortable with your contacts seeing. **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! From edf39a66c4d044f7c188d790cf98edc20464fced Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 20:10:33 -0500 Subject: [PATCH 313/476] add signal --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 944435c2..7c5cc069 100755 --- a/README.md +++ b/README.md 
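Review bot: "so decide pick on that you're comfortable with" in PATCH 312 is garbled and should read "so pick one that you're comfortable with" (PATCH 315 and PATCH 316 fix this in two further steps; squash them into this commit). The hunk also removes the stray `@@ -952,14 +960,6 @@` line introduced by PATCH 307, which the commit message "update imessage" does not mention. Reducing the opening to "iMessage is Apple's first party messenger." drops the E2EE, PQ3 and E2EE-backup links that justified recommending it; the Contact Key Verification sentence is a good addition, but the encryption description should stay. The link anchor also changes from `#Mac` to `#help` without explanation.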
@@ -948,6 +948,12 @@ Depending on the provider, you might not need anything other than a username and XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. +### Signal + +[Signal](https://www.signal.org) is an advanced E2EE messenger whose [double-ratchet](https://signal.org/docs/specifications/doubleratchet/) protocol is used by countless others including WhatsApp, Google Messages, and Facebook Messenger. + +Signal requires a phone number to sign up and you'll need to install it on your phone first before you can use it on desktop. + ### iMessage iMessage is Apple's first party messenger. From 861f4d653cd48b4ca2718981a5feda164d5d2f4d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 20:30:55 -0500 Subject: [PATCH 314/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7c5cc069..02fed255 100755 --- a/README.md +++ b/README.md @@ -950,7 +950,7 @@ XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryp ### Signal -[Signal](https://www.signal.org) is an advanced E2EE messenger whose [double-ratchet](https://signal.org/docs/specifications/doubleratchet/) protocol is used by countless others including WhatsApp, Google Messages, and Facebook Messenger. +[Signal](https://www.signal.org) is an advanced E2EE messenger whose [double-ratchet](https://signal.org/docs/specifications/doubleratchet/) protocol is used by countless other messengers including WhatsApp, Google Messages, and Facebook Messenger. Signal requires a phone number to sign up and you'll need to install it on your phone first before you can use it on desktop. From 78e947156bf438a2e3743a6f55987d24037304ad Mon Sep 17 00:00:00 2001 
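Review bot: the Signal section added in PATCH 313 recommends the messenger but, unlike the iMessage section's Contact Key Verification advice, gives no verification step; suggest a sentence on comparing safety numbers with each contact, since the double-ratchet link explains the key ratchet, not identity verification. "advanced E2EE messenger" is also vague; the clause about the protocol being reused by other messengers is the concrete claim, so "advanced" can go.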
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 20:31:42 -0500 Subject: [PATCH 315/476] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 02fed255..2374ffd9 100755 --- a/README.md +++ b/README.md @@ -960,7 +960,7 @@ iMessage is Apple's first party messenger. Make sure to enable [Contact Key Verification](https://support.apple.com/118246) and verify with anyone you message to ensure that you're messaging the right person. -You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#help), so decide pick on that you're comfortable with your contacts seeing. +You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#help), so decide pick one that you're comfortable with your contacts seeing. **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! From 212626fa892e0a4f545f492546b06cd28ac9f7b7 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 20:54:43 -0500 Subject: [PATCH 316/476] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2374ffd9..84bc2cc0 100755 --- a/README.md +++ b/README.md 
@@ -960,7 +960,7 @@ iMessage is Apple's first party messenger. Make sure to enable [Contact Key Verification](https://support.apple.com/118246) and verify with anyone you message to ensure that you're messaging the right person. -You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#help), so decide pick one that you're comfortable with your contacts seeing. +You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#help), so pick one that you're comfortable with your contacts seeing. **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! From dd57ba0e58a982919feb9a949582103ecd418929 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 22:13:03 -0500 Subject: [PATCH 317/476] add apple id requirement to imessage --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 84bc2cc0..24c61c62 100755 --- a/README.md +++ b/README.md @@ -956,7 +956,7 @@ Signal requires a phone number to sign up and you'll need to install it on your ### iMessage -iMessage is Apple's first party messenger. +iMessage is Apple's first party messenger. It requires an [Apple ID](#apple-id) in order to use it. Make sure to enable [Contact Key Verification](https://support.apple.com/118246) and verify with anyone you message to ensure that you're messaging the right person. From bad182fac6e31116d2e4ca6b18502d6976ba46eb Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 23:09:10 -0500 Subject: [PATCH 318/476] change wikipedia link to thunderstrike --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9c3aaaee..6965ef6f 100755 --- a/README.md +++ b/README.md @@ -1404,7 +1404,7 @@ sudo lsof -Pni TCP:22 Keep your Mac physically secure at all times and do not leave it unattended in public. -A skilled attacker with unsupervised physical access could install a [hardware keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many of these off-the-shelf devices are designed to be plugged in between a USB keyboard and your computer. +A skilled attacker with unsupervised physical access could install a [hardware keylogger](https://trmm.net/Thunderstrike_31c3) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many of these off-the-shelf devices are designed to be plugged in between a USB keyboard and your computer. To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. From f24a0cbd7a2cf0ec6eb14bea99faac4378ebc293 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 23:09:42 -0500 Subject: [PATCH 319/476] remove glue/epoxy --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index 6965ef6f..6c49909d 100755 --- a/README.md +++ b/README.md 
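Review bot: the link change in PATCH 318 points the words "hardware keylogger" at the Thunderstrike 31c3 talk, which is about a boot ROM implant delivered over Thunderbolt, not an off-the-shelf USB keylogger, so the link text no longer matches its target. Either keep the Wikipedia link for the keylogger and cite Thunderstrike separately as the firmware-implant example (the sentence PATCH 308 removed), or change the link text to describe what the talk shows.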
@@ -1410,10 +1410,6 @@ To protect against physical theft during use, you can use an anti-forensic tool Consider purchasing a privacy screen/filter for use in public. -Superglue or epoxy resin can be used to disable physical access to peripheral ports. - -**Warning:** This will damage your ports so be 100% sure you'll never need to use them! - [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. ## System monitoring From 974d65c3d23059d49baf67920d6c6390afdd71b5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 17 Mar 2024 23:13:16 -0500 Subject: [PATCH 320/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6c49909d..6a3e49d5 100755 --- a/README.md +++ b/README.md 
@@ -1404,7 +1404,7 @@ sudo lsof -Pni TCP:22 Keep your Mac physically secure at all times and do not leave it unattended in public. -A skilled attacker with unsupervised physical access could install a [hardware keylogger](https://trmm.net/Thunderstrike_31c3) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many of these off-the-shelf devices are designed to be plugged in between a USB keyboard and your computer. +A skilled attacker with unsupervised physical access could install a [hardware keylogger](https://trmm.net/Thunderstrike_31c3) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many off-the-shelf versions of this attack are designed to be plugged in between a USB keyboard and your computer. To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. From 85b727db397d9809b81ed7f93e5a90867cff8c46 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 18 Mar 2024 10:23:57 -0700 Subject: [PATCH 321/476] Remove cn guide and installesd hashes, both out of date. Fix TOC --- InstallESD_Hashes.csv | 41 - README-cn.md | 2016 ----------------------------------------- README.md | 72 +- 3 files changed, 36 insertions(+), 2093 deletions(-) delete mode 100644 InstallESD_Hashes.csv delete mode 100755 README-cn.md diff --git a/InstallESD_Hashes.csv b/InstallESD_Hashes.csv deleted file mode 100644 index 15b5ff55..00000000 --- a/InstallESD_Hashes.csv +++ /dev/null 
@@ -1,41 +0,0 @@ -Version,Build,SHA-256,SHA-1 -10.10.2,14C109,1652d5bd574fd79eda00c19f71187bbf78a01fe22cbcf1443c066524d5f29f0c,059f2603a91465bcee24c864d446da30df920f85 -10.10.5,14F27,24c4934d91401dd2f738c7811d35ae16d3d7993586592a64b9baf625fe0427db,ef5cc8851b893dbe4bc9a5cf5c648c10450af6bc -10.10.5,14F27,6a2d563b89d4c2733e8ff087c16db0caaa6594375ac835b3110df4306edb2459,0e063fd87d5b0a4f68dbd35da95b2018748f88eb -10.11,15A284,d20002ec8328784d65274eb49663b24a48be95dc06c6623ec67c9f28a7481352,5e21097f2e98417ecc12574a7bb46a402594ea4a -10.11.1,15B42,6275929722c35674fce90d2272d383d49696096e8626ee7f7900dd0334167a9a,306a080c07e293b6765ba950bab213572704acec -10.11.2,15C50,8e81dc547f07bc92408d5269983c64cf6ab2206e4d9a1cd94eb6e9003279921b,2b11b8b618a2e5100507c3c432363081db65c4c8 -10.11.3,15D21,bc46b9b02e69546e1446e131d4a8d3b0203a6bbad73a003749571da85f51a613,e4311d93127d0668372b32e5342f3b455b6bc9bd -10.11.4,15E65,532830b2a04b6f496b1cc1b18cc1645d1cda34151c212b68133f41c19d1431ed,f6292573395b46e8110be6077fd4827409bc948b -10.11.5,15F34,8be0c4144d79dc0ef275d6bea60db4d23ccf83b22b6c22a99ff35261862b0758,850781fe8cb5d88c5d1bc23e704e6686ff1fcc2f -10.11.6,15G31,0b8156957236865e170bc7784bf067ba8b5b231ad8ce45790865e16c9c653615,7739e3f62080000da5d28efa689c53976112a262 -10.12,16A323,78a2701bb63a0dcb30862314d1a4598522cfe6a2dd2b096a4e30f256909a4446,139ef35e4af0da8286b2a3af326cb114d774f606 -10.12.1,16B2657,8608c0cebf689431ad35d37bcb0035aac266c78f95e7e2a3fd8104d153a24e9b,e559e142a4c9ebaaa740c575d5c3c23c6eb3fb06 -10.12.1,16B2659,8efa85e12bcc6c2145cce68b6ecaf9ce23e11f58c1452982b1907fe0f9f76fd1,f7f147c54627c2a9beb1fa318394e1579b30b167 -10.12.2,16C67,6c2b16f248407a3853a9c4a63efadc94813321708f5eed5c09b73f33e5edd855,1432e3be6222c434b536721076ed8b16b1c6050e -10.12.2,16C68,6e8ccda1849bb49b1acf75f455019fe327adb47c676dbff018ea811c2456dcce,94f9e8f7ae2540dee6fe3465f60fc037e2547d16 -10.12.3,16D32,75a288fe6efc0591f757baf08305270f1b843b54cfb66fe6b257049400a0d6e9,77d354ec06df0d0acc37c105ae524ba96948142b 
-10.12.4,16E195,30319aeae18c3277919c59fe678201553f5a11022d6966b67a43422996391181,30b9245f7c7608c40bbdf4d4a74f3ab84dbac716 -10.12.5,16F73,dae2d71921a737d41df8f00379b7c04653bd35ed8db0f38313f8d86eb7f39f88,51df126965433187403987c9d74d95c26cba9266 -10.12.6,16G29,d93efaaaa9d029b52ac1985043fabf0e6c8d5015841e7338f96ed9e162538b2c,b53c36706eef6e0e15c1f76ef51d1b552705fc75 -10.13.2,17C88,a016570e65a70e23462efdddd845d3a1a5a7cc39aa770a0052af16e3d5f2ac4f,49e336085247331ea6033ebd3598a827caa6596e -10.13.3,17D47,438fc19055e56ac90fb485796d3aacc4059d241d79bc5c303220c4c2468a1f9d,726c7516fdbe33ae3f2384ba1ce7efcda4335776 -10.13.4,17E199,fd33bb6f8a4132c2ba50808c0e1f92eb05b6c300d38e58287d5d7dec01a4cd65,2c72b22a45ea8f5a80bee91db8aba96dae8310ea -10.13.5,17F77,c4ff5048bafbf7f386cd6cb3b09b58112df607a526874c726d9b0c5ba2e61a4f,216b38acfb234b4e29c2dba41fd76814550b59e2 -10.13.6,17G65,e3de527616e5a0bc6c2120960b55b458d49822900b09fd8d4884479efdce1c65,69159caf25666ea1c5d466e158e075d947f6a9ee -10.13.6,17G2208,82489dfce5025a6ee4725f194ec014d2f962e8ab2ea7c15032b5b1ea02e76598,686d5b9e2797b9604e5f2c9eaf3e2dbb839a66da -10.14,18A391,cdf15a36a082af2da1cc3ac913a6facb78894a5311c69d51fdfce706b83d8692,d29afb53d32d350453356d6025c4cbb2fb123985 -10.14.1,18B75,84989fd343e4eeb1013703565eb54f652f2f89d3305fa952d85879d94606619a,635fdcb4a9baee1885825e9067d104d7aa0b9c2f -10.14.2,18C54,25a6c7d467fb72fed170dce786202f24c0120045c358902a19be8d3e106fe1a4,da00f1ccb5e0927ae4550fd8399160cc5f3a9b47 -10.14.3,18D109,cbf25956bb89860d01edfb1550b9a09f58d8c4c4fea6eaf64a16dd93236a437d,51493681f3e82bb78e22e97f38725ffc67f611cd -10.14.4,18E226,b5b52ebf55fee7b5997b288255453f28f506421250485d37cf907f82950f85e8,458ea61e228defda08c0fe9dcd925db2e73e54f0 -10.14.4,18E227,8b51a1695152fe61b0c3ba72fe91123c7c7cafda465e4b988d55fc291d6e5069,2f37bc2ea1bd74baf42c9fa93b4518e155bae62e -10.14.5,18F132,96c324576490e012a4383f3410e5c53fc0ccbbd22356e577fc3fc59aae112910,29e5d1a30a1259b9ff849111fb0d6588937c629d 
-10.14.6,18G84,c4f1c01c50e819f231f9a54d567672d3da162c4b9dc21c8c7719ca4e679ecac8,892c930f496ceeb88708fa7507f27dc5a6f036d9 -10.14.6,18G95,ffa3fcc7e08b6134dca9f481f15aabce3fd80159951551dccdcd29df1a59e777,df554c1a284e0655ef643258ff2dddb491dc86e6 -10.15,19A583,4409a34604f4443993debccf855b0896e594dc1fa09ebf2d632a7787b0083436,2faf7d456ce292662a058cb571a520acabe81ce7 -10.15,19A602,d62588185b524bc27902c6e0348fb36a9c071dc8e45df89caf9a45bc6731492d,65aed4389ce4a65d713affef388356d251d9eec3 -10.15,19A603,572f8ccc909762f9bc75019fa9729eefc3e2f85834e082aea926b1c7931f729a,5ac1070e34ecc02f66beb03a77198dd0dc3d3377 -10.15.3,19D76,54bb26608f2916ca73f3482e8f4d5a98fc875d479482293840ec1b7a111c70f6,6ac088372d0bf0286d24ce55d9f0eb14a81d91c3 -10.15.5,19F96,833aa44561e9883f7a2e3b4861617c3d14905a6b612cc4352f9adbee49657c9f,18b35ba4b4a1bdefeccaddf50da749f6cb3b2ad5 -10.15.6,19G2021,f4a4874fab03cab52cfd73135d53226c5c8b72fb58b798e61b951a88c69b5f0d,d9be22bfc3220c17cc024ef52a14216e157f42f2 diff --git a/README-cn.md b/README-cn.md deleted file mode 100755 index 612f229c..00000000 --- a/README-cn.md +++ /dev/null 
@@ -1,2016 +0,0 @@ -# MacOS 的安全和隐私指南 - -> * 原文地址:[macOS Security and Privacy Guide](https://github.com/drduh/macOS-Security-and-Privacy-Guide) -> * 原文作者:[drduh](https://github.com/drduh) -> * 译文出自:[掘金翻译计划](https://github.com/xitu/gold-miner) -> * 译者:[Nicolas(Yifei) Li](https://github.com/yifili09), [MAYDAY1993](https://github.com/MAYDAY1993), [DeadLion](https://github.com/DeadLion) -> * 校对者:[lovelyCiTY](https://github.com/lovelyCiTY), [sqrthree](https://github.com/sqrthree) -> * 这个 [链接](https://github.com/xitu/macOS-Security-and-Privacy-Guide/compare/master...drduh:master) 用来查看本翻译与英文版是否有差别(如果你没有看到 README.md 发生变化,那就意味着这份翻译文档是最新的)。 - -这里汇集了一些想法,它们是有关如何保护运行了 macOS 10.12 "Sierra" 操作系统(以前是 **OS X**)的现代化苹果 Mac 电脑,也包含了一些提高个人网络隐私的小贴士。 - -这份指南的目标读者是那些希望采用企业级安全标准的"高级用户",但是也适用于那些想在 Mac 上提高个人隐私和安全性的初级用户们。 - -一个系统的安全与否完全取决于管理员的能力。没有一个单独的技术、软件,或者任何一个科技能保证计算机完全安全;现代的计算机和操作系统都是非常复杂的,并且需要大量的增量修改才能获得在安全性和隐私性上真正意义的提高。 - -**免责声明**:若按照以下操作后对您的 Mac 电脑造成损伤,**望您自行负责**。 - -如果你发现了本文中的错误或者有待改进的内容,请提交 `pull request` 或者 [创建一个 `issue`](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues). 
- -- [基础知识](#基础知识) -- [固件](#固件) -- [准备和安装 macOS](#准备和安装-macos) - - [虚拟机](#虚拟机) -- [首次启动](#首次启动) -- [管理员和普通用户账号](#管理员和普通用户账号) -- [对整个磁盘进行数据加密](#对整个磁盘进行数据加密) -- [防火墙](#防火墙) - - [应用程序层的防火墙](#应用程序层的防火墙) - - [第三方防火墙](#第三方防火墙) - - [内核级的数据包过滤](#内核级的数据包过滤) -- [系统服务](#系统服务) -- [Spotlight 建议](#spotlight-建议) -- [Homebrew](#homebrew) -- [DNS](#dns) - - [Hosts 文件](#hosts-文件) - - [Dnsmasq](#dnsmasq) - - [检测 DNSSEC 验证](#检测-dnssec-验证) - - [DNSCrypt](#dnscrypt) -- [Captive portal](#captive-portal) -- [证书授权](#证书授权) -- [OpenSSL](#openssl) -- [Curl](#curl) -- [Web](#web) - - [代理](#代理) - - [浏览器](#浏览器) - - [插件](#插件) -- [PGP/GPG](#pgpgpg) -- [OTR](#otr) -- [Tor](#tor) -- [VPN](#vpn) -- [病毒和恶意软件](#病毒和恶意软件) -- [系统完整性保护](#系统完整性保护) -- [Gatekeeper 和 XProtect](#gatekeeper-和-xprotect) -- [密码](#密码) -- [备份](#备份) -- [Wi-Fi](#wi-fi) -- [SSH](#ssh) -- [物理访问](#物理访问) -- [系统监控](#系统监控) - - [OpenBSM 监测](#openbsm-监测) - - [DTrace](#dtrace) - - [运行](#运行) - - [网络](#网络) -- [二进制白名单](#二进制白名单) -- [其它](#其它) -- [相关软件](#相关软件) -- [其它资源](#其它资源) - -## 基础知识 - -安全标准的最佳实践适用于以下几点: - -* 创建一个威胁模型 - * 考虑下什么是你需要保护的,避免谁的侵害?你的对手会是一个 [TLA](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) 机构么?(如果是的,你需要考虑替换使用 [OpenBSD](http://www.openbsd.org)),或者是一个在网络上好管闲事的偷听者,还是一起针对你精心策划的 [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) 网络攻击? 
- * 研究并识别出[那些威胁](https://www.usenix.org/system/files/1401_08-12_mickens.pdf),想一想如何减少被攻击的面。 - -* 保持系统更新 - * 请为你的系统和软件持续更新补丁!更新补丁!更新补丁!(重要的事情说三遍)。 - * 可以使用 `App Store` 应用程序来完成对 `macOS` 系统的更新,或者使用命令行工具 `softwareupdate`,这两个都不需要注册苹果账号。 - * 请为那些你经常使用的程序,订阅公告邮件列表(例如,[Apple 安全公告](https://lists.apple.com/mailman/listinfo/security-announce))。 - -* 对敏感数据进行加密 - * 除了对整个磁盘加密之外,创建一个或者多个加密的容器,用它们来保存一些你的密码、秘钥、那些个人文件和余下的其他数据。 - * 这有助于减少数据泄露造成的危害。 - -* 经常备份数据 - * 定期创建[数据备份](https://www.amazon.com/o/ASIN/0596102461/backupcentral),并且做好遇到危机时候的数据恢复工作。 - * 在拷贝数据备份到外部存储介质或者 “云” 系统中之前,始终对它们进行加密。 - * 定期对备份进行测试,验证它们是可以工作的。例如,访问某一部分文件或者对比哈希校验值。 - -* 注意钓鱼网站 - * 最后,具有高安全意识的管理员能大大降低系统的安全风险。 - * 在安装新软件的时候,请加倍小心。始终选择[自由的软件](https://www.gnu.org/philosophy/free-sw.en.html)和开源的软件([当然了,macOS 不是开源的](https://superuser.com/questions/19492/is-mac-os-x-open-source)) - -## 固件 - -为固件设定一个密码,它能阻止除了你的启动盘之外的任何其它设备启动你的 Mac 电脑。它也能设定成每次启动时为必选项。 - -[当你的计算机被盗或者丢失的时候,这个功能是非常有用的](https://www.ftc.gov/news-events/blogs/techftc/2015/08/virtues-strong-enduser-device-controls),该功能可以防止直接内存访问从而可以读取您的 FileVault 密码并注入诸如 [pcileech](https://github.com/ufrisk/pcileech) 之类的内核模块这种攻击方式,因为唯一能重置固件密码的方式是通过 `Apple Store`,或者使用一个 [SPI 程序](https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/),例如 [Bus Pirate](http://ho.ax/posts/2012/06/unbricking-a-macbook/) 或者其它刷新电路的程序。 - -1. 开始时,按下 `Command` 和 `R` 键来启动[恢复模式 / Recovery Mode](https://support.apple.com/en-au/HT201314)。 - -2. 当出现了恢复模式的界面,从 `Utilities / 工具` 菜单中选择 **Firmware Password Utility / 固件密码实用工具**。 - -3. 在固件工具窗口中,选择 **Turn On Firmware Password / 打开固件密码**。 - -4. 输入一个新的密码,之后在 **Verify / 验证** 处再次输入一样的密码。 - -5. 选择 **Set Password / 设定密码**。 - -6. 选择 **Quit Firmware Utility / 退出固件工具** 关闭固件密码实用工具。 - -7. 
选择 Apple 菜单,并且选择重新启动或者关闭计算机。 - -这个固件密码会在下一次启动后激活。为了验证这个密码,在启动过程中按住 `Option` 键 - 按照提示输入密码。 - -当启动进操作系统以后。固件密码也能通过 `firmwarepasswd` 工具管理。例如,从另一个模式启动的时候可以这样: - -`$ sudo firmwarepasswd -setpasswd -setmode command` - -输入一个密码然后重启。 - -Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple - -**在没有 Apple 技术支持下,使用 [Dediprog SF600](http://www.dediprog.com/pd/spi-flash-solution/sf600) 来输出并且烧录一个 2013 款的 MacBook SPI 闪存芯片,或者移除一个固件密码** - -可参考 [HT204455](https://support.apple.com/en-au/HT204455), [LongSoft/UEFITool](https://github.com/LongSoft/UEFITool) 或者 [chipsec/chipsec](https://github.com/chipsec/chipsec) 了解更多信息。 - -## 准备和安装 macOS - -有很多种方式来安装一个全新的 macOS 副本。 - -最简单的方式是在启动过程中按住 `Command` 和 `R` 键进入 [Recovery Mode / 恢复模式](https://support.apple.com/en-us/HT201314)。系统镜像文件能够直接从 `Apple` 官网上下载并且使用。然而,这样的方式会以明文形式直接在网络上暴露出你的机器识别码和其它的识别信息。 - -PII is transmitted to Apple in plaintext when using macOS Recovery - -**在 macOS 恢复过程中,捕获到未加密的 HTTP 会话包** - -另一种方式是,从 [App Store](https://itunes.apple.com/us/app/macos-sierra/id1127487414) 或者其他地方下载 **macOS Sierra** 安装程序,之后创建一个自定义可安装的系统镜像。 - -这个 macOS Sierra 安装应用程序是经过[代码签名的](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6),它可以使用 `code sign` 命令来验证并确保你接收到的是一个正版文件的拷贝。 - -``` -$ codesign -dvv /Applications/Install\ macOS\ Sierra.app -Executable=/Applications/Install macOS Sierra.app/Contents/MacOS/InstallAssistant -Identifier=com.apple.InstallAssistant.Sierra -Format=app bundle with Mach-O thin (x86_64) -CodeDirectory v=20200 size=297 flags=0x200(kill) hashes=5+5 location=embedded -Signature size=4167 -Authority=Apple Mac OS Application Signing -Authority=Apple Worldwide Developer Relations Certification Authority -Authority=Apple Root CA -Info.plist entries=30 -TeamIdentifier=K36BKF7T3D -Sealed Resources version=2 rules=7 files=137 -Internal requirements count=1 size=124 -``` - -macOS 
安装程序也可以由 `createinstallmedia` 工具制作,它在 `Install macOS Sierra.app/Contents/Resources/` 文件路径中。请参考[为 macOS 制作一个启动安装程序](https://support.apple.com/en-us/HT201372),或者直接运行这个命令(不需要输入任何参数),看看它是如何工作的。 - -**注意** Apple 的安装程序[并不能跨版本工作](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/120)。如果你想要创造一个 10.12 的镜像,例如,以下指令也必须要在 10.12 的机器上运行! - -为了创建一个 **macOS USB 启动安装程序**,需要挂载一个 USB 驱动器,清空它的内容、进行重新分区,之后使用 `createinstallmedia` 工具: - -``` -$ diskutil list -[Find disk matching correct size, usually "disk2"] - -$ diskutil unmountDisk /dev/disk2 - -$ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100% - -$ cd /Applications/Install\ macOS\ Sierra.app - -$ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --applicationpath /Applications/Install\ macOS\ Sierra.app --nointeraction -Erasing Disk: 0%... 10%... 20%... 30%... 100%... -Copying installer files to disk... -Copy complete. -Making disk bootable... -Copying boot files... -Copy complete. -Done. -``` - -为了创建一个自定义、可安装的镜像,能用它恢复一台 Mac 电脑,你需要找到 `InstallESD.dmg`,这个文件也包含在 `Install macOS Sierra.app` 中。 - -通过 `Finder` 找到,并在这个应用程序图标上点击鼠标右键,选择 **Show Package Contents / 显示包内容**,之后从 **Contents / 内容** 进入到 **SharedSupport / 共享支持**,找到 `InstallESD.dmg` 文件。 - -你能通过 `openssl sha1 InstallESD.dmg` 、`shasum -a 1 InstallESD.dmg` 或者 `shasum -a 256 InstallESD.dmg` 得到的加密过的哈希值[验证](https://support.apple.com/en-us/HT201259)来确保你得到的是同一份正版拷贝(在 Finder 中,你能把文件直接拷贝到终端中,它能提供这个文件的完整路径地址)。 - -可以参考 [HT204319](https://support.apple.com/en-us/HT204319),它能确定你最初采购来的计算机使用了哪个版本的 macOS,或者哪个版本适合你的计算机。 - -可以参考 [InstallESD_Hashes.csv](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/blob/master/InstallESD_Hashes.csv) 这个在我代码仓库中的文件,它是现在和之前该版本文件的哈希值。你也可以使用 Google 搜索这些加密的哈希值,确保这个文件是正版且没有被修改过的。 - -可以使用 [MagerValp/AutoDMG](https://github.com/MagerValp/AutoDMG) 来创建这个镜像文件,或者手动创建、挂载和安装这个操作系统到一个临时镜像中: - - $ hdiutil attach -mountpoint /tmp/install_esd ./InstallESD.dmg - - $ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 
-gid 80 -mode 1775 /tmp/output.sparseimage - - $ hdiutil attach -mountpoint /tmp/os -owners on /tmp/output.sparseimage - - $ sudo installer -pkg /tmp/install_esd/Packages/OSInstall.mpkg -tgt /tmp/os -verbose - -这一步需要花费一些时间,请耐心等待。你能使用 `tail -F /var/log/install.log` 命令在另一个终端的窗口内查看进度。 - -**(可选项)** 安装额外的软件,例如,[Wireshark](https://www.wireshark.org/download.html): - - $ hdiutil attach Wireshark\ 2.2.0\ Intel\ 64.dmg - - $ sudo installer -pkg /Volumes/Wireshark/Wireshark\ 2.2.0\ Intel\ 64.pkg -tgt /tmp/os - - $ hdiutil unmount /Volumes/Wireshark - -遇到安装错误时,请参考 [MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment](https://github.com/MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment),使用 [chilcote/outset](https://github.com/chilcote/outset) 来替代解决首次启动时候的包和脚本。 - -当你完成的时候,分离、转换并且验证这个镜像: - - $ hdiutil detach /tmp/os - - $ hdiutil detach /tmp/install_esd - - $ hdiutil convert -format UDZO /tmp/output.sparseimage -o ~/sierra.dmg - - $ asr imagescan --source ~/sierra.dmg - -现在,`sierra.dmg` 已经可以被用在一个或者多个 Mac 电脑上了。它能继续自定义化这个镜像,比如包含预先定义的用户、应用程序、预置参数等。 - -这个镜像能使用另一个在 [Target Disk Mode / 目标磁盘模式](https://support.apple.com/en-us/HT201462) 下的 Mac 进行安装,或者从 USB 启动安装盘安装。 - -为了使用 **Target Disk Mode / 目标磁盘模式**,按住 `T` 键的同时启动 Mac 电脑,并且通过 `Firewire` 接口,`Thunderbolt` 接口或者 `USB-C` 线连接另外一台 Mac 电脑。 - -如果你没有其它 Mac 电脑,通过启动的时候,按住 **Option** 键用 USB 安装盘启动,把 `sierra.dmg` 和其它需要的文件拷贝到里面。 - -执行 `diskutil list` 来识别连接着的 Mac 磁盘,通常是 `/dev/disk2` - -**(可选项)** 一次性[安全清除](https://www.backblaze.com/blog/securely-erase-mac-ssd/)磁盘(如果之前通过 FileVault 加密,该磁盘必须先要解锁,并且装载在 `/dev/disk3s2`): - - $ sudo diskutil secureErase freespace 1 /dev/disk3s2 - -把磁盘分区改成 `Journaled HFS+` 格式: - - $ sudo diskutil unmountDisk /dev/disk2 - - $ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100% - -把该镜像还原到新的卷中: - - $ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m - -你也能使用 **Disk Utility / 磁盘工具** 应用程序来清除连接着的 Mac 磁盘,之后将 `sierra.dmg` 还原到新创建的分区中。 - -如果你正确按照这些步骤执行,该目标 Mac 电脑应该安装了新的 macOS Sierra 
了。 - -如果你想传送一些文件,把它们拷贝到一个共享文件夹,例如在挂载磁盘的镜像中, `/Users/Shared`,例如,`cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared` - -Finished restore install from USB recovery boot - -**完成从 USB 启动的还原安装** - -这里还没有大功告成!除非你使用 [AutoDMG](https://github.com/MagerValp/AutoDMG) 创建了镜像,或者把 macOS 安装在你 Mac 上的其它分区内,你需要创建一块还原分区(为了使用对整个磁盘加密的功能)。你能使用 [MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer) 或者按照以下步骤: - -请下载 [RecoveryHDUpdate.dmg](https://support.apple.com/downloads/DL1464/en_US/RecoveryHDUpdate.dmg) 这个文件。 - -``` -RecoveryHDUpdate.dmg -SHA-256: f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c -SHA-1: 1ac3b7059ae0fcb2877d22375121d4e6920ae5ba -``` - -添加并且扩展这个安装程序,之后执行以下命令: - -``` -$ hdiutil attach RecoveryHDUpdate.dmg - -$ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery - -$ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg - -$ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist -``` - -必要的时候把 `/Volumes/macOS` 替换成以目标磁盘启动的 Mac 的路径。 - -这个步骤需要花几分钟才能完成。再次执行 `diskutil list` 来确保 **Recovery HD** 已经存在 `/dev/disk2` 或者相似的路径下。 - -一旦你完成了这些,执行 `hdituil unmount /Volumes/macOS` 命令弹出磁盘,之后关闭以目标磁盘模式启动的 Mac 电脑。 - -### 虚拟机 - -在虚拟机内安装 macOS,可以使用 [VMware Fusion](https://www.vmware.com/products/fusion.html) 工具,按照上文中的说明来创建一个镜像。你**不需要**再下载,也不需要手动创建还原分区。 - -``` -VMware-Fusion-8.5.6-5234762.dmg -SHA-256: 57a879095c9fcce0066bea0d3c203571689fb53205915fda156c0d742f7c7ad2 -SHA-1: b7315d00a7c92dbad280d0f01f42dd8b56d96040 - ``` - -选择 **Install OS X from the recovery parition** 这个安装方法。可自定义配置任意的内存和 CPU,之后完成设置。默认情况下,这个虚拟机应该进入 [Recovery Mode / 还原模式](https://support.apple.com/en-us/HT201314)。 - -在还原模式中,选择一个语言,之后在菜单条中由 Utilities 打开 Terminal。 - -在虚拟机内,输入 `ifconfig | grep inet` — 你应该能看到一个私有地址,比如 `172.16.34.129` - -在 Mac 宿主机内,输入 `ifconfig | grep 
inet` — 你应该能看到一个私有地址,比如 `172.16.34.1` - -通过修改 Mac 宿主机内的文件让可安装镜像对虚拟器起作用,比如,修改 `/etc/apache2/htpd.conf` 并且在该文件最上部增加以下内容:(使用网关分配给 Mac 宿主机的地址和端口号 80): - - Listen 172.16.34.1:80 - -在 Mac 宿主机上,把镜像链接到 Apache 网络服务器目录: - - $ sudo ln ~/sierra.dmg /Library/WebServer/Documents - -在 Mac 宿主机的前台运行 Apache: - - $ sudo httpd -X - -在虚拟机上通过本地网络命令 `asr`,安装镜像文件到卷分区内: - -``` --bash-3.2# asr restore --source http://172.16.34.1/sierra.dmg --target /Volumes/Macintosh\ HD/ --erase --buffersize 4m - Validating target...done - Validating source...done - Erase contents of /dev/disk0s2 (/Volumes/Macintosh HD)? [ny]: y - Retrieving scan information...done - Validating sizes...done - Restoring ....10....20....30....40....50....60....70....80....90....100 - Verifying ....10....20....30....40....50....60....70....80....90....100 - Remounting target volume...done -``` - -完成后,在 `sudo httpd -X` 窗口内通过 `Control` 和 `C` 组合键停止在宿主机 Mac 上运行的 Apache 网络服务器服务,并且通过命令 `sudo rm /Library/WebServer/Documents/sierra.dmg` 删除镜像备份文件。 - -在虚拟机内,在左上角 Apple 菜单中选择 **Startup Disk**,选择硬件驱动器并重启你的电脑。你可能想在初始化虚拟机启动的时候禁用网络适配器。 - -例如,在访问某些有风险的网站之前保存虚拟机的快照,并在之后用它还原该虚拟机。或者使用一个虚拟机来安装和使用有潜在问题的软件。 - -## 首次启动 - -**注意** 在设置 macOS 之前,请先断开网络连接并且配置一个防火墙。然而,装备有触摸条(`Touch Bar`)的 [2016 最新款 MacBook](https://www.ifixit.com/Device/MacBook_Pro_15%22_Late_2016_Touch_Bar),它[需要在线激活系统](https://onemoreadmin.wordpress.com/2016/11/27/the-untouchables-apples-new-os-activation-for-touch-bar-macbook-pros/). 
- -在首次启动时,按住 `Command` `Option` `P` `R` 键位组合,它用于[清除 NVRAM](https://support.apple.com/en-us/HT204063)。 - -当 macOS 首次启动时,你会看到 **Setup Assistant / 设置助手** 的欢迎画面。 - -请在创建你个人账户的时候,使用一个没有任何提示的[高安全性密码](http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength)。 - -如果你在设置账户的过程中使用了真实的名字,你得意识到,你的[计算机的名字和局域网的主机名](https://support.apple.com/kb/PH18720)将会因为这个名字而泄露 (例如,**John Applesseed's MacBook**),所以这个名字会显示在局域网络和一些配置文件中。这两个名字都能在 **System Preferences / 系统配置 > Sharing / 共享** 菜单中或者以下命令来改变: - - $ sudo scutil --set ComputerName your_computer_name - - $ sudo scutil --set LocalHostName your_hostname - -## 管理员和普通用户账号 - -管理员账户始终是第一个账户。管理员账户是管理组中的成员并且有访问 `sudo` 的能力,允许它们修改其它账户,特别是 `root`,赋予它们对系统更高效的控制权。管理员执行的任何程序也有可能获得一样的权限,这就造成了一个安全风险。类似于 `sudo` 这样的工具[都有一些能被利用的弱点](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/),例如在默认管理员账户运行的情况下,并行打开的程序或者很多系统的设定都是[处于解锁的状态](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) [p. 61–62]。[Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) 提供了一个最佳实践和[其它一些方案](http://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) [p. 41–42],例如,为每天基本的工作建立一个单独的账号,使用管理员账号仅为了安装软件和配置系统。 - -每一次都通过 macOS 登录界面进入管理员帐号并不是必须的。系统会在需要认证许可的时候弹出提示框,之后交给终端就行了。为了达到这个目的,Apple 为隐藏管理员账户和它的根目录提供了一些[建议](https://support.apple.com/HT203998)。这对避免显示一个可见的 `影子` 账户来说是一个好办法。管理员账户也能[从 FileVault 里移除](http://apple.stackexchange.com/a/94373)。 - -#### 错误警告 - -1. 只有管理员账户才能把应用程序安装在 `/Applications` 路径下 (本地目录)。Finder 和安装程序将为普通用户弹出一个许可对话框。然而,许多应用程序都能安装在 `~/Applications` (该目录能被手动创建) 路径下。经验之谈: 那些不需要管理员权限的应用程序 — 或者在不在 `/Applications` 目录下都没关系的应用程序 — 都应该安装在用户目录内,其它的应安装在本地目录。Mac App Store 上的应用程序仍然会安装在 `/Applications` 并且不需要额外的管理员认证。 - -2. `sudo` 无法在普通用户的 shell 内使用,它需要使用 `su` 或者 `login` 在 shell 内输入一个管理员账户。这需要很多技巧和一些命令行界面操作的经验。 - -3. 系统配置和一些系统工具 (比如 Wi-Fi 诊断器) 为了所有的功能都能执行,它会需要 root 权限。在系统配置界面中的一些面板都是上锁的,所以需要单独的解锁按钮。一些应用程序在打开的时候会提示认证对话框,其它一些则需要通过一个管理员账号直接打开才能获得全部功能的权限。(例如 Console) - -4. 
有些第三方应用程序无法正确运行,因为它们假设当前的用户是管理员账户。这些程序只能在登录管理员账户的情况下才能被执行,或者使用 `open` 工具。 - -#### 设置 - -账户能在系统设置中创建和管理。在一个已经建立的系统中,通常很容易就能创建第二个管理员账号并且把之前的管理员帐号降级。这就避免了数据迁移的问题。新安装的系统都能增加普通账号。对一个账号降级能通过新建立的管理员帐号中的系统设置 — 当然那个管理员账号必须已经注销 — 或者执行这些命令(这两个指令可能没有必要都执行,可以参考[issue #179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)): - -``` -$ sudo dscl . -delete /Groups/admin GroupMembership - -$ sudo dscl . -delete /Groups/admin GroupMembers -``` - -通过以下指令,你就能发现你账号的 “GeneratedUID”: - -``` -$ dscl . -read /Users/ GeneratedUID -``` - -也可以参考[这篇文章](https://superuser.com/a/395738),它能带给你有关更多 macOS 是如何确定组成员的内容。 - -## 对整个磁盘进行数据加密 - -[FileVault](https://en.wikipedia.org/wiki/FileVault) 提供了在 macOS 上对整个磁盘加密的能力(技术上来说,是**整个卷宗**。) - -FileVault 加密在休眠的时候保护数据,并且使通过物理访问形式偷取数据或者使用你的 Mac 修改数据的某人更为艰难(但[不总是阻止](http://blog.frizk.net/2016/12/filevault-password-retrieval.html))。 - -因为大部分的加密操作都[高效地运作在硬件上](https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/),性能上的损失对 FireVault 来说并不凸显。 - -FileVault 的安全性依赖于伪随机数生成器 (PRNG)。 - -> 这个随机设备实现了 Yarrow 伪随机数生成器算法并且维护着它自己的熵池。额外的熵值通常由守护进程 SecurityServer 提供,它由内核测算得到的随机抖动决定。 - -> SecurityServer 也常常负责定期保存一些熵值到磁盘,并且在启动的时候重新加载它们,把这些熵值提供给早期的系统使用。 - -参考 `man 4 random` 获得更多信息。 - -在开启 FileVault 之前,PRNG 也能通过写入 /dev/random 文件手动提供熵的种子。也就是说,在激活 FileVault 之前,我们能用这种方式撑一段时间。 - -在启用 FileVault **之前**,手动配置种子熵: - - $ cat > /dev/random - [Type random letters for a long while, then press Control-D] - -通过 `sudo fdsetup enable` 启用 FileVault 或者通过 **System Preferences** > **Security & Privacy** 之后重启电脑。 - -如果你能记住你的密码,那就没有理由不保存一个**还原秘钥**。然而,如果你忘记了密码或者还原秘钥,那意味着你加密的数据将永久丢失了。 - -如果你想深入了解 FileVault 是如何工作得, 可以参考这篇论文 [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) (pdf) 和这篇相关的[演讲文稿](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) (pdf)。也可以参阅 [IEEE Std 1619-2007 “The XTS-AES Tweakable Block Cipher”](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) (pdf). 
- -你可能希望强制开启**休眠**并且从内存中删除 FileVault 的秘钥,而非一般情况下系统休眠对内存操作的处理方式: - - $ sudo pmset -a destroyfvkeyonstandby 1 - $ sudo pmset -a hibernatemode 25 - -> 所有计算机都有 EFI 或 BIOS 这类的固件,它们帮助发现其它硬件,最终使用所需的操作系统实例把计算机正确启动起来。以 Apple 硬件和 EFI 的使用来说,Apple 把有关的信息保存在 EFI 内,它辅助 macOS 的功能正确运行。举例来说,FileVault 的秘钥保存在 EFI 内,在待机模式的时候出现。 - -> 那些容易被高频攻击的部件,或者那些待机模式下,容易被暴露给所有设备访问的设备,它们都应该销毁在固件中的 FileVault 秘钥来减少这个风险。这么干并不会影响 FileVault 的正常使用,但是系统需要用户在每次跳出待机模式的时候输入这个密码。 - -如果你选择在待机模式下删除 FileVault 秘钥,你也应该修改待机模式的设置。否则,你的机器可能无法正常进入待机模式,会因为缺少 FileVault 秘钥而关机。参考 [issue #124](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/124) 获得更多信息。可以通过以下命令修改这些设置: - - $ sudo pmset -a powernap 0 - $ sudo pmset -a standby 0 - $ sudo pmset -a standbydelay 0 - $ sudo pmset -a autopoweroff 0 - -如果你想了解更多, 请参考 [Best Practices for Deploying FileVault 2](http://training.apple.com/pdf/WP_FileVault2.pdf) (pdf) 和这篇论文 [Lest We Remember: Cold Boot Attacks on Encryption Keys](https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf) (pdf) - - -## 防火墙 - -在准备连接进入互联网之前,最好是先配置一个防火墙。 - -在 macOS 上有好几种防火墙。 - -#### 应用程序层的防火墙 - -系统自带的那个基本的防火墙,它只阻止**对内**的连接。 - -注意,这个防火墙没有监控的能力,也没有阻止**对外**连接的能力。 - -它能在 **System Preferences** 中 **Security & Privacy** 标签中的 **Firewall** 控制,或者使用以下的命令。 - -开启防火墙: - - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on - -开启日志: - - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on - -你可能还想开启私密模式: - - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on - -> 计算机黑客会扫描网络,所以它们能标记计算机并且实施网络攻击。你能使用**私密模式**,避免你的计算机响应一些这样的恶意扫描。当开启了防火墙的私密模式后,你的计算机就不会响应 ICMP 请求,并且不响应那些已关闭的 TCP 或 UDP 端口的连接。这会让那些网络攻击者们很难发现你的计算机。 - -最后,你可能会想阻止**系统自带的软件**和**经过代码签名,下载过的软件自动加入白名单:** - - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off - - $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off - -> 那些经过一个认证签名的应用程序会自动允许加入列表,而不是提示用户再对它们进行认证。包含在 OS X 内的应用程序都被 Apple 
代码签名,并且都允许接对内的连接,当这个配置开启了。举例来说,因为 iTunes 已经被 Apple 代码签名,所以它能自动允许防火墙接收对内的连接。 - -> 如果你执行一个未签名的应用程序,它也没有被纳入防火墙白名单,此时一个带允许或者拒绝该连接选项的对话框会出现。如果你选择“允许连接”,macOS 对这个应用程序签名并且自动把它增加进防火墙的白名单。如果你选择“拒绝连接”,macOS 也会把它加入名单中,但是会拒绝对这个应用程序的对内连接。 - -在使用完 `socketfilterfw` 之后,你需要重新启动(或者结束)这个进程: - - $ sudo pkill -HUP socketfilterfw - -#### 第三方防火墙 - -例如 [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Hands Off](https://www.oneperiodic.com/products/handsoff/), [Radio Silence](http://radiosilenceapp.com/) 和 [Security Growler](https://pirate.github.io/security-growler/) 这样的程序都提供了一个方便、易用且安全的防火墙。 - -Example of Little Snitch monitored session - -**以下是一段 Little Snitch 监控会话的例子** - -``` -LittleSnitch-3.7.4.dmg -SHA-256: b0ce3519d72affbc7910c24c264efa94aa91c9ad9b1a905c52baa9769156ea22 -SHA-1: 868ad75623c60cb9ad428c7c1d3e5ae449a9033e - ``` - -这些程序都具备有监控和阻拦**对内**和**对外**网络连接的能力。然而,它们可能会需要使用一个闭源的[内核扩展](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html)。 - -如果过多的允许或者阻拦网络连接的选择让你不堪重负,使用配置过白名单的**静谧模式**,之后定期检查你设定项,来了解这么多应用程序都在干什么。 - -需要指出的是,这些防火墙都会被以 **root** 权限运行的程序绕过,或者通过 [OS vulnerabilities](https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf) (pdf),但是它们还是值得拥有的 — 只是不要期待完全的保护。然而,一些恶意软件实际上能[自我删除](https://www.cnet.com/how-to/how-to-remove-the-flashback-malware-from-os-x/),如果发现 `Little Snitch` 或者其他一些安全软件已经安装,它就根本不启动。 - -若想了解更多有关 Little Snitch 是如何工作的,可参考以下两篇文章:[Network Kernel Extensions Programming Guide](https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/socket_nke/socket_nke.html#//apple_ref/doc/uid/TP40001858-CH228-SW1) 和 [Shut up snitch! – reverse engineering and exploiting a critical Little Snitch vulnerability](https://reverse.put.as/2016/07/22/shut-up-snitch-reverse-engineering-and-exploiting-a-critical-little-snitch-vulnerability/). 
- -#### 内核级的数据包过滤 - -有一个高度可定制化、功能强大,但的确也是最复杂的防火墙存在内核中。它能通过 `pfctl` 或者很多配置文件控制。 - -pf 也能通过一个 GUI 应用程序控制,例如 [IceFloor](http://www.hanynet.com/icefloor/) 或者 [Murus](http://www.murusfirewall.com/)。 - -有很多书和文章介绍 pf 防火墙。这里,我们只介绍一个有关通过 IP 地址阻拦访问的例子。 - -将以下内容增加到 `pf.rules` 文件中: - -``` -set block-policy drop -set fingerprints "/etc/pf.os" -set ruleset-optimization basic -set skip on lo0 -scrub in all no-df -table persist -block in log -block in log quick from no-route to any -pass out proto tcp from any to any keep state -pass out proto udp from any to any keep state -block log on en0 from {} to any -``` - -使用以下命令: - -* `sudo pfctl -e -f pf.rules` — 开启防火墙 -* `sudo pfctl -d` — 禁用防火墙 -* `sudo pfctl -t blocklist -T add 1.2.3.4` — 把某个主机加入阻止清单中 -* `sudo pfctl -t blocklist -T show` — 查看阻止清单 -* `sudo ifconfig pflog0 create` — 为某个接口创建日志 -* `sudo tcpdump -ni pflog0` — 输出打印数据包 - -我不建议你花大量时间在如何配置 pf 上,除非你对数据包过滤器非常熟悉。比如说,如果你的 Mac 计算机连接在一个 [NAT](https://www.grc.com/nat/nat.htm) 后面,它存在于一个安全的家庭网络中,那以上操作是完全没有必要的。 - -可以参考 [fix-macosx/net-monitor](https://github.com/fix-macosx/net-monitor) 来了解如何使用 pf 监控用户和系统级别对“背景连接通讯"的使用。 - -## 系统服务 - -在你连接到互联网之前,你不妨禁用一些系统服务,它们会使用一些资源或者后台连接通讯到 Apple。 - -可参考这三个代码仓库获得更多建议,[fix-macosx/yosemite-phone-home](https://github.com/fix-macosx/yosemite-phone-home), [l1k/osxparanoia](https://github.com/l1k/osxparanoia) 和 [karek314/macOS-home-call-drop](https://github.com/karek314/macOS-home-call-drop)。 - -在 macOS 上的系统服务都由 **launchd** 管理。可参考 [launchd.info](http://launchd.info/),也可以参考以下两个材料,[Apple's Daemons and Services Programming Guide](https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html) 和 [Technical Note TN2083](https://developer.apple.com/library/mac/technotes/tn2083/_index.html)。 - -你也可以运行 [KnockKnock](https://github.com/synack/knockknock),它能展示出更多有关启动项的内容。 - -* 使用 `launchctl list` 查看正在运行的用户代理 -* 使用 `sudo launchctl list` 查看正在运行的系统守护进程 -* 通过指定服务名称查看,例如,`launchctl list com.apple.Maps.mapspushd` -* 使用 
`defaults read` 来检查在 `/System/Library/LaunchDaemons` 和 `/System/Library/LaunchAgents` 工作中的 plist -* 使用 `man`,`strings` 和 Google 来学习运行中的代理和守护进程是什么 - -举例来说,想要知道某个系统启动的守护进程或者代理干了什么,可以输入以下指令: - - $ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist - -看一看 `Program` 或者 `ProgramArguments` 这两个部分的内容,你就知道哪个二进制文件在运行,此处是 `apsd`。可以通过 `man apsd` 查看更多有关它的信息。 - -再举一个例子,如果你对 `Apple Push Nofitications` 不感兴趣,可以禁止这个服务: - - $ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist - -**注意** 卸载某些服务可能造成某些应用程序无法使用。首先,请阅读手册或者使用 Google 检索确保你明白自己在干什么。 - -禁用那些你不理解的系统进程的时候一定要万分小心,因为它可能会让你的系统瘫痪无法启动。如果你弄坏了你的 Mac,可以使用[单一用户模式](https://support.apple.com/en-us/HT201573)来修复。 - -如果你觉得 Mac 持续升温,感觉卡顿或者常常表现出诡异的行为,可以使用 [Console](https://en.wikipedia.org/wiki/Console_(OS_X)) 和 [Activity Monitor](https://support.apple.com/en-us/HT201464) 这两个应用程序,因为这可能是你不小心操作造成的。 - -以下指令可以查看现在已经禁用的服务: - - $ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null - -有详细注释的启动系统守护进程和代理的列表,各自运行的程序和程序的哈希校验值都包含在这个代码仓库中了。 - -**(可选项)** 运行 `read_launch_plists.py` 脚本,使用 `diff` 输出和你系统对比后产生的差异,例如: - - $ diff <(python read_launch_plists.py) <(cat 16A323_launchd.csv) - -你可以参考这篇 [cirrusj.github.io/Yosemite-Stop-Launch](http://cirrusj.github.io/Yosemite-Stop-Launch/),它对具体服务进行了一些解释, 也可以看看这篇 [Provisioning OS X and Disabling Unnecessary Services](https://vilimpoc.org/blog/2014/01/15/provisioning-os-x-and-disabling-unnecessary-services/),这篇是其它一些解释。 - -## Spotlight 建议 - -在 Spotlight 偏好设置面板和 Safari 的搜索偏好设置中都禁用 **Spotlight 建议**,来避免你的搜索查询项会发送给 Apple。 - -在 Spotlight 偏好设置面板中也禁用**必应 Web 搜索**来避免你的搜索查询项会发送给 Microsoft。 - -查看 [fix-macosx.com](https://fix-macosx.com/) 获得更详细的信息。 - -> 如果你已经更新到 Mac OS X Yosemite(10.10)并且在用默认的设置,每一次你开始在 Spotlight (去打开一个应用或在你的电脑中搜索一个文件)中打字,你本地的搜索词和位置会被发送给 Apple 和第三方(包括 Microsoft )。 - - **注意** 这个网站和它的指导说明已不再适用于 macOS Sierra — 参考[issue 164](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/164). 
- -下载,查看并应用他们建议的补丁: - -``` -$ curl -O https://fix-macosx.com/fix-macosx.py - -$ less fix-macosx.py - -$ /usr/bin/python fix-macosx.py -All done. Make sure to log out (and back in) for the changes to take effect. -``` - -谈到 Microsoft,你可能还想看看 ,挺有意思的。 - -## Homebrew - -考虑使用 [Homebrew](http://brew.sh/) 来安装软件和更新用户工具(查看 [Apple’s great GPL purge](http://meta.ath0.com/2012/02/05/apples-great-gpl-purge/)),这样更简单些。 -**注意**如果你还没安装 Xcode 或命令行工具,可以用 `xcode-select --install` 来从 Apple 下载、安装。 - -要[安装 Homebrew](https://github.com/Homebrew/brew/blob/master/docs/Installation.md#installation): - - $ mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew - - -在你的脚本或 rc 文件中编辑 `PATH` 来使用 `~/homebrew/bin` 和 `~/homebrew/sbin`。例如,先 `echo 'PATH=$PATH:~/homebrew/sbin:~/homebrew/bin' >> .zshrc`,然后用 `chsh -s /bin/zsh` 把登录脚本改为 Z shell,打开一个新的终端窗口并运行 `brew update`。 - -Homebrew 使用 SSL/TLS 与 GitHub 通信并验证下载包的校验,所以它是[相当安全的](https://github.com/Homebrew/homebrew/issues/18036)。 - -记得定期在可信任的、安全的网络上运行 `brew update` 和 `brew upgrade` 来下载、安装软件更新。想在安装前得到关于一个包的信息,运行 `brew info ` 在线查看。 - -依据 [Homebrew 匿名汇总用户行为分析](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md),Homebrew 获取匿名的汇总的用户行为分析数据并把它们报告给 Google Analytics。 - -你可以在你的(shell)环境或 rc 文件中设置 `export HOMEBREW_NO_ANALYTICS=1`,或使用 `brew analytics off` 来退出 Homebrew 的分析。 - -可能你还希望启用[额外的安全选项](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138),例如 `HOMEBREW_NO_INSECURE_REDIRECT=1` 和 `HOMEBREW_CASK_OPTS=--require-sha`。 - -## DNS - -#### Hosts 文件 - -使用 [Hosts 文件](https://en.wikipedia.org/wiki/Hosts_(file)) 来屏蔽蔽已知的恶意软件、广告或那些不想访问的域名。 - -用 root 用户编辑 hosts 文件,例如用 `sudo vi /etc/hosts`。hosts 文件也能用可视化的应用 [2ndalpha/gasmask](https://github.com/2ndalpha/gasmask) 管理。 - -要屏蔽一个域名,在 `/etc/hosts` 中加上 `0 example.com` 或 `0.0.0.0 example.com` 或 `127.0.0.1 example.com`。 - -网上有很多可用的域名列表,你可以直接复制过来,要确保每一行以 `0`, `0.0.0.0`, `127.0.0.1` 开始,并且 `127.0.0.1 localhost` 这一行包含在内。 - -对于这些主机列表,可以查看 
[someonewhocares.org](http://someonewhocares.org/hosts/zero/hosts)、[l1k/osxparanoia/blob/master/hosts](https://github.com/l1k/osxparanoia/blob/master/hosts)、[StevenBlack/hosts](https://github.com/StevenBlack/hosts) 和 [gorhill/uMatrix/hosts-files.json](https://github.com/gorhill/uMatrix/blob/master/assets/umatrix/hosts-files.json)。 - -要添加一个新的列表: - -``` -$ curl "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" | sudo tee -a /etc/hosts - -$ wc -l /etc/hosts -31998 - -$ egrep -ve "^#|^255.255.255|^0.0.0.0|^127.0.0.0|^0 " /etc/hosts -::1 localhost -fe80::1%lo0 localhost -[should not return any other IP addresses] -``` - -更多信息请查看 `man hosts` 和 [FreeBSD 配置文件](https://www.freebsd.org/doc/handbook/configtuning-configfiles.html)。 - -#### Dnsmasq - -与其他特性相比,[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) 能缓存请求,避免无资格名单中的查询数据上传和屏蔽所有的顶级域名。 - -另外,和 DNSCrypt 一起使用来加密输出的 DNS 流量。 - -如果你不想使用 DNSCrypt,再怎么滴也不要用 [ISP](http://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking) [提供](http://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html) 的 DNS。两个流行的选择是 [Google DNS](https://developers.google.com/speed/public-dns/) 和 [OpenDNS](https://www.opendns.com/home-internet-security/)。 - -**(可选)** [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) 是一系列 DNS 的扩展,为 DNS 客户端提供 DNS 数据的来源验证、否定存在验证和数据完整性检验。所有来自 DNSSEC 保护区域的应答都是数字签名的。签名的记录通过一个信任链授权,以一系列验证过的 DNS 根区域的公钥开头。当前的根区域信任锚点可能下载下来[从 IANA 网站](https://www.iana.org/dnssec/files)。关于 DNSSEC 有很多的资源,可能最好的一个是 [dnssec.net 网站](http://www.dnssec.net)。 - -安装 Dnsmasq (DNSSEC 是可选的): - - $ brew install dnsmasq --with-dnssec - - $ cp /usr/local/opt/dnsmasq/dnsmasq.conf.example /usr/local/etc/dnsmasq.conf - - -编辑配置项: - - $ vim /usr/local/etc/dnsmasq.conf - -检查所有的选项。这有一些推荐启用的设置: - -``` -# Forward queries to DNSCrypt on localhost port 5355 -server=127.0.0.1#5355 - -# Uncomment to forward queries to Google Public DNS -#server=8.8.8.8 - -# Never forward plain names -domain-needed - -# Examples of blocking TLDs or 
subdomains -address=/.onion/0.0.0.0 -address=/.local/0.0.0.0 -address=/.mycoolnetwork/0.0.0.0 -address=/.facebook.com/0.0.0.0 - -# Never forward addresses in the non-routed address spaces -bogus-priv - -# Reject private addresses from upstream nameservers -stop-dns-rebind - -# Query servers in order -strict-order - -# Set the size of the cache -# The default is to keep 150 hostnames -cache-size=8192 - -# Optional logging directives -log-async -log-dhcp -log-facility=/var/log/dnsmasq.log - -# Uncomment to log all queries -#log-queries - -# Uncomment to enable DNSSEC -#dnssec -#trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 -#trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D -#dnssec-check-unsigned -``` - -安装并启动程序(`sudo` 需要绑定在 [53 特权端口](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only)): - - $ sudo brew services start dnsmasq - -要设置 Dnsmasq 为本地的 DNS 服务器,打开**系统偏好设置** > **网络**并选择“高级”(译者注:原文为 ‘active interface’,实际上‘高级’),接着切换到 **DNS** 选项卡,选择 **+** 并 添加 `127.0.0.1`, 或使用: - - $ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 - -确保 Dnsmasq 正确配置: - -``` -$ scutil --dns -DNS configuration - -resolver #1 - search domain[0] : whatever - nameserver[0] : 127.0.0.1 - flags : Request A records, Request AAAA records - reach : Reachable, Local Address, Directly Reachable Address - -$ networksetup -getdnsservers "Wi-Fi" -127.0.0.1 -``` - -**注意** 一些 VPN 软件一链接会覆盖 DNS 设置。更多信息查看 [issue #24](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/24)。 - -#### 检测 DNSSEC 验证 - -测试已签名区域的 DNSSEC(域名系统安全扩展协议)验证是否成功: - - $ dig +dnssec icann.org - -应答应该有`NOERROR`状态并包含`ad`。例如: - - ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039 - ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 - -不恰当签名的区域会导致检测 DNSSEC 验证的失败: - - $ dig www.dnssec-failed.org - -应答应该包含`SERVFAIL`状态。例如: - - ;; ->>HEADER<<- opcode: QUERY, status: 
SERVFAIL, id: 15190 - ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 - -#### dnscrypt - -使用 [dnscrypt](https://dnscrypt.org/) 在可选的范围内加密 DNS 流量(译者注:原文为 ‘the provider of choice’)。 - -如果你更喜欢一个 GUI 应用程序,看这里 [alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient)。 - -从 Homebrew 安装 DNSCrypt: - - $ brew install dnscrypt-proxy - -如果要和 Dnsmasq 一起使用,找到这个文件`homebrew.mxcl.dnscrypt-proxy.plist` - -``` -$ find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist -/Users/drduh/homebrew/Cellar/dnscrypt-proxy/1.7.0/homebrew.mxcl.dnscrypt-proxy.plist -``` - -将下面一行编辑进去: - - --local-address=127.0.0.1:5355 - -接着写: - - /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy - -dnscrypt - -**添加一行本地地址来使用 DNScrypt,使用 53 以外的端口,比如 5355** - -用 Homebrew 也能实现上述过程,安装 `gnu-sed` 并使用` gsed` 命令行: - - $ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a--local-address=127.0.0.1:5355<\\/string>\n" $(find ~/homebrew -name homebrew.mxcl.dnscrypt-proxy.plist) - -默认情况下,`resolvers-list` 将会指向 dnscrypt 版本特定的 resolvers 文件。当更新了 dnscrypt,这一版本将不再存在,若它存在,可能指向一个过期的文件。在 `homebrew.mxcl.dnscrypt-proxy.plist` 中把 resolvers 文件改为 `/usr/local/share` 中的符号链接的版本,能解决上述问题: - - --resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv - -还有下面这一行: - - /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy - -启用 DNSCrypt: - - $ sudo brew services start dnscrypt-proxy - -确保 DNSCrypt 在运行: - -``` -$ sudo lsof -Pni UDP:5355 -COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME -dnscrypt- 83 nobody 7u IPv4 0x1773f85ff9f8bbef 0t0 UDP 127.0.0.1:5355 - -$ ps A | grep '[d]nscrypt' - 83 ?? 
Ss 0:00.27 /Users/drduh/homebrew/opt/dnscrypt-proxy/sbin/dnscrypt-proxy --local-address=127.0.0.1:5355 --ephemeral-keys --resolvers-list=/Users/drduh/homebrew/opt/dnscrypt-proxy/share/dnscrypt-proxy/dnscrypt-resolvers.csv --resolver-name=dnscrypt.eu-dk --user=nobody -``` - -> 默认情况下,dnscrypt-proxy 运行在本地 (127.0.0.1) ,53 端口,并且 "nobody" 身份使用dnscrypt.eu-dk DNSCrypt-enabled -resolver。如果你想改变这些设置,你得编辑 plist 文件 (例如, --resolver-address, --provider-name, --provider-key, 等。) - -通过编辑 `homebrew.mxcl.dnscrypt-proxy.plist` 也能完成 - -你能从一个信任的位置或使用 [public servers](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv) 中的一个运行你自己的 [dnscrypt server](https://github.com/Cofyc/dnscrypt-wrapper)(也可以参考 [drduh/Debian-Privacy-Server-Guide#dnscrypt](https://github.com/drduh/Debian-Privacy-Server-Guide#dnscrypt)) - -确保输出的 DNS 流量已加密: - -``` -$ sudo tcpdump -qtni en0 -IP 10.8.8.8.59636 > 77.66.84.233.443: UDP, length 512 -IP 77.66.84.233.443 > 10.8.8.8.59636: UDP, length 368 - -$ dig +short -x 77.66.84.233 -resolver2.dnscrypt.eu -``` - -你也可以阅读 [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html),[mDNSResponder manual page](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/mDNSResponder.8.html) 和 [ipv6-test.com](http://ipv6-test.com/)。 - -## Captive portal - -当 macOS 连接到新的网络,它会**检测**网络,如果连接没有被接通,则会启动 Captive Portal assistant 功能。 - -一个攻击者能触发这一功能,无需用户交互就将一台电脑定向到有恶意软件的网站,最好禁用这个功能并用你经常用的浏览器登录 captive portals, 前提是你必须首先禁用了任何的客户端 / 代理设置。 - - $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false - -也可以看看 [Apple OS X Lion Security: Captive Portal Hijacking Attack](https://www.securestate.com/blog/2011/10/07/apple-os-x-lion-captive-portal-hijacking-attack),[Apple's secret "wispr" request](http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html),[How to disable the captive portal window in Mac OS 
Lion](https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html),和 [An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite](https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/)。 - -## 证书授权 - -macOS 上有从像 Apple、Verisign、Thawte、Digicert 这样的营利性公司和来自中国、日本、荷兰、美国等等的政府机关安装的[超过 200](https://support.apple.com/en-us/HT202858) 个可信任的根证书。这些证书授权(CAs)能够针对任一域名处理 SSL/TLS 认证,代码签名证书等等。 - -想要了解更多,可以看看 [Certification Authority Trust Tracker](https://github.com/kirei/catt)、[Analysis of the HTTPS certificate ecosystem](http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf)(pdf) 和 [You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores](http://www.ifca.ai/fc14/papers/fc14_submission_100.pdf)(pdf)。 - -你可以在**钥匙串访问**中的**系统根证书**选项卡下检查系统根证书,或者使用 `security` 命令行工具和 `/System/Library/Keychains/SystemRootCertificates.keychain` 文件。 - -你可以通过钥匙串访问将它们标记为**永不信任**禁用证书授权并关闭窗口: - -A certificate authority certificate - -被你的系统信任的被迫或妥协的证书授权产生一个假的 / 欺骗的 SSL 证书,这样的一个[中间人攻击](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)的风险很低,但仍然是[可能的](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates)。 - -## OpenSSL - -在 Sierra 中 OpenSSL 的版本是`0.9.8zh`,这[不是最新的](https://apple.stackexchange.com/questions/200582/why-is-apple-using-an-older-version-of-openssl)。它不支持 TLS 1.1 或新的版本,elliptic curve ciphers,[还有更多](https://stackoverflow.com/questions/27502215/difference-between-openssl-09-8z-and-1-0-1)。 - -Apple 在他们的 [Cryptographic Services 指南](https://developer.apple.com/library/mac/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html)文档中宣布**弃用** OpenSSL。他们的版本也有补丁,可能会[带来惊喜喔](https://hynek.me/articles/apple-openssl-verification-surprises/)。 - -如果你要在你的 Mac 上用 OpenSSL,用 `brew install openssl` 下载并安装一个 OpenSSL 最近的版本。注意,brew 已经链接了 `/usr/bin/openssl` ,可能和内置软件冲突。查看 [issue 
#39](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/39)。 - -在 homebrew 版本和 OpenSSL 系统版本之间比较 TLS 协议和密码: - -``` -$ ~/homebrew/bin/openssl version; echo | ~/homebrew/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session -OpenSSL 1.0.2j 26 Sep 2016 -SSL-Session: - Protocol : TLSv1.2 - Cipher : ECDHE-RSA-AES128-GCM-SHA256 - -$ /usr/bin/openssl version; echo | /usr/bin/openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session -OpenSSL 0.9.8zh 14 Jan 2016 -SSL-Session: - Protocol : TLSv1 - Cipher : AES128-SHA -``` - -阅读 [Comparison of TLS implementations](https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations),[How's My SSL](https://www.howsmyssl.com/),[Qualys SSL Labs Tools](https://www.ssllabs.com/projects/) 了解更多,查看更详细的解释和最新的漏洞测试请看 [ssl-checker.online-domain-tools.com](http://ssl-checker.online-domain-tools.com)。 - -## Curl - -macOS 中 Curl 的版本针对 SSL/TLS 验证使用[安全传输](https://developer.apple.com/library/mac/documentation/Security/Reference/secureTransportRef/)。 - -如果你更愿意使用 OpenSSL,用 `brew install curl --with-openssl` 安装并通过 `brew link --force curl` 确保它是默认的。 - -这里推荐几个向 `~/.curlrc` 中添加的[可选项](http://curl.haxx.se/docs/manpage.html)(更多请查看 `man curl`): - -``` -user-agent = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" -referer = ";auto" -connect-timeout = 10 -progress-bar -max-time = 90 -verbose -show-error -remote-time -ipv4 -``` - -## Web - -### 代理 - -考虑使用 [Privoxy](http://www.privoxy.org/) 作为本地代理来过滤网络浏览内容。 - -一个已签名的 privoxy 安装包能从 [silvester.org.uk](http://silvester.org.uk/privoxy/OSX/) 或 [Sourceforge](http://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/) 下载。签过名的包比 Homebrew 版本[更安全](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/65),而且能得到 Privoxy 项目全面的支持。 - -另外,用 Homebrew 安装、启动 privoxy: - - $ brew install privoxy - - $ brew services start privoxy - - -默认情况下,privoxy 监听本地的 8118 端口。 - -为你的网络接口设置系统 **http** 代理为`127.0.0.1` 和 `8118`(可以通过 **系统偏好设置 > 网络 > 高级 > 代理**): - - $ 
sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118 - - -**(可选)** 用下述方法设置系统 **https** 代理,这仍提供了域名过滤功能: - - $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118 - -确保代理设置好了: - -``` -$ scutil --proxy - { - ExceptionsList : { - 0 : *.local - 1 : 169.254/16 - } - FTPPassive : 1 - HTTPEnable : 1 - HTTPPort : 8118 - HTTPProxy : 127.0.0.1 -} -``` - -在一个浏览器里访问 ,或用 Curl 访问: - -``` -$ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/ -HTTP/1.1 200 OK -Content-Length: 2401 -Content-Type: text/html -Cache-Control: no-cache -``` - -代理已经有很多好的规则,你也能自己定义。 - -编辑 `~/homebrew/etc/privoxy/user.action` 用域名或正则表达式来过滤。 - -示例如下: - -``` -{ +block{social networking} } -www.facebook.com/(extern|plugins)/(login_status|like(box)?|activity|fan)\.php -.facebook.com - -{ +block{unwanted images} +handle-as-image } -.com/ads/ -/.*1x1.gif -/.*fb-icon.[jpg|gif|png] -/assets/social-.* -/cleardot.gif -/img/social.* -ads.*.co.*/ -ads.*.com/ - -{ +redirect{s@http://@https://@} } -.google.com -.wikipedia.org -code.jquery.com -imgur.com -``` - -验证 Privoxy 能够拦截和重定向: - -``` -$ ALL_PROXY=127.0.0.1:8118 curl ads.foo.com/ -IL -HTTP/1.1 403 Request blocked by Privoxy -Content-Type: image/gif -Content-Length: 64 -Cache-Control: no-cache - -$ ALL_PROXY=127.0.0.1:8118 curl imgur.com/ -IL -HTTP/1.1 302 Local Redirect from Privoxy -Location: https://imgur.com/ -Content-Length: 0 -Date: Sun, 09 Oct 2016 18:48:19 GMT - -HTTP/1.1 200 OK -Content-Type: text/html; charset=utf-8 -``` - -你能用小猫的图片来代替广告图片,例如,通过启动一个本地的 Web 服务器然后[重定向屏蔽的请求](https://www.privoxy.org/user-manual/actions-file.html#SET-IMAGE-BLOCKER)到本地。 - -### 浏览器 - -Web 浏览器引发最大的安全和隐私风险,因为它基本的工作是从因特网上下载和运行未信任的代码。 - -对于你的大部分浏览请使用 [Google Chrome](https://www.google.com/chrome/browser/desktop/)。它提供了[独立的配置文件](https://www.chromium.org/user-experience/multi-profiles),[好的沙盒处理](https://www.chromium.org/developers/design-documents/sandbox),[经常更新](http://googlechromereleases.blogspot.com/)(包括 Flash,尽管你应该禁用它 —— 
原因看下面),并且[自带牛哄哄的资格证书](https://www.chromium.org/Home/chromium-security/brag-sheet)。 - -Chrome 也有一个很好的 [PDF 阅读器](http://0xdabbad00.com/2013/01/13/most-secure-pdf-viewer-chrome-pdf-viewer/)。 - -如果你不想用 Chrome,[Firefox](https://www.mozilla.org/en-US/firefox/new/) 也是一个很好的浏览器。或两个都用。看这里的讨论 [#2](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/2),[#90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90)。 - -如果用 Firefox,查看 [TheCreeper/PrivacyFox](https://github.com/TheCreeper/PrivacyFox) 里推荐的隐私偏好设置。也要确保为基于 Mozilla 的浏览器检查 [NoScript](https://noscript.net/),它允许基于白名单预先阻止脚本。 - -创建至少三个配置文件,一个用来浏览**可信任的**网站 (邮箱,银行),另一个为了**大部分是可信的** 网站(聚合类,新闻类站点),第三个是针对完全**无 cookie** 和**无脚本**的网站浏览。 - -* 一个启用了 **无 cookies 和 Javascript**(例如, 在 `chrome://settings/content`中被关掉)的配置文件就应该用来访问未信任的网站。然而,如果不启用 Javascript,很多页面根本不会加载。 - -* 一个有 [uMatrix](https://github.com/gorhill/uMatrix) 或 [uBlock Origin](https://github.com/gorhill/uBlock)(或两个都有)的配置文件。用这个文件来访问**大部分是可信的**网站。花时间了解防火墙扩展程序是怎么工作的。其他经常被推荐的扩展程序是 [Privacy Badger](https://www.eff.org/privacybadger)、[HTTPSEverywhere](https://www.eff.org/https-everywhere) 和 [CertPatrol](http://patrol.psyced.org/)(仅限 Firefox)。 - -* 一个或更多的配置文件用来满足安全和可信任的浏览需求,例如仅限于银行和邮件。 - -想法是分隔并划分数据,那么如果一个“会话”出现漏洞或泄露隐私并不一定会影响其它数据。 - -在每一个文件里,访问 `chrome://plugins/` 并禁用 **Adobe Flash Player**。如果你一定要用 Flash,访问 `chrome://settings/contents`,在插件部分,启用在**让我自行选择何时运行插件内容**(也叫做 *click-to-play*)。 - -花时间阅读 [Chromium 安全](https://www.chromium.org/Home/chromium-security)和 [Chromium 隐私](https://www.chromium.org/Home/chromium-privacy)。 - -例如你可能希望禁用 [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching)(也可以阅读 [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf))。 - -你也应该知道 [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns),它能获取你本地或外网的(如果连到 VPN)IP 地址。这可以用诸如 [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) 和 
[rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent) 这样的扩展程序禁用掉。 - -很多源于 Chromium 的浏览器本文是不推荐的。它们通常[不开源](http://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943),[维护性差](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z),[有很多 bug](https://code.google.com/p/google-security-research/issues/detail?id=679),而且对保护隐私有可疑的声明。阅读 [The Private Life of Chromium Browsers](http://thesimplecomputer.info/the-private-life-of-chromium-browsers)。 - -也不推荐 Safari。代码一团糟而且[安全问题](https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/)[漏洞](https://vimeo.com/144872861)经常发生,并且打补丁很慢(阅读 [Hacker News 上的讨论](https://news.ycombinator.com/item?id=10150038))。安全[并不是](https://discussions.apple.com/thread/5128209) Safari 的一个优点。如果你硬要使用它,至少在偏好设置里[禁用](https://thoughtsviewsopinions.wordpress.com/2013/04/26/how-to-stop-downloaded-files-opening-automatically/)**下载后打开"安全的文件**,也要了解其他的[隐私差别](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/93)。 - -其他乱七八糟的浏览器,例如 [Brave](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/94),在这个指南里没有评估,所以既不推荐也不反对使用。 - -想浏览更多安全方面的问题,请阅读 [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932),[browserleaks.com](https://www.browserleaks.com/) 和 [EFF Panopticlick](https://panopticlick.eff.org/)。 - -### 插件 - -**Adobe Flash**, **Oracle Java**, **Adobe Reader**, **Microsoft Silverlight**(Netflix 现在使用了 [HTML5](https://help.netflix.com/en/node/23742)) 和其他的插件有[安全风险](https://news.ycombinator.com/item?id=9901480),不应该安装。 - -如果它们是必须的,只在一个虚拟机里安装它们并且订阅安全通知以便确保你总能及时修补漏洞。 - -阅读 [Hacking Team Flash Zero-Day](http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/)、[Java Trojan BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback)、[Acrobat Reader: Security 
Vulnerabilities](http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html) 和 [Angling for Silverlight Exploits](https://blogs.cisco.com/security/angling-for-silverlight-exploits)。 - -## PGP/GPG - -PGP 是一个端对端邮件加密标准。这意味着只是选中的接收者能解密一条消息,不像通常的邮件被提供者永久阅读和保存。 - -**GPG** 或 **GNU Privacy Guard**,是一个符合标准的 GPL 协议项目。 - -**GPG** 被用来验证你下载和安装的软件签名,既可以[对称](https://en.wikipedia.org/wiki/Symmetric-key_algorithm)也可以[非对称](https://en.wikipedia.org/wiki/Public-key_cryptography)的加密文件和文本。 - -从 Homebrew 上用 `brew install gnupg2` 安装。 - -如果你更喜欢图形化的应用,下载安装 [GPG Suite](https://gpgtools.org/)。 - -这有几个往 `~/.gnupg/gpg.conf` 中添加的[推荐选项](https://github.com/drduh/config/blob/master/gpg.conf): - -``` -auto-key-locate keyserver -keyserver hkps://hkps.pool.sks-keyservers.net -keyserver-options no-honor-keyserver-url -keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem -keyserver-options no-honor-keyserver-url -keyserver-options debug -keyserver-options verbose -personal-cipher-preferences AES256 AES192 AES CAST5 -personal-digest-preferences SHA512 SHA384 SHA256 SHA224 -default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed -cert-digest-algo SHA512 -s2k-digest-algo SHA512 -s2k-cipher-algo AES256 -charset utf-8 -fixed-list-mode -no-comments -no-emit-version -keyid-format 0xlong -list-options show-uid-validity -verify-options show-uid-validity -with-fingerprint -``` - -安装 keyservers [CA 认证](https://sks-keyservers.net/verify_tls.php): - - $ curl -O https://sks-keyservers.net/sks-keyservers.netCA.pem - - $ sudo mv sks-keyservers.netCA.pem /etc - -这些设置将配置 GnuPG 在获取新密钥和想用强加密原语时使用 SSL。 - -请阅读 [ioerror/duraconf/configs/gnupg/gpg.conf](https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf)。你也应该花时间读读 [OpenPGP Best Practices](https://help.riseup.net/en/security/message-security/openpgp/best-practices)。 - -如果你没有一个密钥对,可以用 `gpg --gen-key` 创建一个。也可以阅读 
[drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide)。 - -读[在线的](https://alexcabal.com/creating-the-perfect-gpg-keypair/)[指南](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup)并练习给你自己和朋友们加密解密邮件。让他们也对这篇文章感兴趣吧! - -## OTR - -OTR 代表 **off-the-record** 并且是一个针对即时消息对话加密和授权的密码协议。 - -你能在任何一个已存在的 [XMPP](https://xmpp.org/about) 聊天服务中使用 OTR,甚至是 Google Hangouts(它只在使用 TLS 的用户和服务器之间加密对话)。 - -你和某人第一次开始一段对话,你将被要求去验证他们的公钥指纹。确保是本人亲自操作或通过其它一些安全的方式(例如 GPG 加密过的邮件)。 -针对 XMPP 和其他的聊天协议,有一个流行的 macOS GUI 客户端是 [Adium](https://adium.im/)。 - -考虑下载一个 [beta 版本](https://beta.adium.im/),使用 OAuth2 验证,确保登录谷歌账号[更](https://adium.im/blog/2015/04/)[安全](https://trac.adium.im/ticket/16161)。 - -``` -Adium_1.5.11b3.dmg -SHA-256: 999e1931a52dc327b3a6e8492ffa9df724a837c88ad9637a501be2e3b6710078 -SHA-1: ca804389412f9aeb7971ade6812f33ac739140e6 -``` - -记住对于 Adium 的 OTR 聊天[禁用登录](https://trac.adium.im/ticket/15722)。 - -一个好的基于控制台的 XMPP 客户端是 [profanity](http://www.profanity.im/),它能用 `brew install profanity` 安装。 - -想增加匿名性的话,查看 [Tor Messenger](https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily),尽管它还在测试中,[Ricochet](https://ricochet.im/)(它最近接受了一个彻底的[安全审查](https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf))也是,这两个都使用 Tor 网络而不是依赖于消息服务器。 - -如果你想了解 OTR 是如何工作的,可以阅读这篇论文 [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf) - -## Tor - -Tor 是一个用来浏览网页的匿名代理。 - -从[官方 Tor 项目网站](https://www.torproject.org/projects/torbrowser.html)下载 Tor 浏览器。 - -**不要**尝试配置其他的浏览器或应用程序来使用 Tor,因为你可能会导致一个错误,危及你的匿名信息。 - -下载 `dmg` 和 `asc` 签名文件,然后验证已经被 Tor 开发者签过名的磁盘镜像: - -``` -$ cd Downloads - -$ file Tor* -TorBrowser-6.0.5-osx64_en-US.dmg: bzip2 compressed data, block size = 900k -TorBrowser-6.0.5-osx64_en-US.dmg.asc: PGP signature Signature (old) - -$ gpg Tor*asc -gpg: assuming signed data in `TorBrowser-6.0.5-osx64_en-US.dmg' -gpg: Signature made Fri Sep 16 07:51:52 2016 EDT using RSA key ID D40814E0 -gpg: Can't check signature: 
public key not found - -$ gpg --recv 0x4E2C6E8793298290 -gpg: requesting key 0x4E2C6E8793298290 from hkp server keys.gnupg.net -gpg: key 0x4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported -gpg: no ultimately trusted keys found -gpg: Total number processed: 1 -gpg: imported: 1 (RSA: 1) - -$ gpg Tor*asc -gpg: assuming signed data in 'TorBrowser-6.0.5-osx64_en-US.dmg' -gpg: Signature made Fri Sep 16 07:51:52 2016 EDT using RSA key ID D40814E0 -gpg: Good signature from "Tor Browser Developers (signing key) " [unknown] -gpg: WARNING: This key is not certified with a trusted signature! -gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 - Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0 -``` - -确保 `Good signature from "Tor Browser Developers (signing key) "`出现在输出结果中。关于密钥没被认证的警告没有危害的,因为它还没被手动分配信任。 - -看 [How to verify signatures for packages](https://www.torproject.org/docs/verifying-signatures.html) 获得更多信息。 - -要完成安装 Tor 浏览器,打开磁盘镜像,拖动它到应用文件夹里,或者这样: - -``` -$ hdiutil mount TorBrowser-6.0.5-osx64_en-US.dmg - -$ cp -rv /Volumes/Tor\ Browser/TorBrowser.app /Applications -``` - -也可以验证是否这个 Tor 应用程序是由名为 **MADPSAYN6T** 的 Apple 开发者账号进行签名编译的: - -``` -$ codesign -dvv /Applications/TorBrowser.app -Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox -Identifier=org.mozilla.tor browser -Format=app bundle with Mach-O thin (x86_64) -CodeDirectory v=20200 size=247 flags=0x0(none) hashes=5+3 location=embedded -Library validation warning=OS X SDK version before 10.9 does not support Library Validation -Signature size=4247 -Authority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T) -Authority=Developer ID Certification Authority -Authority=Apple Root CA -Signed Time=Nov 30, 2016, 10:40:34 AM -Info.plist entries=21 -TeamIdentifier=MADPSAYN6T -Sealed Resources version=2 rules=12 files=130 -Internal requirements count=1 size=184 
-``` - -为了查看证书的详细内容,可以使用 `codesign` 提取并且使用 `openssl` 对它进行解码: - -``` -$ codesign -d --extract-certificates /Applications/TorBrowser.app -Executable=/Applications/TorBrowser.app/Contents/MacOS/firefox - -$ file codesign* -codesign0: data -codesign1: data -codesign2: data - -$ openssl x509 -inform der -in codesign0 -subject -issuer -startdate -enddate -noout -subject= /UID=MADPSAYN6T/CN=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)/OU=MADPSAYN6T/O=The Tor Project, Inc/C=US -issuer= /CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US -notBefore=Apr 12 22:40:13 2016 GMT -notAfter=Apr 13 22:40:13 2021 GMT - -$ openssl x509 -inform der -in codesign0 -fingerprint -noout -SHA1 Fingerprint=95:80:54:F1:54:66:F3:9C:C2:D8:27:7A:29:21:D9:61:11:93:B3:E8 - -$ openssl x509 -inform der -in codesign0 -fingerprint -sha256 -noout -SHA256 Fingerprint=B5:0D:47:F0:3E:CB:42:B6:68:1C:6F:38:06:2B:C2:9F:41:FA:D6:54:F1:29:D3:E4:DD:9C:C7:49:35:FF:F5:D9 -``` - -Tor 流量对于[出口节点](https://en.wikipedia.org/wiki/Tor_anonymity_network#Exit_node_eavesdropping)(不能被一个网络窃听者读取)是**加密的**, Tor 是**可以**被发现的- 例如,TLS 握手“主机名”将会以明文显示: - -``` -$ sudo tcpdump -An "tcp" | grep "www" -listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes -.............". ...www.odezz26nvv7jeqz1xghzs.com......... -.............#.!...www.bxbko3qi7vacgwyk4ggulh.com......... -.6....m.....>...:.........|../* Z....W....X=..6...C../....................................0...0..0.......'....F./0.. *.H........0%1#0!..U....www.b6zazzahl3h3faf4x2.com0...160402000000Z..170317000000Z0'1%0#..U....www.tm3ddrghe22wgqna5u8g.net0..0.. 
-``` - -查看 [Tor Protocol Specification](https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt) 和 [Tor/TLSHistory](https://trac.torproject.org/projects/tor/wiki/org/projects/Tor/TLSHistory) 获得更多信息。 - -另外,你可能也希望使用一个 [pluggable transport](https://www.torproject.org/docs/pluggable-transports.html),例如 [Yawning/obfs4proxy](https://github.com/Yawning/obfs4) 或 [SRI-CSL/stegotorus](https://github.com/SRI-CSL/stegotorus) 来混淆 Tor 流量。 - -这能通过建立你自己的 [Tor relay](https://www.torproject.org/docs/tor-relay-debian.html) 或找到一个已存在的私有或公用的 [bridge](https://www.torproject.org/docs/bridges.html.en#RunningABridge) 来作为一个混淆入口节点来实现。 - -对于额外的安全性,在 [VirtualBox](https://www.virtualbox.org/wiki/Downloads) 或 [VMware](https://www.vmware.com/products/fusion),可视化的 [GNU/Linux](http://www.brianlinkletter.com/installing-debian-linux-in-a-virtualbox-virtual-machine/) 或 [BSD](http://www.openbsd.org/faq/faq4.html) 机器里用 Tor。 - -最后,记得 Tor 网络提供了[匿名](https://www.privateinternetaccess.com/blog/2013/10/how-does-privacy-differ-from-anonymity-and-why-are-both-important/),这并不等于隐私。Tor 网络不一定能防止一个全球的窃听者能获得流量统计和[相关性](https://blog.torproject.org/category/tags/traffic-correlation)。你也可以阅读 [Seeking Anonymity in an Internet Panopticon](http://bford.info/pub/net/panopticon-cacm.pdf) 和 [Traffic Correlation on Tor by Realistic Adversaries](http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf)。 - -阅读 [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) 和它的 [Tor 对比](https://geti2p.net/en/comparison/tor)。 - -## VPN - -如果你在未信任的网络使用 Mac - 机场,咖啡厅等 - 你的网络流量会被监控并可能被篡改。 - -用一个 VPN 是个好想法,它能用一个你信任的提供商加密**所有**输出的网络流量。举例说如何建立并拥有自己的 VPN,阅读 [drduh/Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide)。 - -不要盲目地还没理解整个流程和流量将如何被传输就为一个 VPN 服务签名。如果你不理解 VPN 是怎样工作的或不熟悉软件的使用,你就最好别用它。 - -当选择一个 VPN 服务或建立你自己的服务时,确保研究过协议,密钥交换算法,认证机制和使用的加密类型。诸如 [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security) 这样的一些协议,应该避免支持 [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN)。 - -当 VPN 
被中断或失去连接时,一些客户端可能通过下一个可用的接口发送流量。查看 [scy/8122924](https://gist.github.com/scy/8122924) 研究下如何允许流量只通过 VPN。 - -另一些脚本会关闭系统,所以只能通过 VPN 访问网络,这就是 the Voodoo Privacy project - [sarfata/voodooprivacy](https://github.com/sarfata/voodooprivacy) 的一部分,有一个更新的指南用来在一个虚拟机上([hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn))或一个 docker 容器([hwdsl2/docker-ipsec-vpn-server](https://github.com/hwdsl2/docker-ipsec-vpn-server))上建立一个 IPSec VPN。 - -## 病毒和恶意软件 - -面对[日益增长](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html)的恶意软件,Mac 还无法很好的防御这些病毒和恶意软件! - -一些恶意软件捆绑在正版软件上,比如 [Java bundling Ask Toolbar](http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/),还有 [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) 这种和盗版软件捆绑到一块的。 [Malwarebytes Anti-Malware for Mac](https://www.malwarebytes.com/antimalware/mac/) 是一款超棒的应用,它可以帮你摆脱种类繁多的垃圾软件和其他恶意程序的困扰。 - -看看[恶意软件驻留在 Mac OS X 的方法](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) 和[恶意软件在 OS X Yosemite 后台运行](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite)了解各种恶意软件的功能和危害。 - -你可以定期运行 [Knock Knock](https://github.com/synack/knockknock) 这样的工具来检查在持续运行的应用(比如脚本,二进制程序)。但这种方法可能已经过时了。[Block Block](https://objective-see.com/products/blockblock.html) 和 [Ostiarius](https://objective-see.com/products/ostiarius.html) 这样的应用可能还有些帮助。可以在 [issue #90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) 中查看相关警告。除此之外,使用 [Little Flocker](https://www.littleflocker.com/) 也能保护部分文件系统免遭非法写入,类似 Little Snitch 保护网络 (注意,该软件目前是 beta 版本,[谨慎使用](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128))。 - -**反病毒**软件是把双刃剑 -- 对于**高级**用户没什么用,却可能面临更多复杂攻击的威胁。然而对于 Mac **新手**用户可能是有用的,可以检测到“各种”恶意软件。不过也要考到额外的处理开销。 - -看看 [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an 
ESET Vulnerability](http://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), 和 [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). - -因此,最好的防病毒方式是日常地防范。看看 [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44) 中的讨论。 - -macOS 上有很多本地提权漏洞,所以要小心那些从第三方网站或 HTTP([案例](http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/))下载且运行受信或不受信的程序。 - -看看 [The Safe Mac](http://www.thesafemac.com/) 上过去和目前的 Mac 安全新闻。 - -也检查下 [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) 为 Mac OS 开发的恶意软件:[root installation for MacOS](https://github.com/hackedteam/vector-macos-root)、 [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) 和 [RCS Agent for Mac](https://github.com/hackedteam/core-macos),这是一个很好的示例,一些高级的恶意程序是如何在**用户空间**隐藏自己的(例如 `ps`、`ls`)。想了解更多的话,看看 [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) 和 [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/)。 - -## 系统完整性保护 - -[System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) 这个安全特性源于 OS X 10.11 "El Capitan"。默认是开启的,不过[可以禁用](https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/),这可能需要更改某些系统设置,如删除根证书颁发机构或卸载某些启动守护进程。保持这项功能默认开启状态。 - -摘取自 [OS X 10.11 新增功能](https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html): - -> 一项新的安全政策,应用于每个正在运行的进程,包括特权代码和非沙盒中运行的代码。该策略对磁盘上和运行时的组件增加了额外的保护,只允许系统安装程序和软件更新修改系统二进制文件。不再允许代码注入和运行时附加系统二进制文件。 
- -阅读 [What is the “rootless” feature in El Capitan, really?](https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really) - -[禁用 SIP](http://appleinsider.com/articles/16/11/17/system-integrity-protection-disabled-by-default-on-some-touch-bar-macbook-pros) 的一些 MacBook 已经售出。要验证 SIP 是否已启用,请使用命令 `csrutil status`,该命令应返回:`System Integrity Protection status: enabled.`。否则,通过恢复模式[启用 SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html)。 - -## Gatekeeper 和 XProtect - -**Gatekeeper** 和 **quarantine** 系统试图阻止运行(打开)未签名或恶意程序及文件。 - -**XProtect** 防止执行已知的坏文件和过时的版本插件,但并不能清除或停止现有的恶意软件。 - -两者都提供了对常见风险的一些保护,默认设置就好。 - -你也可以阅读 [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafemac.com/mmg-builtin/) 和 [Gatekeeper, XProtect and the Quarantine attribute](http://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html)。 - -**注意** Quarantine 会将下载的文件信息存储在 `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`,这可能会造成隐私泄露的风险。简单的使用 `strings` 或下面的命令来检查文件: - - $ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 - -阅读[这篇文章](http://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/)了解更多信息。 - -想永久禁用此项功能,[清除文件](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line)和[让它不可更改](http://hints.macworld.com/article.php?story=20031017061722471): - - $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 - - $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 - -此外,macOS 附加元数据([HFS+ extended 
attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X))来下载文件,能通过 `mdls` 和 `xattr` 指令来观察: - -``` -$ ls -l@ ~/Downloads/TorBrowser-6.0.8-osx64_en-US.dmg --rw-r--r--@ 1 drduh staff 59322237 Dec 1 12:00 TorBrowser-6.0.8-osx64_en-US.dmg -com.apple.metadata:kMDItemWhereFroms 186 -com.apple.quarantine 68 - -$ mdls ~/Downloads/TorBrowser-6.0.8-osx64_en-US.dmg -_kMDItemOwnerUserID = 501 -kMDItemContentCreationDate = 2016-12-01 12:00:00 +0000 -kMDItemContentModificationDate = 2016-12-01 12:00:00 +0000 -kMDItemContentType = "com.apple.disk-image-udif" -kMDItemContentTypeTree = ( - "public.archive", - "public.item", - "public.data", - "public.disk-image", - "com.apple.disk-image", - "com.apple.disk-image-udif" -) -kMDItemDateAdded = 2016-12-01 12:00:00 +0000 -kMDItemDisplayName = "TorBrowser-6.0.8-osx64_en-US.dmg" -kMDItemFSContentChangeDate = 2016-12-01 12:00:00 +0000 -kMDItemFSCreationDate = 2016-12-01 12:00:00 +0000 -kMDItemFSCreatorCode = "" -kMDItemFSFinderFlags = 0 -kMDItemFSHasCustomIcon = (null) -kMDItemFSInvisible = 0 -kMDItemFSIsExtensionHidden = 0 -kMDItemFSIsStationery = (null) -kMDItemFSLabel = 0 -kMDItemFSName = "TorBrowser-6.0.8-osx64_en-US.dmg" -kMDItemFSNodeCount = (null) -kMDItemFSOwnerGroupID = 5000 -kMDItemFSOwnerUserID = 501 -kMDItemFSSize = 60273898 -kMDItemFSTypeCode = "" -kMDItemKind = "Disk Image" -kMDItemLogicalSize = 60273898 -kMDItemPhysicalSize = 60276736 -kMDItemWhereFroms = ( - "https://dist.torproject.org/torbrowser/6.0.8/TorBrowser-6.0.8-osx64_en-US.dmg", - "https://www.torproject.org/projects/torbrowser.html.en" -) - -$ xattr -l TorBrowser-6.0.8-osx64_en-US.dmg -com.apple.metadata:kMDItemWhereFroms: -00000000  62 70 6C 69 73 74 30 30 A2 01 02 5F 10 4D 68 74  |bplist00..._.Mht| -00000010  74 70 73 3A 2F 2F 64 69 73 74 2E 74 6F 72 70 72  |tps://dist.torpr| -00000020  6F 6A 65 63 74 2E 6F 72 67 2F 74 6F 72 62 72 6F  |oject.org/torbro| -00000030  77 73 65 72 2F 36 2E 30 2E 38 2F 54 6F 72 42 72  |wser/6.0.8/TorBr| -00000040  6F 77 
73 65 72 2D 36 2E 30 2E 38 2D 6F 73 78 36  |owser-6.0.8-osx6| -00000050  34 5F 65 6E 2D 55 53 2E 64 6D 67 5F 10 36 68 74  |4_en-US.dmg_.6ht| -00000060  74 70 73 3A 2F 2F 77 77 77 2E 74 6F 72 70 72 6F  |tps://www.torpro| -00000070  6A 65 63 74 2E 6F 72 67 2F 70 72 6F 6A 65 63 74  |ject.org/project| -00000080  73 2F 74 6F 72 62 72 6F 77 73 65 72 2E 68 74 6D  |s/torbrowser.htm| -00000090  6C 2E 65 6E 08 0B 5B 00 00 00 00 00 00 01 01 00  |l.en..[.........| -000000A0  00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00  |................| -000000B0  00 00 00 00 00 00 94                             |.......| -000000b7 -com.apple.quarantine: 0081;58519ffa;Google Chrome.app;1F032CAB-F5A1-4D92-84EB-CBECA971B7BC -``` - -可以使用 `-d` 指令标志移除原数据属性: - -``` -$ xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg - -$ xattr -d com.apple.quarantine ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg - -$ xattr -l ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg -[No output after removal.] 
-``` - -## 密码 - -你可以使用 OpenSSL 生成强密码: - - $ openssl rand -base64 30 - LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI - -或者 GPG: - - $ gpg --gen-random -a 0 30 - 4/bGZL+yUEe8fOqQhF5V01HpGwFSpUPwFcU3aOWQ - -或 `/dev/urandom` 输出: - - $ dd if=/dev/urandom bs=1 count=30 2>/dev/null | base64 - CbRGKASFI4eTa96NMrgyamj8dLZdFYBaqtWUSxKe - -还可以控制字符集: - - $ LANG=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 1 - jm0iKn7ngQST8I0mMMCbbi6SKPcoUWwCb5lWEjxK - - $ LANG=C tr -dc 'DrDuh0-9' < /dev/urandom | fold -w 40 | head -n 1 - 686672u2Dh7r754209uD312hhh23uD7u41h3875D - -你也可以用 **Keychain Access(钥匙串访问)**生成一个令人难忘的密码,或者用 [anders/pwgen](https://github.com/anders/pwgen) 这样的命令行生成。 - -钥匙串使用 [PBKDF2 派生密钥](https://en.wikipedia.org/wiki/PBKDF2)加密,是个**非常安全**存储凭据的地方。看看 [Breaking into the OS X keychain](http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain)。还要注意钥匙串[不加密](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/118)的密码对应密码输入的名称。 - -或者,可以自己用 GnuPG (基于 [drduh/pwd.sh](https://github.com/drduh/pwd.sh) 密码管理脚本的一个插件)管理一个加密的密码文件。 - -除密码外,确保像 GitHub、 Google 账号、银行账户这些网上的账户,开启[两步验证](https://en.wikipedia.org/wiki/Two-factor_authentication)。 - -看看 [Yubikey](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/) 的两因素和私钥(如:ssh、gpg)硬件令牌。 阅读 [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) 和 [trmm.net/Yubikey](https://trmm.net/Yubikey)。两个 Yubikey 的插槽之一可以通过编程来生成一个长的静态密码(例如可以与短的,记住的密码结合使用)。 - -除了登录和其他 PAM 模块,也能用 Yubikey 来使你的登录和 sudo 更安全,这里有份来自[Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf)的 pdf 文档。Yubikey 有点贵,这有个更便宜的替代品,但是没有它好,[U2F Zero](https://www.u2fzero.com/)。这有份文档来[启动它](https://microamps.gibsjose.com/u2f-authentication-on-os-x/)。 - -## 备份 - -备份到外部介质或在线服务之前,总是先对本地文件进行加密。 - -一种方法是使用 GPG 对称加密,你选择一个密码。 - -加密一个文件夹: - - $ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg - -解密文档: - - $ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg 
&& \ - tar zxvf ~/Desktop/decrypted-backup.tar.gz - -你也可以用 **Disk Utility** 或 `hdiutil` 创建加密卷: - - $ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+ - -这个 `hdiutil` 也会用 `-type SPARSE-BUNDLE` 模式。这一些sparse bundle可以让你加快备份。应为第一次所有的数据要传过去。但是第二、三等次只用传你改变的数据。 - -你可以用 `rsync` 传你的加密过的数据: - -```console -rsync --recursive --times --progress --delete --verbose --stats MyEncryptedDrive.sparsebundle user@server:/path/to/backup -``` - -也可以考虑使用下面的应用和服务:[SpiderOak](https://spideroak.com/)、[Arq](https://www.arqbackup.com/)、[Espionage](https://www.espionageapp.com/) 和 [restic](https://restic.github.io/)。 - -## Wi-Fi - -macOS 会记住它连接过的接入点。比如所有无线设备,每次搜寻网络的时候,Mac 将会显示所有它记住的接入点名称(如 *MyHomeNetwork*) ,比如每次从休眠状态唤醒设备的时候。 - -这就有泄漏隐私的风险,所以当不再需要的时候最好从列表中移除这些连接过的网络, 在 **System Preferences** > **Network** > **Advanced** 。 - -看看 [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](http://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) 和 [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf)。 - -保存的 Wi-Fi 信息 (SSID、最后一次连接等)可以在 `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` 中找到。 - -你可能希望在连接到新的和不可信的无线网络之前[伪造网卡 MAC 地址](https://en.wikipedia.org/wiki/MAC_spoofing),以减少被动特征探测: - - $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') - -**注意**每次启动,MAC 地址将重置为硬件默认地址。 - -了解下 [feross/SpoofMAC](https://github.com/feross/SpoofMAC). 
- -最后,WEP 保护在无线网络是[不安全](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/)的,你应该尽量选择连接 **WPA2** 保护网络,可以减少被窃听的风险。 - -## SSH - -对于向外的 ssh 连接,使用硬件或密码保护的秘钥,[设置](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/)远程 hosts 并考虑对它们进行[哈希](http://nms.csail.mit.edu/projects/ssh/),以增强安全性。 - -将这几个[配置项](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5)加到 `~/.ssh/config`: - - Host * - PasswordAuthentication no - ChallengeResponseAuthentication no - HashKnownHosts yes - -**注意** [macOS Sierra 默认永久记住 SSH 秘钥密码](https://openradar.appspot.com/28394826)。添加配置 `UseKeyChain no` 来关闭这项功能。 - -你也可以用 ssh 创建一个[加密隧道](http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html)来发送数据,这有点类似于 VPN。 - -例如,在一个远程主机上使用 Privoxy: - - $ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld - - $ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555 - - $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 - -或者使用 ssh 连接作为 [SOCKS 代理](https://www.mikeash.com/ssh_socks.html): - - $ ssh -NCD 3000 you@remote-host.tld - -默认情况下, macOS **没有** sshd ,也不允许**远程登陆**。 - -启用 sshd 且允许进入的 ssh 连接: - - $ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist - -或者设置 **System Preferences** > **Sharing** 菜单。 - -如果你准备使用 sshd,至少禁用密码身份验证并考虑进一步[强化](https://stribika.github.io/2015/01/04/secure-secure-shell.html)配置。 - -找到 `/etc/sshd_config`,添加: - -``` -PasswordAuthentication no -ChallengeResponseAuthentication no -UsePAM no -``` - -确认 sshd 是否启用: - - $ sudo lsof -Pni TCP:22 - -## 物理访问 - -时刻保证 Mac 物理安全。不要将 Mac 留在无人照看的酒店之类的地方。 - -有一种攻击就是通过物理访问,通过注入引导 ROM 来安装键盘记录器,偷走你的密码。看看这个案例 [Thunderstrike](https://trmm.net/Thunderstrike)。 - -有个工具 [usbkill](https://github.com/hephaest0s/usbkill) 可以帮助你,这是**"一个反监视断路开关,一旦发现 USB 端口发生改变就会关闭你的计算机"**。 - -考虑购买屏幕[隐私过滤器](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook)防止别人偷瞄。 - - -## 系统监控 - -#### OpenBSM 
监测 - -macOS 具有强大的 OpenBSM 审计功能。你可以使用它来监视进程执行、网络活动等等。 - -跟踪监测日志,使用 `praudit` 工具: - -``` -$ sudo praudit -l /dev/auditpipe -header,201,11,execve(2),0,Thu Sep 1 12:00:00 2015, + 195 msec,exec arg,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,attribute,100755,root,wheel,16777220,986535,0,subject,drduh,root,wheel,root,wheel,412,100005,50511731,0.0.0.0,return,success,0,trailer,201, -header,88,11,connect(2),0,Thu Sep 1 12:00:00 2015, + 238 msec,argument,1,0x5,fd,socket-inet,2,443,173.194.74.104,subject,drduh,root,wheel,root,wheel,326,100005,50331650,0.0.0.0,return,failure : Operation now in progress,4354967105,trailer,88 -header,111,11,OpenSSH login,0,Thu Sep 1 12:00:00 2015, + 16 msec,subject_ex,drduh,drduh,staff,drduh,staff,404,404,49271,::1,text,successful login drduh,return,success,0,trailer,111, -``` - -看看 `audit`、`praudit`、`audit_control` 的操作手册,其它文件在 `/etc/security`目录下。 - -**注意**虽然 `audit 手册` 上说 `-s` 标签会立即同步到配置中,实际上需要重启才能生效。 - -更多信息请看 [ilostmynotes.blogspot.com](http://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) 和 [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) 上的文章。 - -#### DTrace - -`iosnoop` 监控磁盘 I/O - -`opensnoop` 监控文件打开 - -`execsnoop` 监控进程执行 - -`errinfo` 监控失败的系统调用 - -`dtruss` 监控所有系统调用 - -运行命令 `man -k dtrace` 去了解更多信息。 - -**注意**[系统完整性保护](https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection)和 DTrace [冲突](http://internals.exposed/blog/dtrace-vs-sip.html),所以这些工具可能用不上了。 - -#### 运行 - -`ps -ef` 列出所有正在运行的进程。 - -你也可以通过**活动监视器**来查看进程。 - -`launchctl list` 和 `sudo launchctl list` 分别列出用户运行和加载的程序、系统启动守护程序和代理。 - -#### 网络 - -列出公开网络文件: - - $ sudo lsof -Pni - -列出各种网络相关的数据结构的内容: - - $ sudo netstat -atln - -你也可以通过命令行使用 [Wireshark](https://www.wireshark.org/)。 - -监控 DNS 查询和响应: - -``` -$ tshark -Y "dns.flags.response == 1" -Tfields \ - -e frame.time_delta \ - -e dns.qry.name \ - -e dns.a \ - -Eseparator=, 
-``` - -监控 HTTP 请求和响应: - -``` -$ tshark -Y "http.request or http.response" -Tfields \ - -e ip.dst \ - -e http.request.full_uri \ - -e http.request.method \ - -e http.response.code \ - -e http.response.phrase \ - -Eseparator=/s -``` - -监控 x509 证书: - -``` -$ tshark -Y "ssl.handshake.certificate" -Tfields \ - -e ip.src \ - -e x509sat.uTF8String \ - -e x509sat.printableString \ - -e x509sat.universalString \ - -e x509sat.IA5String \ - -e x509sat.teletexString \ - -Eseparator=/s -Equote=d -``` - -也可以考虑简单的网络监控程序 [BonzaiThePenguin/Loading](https://github.com/BonzaiThePenguin/Loading)。 - -## 二进制白名单 - -[google/santa](https://github.com/google/santa/) 是一款为 Google 公司 Macintosh 团队开发的一款安全软件,而且是开源的。 - -> Santa 是 macOS 上一个二进制白名单/黑名单系统。它由多个部分组成,一个是监控执行程序的内核扩展,基于 SQLite 数据库内容进行执行决策的用户级守护进程,决定拦截的情况下通知用户的一个 GUI 代理,以及用于管理系统和数据库同步服务的命令行实用程序。 - -Santa 使用[内核授权 API](https://developer.apple.com/library/content/technotes/tn2127/_index.html) 来监视和允许/禁止在内核中执行二进制文件。二进制文件可以是经过唯一哈希或开发者证书签名的白/黑名单。Santa 可以用来只允许执行可信代码,或者阻止黑名单中已知恶意软件在 Mac 上运行,和 Windows 软件 Bit9 类似。 - -**注意** Santa 目前还没有管理规则的用户图形界面。下面的教程是为高级用户准备的! - -安装 Santa,先访问[发布](https://github.com/google/santa/releases)页面,下载最新的磁盘镜像,挂载然后安装相关软件包: - -``` -$ hdiutil mount ~/Downloads/santa-0.9.14.dmg - -$ sudo installer -pkg /Volumes/santa-0.9.14/santa-0.9.14.pkg -tgt / -``` - -Santa 默认安装为 "Monitor" 模式 (不拦截,只记录),有两个规则:一条是为了 Apple 二进制,另一条是为了 Santa 软件本身。 - -验证 Santa 是否在运行,内核模块是否加载: - -``` -$ santactl status ->>> Daemon Info - Mode | Monitor - File Logging | No - Watchdog CPU Events | 0 (Peak: 0.00%) - Watchdog RAM Events | 0 (Peak: 0.00MB) ->>> Kernel Info - Kernel cache count | 0 ->>> Database Info - Binary Rules | 0 - Certificate Rules | 2 - Events Pending Upload | 0 - -$ ps -ef | grep "[s]anta" - 0 786 1 0 10:01AM ?? 
0:00.39 /Library/Extensions/santa-driver.kext/Contents/MacOS/santad --syslog - -$ kextstat | grep santa - 119 0 0xffffff7f822ff000 0x6000 0x6000 com.google.santa-driver (0.9.14) 693D8E4D-3161-30E0-B83D-66A273CAE026 <5 4 3 1> -``` - -创建一个黑名单规则来阻止 iTunes 运行: - - $ sudo santactl rule --blacklist --path /Applications/iTunes.app/ - Added rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3. - -试试打开 iTunes ,它会被阻止运行。 - - $ open /Applications/iTunes.app/ - LSOpenURLsWithRole() failed with error -10810 for the file /Applications/iTunes.app. - -Santa block dialog when attempting to run a blacklisted program - -移除规则: - - $ sudo santactl rule --remove --path /Applications/iTunes.app/ - Removed rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3. - -打开 iTunes: - - $ open /Applications/iTunes.app/ - [iTunes will open successfully] - -创建一个新的 C 语言小程序: - -``` -$ cat < foo.c -> #include -> main() { printf("Hello World\n”); } -> EOF -``` - -用 GCC 编译该程序(需要安装 Xcode 或者命令行工具): - -``` -$ gcc -o foo foo.c - -$ file foo -foo: Mach-O 64-bit executable x86_64 - -$ codesign -d foo -foo: code object is not signed at all -``` - -运行它: - -``` -$ ./foo -Hello World -``` - -将 Santa 切换为 “Lockdown” 模式,这种情况下只允许白名单内二进制程序运行: - - $ sudo defaults write /var/db/santa/config.plist ClientMode -int 2 - -试试运行未签名的二进制: - -``` -$ ./foo -bash: ./foo: Operation not permitted - -Santa - -The following application has been blocked from executing -because its trustworthiness cannot be determined. 
- -Path: /Users/demouser/foo -Identifier: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed -Parent: bash (701) -``` -想要在白名单中添加一个指定的二进制,确定其 SHA-256 值: - -``` -$ santactl fileinfo /Users/demouser/foo -Path : /Users/demouser/foo -SHA-256 : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed -SHA-1 : 4506f3a8c0a5abe4cacb98e6267549a4d8734d82 -Type : Executable (x86-64) -Code-signed : No -Rule : Blacklisted (Unknown) -``` - -增加一条白名单规则: - - $ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed - Added rule for SHA-256: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed. - -运行它: - -``` -$ ./foo -Hello World -``` - -小程序没有被阻止,它成功的运行了。 - -应用程序也可以通过开发者签名来加到白名单中(这样每次更新应用程序的时候,新版本的二进制文件就不用手动加到白名单中了)。例如,下载运行 Google Chrome , 在 "Lockdown" 模式下 Santa 会阻止它运行: - -``` -$ curl -sO https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg - -$ hdiutil mount googlechrome.dmg - -$ cp -r /Volumes/Google\ Chrome/Google\ Chrome.app /Applications/ - -$ open /Applications/Google\ Chrome.app/ -LSOpenURLsWithRole() failed with error -10810 for the file /Applications/Google Chrome.app. -``` - -通过它自己的开发者签名将应用加到白名单中(Signing Chain 中第一项): - -``` -$ santactl fileinfo /Applications/Google\ Chrome.app/ -Path : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -SHA-256 : 0eb08224d427fb1d87d2276d911bbb6c4326ec9f74448a4d9a3cfce0c3413810 -SHA-1 : 9213cbc7dfaaf7580f3936a915faa56d40479f6a -Bundle Name : Google Chrome -Bundle Version : 2883.87 -Bundle Version Str : 55.0.2883.87 -Type : Executable (x86-64) -Code-signed : Yes -Rule : Blacklisted (Unknown) -Signing Chain: - 1. SHA-256 : 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 - SHA-1 : 85cee8254216185620ddc8851c7a9fc4dfe120ef - Common Name : Developer ID Application: Google Inc. - Organization : Google Inc. - Organizational Unit : EQHXZ8M8AV - Valid From : 2012/04/26 07:10:10 -0700 - Valid Until : 2017/04/27 07:10:10 -0700 - - 2. 
SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f - SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186 - Common Name : Developer ID Certification Authority - Organization : Apple Inc. - Organizational Unit : Apple Certification Authority - Valid From : 2012/02/01 14:12:15 -0800 - Valid Until : 2027/02/01 14:12:15 -0800 - - 3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024 - SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60 - Common Name : Apple Root CA - Organization : Apple Inc. - Organizational Unit : Apple Certification Authority - Valid From : 2006/04/25 14:40:36 -0700 - Valid Until : 2035/02/09 13:40:36 -0800 -``` - -这个例子中, `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153` 是 Google’s Apple 开发者证书的 SHA-256 (team ID EQHXZ8M8AV)。 将它加到白名单中: - -``` -$ sudo santactl rule --whitelist --certificate --sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 -Added rule for SHA-256: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153. -``` - -Google Chrome 现在应该可以启动了,以后的更新也不会被阻止,除非签名证书修改了或过期了。 - -关闭 “Lockdown” 模式: - - $ sudo defaults delete /var/db/santa/config.plist ClientMode - -在 `/var/log/santa.log` 可以查看监控器**允许**和**拒绝**执行的决策记录。 - -[Zentral](https://github.com/zentralopensource/zentral)里有针对 Santa 的一个日志和配置框架,Zentral 是一个开源的事件监控框架和针对osquery 和 Santa 的 TLS 服务器。 - -Zentral 会在监控和锁定模式支持 Santa。客户端需要建立一个 TLS 连接来同步 Santa 规则。所有来自终端的 Santa 事件会汇总并记录在 Zentral 里。Santa 事件能从 Zentral 框架内部触发行为和通知。 - -**注意** Python、Bash 和其它解释性语言是在白名单中的(因为它们是由苹果开发者证书签名的),所以 Santa 不会阻止这些脚本的运行。因此,要注意到 Santa 可能无法有效的拦截非二进制程序运行(这不算漏洞,因为它本身就这么设计的)。 - -## 其它 - -如果你想的话,禁用[诊断与用量](https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data). 
- -如果你想播放**音乐**或看**视频**,使用 [VLC 播放器](https://www.videolan.org/vlc/index.html),这是免费且开源的。 - -如果你想用 **torrents**, 使用免费、开源的 [Transmission](http://www.transmissionbt.com/download/)(注意:所有软件都一样,即使是开源项目,[恶意软件还是可能找到破解的方式](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/))。你可能希望使用一个块列表来避免和那些已知的坏主机配对,了解下 [Transmission 上最好的块列表](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) 和 [johntyree/3331662](https://gist.github.com/johntyree/3331662)。 - -用 [duti](http://duti.org/) 管理默认文件处理,可以通过 `brew install duti` 来安装。管理扩展的原因之一是为了防止远程文件系统在 Finder 中自动挂载。 ([保护自己免受 Sparkle 后门影响](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/))。这里有几个推荐的管理指令: - -``` -$ duti -s com.apple.Safari afp - -$ duti -s com.apple.Safari ftp - -$ duti -s com.apple.Safari nfs - -$ duti -s com.apple.Safari smb -``` - -使用**控制台**应用程序来监控系统日志,也可以用 `syslog -w` 或 `log stream` 命令。 - -在 macOS Sierra (10.12) 之前的系统,在 `/etc/sudoers`启用 [tty_tickets flag](https://derflounder.wordpress.com/2016/09/21/tty_tickets-option-now-on-by-default-for-macos-sierras-sudo-tool/) 来阻止 sudo 会话在其它终端生效。使用命令 `sudo visudo` 然后添加一行 `Defaults tty_tickets` 就可以了。 - -设置进入休眠状态时马上启动屏幕保护程序: - - $ defaults write com.apple.screensaver askForPassword -int 1 - - $ defaults write com.apple.screensaver askForPasswordDelay -int 0 - -在 Finder 中显示隐藏文件和文件夹: - - $ defaults write com.apple.finder AppleShowAllFiles -bool true - - $ chflags nohidden ~/Library - -显示所有文件扩展名(这样 "Evil.jpg.app" 就无法轻易伪装了)。 - - $ defaults write NSGlobalDomain AppleShowAllExtensions -bool true - -不要默认将文档保存到 iCloud: - - $ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false - -在终端启用[安全键盘输入](https://security.stackexchange.com/questions/47749/how-secure-is-secure-keyboard-entry-in-mac-os-xs-terminal)(除非你用 [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) 或者像 
[TextExpander](https://smilesoftware.com/textexpander/secureinput) 这样的程序)。 - -禁用崩溃报告(就是那个在程序崩溃后,会出现提示将问题报告给苹果的提示框): - - $ defaults write com.apple.CrashReporter DialogType none - -禁用 Bonjour [多播广告](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): - - $ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES - -如果用不上的话,[禁用 Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) 和蓝牙功能。 - -考虑 [sandboxing](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html) 你的应用程序。 了解下 [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) 和 [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles)。 - -你知道苹果公司自 [2006](http://osxbook.com/book/bonus/chapter10/tpm/) 后就不再出售带 TPM 的电脑了吗? - -## 相关软件 - -[Santa](https://github.com/google/santa/) - macOS 上一个带二进制白名单/黑名单监控系统的软件。 - -[kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - 检查你的 OSX 设备各种硬件配置设置。 - -[Lockdown](https://objective-see.com/products/lockdown.html) - 审查和修正安全配置。 - -[Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - 扫描那些容易被劫持或已经被黑的应用。 - -[Little Flocker](https://www.littleflocker.com/) - "Little Snitch for files", 防止应用程序访问文件。 - -[facebook/osquery](https://github.com/facebook/osquery) - 可以检索系统底层信息。用户可以编写 SQL 来查询系统信息。 - -[google/grr](https://github.com/google/grr) - 事件响应框架侧重于远程现场取证。 - -[yelp/osxcollector](https://github.com/yelp/osxcollector) - 证据收集 & OS X 分析工具包。 - -[jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - 分析运行系统时的部件,比如隔离的文件, Safari、 Chrome 和 Firefox 历史记录, 下载,HTML5 数据库和本地存储、社交媒体、电子邮件帐户、和 Wi-Fi 接入点的名称。 - -[libyal/libfvde](https://github.com/libyal/libfvde) - 访问 FileVault Drive Encryption (FVDE) (或 FileVault2) 加密卷的库。 - 
-[CISOfy/lynis](https://github.com/CISOfy/lynis) - 跨平台安全审计工具,并协助合规性测试和系统强化。 - -[Zentral](https://github.com/zentralopensource/zentral)- 一个针对 santa 和 osquery 的日志和配置框架。在盘点、事件 -日志文件,结合时点的提醒上运行排查和探测。一个完整的框架和 Django web 服务器搭建在 elastic stack(通常叫 ELK stack)基础上。 - -## 其它资源 - -**排名不分先后** - -[MacOS Hardening Guide - Appendix of \*OS Internals: Volume III - Security & Insecurity Internals](http://newosxbook.com/files/moxii3/AppendixA.pdf) (pdf) - -[Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) - -[OS X Core Technologies Overview White Paper](https://www.apple.com/osx/all-features/pdf/osx_elcapitan_core_technologies_overview.pdf) (pdf) - -[Reverse Engineering Mac OS X blog](https://reverse.put.as/) - -[Reverse Engineering Resources](http://samdmarshall.com/re.html) - -[Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html) - -[Managing Macs at Google Scale (LISA '13)](https://www.usenix.org/conference/lisa13/managing-macs-google-scale) - -[OS X Hardening: Securing a Large Global Mac Fleet (LISA '13)](https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet) - -[DoD Security Technical Implementation Guides for Mac OS](http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx) - -[The EFI boot process](http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) - -[The Intel Mac boot process](http://refit.sourceforge.net/info/boot_process.html) - -[Userland Persistence on Mac OS X](https://archive.org/details/joshpitts_shmoocon2015) - -[Developing Mac OSX kernel rootkits](http://phrack.org/issues/66/16.html#article) - -[IOKit kernel code execution exploit](https://code.google.com/p/google-security-research/issues/detail?id=135) - -[Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/) - -[IPv6 Hardening Guide 
for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) - -[Harden the World: Mac OSX 10.11 El Capitan](http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/) - -[Hacker News discussion](https://news.ycombinator.com/item?id=10148077) - -[Hacker News discussion 2](https://news.ycombinator.com/item?id=13023823) - -[Apple Open Source](https://opensource.apple.com/) - -[OS X 10.10 Yosemite: The Ars Technica Review](http://arstechnica.com/apple/2014/10/os-x-10-10/) - -[CIS Apple OSX 10.10 Benchmark](https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.10_Benchmark_v1.1.0.pdf) (pdf) - -[How to Switch to the Mac](https://taoofmac.com/space/HOWTO/Switch) - -[Security Configuration For Mac OS X Version 10.6 Snow Leopard](http://www.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf) (pdf) - -[EFF Surveillance Self-Defense Guide](https://ssd.eff.org/) - -[MacAdmins on Slack](https://macadmins.herokuapp.com/) - -[iCloud security and privacy overview](http://support.apple.com/kb/HT4865) - -[Demystifying the DMG File Format](http://newosxbook.com/DMG.html) - -[There's a lot of vulnerable OS X applications out there (Sparkle Framework RCE)](https://vulnsec.com/2016/osx-apps-vulnerabilities/) - -[iSeeYou: Disabling the MacBook Webcam Indicator LED](https://jscholarship.library.jhu.edu/handle/1774.2/36569) - -[Mac OS X Forensics - Technical Report](https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-8.pdf) (pdf) - -[Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) (pdf) - -[Extracting FileVault 2 Keys with Volatility](https://tribalchicken.com.au/security/extracting-filevault-2-keys-with-volatility/) - -[Auditing and Exploiting Apple IPC](https://googleprojectzero.blogspot.com/2015/09/revisiting-apple-ipc-1-distributed_28.html) - -[Mac OS X and iOS Internals: To the Apple's Core by Jonathan 
Levin](https://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651) - -[Demystifying the i-Device NVMe NAND (New storage used by Apple)](http://ramtin-amin.fr/#nvmepcie) diff --git a/README.md b/README.md index 0ecf1035..d22ddde3 100755 --- a/README.md +++ b/README.md 
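Review bot: The Chinese README hunk above is removals only, and the README.md hunk that follows drops the `简体中文` link along with it, so the translation vanishes without a forwarding pointer; consider leaving a one-line note in README.md (or in the commit message) naming the last revision that still contained README-cn.md, so readers who relied on it can find it in the history.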
@@ -8,47 +8,45 @@ A system is only as secure as its administrator is capable of making it. There i This guide is provided on an 'as is' basis without any warranties of any kind. Only **you** are responsible if you break anything or get in any sort of trouble by following this guide. -To suggest an improvement, please send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues). - -This guide is also available in [简体中文](https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README-cn.md). +To suggest an improvement, send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues). - [Basics](#basics) - [Hardware](#hardware) - [Installing macOS](#installing-macos) - * [System Activation](#system-activation) - * [Apple ID](#apple-id) - * [App Store](#app-store) - * [Virtualization](#virtualization) + * [System activation](#system-activation) + * [Apple ID](#apple-id) + * [App Store](#app-store) + * [Virtualization](#virtualization) - [First boot](#first-boot) -- [System activation](#system-activation) - [Admin and standard user accounts](#admin-and-standard-user-accounts) - * [Caveats](#caveats) - * [Setup](#setup) + * [Caveats](#caveats) + * [Setup](#setup) - [Firmware](#firmware) -- [Filevault](#filevault) +- [FileVault](#filevault) - [Lockdown Mode](#lockdown-mode) - [Firewall](#firewall) - * [Application layer firewall](#application-layer-firewall) - * [Third party firewalls](#third-party-firewalls) - * [Kernel level packet filtering](#kernel-level-packet-filtering) + * [Application layer firewall](#application-layer-firewall) + * [Third party firewalls](#third-party-firewalls) + * [Kernel level packet filtering](#kernel-level-packet-filtering) - [Services](#services) -- [Siri Suggestions & Spotlight](#siri-suggestions-&-spotlight) +- [Siri Suggestions & Spotlight](#siri-suggestions-spotlight) - [Homebrew](#homebrew) - [DNS](#dns) - + [Hosts file](#hosts-file) - + 
[dnscrypt](#dnscrypt) - + [Dnsmasq](#dnsmasq) - - [Test DNSSEC validation](#test-dnssec-validation) + + [DNS profiles](#dns-profiles) + + [Hosts file](#hosts-file) + + [dnscrypt](#dnscrypt) + + [Dnsmasq](#dnsmasq) + - [Test DNSSEC validation](#test-dnssec-validation) - [Certificate authorities](#certificate-authorities) - [Web](#web) - * [Privoxy](#privoxy) - * [Browser](#browser) - + [Firefox](#firefox) - + [Chrome](#chrome) - + [Safari](#safari) - + [Other Web browsers](#other-web-browsers) - + [Web browsers and privacy](#web-browsers-and-privacy) - * [Plugins](#plugins) + * [Privoxy](#privoxy) + * [Browser](#browser) + + [Firefox](#firefox) + + [Chrome](#chrome) + + [Safari](#safari) + + [Other Web browsers](#other-web-browsers) + + [Web browsers and privacy](#web-browsers-and-privacy) + * [Plugins](#plugins) - [Tor](#tor) - [VPN](#vpn) - [PGP/GPG](#pgpgpg) @@ -63,10 +61,10 @@ This guide is also available in [简体中文](https://github.com/drduh/macOS-Se - [SSH](#ssh) - [Physical access](#physical-access) - [System monitoring](#system-monitoring) - * [OpenBSM audit](#openbsm-audit) - * [DTrace](#dtrace) - * [Execution](#execution) - * [Network](#network) + * [OpenBSM audit](#openbsm-audit) + * [DTrace](#dtrace) + * [Execution](#execution) + * [Network](#network) - [Binary Whitelisting](#binary-whitelisting) - [Miscellaneous](#miscellaneous) - [Related software](#related-software) @@ -1006,7 +1004,9 @@ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvent Alternatively, you can also disable Gatekeeper using the following command: -```sudo spctl --master-disable``` +```console +sudo spctl --master-disable +``` (See and for reference) 
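Review bot: In the `@@ -8,47 +8,45 @@` hunk the corrected anchor `#siri-suggestions-spotlight` is probably still wrong for GitHub: its slugger removes the `&` but keeps both spaces around it, so the heading `Siri Suggestions & Spotlight` gets the id `siri-suggestions--spotlight` (two hyphens). Check the link on the rendered page and use `#siri-suggestions--spotlight` if the current one does not resolve.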
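Review bot: In the `@@ -1006,7 +1004,9 @@` hunk the trailing context line reads `(See and for reference)` with no targets at all; if those references are bare `<url>` autolinks they are being dropped somewhere between the source and this rendering, so it is worth confirming they survive in the rendered README and, if not, writing them as `[text](url)` links.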
@@ -1234,13 +1234,13 @@ defaults delete ~/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID All media played in QuickTime Player can be found in: -``` +```console ~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist ``` Additional metadata may exist in the following files: -``` +```console ~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist ~/Library/Preferences/com.apple.commerce.plist ~/Library/Preferences/com.apple.QuickTimePlayerX.plist @@ -1792,7 +1792,7 @@ Check that your apps are sandboxed in [Activity Monitor](https://developer.apple macOS comes with this line in `/etc/sudoers`: -``` +```console Defaults env_keep += "HOME MAIL" ``` @@ -1835,4 +1835,4 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [Reverse Engineering macOS blog](https://reverse.put.as/) * [Reverse Engineering Resources](http://samdmarshall.com/re.html) * [The macOS Phishing Easy Button: AppleScript Dangers](https://duo.com/blog/the-macos-phishing-easy-button-applescript-dangers) -* [iCloud security and privacy overview](https://support.apple.com/102651) \ No newline at end of file +* [iCloud security and privacy overview](https://support.apple.com/102651) From 47aa4c34c0f42fb7d9e71d75bfc51513c3fb00d4 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 18 Mar 2024 10:39:23 -0700 Subject: [PATCH 322/476] Refresh privoxy section --- README.md | 92 +++++++++++++++++++++++++++++++------------------------ 1 file changed, 52 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index 143e185b..9d47ab02 100755 --- a/README.md +++ b/README.md 
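Review bot: In the `@@ -1234,13 +1234,13 @@` and `@@ -1792,7 +1792,7 @@` hunks the fences switched to ```console enclose plist paths and a sudoers `Defaults env_keep` line, not terminal sessions; `console` highlighting expects prompts and commands and will mis-tokenise plain paths and config lines. Leave those fences untagged (or use `text`), and keep `console` for blocks that actually show commands, such as the `sudo spctl --master-disable` one.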
@@ -494,7 +494,7 @@ See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html) a #### Dnsmasq -Among other features, [dnsmasq](https://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domain names. +Among other features, [dnsmasq](https://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domains. Use in combination with DNSCrypt to additionally encrypt DNS traffic. 
@@ -502,19 +502,15 @@ If you don't wish to use DNSCrypt, you should at least use DNS [not provided](ht **Optional** [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root-zone. The current root-zone trust anchors may be downloaded [from IANA website](https://www.iana.org/dnssec/files). There are a number of resources on DNSSEC, but probably the best one is [dnssec.net website](https://www.dnssec.net). -Install Dnsmasq (DNSSEC is optional): +Install Dnsmasq: ```console brew install dnsmasq --with-dnssec ``` -Download [drduh/config/dnsmasq.conf](https://github.com/drduh/config/blob/master/dnsmasq.conf): +Download and edit [drduh/config/dnsmasq.conf](https://github.com/drduh/config/blob/master/dnsmasq.conf) or the default configuration file. -``` -curl -o homebrew/etc/dnsmasq.conf https://raw.githubusercontent.com/drduh/config/master/dnsmasq.conf -``` - -Edit the file and examine all the options. To block entire levels of domains, append [drduh/config/domains](https://github.com/drduh/config/tree/master/domains) or your own rules. +See [drduh/config/domains](https://github.com/drduh/config/tree/master/domains) for appendable examples on blocking services by domains. Install and start the program (sudo is required to bind to [privileged port](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only) 53): 
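Review bot: In the `@@ -502,19 +502,15 @@` hunk the lead-in loses its DNSSEC qualifier but the command right below it still passes `--with-dnssec`; Homebrew removed per-formula install options from core formulae, so `brew install dnsmasq --with-dnssec` fails on current Homebrew. Either change the command to `brew install dnsmasq` or restore the qualifier so the lead-in and the command agree; the same hunk's `prevent upstream queries` sentence and the later `Install and start the program` line also now say "install" twice in a row, which reads oddly.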
@@ -522,7 +518,7 @@ Install and start the program (sudo is required to bind to [privileged port](htt sudo brew services start dnsmasq ``` -To set Dnsmasq as your local DNS server, open **System Preferences** > **Network** and select the active interface, then the **DNS** tab, select **+** and add `127.0.0.1`, or use: +To set dnsmasq as the local DNS server, open **System Preferences** > **Network** and select the active interface, then the **DNS** tab, select **+** and add `127.0.0.1`, or use: ```console sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 @@ -584,13 +580,9 @@ The risk of a [man in the middle](https://wikipedia.org/wiki/Man-in-the-middle_a ### Privoxy -Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter Web browsing traffic. - -**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and verify connections don't leak. Additionally, it may be possible to configure the *pf* firewall to transparently proxy all traffic. - -A signed installation package for privoxy can be downloaded from [silvester.org.uk](https://silvester.org.uk/privoxy/Macintosh%20%28OS%20X%29/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version, and attracts full support from the Privoxy project. +Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter Web traffic. -Alternatively, install and start privoxy using Homebrew: +Install and start privoxy using Homebrew: ```console brew install privoxy 
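Review bot: The `@@ -522,7 +518,7 @@` hunk changes `Dnsmasq` to `dnsmasq`, but the `#### Dnsmasq` heading and the `Install Dnsmasq:` line in the earlier hunks keep the capital; pick one spelling (the upstream link text in the `@@ -494` hunk uses `dnsmasq`) and apply it across the section.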
@@ -598,20 +590,24 @@ brew install privoxy brew services start privoxy ``` -Privoxy listens on local TCP port 8118 by default. +Alternatively, a signed installation package for Privoxy is available from [silvester.org.uk](https://silvester.org.uk/privoxy/Macintosh%20%28OS%20X%29/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version and receives support from the Privoxy project. -Set the system **HTTP** proxy for your active network interface `127.0.0.1` and `8118` (This can be done through **System Preferences > Network > Advanced > Proxies**): +By default, Privoxy listens on local TCP port 8118. + +Set the system **HTTP** proxy for the active network interface `127.0.0.1` and `8118`: ```console sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118 ``` -**Optional** Set the system **HTTPS** proxy, which still allows for domain name filtering, with: +Set the system **HTTPS** proxy: ```console sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118 ``` +This can also be done through **System Preferences > Network > Advanced > Proxies** + Confirm the proxy is set: ```console 
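Review bot: In the `@@ -598,20 +590,24 @@` hunk the added line `This can also be done through **System Preferences > Network > Advanced > Proxies**` is missing its terminal period. The relocated signed-package paragraph now reads `Alternatively, ...` after the Homebrew steps while still stating that the signed package is more secure than the Homebrew version; either lead with the signed package or soften that claim so the recommended order and the security claim point the same way.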
@@ -628,47 +624,63 @@ $ scutil --proxy } ``` -Visit in a browser, or with Curl: +Although most Web traffic today is encrypted, Privoxy is still useful for filtering by domain name patterns, and for upgrading insecure HTTP requests. + +For example, the following rules block all traffic, except to `.net` and `github.com` and all `apple` domains: ```console -$ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/ -HTTP/1.1 200 OK -Content-Length: 2401 -Content-Type: text/html -Cache-Control: no-cache -``` +{ +block{all} } +. -Privoxy already comes with many good rules, however you can also write your own. +{ -block } +.apple. +.github.com +.net +``` -Download [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) to get started: +Or to just block Facebook domains, for example: ```console -curl -o homebrew/etc/privoxy/config https://raw.githubusercontent.com/drduh/config/master/privoxy/config - -curl -o homebrew/etc/privoxy/user.action https://raw.githubusercontent.com/drduh/config/master/privoxy/user.action +{ +block{facebook} } +.facebook*. +.fb. +.fbcdn*. +.fbinfra. +.fbsbx. +.fbsv. +.fburl. +.tfbnw. +.thefacebook. +fb*.akamaihd.net ``` -Restart Privoxy and verify traffic is blocked or redirected: +Note that wildcards are supported. + +See [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) for additional Privoxy examples. Privoxy does **not** need to be restarted after editing `user.action` filter rules. 
+ +To verify traffic is blocked or redirected, use curl or the Privoxy interface available at in the browser: ```console -$ sudo brew services restart privoxy +ALL_PROXY=127.0.0.1:8118 curl example.com -IL | head -$ ALL_PROXY=127.0.0.1:8118 curl ads.foo.com/ -IL HTTP/1.1 403 Request blocked by Privoxy -Content-Type: image/gif -Content-Length: 64 +Content-Length: 9001 +Content-Type: text/html Cache-Control: no-cache +Pragma: no-cache -$ ALL_PROXY=127.0.0.1:8118 curl imgur.com/ -IL +ALL_PROXY=127.0.0.1:8118 curl github.com -IL | head HTTP/1.1 302 Local Redirect from Privoxy -Location: https://imgur.com/ +Location: https://github.com/ Content-Length: 0 -HTTP/1.1 200 OK -Content-Type: text/html; charset=utf-8 +HTTP/1.1 200 Connection established + +HTTP/2 200 +server: GitHub.com ``` -You can replace ad images with pictures of kittens, for example, by starting a local Web server and [redirecting blocked requests](https://www.privoxy.org/user-manual/actions-file.html#SET-IMAGE-BLOCKER) to localhost. +**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and verify connections don't leak. Additionally, *pf* can be configured to transparently proxy traffic on certain ports. ### Browser From 318c2c5d12a270fcbda2ea7c1cdfeae95131dcae Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 18 Mar 2024 10:50:36 -0700 Subject: [PATCH 323/476] Fix heading and TOC --- README.md | 193 +++++++++++++++++++++++++----------------------------- 1 file changed, 91 insertions(+), 102 deletions(-) diff --git a/README.md b/README.md index 9d47ab02..a80df779 100755 --- a/README.md +++ b/README.md 
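Review bot: In hunk @@ -598,20 +590,24 @@ the added line "+This can also be done through **System Preferences > Network > Advanced > Proxies**" is missing its trailing period, and the rewrite of the HTTPS step drops both the "**Optional**" qualifier and the rationale that an HTTPS proxy "still allows for domain name filtering", which is exactly the reason a reader would bother setting it. Suggest keeping that wording, e.g. "**Optional** Set the system **HTTPS** proxy, which still allows filtering by domain name:", so the reader knows the HTTPS proxy is not required and what it buys them.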
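Review bot: In hunk @@ -628,47 +624,63 @@ the sentence "+To verify traffic is blocked or redirected, use curl or the Privoxy interface available at in the browser:" has lost the address after "available at"; the removed lines in this same hunk used `http://p.p/` for that interface, so restore the URL (or a markdown link to it) before merging. Separately, the description "block all traffic, except to `.net` and `github.com` and all `apple` domains" understates how wide the exceptions are: in Privoxy's pattern syntax `.apple.` (leading and trailing dot) matches any hostname that has `apple` as a label anywhere, not only Apple's own domains, and `.net` un-blocks every host under the `.net` TLD; either narrow the patterns (e.g. `.apple.com`) or state the actual scope so the example does not suggest a tighter allow-list than it implements.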
@@ -10,6 +10,7 @@ This guide is provided on an 'as is' basis without any warranties of any kind. O To suggest an improvement, send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues). + - [Basics](#basics) - [Hardware](#hardware) - [Installing macOS](#installing-macos) @@ -32,25 +33,25 @@ To suggest an improvement, send a pull request or [open an issue](https://github - [Siri Suggestions & Spotlight](#siri-suggestions-spotlight) - [Homebrew](#homebrew) - [DNS](#dns) - + [DNS profiles](#dns-profiles) - + [Hosts file](#hosts-file) - + [dnscrypt](#dnscrypt) - + [Dnsmasq](#dnsmasq) - - [Test DNSSEC validation](#test-dnssec-validation) + * [DNS profiles](#dns-profiles) + * [Hosts file](#hosts-file) + * [DNSCrypt](#dnscrypt) + * [Dnsmasq](#dnsmasq) - [Certificate authorities](#certificate-authorities) -- [Web](#web) - * [Privoxy](#privoxy) - * [Browser](#browser) - + [Firefox](#firefox) - + [Chrome](#chrome) - + [Safari](#safari) - + [Other Web browsers](#other-web-browsers) - + [Web browsers and privacy](#web-browsers-and-privacy) - * [Plugins](#plugins) +- [Privoxy](#privoxy) +- [Browser](#browser) + * [Firefox](#firefox) + * [Chrome](#chrome) + * [Safari](#safari) + * [Other browsers](#other-browsers) + * [Web browser privacy](#web-browser-privacy) - [Tor](#tor) - [VPN](#vpn) - [PGP/GPG](#pgpgpg) - [Messengers](#messengers) + * [XMPP](#xmpp) + * [Signal](#signal) + * [iMessage](#imessage) - [Viruses and malware](#viruses-and-malware) - [System Integrity Protection](#system-integrity-protection) - [Gatekeeper and XProtect](#gatekeeper-and-xprotect) @@ -70,7 +71,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github - [Related software](#related-software) - [Additional resources](#additional-resources) -## Basics +# Basics Standard security best practices apply: 
@@ -96,7 +97,7 @@ Standard security best practices apply: * Ultimately, the security of a system depends on the capabilities of its administrator. * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. -## Hardware +# Hardware macOS is most secure running on [Apple hardware](https://support.apple.com/guide/security/hardware-security-overview-secf020d1074/1/web/1) with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one. 
@@ -104,19 +105,19 @@ When you purchase your Mac, you might want to avoid it being linked back to you. If you want to use a wireless keyboard, mouse, headphones or other accessory, the most secure option is Apple ones since they will automatically be updated by your system. They also support the latest [Bluetooth features](https://support.apple.com/guide/security/bluetooth-security-sec82597d97e/web) like BLE Privacy which randomizes your Bluetooth hardware address to prevent tracking. With third party accessories, this isn't a guarantee. -## Installing macOS +# Installing macOS There are several ways to [install macOS](https://support.apple.com/102662). Choose your preferred method from the available options. **You should install the latest version of macOS that's compatible with your Mac**. More recent versions have security patches and other improvements that older versions lack. -### System activation +## System activation As part of Apple's [theft prevention system](https://support.apple.com/102541), Apple silicon Macs will need to activate with Apple's servers every time you reinstall macOS to check against the database of stolen or activation-locked Macs. You can read about exactly how this process works [here](https://support.apple.com/guide/security/localpolicy-signing-key-creation-management-sec1f90fbad1). -### Apple ID +## Apple ID Creating an Apple ID is not required to use macOS. Making an Apple ID requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to iCloud, Apple's cloud storage service. You can [disable](https://support.apple.com/102651) the syncing later if you want or enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) for your iCloud data. 
@@ -124,13 +125,13 @@ You can [control the data](https://support.apple.com/102283) associated with you An Apple ID is required in order to access the App Store and use most Apple services like iCloud, Apple Music, etc. -### App Store +## App Store The Mac App Store is a [curated](https://developer.apple.com/app-store/review/guidelines) repository of software that is required to utilize the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) and [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), as well as offering automatic updates that integrate with your system. The App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple ID and Apple will be able to link your Apple ID to your downloaded apps. -### Virtualization +## Virtualization You can easily run macOS natively in a virtual machine using [UTM](https://mac.getutm.app). It's free from their site but if you buy it from the App Store, you'll get automatic updates. @@ -138,7 +139,7 @@ Follow their [documentation](https://docs.getutm.app/guest-support/macos) to ins Another option is [VMware Fusion](https://www.vmware.com/products/fusion.html), although it costs money. You can read their [documentation](https://docs.vmware.com/en/VMware-Fusion/13/com.vmware.fusion.using.doc/GUID-474FC78E-4E77-42B7-A1C6-12C2F378C5B9.html) to see how to install a macOS VM. -## First boot +# First boot When macOS first starts, you'll be greeted by **Setup Assistant**. 
@@ -153,7 +154,7 @@ sudo scutil --set ComputerName MacBook sudo scutil --set LocalHostName MacBook ``` -## Admin and standard user accounts +# Admin and standard user accounts The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. 
@@ -163,19 +164,19 @@ It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/1 It is not strictly required to ever log into the admin account via the macOS login screen. When a Terminal command requires administrator privileges, the system will prompt for authentication and Terminal then continues using those privileges. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. -### Caveats +## Caveats * Only administrators can install applications in `/Applications` (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in `~/Applications` instead (the directory can be created). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in `/Applications` – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in `/Applications` and require no additional authentication. * `sudo` is not available in shells of the standard user, which requires using `su` or `login` to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces. * System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console). * There are third-party applications that will not work correctly because they assume that the user account is an admin. 
These programs may have to be executed by logging into the admin account, or by using the `open` utility. -* See additional discussion in [issue #167](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/167). +* See additional discussion in [issue 167](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/167). -### Setup +## Setup Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account. -Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see [issue #179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)): +Demoting an account can be done either from the the new admin account in System Preferences – the other account must be logged out – or by executing these commands (it may not be necessary to execute both, see [issue 179](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/179)): ```console sudo dscl . -delete /Groups/admin GroupMembership 
@@ -190,11 +191,11 @@ dscl . -read /Users/ GeneratedUID See also [this post](https://superuser.com/a/395738) for more information about how macOS determines group membership. -## Firmware +# Firmware You should check that firmware security settings are set to [Full Security](https://support.apple.com/en-au/guide/mac-help/mchl768f7291/mac) to prevent tampering with your OS. This is the default setting. -## FileVault +# FileVault All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. The EFF has a guide on generating [strong but memorable passwords](https://www.eff.org/dice). @@ -202,17 +203,17 @@ Your FileVault password also acts as a [firmware password](https://support.apple FileVault will ask you to set a recovery key in case you forget your password. Keep this key stored somewhere safe. You'll have the option use your iCloud account to unlock your disk; however, anyone with access to your iCloud account will be able to unlock it as well. -## Lockdown Mode +# Lockdown Mode macOS offers [Lockdown Mode](https://support.apple.com/105120), a security feature that disables several features across the OS, significantly reducing attack surface for attackers while keeping the OS usable. You can read about exactly what is disabled and decide for yourself if it is acceptable to you. When Lockdown Mode is on, you can disable it per site in Safari on trusted sites. -## Firewall +# Firewall There are several types of firewalls available for macOS. -### Application layer firewall +## Application layer firewall Built-in, basic firewall which blocks **incoming** connections only. This firewall does not have the ability to monitor, nor block **outgoing** connections. 
@@ -248,7 +249,7 @@ After interacting with `socketfilterfw`, restart the process by sending a line h sudo pkill -HUP socketfilterfw ``` -### Third party firewalls +## Third party firewalls Programs such as [Little Snitch](https://www.obdev.at/products/littlesnitch/index.html), [Radio Silence](https://radiosilenceapp.com/), and [LuLu](https://objective-see.com/products/lulu.html) provide a good balance of usability and security. @@ -258,7 +259,7 @@ If the number of choices of allowing/blocking network connections is overwhelmin It is worth noting that these firewalls can be bypassed by programs running as **root** or through [OS vulnerabilities](https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf) (pdf), but they are still worth having - just don't expect absolute protection. However, some malware actually [deletes itself](https://www.cnet.com/how-to/how-to-remove-the-flashback-malware-from-os-x/) and doesn't execute if Little Snitch, or other security software, is installed. -### Kernel level packet filtering +## Kernel level packet filtering A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with `pfctl` and various configuration files. @@ -348,7 +349,7 @@ Outgoing TCP SYN packets are blocked, so a TCP connection is not established and See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/master/scripts/pf-blocklist.sh) for more inspiration. -## Services +# Services Services on macOS are managed by **launchd**. See [launchd.info](https://launchd.info). 
@@ -380,11 +381,11 @@ Annotated lists of launch daemons and agents, the respective program executed, a Read more about launchd and where login items can be found on [Apple's website](https://support.apple.com/guide/terminal/script-management-with-launchd-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369). -## Siri Suggestions & Spotlight +# Siri Suggestions & Spotlight Apple is moving to on-device processing for a lot of Siri functions, but some info is still sent to Apple when you use Siri Suggestions or Spotlight. You can read Apple's [Privacy Policy](https://www.apple.com/legal/privacy/data/en/siri-suggestions-search/) to see exactly what is sent and how to disable it. -## Homebrew +# Homebrew Consider using [Homebrew](https://brew.sh/) to make software installations easier and to update userland tools. 
@@ -400,27 +401,27 @@ To opt out of Homebrew's analytics, you can set `export HOMEBREW_NO_ANALYTICS=1` You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` and `HOMEBREW_CASK_OPTS=--require-sha` -## DNS +# DNS -#### DNS profiles +## DNS profiles macOS 11 introduced "DNS configuration profiles" to configure encrypted DNS, filter domains and use DNSSEC. DNS profiles [can be created](https://dns.notjakob.com/) or obtained from providers such as [Quad9](https://docs.quad9.net/Setup_Guides/MacOS/Big_Sur_and_later_(Encrypted)/#download-profile), [AdGuard](https://adguard-dns.io/en/public-dns.html) and [NextDNS](https://nextdns.io/). -#### Hosts file +## Hosts file - Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known malware, advertising or otherwise unwanted domains. +Use the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) to block known malware, advertising or otherwise unwanted domains. - Edit the hosts file as root, for example with `sudo vi /etc/hosts` +Edit the hosts file as root, for example with `sudo vi /etc/hosts` - To block a domain by `A` record, append any one of the following lines to `/etc/hosts`: +To block a domain by `A` record, append any one of the following lines to `/etc/hosts`: - ``` - 0 example.com - 0.0.0.0 example.com - 127.0.0.1 example.com - ``` +``` +0 example.com +0.0.0.0 example.com +127.0.0.1 example.com +``` **Note** IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](https://someonewhocares.org/hosts/ipv6/). 
@@ -440,7 +441,7 @@ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee If you're using a firewall like [Little Snitch](#third-party-firewalls), you could use the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) importing the rules from [leohidalgo/little-snitch---rule-groups](https://github.com/leohidalgo/little-snitch---rule-groups) repository, these rules are updated every 12 hours from the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) repository. -#### dnscrypt +## DNSCrypt To encrypt DNS traffic, consider using [DNSCrypt/dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). Used in combination with dnsmasq and DNSSEC, the integrity of DNS traffic can be significantly improved. @@ -492,7 +493,7 @@ block drop quick on !lo0 proto tcp from any to any port = 53 See also [What is a DNS leak](https://dnsleaktest.com/what-is-a-dns-leak.html) and [ipv6-test.com](http://ipv6-test.com/) -#### Dnsmasq +## Dnsmasq Among other features, [dnsmasq](https://www.thekelleys.org.uk/dnsmasq/doc.html) is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level domains. 
@@ -540,14 +541,12 @@ $ networksetup -getdnsservers "Wi-Fi" 127.0.0.1 ``` -**Note** Some VPN software overrides DNS settings on connect. See [issue #24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) and [drduh/config/scripts/macos-dns.sh](https://github.com/drduh/config/blob/master/scripts/macos-dns.sh). +**Note** Some VPN software overrides DNS settings on connect. See [issue 24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) and [drduh/config/scripts/macos-dns.sh](https://github.com/drduh/config/blob/master/scripts/macos-dns.sh). -##### Test DNSSEC validation - -Test DNSSEC validation succeeds for signed zones - the reply should have `NOERROR` status and contain `ad` flag: +**Optional** Test DNSSEC validation for signed zones - the reply should have `NOERROR` status and contain `ad` flag: ```console -$ dig +dnssec icann.org +$ dig +dnssec icann.org | head ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ``` 
@@ -555,12 +554,12 @@ $ dig +dnssec icann.org Test DNSSEC validation fails for zones that are signed improperly - the reply should have `SERVFAIL` status: ```console -$ dig www.dnssec-failed.org +$ dig www.dnssec-failed.org | head ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ``` -## Certificate authorities +# Certificate authorities macOS comes with [over 100](https://support.apple.com/103723) root authority certificates installed from corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These Certificate Authorities (CAs) are capable of issuing TLS certificates for any domain, code signing certificates, etc. Apple [blocks these certificates](https://support.apple.com/103247#blocked) when a CA proves to be untrustworthy. They also have [strict requirements](https://www.apple.com/certificateauthority/ca_program.html) that trusted CAs have to meet. @@ -576,9 +575,7 @@ You can manually disable certificate authorities through Keychain Access by mark The risk of a [man in the middle](https://wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue TLS certificate is quite low, but still [possible](https://wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). -## Web - -### Privoxy +# Privoxy Consider using [Privoxy](https://www.privoxy.org/) as a local proxy to filter Web traffic. 
@@ -682,7 +679,7 @@ server: GitHub.com **Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and verify connections don't leak. Additionally, *pf* can be configured to transparently proxy traffic on certain ports. -### Browser +# Browser The Web browser likely poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. 
@@ -694,11 +691,11 @@ Another important consideration about browser security are extensions. This is a [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/), [Google Chrome](https://www.google.com/chrome/), [Safari](https://www.apple.com/safari/), and [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) are all recommended browsers for their own unique and individual purposes. -#### Firefox +## Firefox [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) is a popular open source browser. Firefox recently replaced major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. -Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative. Firefox follows a six-week release cycle similar to Chrome. See discussion in issues [#2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [#90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. +Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative. Firefox follows a six-week release cycle similar to Chrome. See discussion in [issue 2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [issue 90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. 
Firefox supports user-supplied configuration files. See See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows selective script blocking. @@ -706,7 +703,7 @@ Firefox [focused on user privacy](https://www.mozilla.org/en-US/firefox/privacy/ Previous versions of Firefox used a Web Extension SDK that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions), which is very similar to Chrome. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. -#### Chrome +## Chrome [Google Chrome](https://www.google.com/chrome/) is based on the open source [Chromium project](https://www.chromium.org/Home) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): 
@@ -733,7 +730,7 @@ Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/d Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [Chromium Privacy](https://www.chromium.org/Home/chromium-privacy) for more information. Read [Google's privacy policy](https://policies.google.com/privacy) to understand how personal information is collected and used. -#### Safari +## Safari [Safari](https://www.apple.com/safari/) is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. 
@@ -751,13 +748,13 @@ An example of using Safari content blockers is available at [dgraham/Ka-Block](h See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. -#### Other Web browsers +## Other browsers Many Chromium-derived browsers are not recommended. They are usually [closed source](https://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](https://web.archive.org/web/20180517132144/http://thesimplecomputer.info/the-private-life-of-chromium-browsers). Other miscellaneous browsers, such as [Brave](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use. -#### Web browsers and privacy +## Web browser privacy Web browsers reveal information in several ways, for example through the [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface, which may include information such as the browser version, operating system, site permissions, and the device's battery level. Many websites also use [canvas fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) to uniquely identify users across sessions. 
@@ -767,15 +764,7 @@ To hinder third party trackers, it is recommended to **disable third-party cooki Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). Disabling WebRTC in Safari is only possible with a [system hack](https://github.com/JayBrown/Disable-and-toggle-WebRTC-in-macOS-Safari). -### Plugins - -**Adobe Flash**, **Oracle Java**, **Adobe Reader**, **Microsoft Silverlight** (Netflix now works with [HTML5](https://help.netflix.com/en/node/23742)) and other plugins are [security risks](https://news.ycombinator.com/item?id=9901480) and should not be installed. - -If they are necessary, only use them in a disposable virtual machine and subscribe to security announcements to make sure you're always patched. - -See [Hacking Team Flash Zero-Day](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/), [Java Trojan BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback), [Acrobat Reader: Security Vulnerabilities](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html), and [Angling for Silverlight Exploits](https://blogs.cisco.com/security/angling-for-silverlight-exploits) for examples. - -## Tor +# Tor Tor is an anonymizing network which can be used for browsing the Web with additional privacy. Tor Browser is a modified version of Firefox with a proxy to access the Tor network. 
@@ -914,7 +903,7 @@ Finally, remember the Tor network provides [anonymity](https://www.privateintern Also see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) and its [Tor comparison](https://geti2p.net/en/comparison/tor). -## VPN +# VPN When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) or Linux-based [Wireguard](https://www.wireguard.com/) [on a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). 
@@ -922,11 +911,11 @@ Some clients may send traffic over the next available interface when VPN is inte Another set of scripts to lock down your system so it will only access the internet via a VPN can be found as part of the Voodoo Privacy project - [sarfata/voodooprivacy](https://github.com/sarfata/voodooprivacy) and there is an updated guide to setting up an IPSec VPN on a virtual machine ([hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)) or a docker container ([hwdsl2/docker-ipsec-vpn-server](https://github.com/hwdsl2/docker-ipsec-vpn-server)). -It may be worthwhile to consider the geographical location of the VPN provider. See further discussion in [issue #114](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/114). +It may be worthwhile to consider the geographical location of the VPN provider. See further discussion in [issue 114](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/114). Also see this [technical overview](https://blog.timac.org/2018/0717-macos-vpn-architecture/) of the macOS built-in VPN L2TP/IPSec and IKEv2 client. -## PGP/GPG +# PGP/GPG PGP is a standard for signing and encrypting data (especially email) end-to-end, so only the sender and recipient can access it. 
@@ -948,9 +937,9 @@ See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely ge Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides](https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup) and [practice](https://help.riseup.net/en/security/message-security/openpgp/best-practices) encrypting and decrypting email to yourself and your friends. Get them interested in this stuff! -## Messengers +# Messengers -### XMPP +## XMPP XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). Consider using one of the browser-based clients to take advantage of your browser's sandbox. @@ -958,13 +947,13 @@ Depending on the provider, you might not need anything other than a username and XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. -### Signal +## Signal [Signal](https://www.signal.org) is an advanced E2EE messenger whose [double-ratchet](https://signal.org/docs/specifications/doubleratchet/) protocol is used by countless other messengers including WhatsApp, Google Messages, and Facebook Messenger. Signal requires a phone number to sign up and you'll need to install it on your phone first before you can use it on desktop. -### iMessage +## iMessage iMessage is Apple's first party messenger. It requires an [Apple ID](#apple-id) in order to use it. 
@@ -974,7 +963,7 @@ You can use iMessage with either a [phone number or an email](https://support.ap **Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! -## Viruses and malware +# Viruses and malware There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! 
@@ -982,7 +971,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). +You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue 90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. 
@@ -996,11 +985,11 @@ To scan an application with multiple AV products and examine its behavior, uploa Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) -## System Integrity Protection +# System Integrity Protection To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode. -## Gatekeeper and XProtect +# Gatekeeper and XProtect **Gatekeeper** and the **quarantine** system try to prevent unsigned or "bad" programs and files from running and opening. @@ -1032,7 +1021,7 @@ sudo spctl --master-disable (See and for reference) -## Metadata and artifacts +# Metadata and artifacts macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: @@ -1268,7 +1257,7 @@ Additional metadata may exist in the following files: ~/Library/Preferences/com.apple.QuickTimePlayerX.plist ``` -## Passwords +# Passwords Generate strong passwords using any of the following utilities: 
@@ -1290,7 +1279,7 @@ In addition to passwords, ensure eligible online accounts, such as GitHub, Googl In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). [U2F Zero](https://u2fzero.com/) is a Yubikey alternative to consider. -## Backup +# Backup Always encrypt files locally before backing them up to external media or online services. @@ -1360,7 +1349,7 @@ rsync --recursive --times --progress --delete --verbose --stats MyEncryptedDrive See also the following applications and services: [Tresorit](https://www.tresorit.com), [SpiderOak](https://www.spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). -## Wi-Fi +# Wi-Fi macOS remembers access points it has connected to. Like all wireless devices, the Mac will broadcast all access point names it remembers (e.g., *MyHomeNetwork*) each time it looks for a network, such as when waking from sleep. @@ -1382,7 +1371,7 @@ macOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to ac Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should only connect to **WPA2** protected networks when possible. -## SSH +# SSH For outgoing SSH connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. See [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config) for recommended client options. 
@@ -1422,7 +1411,7 @@ Confirm whether sshd is running: sudo lsof -Pni TCP:22 ``` -## Physical access +# Physical access Keep your Mac physically secure at all times and do not leave it unattended in public. @@ -1434,9 +1423,9 @@ Consider purchasing a privacy screen/filter for use in public. [Nail polish](https://trmm.net/Glitter) and tamper-evidence seals can be applied to components to detect tampering. -## System monitoring +# System monitoring -### OpenBSM audit +## OpenBSM audit macOS has a powerful OpenBSM (Basic Security Module) auditing capability. You can use it to monitor process execution, network activity, and much more. @@ -1455,7 +1444,7 @@ See the manual pages for `audit`, `praudit`, `audit_control` and other files in See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information. -### DTrace +## DTrace **Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) interferes with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. @@ -1467,7 +1456,7 @@ See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/20 See `man -k dtrace` for more information. -### Execution +## Execution `ps -ef` lists information about all running processes. @@ -1475,7 +1464,7 @@ You can also view processes with **Activity Monitor**. `launchctl list` and `sudo launchctl list` list loaded and running user and system launch daemons and agents. -### Network +## Network List open network files: 
@@ -1528,7 +1517,7 @@ tshark -Y "ssl.handshake.certificate" -Tfields \ Also see the simple networking monitoring application [BonzaiThePenguin/Loading](https://github.com/BonzaiThePenguin/Loading). -## Binary Whitelisting +# Binary Whitelisting [google/santa](https://github.com/google/santa/) is a security software developed for Google's corporate Macintosh fleet and open sourced. @@ -1752,7 +1741,7 @@ Zentral will support Santa in both MONITORING and LOCKDOWN operation mode. Clien **Note** Python, Bash and other interpreters are whitelisted (since they are signed by Apple's developer certificate), so Santa will not be able to block such scripts from executing. Thus, a potential non-binary program which disables Santa is a weakness (not vulnerability, since it is so by design) to take note of. -## Miscellaneous +# Miscellaneous Disable [Diagnostics & Usage Data](https://support.apple.com/guide/mac-help/share-analytics-information-mac-apple-mh27990). 
@@ -1840,14 +1829,14 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir -rw-------@ 1 kevin staff 2026566 Dec 4 12:28 umask_testing_file ``` -## Related software +# Related software * [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. * [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). * [osquery](https://github.com/osquery/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. * [google/grr](https://github.com/google/grr) - Incident response framework focused on remote live forensics. -## Additional resources +# Additional resources * [Apple Open Source](https://opensource.apple.com/) * [CIS Benchmarks](https://www.cisecurity.org/benchmark/apple_os/) From 1e5b66b0b01c716c1b8a053da64626d65a547bbc Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 18 Mar 2024 11:15:07 -0700 Subject: [PATCH 324/476] Refresh passwords section --- README.md | 116 +++++++++++++++++++----------------------------------- 1 file changed, 40 insertions(+), 76 deletions(-) diff --git a/README.md b/README.md index a80df779..6a997c06 100755 --- a/README.md +++ b/README.md 
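Review bot: the context line `(See and for reference)` in the `@@ -996,11 +985,11 @@` hunk (Gatekeeper and XProtect section) has lost both of its link targets and now reads as a broken sentence; since this patch already touches the heading directly above it, either restore the two references or drop the sentence rather than carrying it forward.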
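Review bot: promoting every `## Section` to `# Section` (`-## PGP/GPG` / `+# PGP/GPG` in the first hunk, and the same pattern in every hunk that follows) leaves the README with a long run of top-level headings and no single document title; if that is the intended structure it is worth saying so, since it reads like an accidental level shift. The in-document anchors such as `#system-integrity-protection` in the DTrace note are unaffected, because GitHub derives them from the heading text, not its level, so no links need updating.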
@@ -75,27 +75,26 @@ To suggest an improvement, send a pull request or [open an issue](https://github Standard security best practices apply: -* Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) - * What are you trying to protect and from whom? Is your adversary a three letter agency, a nosy eavesdropper on the network, or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? - * Recognize threats and how to reduce attack surface against them. +- Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) + * What are you trying to protect and from whom? Is your adversary a three letter agency, a nosy eavesdropper on the network, or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? + * Recognize threats and how to reduce attack surface against them. -* Keep the system up to date - * Patch the base operating system and all third party software. - * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065) and set to automatically install. You can also use the `softwareupdate` command-line utility - neither requires registering an Apple account. - * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). +- Keep the system and software up to date + * Patch the operating system and all installed software reguarly. + * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065) and set to automatically install. You can also use the `softwareupdate` command-line utility - neither requires registering an Apple account. + * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). 
-* Encrypt sensitive data at rest - * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785), consider using the [built-in password manager](https://support.apple.com/105115) to protect your passwords and other sensitive info. For sensitive files, consider creating a separate [encrypted volume](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612) to store them in. - * This will mitigate damage in case of compromise and data theft. +- Encrypt sensitive data + * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785) volume encryption, consider using the [built-in password manager](https://support.apple.com/105115) to protect passwords and other sensitive data. -* Assure data availability - * Create [regular backups](https://support.apple.com/104984) of your data and be ready to [restore from a backup](https://support.apple.com/102551) in case of compromise. - * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) if your cloud provider supports it. - * Verify backups by accessing them regularly. +- Assure data availability + * Create [regular backups](https://support.apple.com/104984) of your data and be ready to [restore from a backup](https://support.apple.com/102551) in case of compromise. + * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) if your cloud provider supports it. 
+ * Verify backups by accessing them regularly. -* Click carefully - * Ultimately, the security of a system depends on the capabilities of its administrator. - * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. +- Click carefully + * Ultimately, the security of a system depends on the capabilities of its administrator. + * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. # Hardware 
@@ -714,7 +713,7 @@ Previous versions of Firefox used a Web Extension SDK that was quite invasive an * PDF viewer * Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. The source code to decode the strings is made open by Google. -Chrome offers account sync between multiple devices. Part of the sync data are stored website credentials. The login passwords are encrypted and in order to access them, a user's Google account password is required. You can use your Google account to sign to your Chrome customized settings from other devices while retaining your the security of your passwords. +Chrome offers account sync between multiple devices. Part of the sync data includes credentials to Web sites. The data is are encrypted with the account password. Chrome's Web Store for extensions requires a [5 USD lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. 
@@ -740,7 +739,7 @@ Safari offers an invite-only [bounty program](https://developer.apple.com/bug-re Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 USD fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open. -Safari syncs user preferences and saved passwords with [iCloud Keychain](https://support.apple.com/en-gb/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. +Safari syncs user preferences and passwords with [iCloud Keychain](https://support.apple.com/en-gb/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Security updates in Safari are handled independent of the stable release schedule and are installed through the App Store. 
@@ -1259,95 +1258,60 @@ Additional metadata may exist in the following files: # Passwords -Generate strong passwords using any of the following utilities: +Generate strong passwords using [`urandom`](https://en.wikipedia.org/wiki//dev/random) and [`tr`](https://linux.die.net/man/1/tr): ```console -openssl rand -base64 30 - -gpg --gen-random -a 0 90 | fold -w 40 - -tr -dc '[:graph:]' < /dev/urandom | fold -w 40 | head -n5 +tr -dc '[:graph:]' < /dev/urandom | fold -w 20 | head -1 ``` -Or using **Keychain Access** password assistant, or a command line equivalent like [anders/pwgen](https://github.com/anders/pwgen). +The password assistant in **Keychain Access** can also generate secure credentials. -GnuPG can also be used to manage password files (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh) for example). +Consider using [Diceware](https://secure.research.vt.edu/diceware/) for memorable passwords. -In addition to passwords, ensure eligible online accounts, such as GitHub, Google accounts, banking, have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. +GnuPG can also be used to manage passwords and other encrypted files (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh) for example). -[Yubikey](https://www.yubico.com/products/) offers affordable hardware tokens. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey slots can also be programmed to emit a long, static password - which can be used in combination with a short, memorized password, for example. +Ensure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. 
The strongest form of multi-factor authentication is [WebAuthN](https://en.wikipedia.org/wiki/WebAuthn), followed by app-based authenticators, and SMS-based codes are weakest. -In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from [Yubico](https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf). [U2F Zero](https://u2fzero.com/) is a Yubikey alternative to consider. +[YubiKey](https://www.yubico.com/products/) is an affordable hardware tokens which offers WebAuthN. It can also be used to store cryptographic keys for GnuPG encryption and SSH authentication - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide). # Backup Always encrypt files locally before backing them up to external media or online services. -One way is to use a GPG with a static password or your own public key (with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide)). +GnuPG can be used with a static password or public key (with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide)). 
To compress and encrypt a directory using a password: ```console -$ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg -tar: Removing leading '/' from member names -a Users/drduh/Downloads -a Users/drduh/Downloads/.DS_Store -a Users/drduh/Downloads/.localized -a Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg.asc -a Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg +tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg ``` To decrypt and decompress the directory: ```console -$ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg -gpg: AES256 encrypted data -gpg: encrypted with 1 passphrase +gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-*.tar.gz.gpg -$ tar zxvf ~/Desktop/decrypted-backup.tar.gz -tar: Removing leading '/' from member names -x Users/drduh/._Downloads -x Users/drduh/Downloads/ -x Users/drduh/Downloads/._.DS_Store -x Users/drduh/Downloads/.DS_Store -x Users/drduh/Downloads/.localized -x Users/drduh/Downloads/._TorBrowser-8.0.4-osx64_en-US.dmg.asc -x Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg.asc -x Users/drduh/Downloads/._TorBrowser-8.0.4-osx64_en-US.dmg -x Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg +tar zxvf ~/Desktop/decrypted-backup.tar.gz ``` -You can also create and use encrypted volumes using **Disk Utility** or `hdiutil`: +Encrypted volumes can also be created using **Disk Utility** or `hdiutil`: ```console -$ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 50M -volname "secretStuff" -fs JHFS+ -Enter a new password to secure "encrypted.dmg": -Re-enter new password: -.................................... -Created: /Users/drduh/Desktop/encrypted.img +hdiutil create ~/Desktop/encrypted.dmg -encryption -size 50M -volname "secretStuff" -fs JHFS+ -$ hdiutil mount ~/Desktop/encrypted.dmg -Enter password to access "encrypted.dmg": -[...] 
-/Volumes/secretStuff +hdiutil mount ~/Desktop/encrypted.dmg -$ cp -v ~/Documents/passwords.txt /Volumes/secretStuff -[...] +cp -v ~/Documents/passwords.txt /Volumes/secretStuff -$ hdiutil eject /Volumes/secretStuff -"disk4" unmounted. -"disk4" ejected. -``` - -With `hdiutil` you are also able to add the option `-type SPARSE-BUNDLE`. With these sparse bundles you may achieve faster backups because after the first run, the updated information and some padding needs to be transferred. - -A simple way to synchronize this encrypted folder to another server is using rsync: - -```console -rsync --recursive --times --progress --delete --verbose --stats MyEncryptedDrive.sparsebundle user@server:/path/to/backup +hdiutil eject /Volumes/secretStuff ``` -See also the following applications and services: [Tresorit](https://www.tresorit.com), [SpiderOak](https://www.spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). +Additional applications and services which offer backups include: +* [Tresorit](https://www.tresorit.com) +* [SpiderOak](https://www.spideroak.com) +* [Arq](https://www.arqbackup.com) +* [Espionage](https://www.espionageapp.com/) +* [restic](https://restic.github.io) # Wi-Fi From 75a77d6c7010992b72d7b9eabf5939fd52f2a13e Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 18 Mar 2024 11:23:01 -0700 Subject: [PATCH 325/476] Some formatting --- README.md | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 6a997c06..3f66e5c5 100755 --- a/README.md +++ b/README.md 
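Review bot: `reguarly` in `+ * Patch the operating system and all installed software reguarly.` (hunk `@@ -75,27 +75,26 @@`) should be `regularly`. The same hunk shortens `Encrypt sensitive data at rest` to `Encrypt sensitive data`; the bullet beneath it is only about storage (FileVault, the password manager), so keeping `at rest` is the more precise wording.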
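Review bot: `The data is are encrypted with the account password.` (hunk `@@ -714,7 +713,7 @@`) has a doubled verb; suggest `The data is encrypted with the account password.`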
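Review bot: the new generator `tr -dc '[:graph:]' < /dev/urandom | fold -w 20 | head -1` (hunk `@@ -1259,95 +1258,60 @@`) aborts with `tr: Illegal byte sequence` in a stock macOS Terminal, where the locale is UTF-8 and the random stream is not valid multibyte input; prefix it with `LC_ALL=C` so `tr` treats the input as single bytes. In the same hunk, `gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-*.tar.gz.gpg` relies on a wildcard that expands to every archive in the directory, and `gpg --decrypt` takes a single input file, so the command only works while exactly one backup exists; name the file explicitly. The `hdiutil create ... -encryption -size 50M ...` line gives `-encryption` no method, which selects hdiutil's default of AES-128; `-encryption AES-256` is the stronger option and costs nothing to add. Finally, `is an affordable hardware tokens which offers WebAuthN` mixes singular and plural (and the standard spells it WebAuthn), and the sparse-bundle and rsync paragraph is removed without any replacement, so the section now shows only a local `.dmg` workflow.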
@@ -19,7 +19,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [App Store](#app-store) * [Virtualization](#virtualization) - [First boot](#first-boot) -- [Admin and standard user accounts](#admin-and-standard-user-accounts) +- [Admin and user accounts](#admin-and-user-accounts) * [Caveats](#caveats) * [Setup](#setup) - [Firmware](#firmware) @@ -66,14 +66,14 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [DTrace](#dtrace) * [Execution](#execution) * [Network](#network) -- [Binary Whitelisting](#binary-whitelisting) +- [Binary authorization](#binary-authorization) - [Miscellaneous](#miscellaneous) - [Related software](#related-software) - [Additional resources](#additional-resources) # Basics -Standard security best practices apply: +General security best practices apply: - Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) * What are you trying to protect and from whom? Is your adversary a three letter agency, a nosy eavesdropper on the network, or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? @@ -153,7 +153,7 @@ sudo scutil --set ComputerName MacBook sudo scutil --set LocalHostName MacBook ``` -# Admin and standard user accounts +# Admin and user accounts The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. 
@@ -1268,25 +1268,25 @@ The password assistant in **Keychain Access** can also generate secure credentia Consider using [Diceware](https://secure.research.vt.edu/diceware/) for memorable passwords. -GnuPG can also be used to manage passwords and other encrypted files (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh) for example). +GnuPG can also be used to manage passwords and other encrypted files (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh)). Ensure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. The strongest form of multi-factor authentication is [WebAuthN](https://en.wikipedia.org/wiki/WebAuthn), followed by app-based authenticators, and SMS-based codes are weakest. -[YubiKey](https://www.yubico.com/products/) is an affordable hardware tokens which offers WebAuthN. It can also be used to store cryptographic keys for GnuPG encryption and SSH authentication - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide). +[YubiKey](https://www.yubico.com/products/) is an affordable hardware token with WebAuthN support. It can also be used to store cryptographic keys for GnuPG encryption and SSH authentication - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide). # Backup -Always encrypt files locally before backing them up to external media or online services. +Encrypt files locally before backing them up to external media or online services. GnuPG can be used with a static password or public key (with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide)). 
-To compress and encrypt a directory using a password: +Compress and encrypt a directory using with a password: ```console tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg ``` -To decrypt and decompress the directory: +Decrypt and decompress the directory: ```console gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-*.tar.gz.gpg @@ -1307,6 +1307,7 @@ hdiutil eject /Volumes/secretStuff ``` Additional applications and services which offer backups include: + * [Tresorit](https://www.tresorit.com) * [SpiderOak](https://www.spideroak.com) * [Arq](https://www.arqbackup.com) @@ -1481,7 +1482,7 @@ tshark -Y "ssl.handshake.certificate" -Tfields \ Also see the simple networking monitoring application [BonzaiThePenguin/Loading](https://github.com/BonzaiThePenguin/Loading). -# Binary Whitelisting +# Binary authorization [google/santa](https://github.com/google/santa/) is a security software developed for Google's corporate Macintosh fleet and open sourced. @@ -1582,9 +1583,11 @@ $ ./foo Hello World ``` -Toggle Santa into "Lockdown" mode, which only allows whitelisted binaries to run: +Toggle Santa into "Lockdown" mode, which only allows authorized binaries to run: - $ sudo defaults write /var/db/santa/config.plist ClientMode -int 2 +```console +$ sudo defaults write /var/db/santa/config.plist ClientMode -int 2 +``` Try to run the unsigned binary: @@ -1602,7 +1605,7 @@ Identifier: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed Parent: bash (701) ``` -To whitelist a specific binary, determine its SHA-256 sum: +To authorize a binary, determine its SHA-256 sum: ```console $ santactl fileinfo /Users/demouser/foo @@ -1614,7 +1617,7 @@ Code-signed : No Rule : Blacklisted (Unknown) ``` -Add a whitelist rule: +Add a new rule: ```console $ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed 
@@ -1643,7 +1646,7 @@ $ open /Applications/Google\ Chrome.app/ LSOpenURLsWithRole() failed with error -10810 for the file /Applications/Google Chrome.app. ``` -Whitelist the application by its developer certificate (first item in the Signing Chain): +Authorize the application by the developer certificate (first item in the Signing Chain): ```console $ santactl fileinfo /Applications/Google\ Chrome.app/ @@ -1682,7 +1685,7 @@ Signing Chain: Valid Until : 2035/02/09 13:40:36 -0800 ``` -In this case, `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153` is the SHA-256 of Google’s Apple developer certificate (team ID EQHXZ8M8AV). To whitelist it: +In this case, `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153` is the SHA-256 of Google’s Apple developer certificate (team ID EQHXZ8M8AV) - authorize it: ```console $ sudo santactl rule --whitelist --certificate --sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 
@@ -1703,7 +1706,7 @@ A log and configuration server for Santa is available in [Zentral](https://githu Zentral will support Santa in both MONITORING and LOCKDOWN operation mode. Clients need to be enrolled with a TLS connection to sync Santa Rules, all Santa events from endpoints are aggregated and logged back in Zentral. Santa events can trigger actions and notifications from within the Zentral Framework. -**Note** Python, Bash and other interpreters are whitelisted (since they are signed by Apple's developer certificate), so Santa will not be able to block such scripts from executing. Thus, a potential non-binary program which disables Santa is a weakness (not vulnerability, since it is so by design) to take note of. +**Note** Python, Bash and other interpreters are authorized (since they are signed by Apple's developer certificate), so Santa will not be able to block such scripts from executing. Thus, a potential non-binary program which disables Santa is a weakness (not vulnerability, since it is so by design) to take note of. # Miscellaneous From bf7e08e8bc79e56bdae043b1e847793c088ea466 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:05:11 -0500 Subject: [PATCH 326/476] remove antivirus recommendation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3f66e5c5..19422677 100755 --- a/README.md +++ b/README.md 
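Review bot: `Compress and encrypt a directory using with a password:` (hunk `@@ -1268,25 +1268,25 @@`) has a leftover word; suggest `Compress and encrypt a directory with a password:`.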
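Review bot: `Add a new rule:` (hunk `@@ -1614,7 +1617,7 @@`) drops the word that told the reader what kind of rule is being added, while the command directly below it still reads `sudo santactl rule --whitelist --sha256 ...` and the output above it still says `Rule : Blacklisted (Unknown)`; consider `Add an allow rule:` so the prose still names the rule type, and note once that `--whitelist` is the flag name of the Santa version shown, so the renaming in the prose does not look like it was missed in the command.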
@@ -966,7 +966,7 @@ You can use iMessage with either a [phone number or an email](https://support.ap There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! -Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. [Malwarebytes Anti-Malware for Mac](https://www.malwarebytes.com/antimalware/mac/) is an excellent program for ridding oneself of "garden-variety" malware and other "crapware". +Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. This process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. 
See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. From 692b2518f2e6bd82ab0bee7ab208f1be889da495 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:09:55 -0500 Subject: [PATCH 327/476] remove ostarius --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 19422677..9e00173c 100755 --- a/README.md +++ b/README.md 
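Review bot: The replacement sentence in the hunk at @@ -966 overstates what notarization gives you: "ensures that the software is made by the real developers" is not what the linked Apple page describes; notarization ties the binary to a Developer ID signing identity and records that Apple's automated malware scan passed, it does not verify who the developer is. Suggest "confirms the software was signed with the developer's Apple-issued Developer ID certificate and passed Apple's automated malware scan". Removing the Malwarebytes sentence also leaves the paragraph with prevention advice only; the commit message should say why the cleanup recommendation was dropped and where a reader with an already-infected machine should turn. Style: lowercase "notarized" mid-sentence.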
@@ -970,7 +970,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue 90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). +You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) will help. See warnings and caveats in [issue 90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. From dba113cede5f430822fbd0d86f44397ad704ad71 Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:29:58 -0500 Subject: [PATCH 328/476] remove knock knock --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9e00173c..5b5faad3 100755 --- a/README.md +++ b/README.md @@ -970,7 +970,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) will help. See warnings and caveats in [issue 90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) first, however. An open-source alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). +Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) will help. An alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. From e22a3497284884f4300a271c63689d2e43fd3613 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:35:06 -0500 Subject: [PATCH 329/476] move virustotal to where mlawarebytes used to be --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
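Review bot: The hunk at @@ -970 drops "See warnings and caveats in issue 90 first, however" together with the KnockKnock mention, but that caveat was attached to BlockBlock as well, which the new line keeps and promotes from "Maybe ... will help" to "will help" with no stated reason. Keep the issue 90 pointer (or summarize the caveat inline) and keep the hedge, and have the commit message say why KnockKnock was removed; "remove knock knock" gives a reviewer nothing to check.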
diff --git a/README.md b/README.md index 5b5faad3..ec0cc413 100755 --- a/README.md +++ b/README.md 
@@ -968,11 +968,13 @@ There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bi Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. This process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. +To scan an application with multiple AV products and examine its behavior, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload) before running it. + See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) will help. An alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). -**Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. 
+Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). 
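Review bot: In the hunk at @@ -968, "upload it to VirusTotal before running it" needs the caveat that an upload shares the file with VirusTotal and its AV partners, which is inappropriate for proprietary, licensed or otherwise sensitive software. Suggest recommending a hash lookup first (VirusTotal accepts a SHA-256 search; `shasum -a 256 <file>` produces the hash on macOS) and uploading only when the hash is unknown. The "Locally installed" qualifier added to the Anti-virus paragraph is a good clarification now that it sits directly under the VirusTotal advice.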
@@ -980,8 +982,6 @@ Local privilege escalation bugs are plenty on macOS, so always be careful when d Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. -To scan an application with multiple AV products and examine its behavior, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload). - Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) # System Integrity Protection From a6bf430c0c9d6c88566c8078da1586fa6991cc12 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:46:01 -0500 Subject: [PATCH 330/476] remove support driver --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ec0cc413..48b540cd 100755 --- a/README.md +++ b/README.md 
@@ -982,7 +982,7 @@ Local privilege escalation bugs are plenty on macOS, so always be careful when d Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. -Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) +Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) # System Integrity Protection From 9a39fff1450cb94e61d48697dc84e6f21fe7625e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:47:51 -0500 Subject: [PATCH 331/476] re add --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 48b540cd..ec0cc413 100755 --- a/README.md +++ b/README.md 
@@ -982,7 +982,7 @@ Local privilege escalation bugs are plenty on macOS, so always be careful when d Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. -Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) +Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) # System Integrity Protection From 879f4e75e6dd4f39177e164cff49624ba01f4dc9 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:59:12 -0500 Subject: [PATCH 332/476] move xprotect --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ec0cc413..1d1274bc 100755 --- a/README.md +++ b/README.md 
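Review bot: The hunk in this commit ("re add") exactly reverts the hunk in the previous commit ("remove support driver"), so the series carries a no-op pair that only adds noise to `git log` and `git blame`; squash the two (or drop both) before merging. Whichever state is intended, the commit message should say why the Support driver link was removed or restored; neither "remove support driver" nor "re add" explains the decision.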
@@ -968,9 +968,13 @@ There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bi Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. This process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. +See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. + +## Antivirus + To scan an application with multiple AV products and examine its behavior, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload) before running it. -See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. +macOS comes with a built-in AV program called [XProtect](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8). 
XProtect automatically runs in the background and updates its signatures that it uses to detect malware without you having to do anything. If it detects malware already running, it will work to remove and mitigate it just like any other AV program. Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) will help. An alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). @@ -992,10 +996,6 @@ To verify SIP is enabled, use the command `csrutil status`, which should return: **Gatekeeper** and the **quarantine** system try to prevent unsigned or "bad" programs and files from running and opening. -**XProtect** prevents the execution of known bad files and outdated plugin versions, but does nothing to cleanup or stop existing malware. - -See also [Gatekeeper, XProtect and the Quarantine attribute](https://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html). - **Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. To examine the file, simply use `strings` or the following command: ```console From a059774a7ef14978eeb93e9f67b86d553c37f2f0 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 15:05:45 -0500 Subject: [PATCH 333/476] move and update gatekeeper --- README.md | 42 +++++++++++------------------------------- 1 file changed, 11 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 1d1274bc..c0e97c64 100755 --- a/README.md +++ b/README.md 
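Review bot: The two hunks at @@ -968 and @@ -992 replace the statement that XProtect "does nothing to cleanup or stop existing malware" with the opposite claim that it "will work to remove and mitigate it just like any other AV program", with no source for the reversal, although the commit is titled "move xprotect" as if it were a pure move. Cite the linked Apple page for the remediation claim or keep the original wording, and either keep the dropped point that XProtect also blocks outdated plugin versions and the "Gatekeeper, XProtect and the Quarantine attribute" reference, or list their removal in the commit message. Wording: "updates its signatures that it uses to detect malware" can be "updates the signatures it uses to detect malware".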
@@ -970,6 +970,12 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. +Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](https://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). + +Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. + +Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) + ## Antivirus To scan an application with multiple AV products and examine its behavior, upload it to [VirusTotal](https://www.virustotal.com/#/home/upload) before running it. 
@@ -982,44 +988,18 @@ Locally installed **Anti-virus** programs are generally a double-edged sword: th See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). -Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](https://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). +## Gatekeeper -Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. +**Gatekeeper** and the **quarantine** system try to prevent non-notarized .app files from running. -Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). 
For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) +If you try to run an app that isn't notarized, it will give you a warning. This can be easily bypassed if you open finder to where the program is and right click/control click on it and click Open. Then Gatekeeper will allow you to run it. + +Gatekeeper doesn't cover all binaries, only .app files so be careful when running other file types. # System Integrity Protection To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode. -# Gatekeeper and XProtect - -**Gatekeeper** and the **quarantine** system try to prevent unsigned or "bad" programs and files from running and opening. - -**Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. 
To examine the file, simply use `strings` or the following command: - -```console -echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, ' \ - 'LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | \ - sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 -``` - -To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and make it immutable: - -```console -:>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 - -sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 -``` - -Alternatively, you can also disable Gatekeeper using the following command: - -```console -sudo spctl --master-disable -``` - -(See and for reference) - # Metadata and artifacts macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: From 31bffc985b18ee3251db71a77a5521ee9b03f9f1 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 15:36:15 -0500 Subject: [PATCH 334/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c0e97c64..1928b1f6 100755 --- a/README.md +++ b/README.md 
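Review bot: Two problems in the hunk at @@ -982. First, the removed line said Gatekeeper and quarantine apply to "programs and files", while the new lines narrow this to ".app files" and add "Gatekeeper doesn't cover all binaries, only .app files" without a source; the "Metadata and artifacts" section right below describes the quarantine attribute being attached to downloaded files in general, so either qualify the new sentence (what exactly is not covered, and why) or cite a reference. Second, the commit is titled "move and update gatekeeper" but also deletes the `QuarantineEventsV2` privacy note, the sqlite3 query for reading it, the `chflags schg` workaround and the `spctl --master-disable` command; the privacy note does not depend on the Gatekeeper rewrite and still applies, so keep it (the Metadata and artifacts section is a natural home) or list the removals in the commit message. The empty "(See and for reference)" line was already broken, so dropping it is fine. Also, "This can be easily bypassed" describes the documented user override (right-click, Open), not a bypass; phrase it as an explicit override so readers do not take it as a weakness in the control.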
@@ -966,7 +966,7 @@ You can use iMessage with either a [phone number or an email](https://support.ap There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! -Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. This process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. +Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or that is [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. This process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. 
App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. From 677854627b1de0eec43a16c67c3de1fb71e8c383 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 15:36:56 -0500 Subject: [PATCH 335/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1928b1f6..97a5a957 100755 --- a/README.md +++ b/README.md 
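Review bot: The hunk at @@ -966 introduces a grammatical error: "Only running programs from the App Store or that is Notarized by Apple" does not agree (programs / is). Suggest "Only running programs from the App Store, or programs that are notarized by Apple, will help mitigate this issue."; the separate sentence starting "App Store apps undergo" is fine as is.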
@@ -966,7 +966,7 @@ You can use iMessage with either a [phone number or an email](https://support.ap There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! -Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or that is [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. This process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. +Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or that is [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. 
App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. From c08b71fec801233deb030e4a73636f4ca2d3dab6 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 15:48:57 -0500 Subject: [PATCH 336/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 97a5a957..fd7827b0 100755 --- a/README.md +++ b/README.md @@ -990,7 +990,7 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/soph ## Gatekeeper -**Gatekeeper** and the **quarantine** system try to prevent non-notarized .app files from running. +**Gatekeeper** tries to prevent non-notarized .app files from running. If you try to run an app that isn't notarized, it will give you a warning. This can be easily bypassed if you open finder to where the program is and right click/control click on it and click Open. Then Gatekeeper will allow you to run it. From 05b06725ee27b5307a26a8951c6bdf34206f697b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:01:29 -0500 Subject: [PATCH 337/476] update SIP link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fd7827b0..3ab2d4b7 100755 --- a/README.md +++ b/README.md 
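Review bot: In the hunk at @@ -990, dropping "and the quarantine system" removes the mechanism that explains the two sentences that follow it (why a warning appears, and why a right-click Open clears it). Keep one mention of quarantine, e.g. "Gatekeeper, driven by the quarantine flag on downloaded files, tries to prevent non-notarized .app files from running." The "or that is [Notarized]" agreement error is still present in the @@ -966 hunk above; "The notarization process ensures" is an improvement over "This process ensures".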
@@ -998,7 +998,7 @@ Gatekeeper doesn't cover all binaries, only .app files so be careful when runnin # System Integrity Protection -To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode. +To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection) through Recovery Mode. # Metadata and artifacts From 908c6b246bd766e9f82ad98980b64eabdbabc281 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:06:24 -0500 Subject: [PATCH 338/476] add warning about closed source --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ab2d4b7..5556e604 100755 --- a/README.md +++ b/README.md 
@@ -966,7 +966,7 @@ You can use iMessage with either a [phone number or an email](https://support.ap There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! -Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or that is [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. +Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or that is [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. 
App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. You should also avoid programs that ask for lots of permissions and closed source programs. See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. From 0f0882666d81bd1d4cbae6494e6d8ae33e256596 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:12:53 -0500 Subject: [PATCH 339/476] add more av info --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5556e604..0915cb2e 100755 --- a/README.md +++ b/README.md 
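Review bot: The sentence added in PATCH 338, "avoid programs that ask for lots of permissions and closed source programs", conflicts with the advice two sentences earlier to prefer App Store apps, since most App Store apps are closed source. Narrow it to the actual risk signal, for example: `You should also avoid programs that ask for more permissions than they need, and be more cautious with closed-source programs from developers you do not know.`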
@@ -986,6 +986,8 @@ Applications such as [BlockBlock](https://objective-see.com/products/blockblock. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. +They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They also tend to require payment information, and have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other "services" like VPNs and file backup programs and such. + See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). ## Gatekeeper From 182a5ec1906a432ce17992e388f880dc055d6de9 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:13:17 -0500 Subject: [PATCH 340/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0915cb2e..62ad8609 100755 --- a/README.md +++ b/README.md 
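Review bot: In the paragraph added in PATCH 339, "have run crypto mining software on their users' machines" is asserted about AV programs in general while the linked article covers a single vendor (the URL names norton-crypto); qualify it as "some vendors have" and name the case. "They tend to require payment information" is not a security or privacy property of the software and could be dropped, and "and such" at the end of the paragraph is filler.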
@@ -986,7 +986,7 @@ Applications such as [BlockBlock](https://objective-see.com/products/blockblock. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. -They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They also tend to require payment information, and have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other "services" like VPNs and file backup programs and such. +They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They tend to require payment information, and have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other "services" like VPNs and file backup programs and such. See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). From 898efa9b980ec264f7a7a7c54dc473b83c001e08 Mon Sep 17 00:00:00 2001 
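Review bot: PATCH 340 through PATCH 343 each change one word or phrase in the sentence that PATCH 339 introduced; squash them into that commit so the series carries one reviewed version of the paragraph instead of five drafts of it.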
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:13:43 -0500 Subject: [PATCH 341/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 62ad8609..f9350898 100755 --- a/README.md +++ b/README.md 
@@ -986,7 +986,7 @@ Applications such as [BlockBlock](https://objective-see.com/products/blockblock. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. -They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They tend to require payment information, and have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other "services" like VPNs and file backup programs and such. +They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They tend to require payment information, and have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other potentially unwanted "services" like VPNs and file backup programs and such. See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). From 3413d1d2b8f026c34759563cc79c0c5cd657624e Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:15:22 -0500 Subject: [PATCH 342/476] av info --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f9350898..04ba2037 100755 --- a/README.md +++ b/README.md 
@@ -986,7 +986,7 @@ Applications such as [BlockBlock](https://objective-see.com/products/blockblock. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. -They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They tend to require payment information, and have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other potentially unwanted "services" like VPNs and file backup programs and such. +They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They tend to require payment information, and have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other potentially unwanted "services" like VPNs, file backup programs, and browser extensions that scan all links and send them to the AV company. See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). 
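Review bot: The clause added in PATCH 342, "browser extensions that scan all links and send them to the AV company", is an unsourced claim; the "See ..." paragraph directly below already links the AVG "Web TuneUP" extension report, so either cite that (or another concrete case) inline or soften the wording to "may send".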
From 0ea25a86647c9a7d62705163e7d396ebc674b912 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:15:43 -0500 Subject: [PATCH 343/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 04ba2037..a59f3f66 100755 --- a/README.md +++ b/README.md 
@@ -986,7 +986,7 @@ Applications such as [BlockBlock](https://objective-see.com/products/blockblock. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. -They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They tend to require payment information, and have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other potentially unwanted "services" like VPNs, file backup programs, and browser extensions that scan all links and send them to the AV company. +They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They tend to require payment information, and some have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other potentially unwanted "services" like VPNs, file backup programs, and browser extensions that scan all links and send them to the AV company. See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. 
Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). From c179df4c5e03e4c5c8e7aa9347d4ff4676df2878 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:16:36 -0500 Subject: [PATCH 344/476] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a59f3f66..c19587cc 100755 --- a/README.md +++ b/README.md 
@@ -966,7 +966,7 @@ You can use iMessage with either a [phone number or an email](https://support.ap There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! -Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or that is [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. You should also avoid programs that ask for lots of permissions and closed source programs. +Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. 
The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. You should also avoid programs that ask for lots of permissions and closed source programs. See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. From e7747a06457f8027e7268b5f3c62ae3fa4c1c57b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 18 Mar 2024 17:07:46 -0500 Subject: [PATCH 345/476] re add knock knock --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c19587cc..577f3f61 100755 --- a/README.md +++ b/README.md 
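Review bot: Beyond the is/are fix in PATCH 344, "Notarized" should be lowercase mid-sentence, and "Only running programs from the App Store or that are notarized by Apple" still reads awkwardly. Suggest: `Running only programs from the App Store, or programs that are notarized by Apple, will help mitigate this issue.`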
@@ -982,7 +982,7 @@ To scan an application with multiple AV products and examine its behavior, uploa macOS comes with a built-in AV program called [XProtect](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8). XProtect automatically runs in the background and updates its signatures that it uses to detect malware without you having to do anything. If it detects malware already running, it will work to remove and mitigate it just like any other AV program. -Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) will help. An alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). +You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) might help. An alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. From 943d0fc57ba8799fbe543372d3b6f140f6a4b2fd Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:07:44 -0500 Subject: [PATCH 346/476] fix navigation --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 577f3f61..bbd3f50c 100755 --- a/README.md +++ b/README.md 
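Review bot: The sentence added in PATCH 345 mixes a detection tool with a prevention tool and then undercuts both. By the sentence's own description KnockKnock examines persistent items that are already present, so "by then, it is probably too late" applies to it, but the paragraph then offers BlockBlock only as something that "might help", with no indication that it is the earlier-in-time, preventive option. Suggest splitting the two: `Applications such as BlockBlock try to stop new persistence from being installed. You could also periodically run a tool like KnockKnock to list what is already persisted, which helps detect, not prevent, an infection.` Also, the KnockKnock link uses objective-see.org while the BlockBlock link in the same sentence uses objective-see.com; check that both resolve.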
@@ -53,8 +53,9 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [Signal](#signal) * [iMessage](#imessage) - [Viruses and malware](#viruses-and-malware) + * [Antivirus](#antivirus) + * [Gatekeeper](#gatekeeper) - [System Integrity Protection](#system-integrity-protection) -- [Gatekeeper and XProtect](#gatekeeper-and-xprotect) - [Metadata and artifacts](#metadata-and-artifacts) - [Passwords](#passwords) - [Backup](#backup) From ba61e7c7042ee27a87a26b82f3bce825140542ba Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:11:00 -0500 Subject: [PATCH 347/476] add prevention section --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index bbd3f50c..b89db3d2 100755 --- a/README.md +++ b/README.md @@ -53,6 +53,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [Signal](#signal) * [iMessage](#imessage) - [Viruses and malware](#viruses-and-malware) + * [Prevention](#prevention) * [Antivirus](#antivirus) * [Gatekeeper](#gatekeeper) - [System Integrity Protection](#system-integrity-protection) 
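Review bot: PATCH 346 removes the `#gatekeeper-and-xprotect` entry from the table of contents; grep the README for any remaining in-document links to that anchor, since the heading it pointed to no longer exists and a stale link will silently stop navigating on GitHub. The new `* [Antivirus]` and `* [Gatekeeper]` entries should also be checked against the actual heading text (`## Gatekeeper` is visible in PATCH 336; the Antivirus heading is not shown in this series).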
@@ -967,7 +968,13 @@ You can use iMessage with either a [phone number or an email](https://support.ap There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! -Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate this issue. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple automatically scans notarized apps for malware. You should also avoid programs that ask for lots of permissions and closed source programs. +Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. + +## Prevention + +Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. 
The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple performs and automated scan on notarized apps for malware. + +You should also avoid programs that ask for lots of permissions and third party closed source programs. See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. From 680ae01fd3efe2422a476664365bffcfc3fff48a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:14:11 -0500 Subject: [PATCH 348/476] reduce av --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index b89db3d2..e0ed6f95 100755 --- a/README.md +++ b/README.md 
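Review bot: The rewritten last sentence in PATCH 347 introduces a typo, "Apple performs and automated scan", which should be "Apple performs an automated scan". "third party" used as an adjective should be "third-party". Separately, the new `## Prevention` heading is placed so that the "See Methods of malware persistence ..." reading list and the news subscriptions below it fall under Prevention although they are background material; consider leaving them in the section intro above the heading.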
@@ -992,9 +992,7 @@ macOS comes with a built-in AV program called [XProtect](https://support.apple.c You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) might help. An alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). -Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. - -They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. They tend to require payment information, and some have run [crypto mining software](https://www.tomsguide.com/news/norton-crypto) on their users' machines before. Usually they come bundled with lots of other potentially unwanted "services" like VPNs, file backup programs, and browser extensions that scan all links and send them to the AV company. +Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. 
See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). From 22d6fa51d0afcd8f75108a902d40ef5ca3c0a32a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:22:53 -0500 Subject: [PATCH 349/476] add instructions to check for app sandbox --- README.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e0ed6f95..4a4bbb46 100755 --- a/README.md +++ b/README.md 
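Review bot: PATCH 348 deletes the sentences about payment information, crypto mining and bundled services that PATCH 339 added and PATCHes 340 to 343 polished earlier in this same series; squash the additions and this removal so the series does not carry text that never survives to the final version. The merged paragraph keeps the part worth keeping (sample submission to the vendor as a privacy concern).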
@@ -972,14 +972,30 @@ Some malware comes bundled with both legitimate software, such as the [Java bund ## Prevention -Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple performs and automated scan on notarized apps for malware. +Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple performs and automated scan on notarized apps for malware. + +Otherwise, get programs from trusted sources like directly from the developer's website or GitHub. Always make sure that your browser/terminal is using HTTPS when downloading any program. + +Check if a program uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) before running it by running the following command: + +```console +codesign -dvvv --entitlements - +``` + +If the App Sandbox is enabled, you will see + +```console + [Key] com.apple.security.app-sandbox + [Value] + [Bool] true +``` + +Alternatively, you can check while the app is running by opening Activity Monitor and adding the "Sandbox" column. You should also avoid programs that ask for lots of permissions and third party closed source programs. 
See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](https://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). - Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) From 1c0e78a9460154a254c0e24d9fe802c0195c12d7 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:38:52 -0500 Subject: [PATCH 350/476] navigation and more detail --- README.md | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 4a4bbb46..f683138d 100755 --- a/README.md +++ b/README.md 
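Review bot: The App Sandbox check command in PATCH 349, `codesign -dvvv --entitlements -`, is missing its target: the trailing `-` only tells codesign to write the entitlements to stdout, and the path to the bundle still has to follow it, so the line should read `codesign -dvvv --entitlements - /path/to/bundle.app`. The sentence "If the App Sandbox is enabled, you will see" also needs a colon before the output block. Finally, the same hunk deletes the "Local privilege escalation bugs are plenty ..." paragraph together with its arstechnica example, which was the only cited evidence for the "downloaded over HTTP" risk that the new "Always make sure that your browser/terminal is using HTTPS" sentence relies on; keep that link, for instance attached to the new sentence.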
@@ -53,7 +53,9 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [Signal](#signal) * [iMessage](#imessage) - [Viruses and malware](#viruses-and-malware) - * [Prevention](#prevention) + * [Downloading Software](#downloading-software) + * [App Sandbox](#app-sandbox) + * [Hardened Runtime](#hardened-runtime) * [Antivirus](#antivirus) * [Gatekeeper](#gatekeeper) - [System Integrity Protection](#system-integrity-protection) 
@@ -968,14 +970,24 @@ You can use iMessage with either a [phone number or an email](https://support.ap There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! -Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. +Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](https://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. -## Prevention +See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. + +Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. 
+ +Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) + +## Downloading Software Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple performs and automated scan on notarized apps for malware. Otherwise, get programs from trusted sources like directly from the developer's website or GitHub. Always make sure that your browser/terminal is using HTTPS when downloading any program. +You should also avoid programs that ask for lots of permissions and third party closed source programs. + +## App Sandbox + Check if a program uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) before running it by running the following command: ```console 
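Review bot: "Apple performs and automated scan" is carried over unchanged as a context line in the Downloading Software hunk of PATCH 350; since this commit already restructures that paragraph, fix it here ("performs an automated scan") rather than in a separate typo commit. Minor: "third party closed source programs" should be "third-party closed-source programs", and the "Also check out Hacking Team ..." paragraph moved into the section intro ends on a bare link with no terminating period.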
@@ -992,13 +1004,21 @@ If the App Sandbox is enabled, you will see Alternatively, you can check while the app is running by opening Activity Monitor and adding the "Sandbox" column. -You should also avoid programs that ask for lots of permissions and third party closed source programs. +All App Store apps are required to use the App Sandbox. -See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. +## Hardened Runtime -Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. +Check if a program uses the Hardened Runtime before running it using the following command: -Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) +```console +codesign --display --verbose /path/to/bundle.app +``` + +If Hardened Runtime is enabled, you will see `flags=0x10000(runtime)`. The "runtime" means Hardened Runtime is enabled. There might be other flags, but the runtime flag is what we're looking for here. 
+ +You can enable a column in Activity Monitor called "Restricted" which is a flag that prevents programs from injecting code via macOS's [dynamic linker](https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html). Ideally, this should say "Yes". + +Notarized apps are required to use the Hardened Runtime. ## Antivirus From 14f2618a07757f457d29bcd23bd56858618c3abe Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:45:23 -0500 Subject: [PATCH 351/476] typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f683138d..2ddf546f 100755 --- a/README.md +++ b/README.md 
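Review bot: the Hardened Runtime check tells the reader to expect `flags=0x10000(runtime)`, but the hex value changes whenever other flags are set (the next sentence concedes other flags may appear), so anyone matching the literal `0x10000` will get a false negative; suggest "look for `runtime` in the parenthesised flag list, e.g. `flags=0x10000(runtime)`". Worth adding that `codesign --display --verbose` writes this output to stderr, which matters if the reader pipes it into `grep`. The "Restricted" column sentence describes the flag as preventing code injection via the dynamic linker; more precisely it means dyld ignores `DYLD_*` environment variables for that process, which is what the linked post covers, so "prevents library injection through `DYLD_*` environment variables" would be clearer.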
@@ -980,7 +980,7 @@ Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hac ## Downloading Software -Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple performs and automated scan on notarized apps for malware. +Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple performs an automated scan on notarized apps for malware. Otherwise, get programs from trusted sources like directly from the developer's website or GitHub. Always make sure that your browser/terminal is using HTTPS when downloading any program. From ce78926f3d92f71e349ccf24b20792480a39e62f Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:47:06 -0500 Subject: [PATCH 352/476] add hardened runtime link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ddf546f..ab808c04 100755 --- a/README.md +++ b/README.md 
@@ -1008,7 +1008,7 @@ All App Store apps are required to use the App Sandbox. ## Hardened Runtime -Check if a program uses the Hardened Runtime before running it using the following command: +Check if a program uses the [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime) before running it using the following command: ```console codesign --display --verbose /path/to/bundle.app From f0ca1d7d8e59ba5ecf20377b8662db2a5e806ebf Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:47:47 -0500 Subject: [PATCH 353/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ab808c04..f4f569bc 100755 --- a/README.md +++ b/README.md 
@@ -1026,7 +1026,7 @@ To scan an application with multiple AV products and examine its behavior, uploa macOS comes with a built-in AV program called [XProtect](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8). XProtect automatically runs in the background and updates its signatures that it uses to detect malware without you having to do anything. If it detects malware already running, it will work to remove and mitigate it just like any other AV program. -You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) might help. An alternative could be [maclaunch.sh](https://github.com/hazcod/maclaunch). +You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) or [maclaunch.sh](https://github.com/hazcod/maclaunch) might help. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. From e95084791ae7a78e6f3fcdd55364f5c95faff4c4 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 07:48:15 -0500 Subject: [PATCH 354/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f4f569bc..7737409e 100755 --- a/README.md +++ b/README.md 
@@ -1028,7 +1028,7 @@ macOS comes with a built-in AV program called [XProtect](https://support.apple.c You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) or [maclaunch.sh](https://github.com/hazcod/maclaunch) might help. -Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern for some. +Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern. See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). 
From 4de3a010a545d8887003ca7acdeba1a60cca17f3 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 09:36:55 -0500 Subject: [PATCH 355/476] add browser note --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 7737409e..0ad4774c 100755 --- a/README.md +++ b/README.md @@ -1006,6 +1006,8 @@ Alternatively, you can check while the app is running by opening Activity Monito All App Store apps are required to use the App Sandbox. +**Note:** Browsers like Google Chrome use their own strong sandbox so they don't use the App Sandbox. This is fine, you mainly need to worry about other types of programs not being sandboxed. + ## Hardened Runtime Check if a program uses the [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime) before running it using the following command: From 9a283a4456a5e497334cb92e653e92ec2634e649 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 20:45:35 -0500 Subject: [PATCH 356/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0ad4774c..1a832707 100755 --- a/README.md +++ b/README.md 
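Review bot: "This is fine, you mainly need to worry about other types of programs not being sandboxed" is an unqualified reassurance with nothing in the hunk to back it; Chromium's sandbox isolates renderer and utility processes while the main browser process runs unsandboxed, so suggest dropping the second sentence or replacing it with "Chrome's own sandbox isolates its renderer processes, so the missing App Sandbox flag is expected for it."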
@@ -980,7 +980,7 @@ Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hac ## Downloading Software -Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. The notarization process ensures that the software is made by the real developers and that it hasn't been tampered with between the developers and your computer. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Apple performs an automated scan on notarized apps for malware. +Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. Apple performs an automated scan on notarized apps for malware. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. Otherwise, get programs from trusted sources like directly from the developer's website or GitHub. Always make sure that your browser/terminal is using HTTPS when downloading any program. From e351abd3d6a8fb526cbefcb58342cd1526d35f02 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 20:47:18 -0500 Subject: [PATCH 357/476] add open source blurb --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a832707..134ff944 100755 --- a/README.md +++ b/README.md 
@@ -984,7 +984,7 @@ Only running programs from the App Store or that are [Notarized](https://support Otherwise, get programs from trusted sources like directly from the developer's website or GitHub. Always make sure that your browser/terminal is using HTTPS when downloading any program. -You should also avoid programs that ask for lots of permissions and third party closed source programs. +You should also avoid programs that ask for lots of permissions and third party closed source programs. Open source code allows anyone to audit and examine the code for security/privacy issues. ## App Sandbox From 213f3305b267813db1ac1979b42699112810fee9 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 20:48:31 -0500 Subject: [PATCH 358/476] added chromium sandbox link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 134ff944..1572a1ad 100755 --- a/README.md +++ b/README.md @@ -1006,7 +1006,7 @@ Alternatively, you can check while the app is running by opening Activity Monito All App Store apps are required to use the App Sandbox. -**Note:** Browsers like Google Chrome use their own strong sandbox so they don't use the App Sandbox. This is fine, you mainly need to worry about other types of programs not being sandboxed. +**Note:** Browsers like Google Chrome use their own [strong sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md) so they don't use the App Sandbox. ## Hardened Runtime From 500430768035718db8e13f1cd277718d5b1d7d7c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 20:50:00 -0500 Subject: [PATCH 359/476] replace .app with apps --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1572a1ad..4232c276 100755 --- a/README.md +++ b/README.md 
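Review bot: the added sentence "Open source code allows anyone to audit and examine the code for security/privacy issues" presents a possibility as if it were a guarantee; suggest adding that available source does not mean the code has been audited, and that a downloaded binary only corresponds to the published source when the build is reproducible or the reader builds it themselves.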
@@ -1036,11 +1036,11 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/soph ## Gatekeeper -**Gatekeeper** tries to prevent non-notarized .app files from running. +**Gatekeeper** tries to prevent non-notarized apps from running. If you try to run an app that isn't notarized, it will give you a warning. This can be easily bypassed if you open finder to where the program is and right click/control click on it and click Open. Then Gatekeeper will allow you to run it. -Gatekeeper doesn't cover all binaries, only .app files so be careful when running other file types. +Gatekeeper doesn't cover all binaries, only apps so be careful when running other file types. # System Integrity Protection From 2d51d07813cda6154a7afea114c63054d286031d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 20:51:18 -0500 Subject: [PATCH 360/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4232c276..ca7ab63c 100755 --- a/README.md +++ b/README.md @@ -1038,7 +1038,7 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/soph **Gatekeeper** tries to prevent non-notarized apps from running. -If you try to run an app that isn't notarized, it will give you a warning. This can be easily bypassed if you open finder to where the program is and right click/control click on it and click Open. Then Gatekeeper will allow you to run it. +If you try to run an app that isn't notarized, Gatekeeper will give you a warning. This can be easily bypassed if you open Finder to where the program is and right click/control click on it and select Open. Then Gatekeeper will allow you to run it. Gatekeeper doesn't cover all binaries, only apps so be careful when running other file types. From 7c6f99246c73c3867d6076838460920d22343af1 Mon Sep 17 00:00:00 2001 
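Review bot: "Gatekeeper doesn't cover all binaries, only apps" in the second changed line is inaccurate as worded: Gatekeeper evaluates any downloaded item that carries the `com.apple.quarantine` extended attribute (packages, disk images and command-line binaries saved by a browser included); what it does not cover is files that never received the attribute, such as downloads made with `curl` or archives unpacked by tools that do not propagate it. Suggest "Gatekeeper only checks files that carry the quarantine attribute, so be careful with binaries fetched from the terminal or unpacked by tools that strip it." In the following sentence, "easily bypassed" describes Apple's documented user override; "overridden" would be the more precise word.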
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 19 Mar 2024 22:45:41 -0500 Subject: [PATCH 361/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ca7ab63c..220ada9b 100755 --- a/README.md +++ b/README.md @@ -1006,7 +1006,7 @@ Alternatively, you can check while the app is running by opening Activity Monito All App Store apps are required to use the App Sandbox. -**Note:** Browsers like Google Chrome use their own [strong sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md) so they don't use the App Sandbox. +**Note:** Browsers like Google Chrome use their own [sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md) so they don't use the App Sandbox. ## Hardened Runtime From bb80002121440829fd8ea78f1f89a1b7bd4fd161 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 21 Mar 2024 12:30:56 -0500 Subject: [PATCH 362/476] add threat modeling --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 220ada9b..08c63cf6 100755 --- a/README.md +++ b/README.md 
@@ -100,6 +100,26 @@ General security best practices apply: * Ultimately, the security of a system depends on the capabilities of its administrator. * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. +# Threat Modeling + +The first and most important step for security and privacy is to create a threat model. After all, how can we have security when we don't even know what we're securing against? Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. + +Step 1: Identify what you're protecting + +This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make an actual list of all the things you can think of that you want to protect and store it somewhere. + +Step 2: Identify threat/s + +Define what you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. For example, you might have a shared family computer so you want to protect your computer from malware but not your family, while you want to protect your phone from both your family and malware. + +Step 3: Come up with ways to mitigate the threats + +Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. 
You'll need to think about the capabilities of each threat: for example, a common thief will generally be stopped by drive encryption even with a weak password, while a high-resource adversary will have access to advanced computers that can crack weak passwords easily. + +Step 4: Implement your plan + +Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. + # Hardware macOS is most secure running on [Apple hardware](https://support.apple.com/guide/security/hardware-security-overview-secf020d1074/1/web/1) with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one. From 055624a3f4a98e439169af574d25a5c0535246e2 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 21 Mar 2024 12:32:23 -0500 Subject: [PATCH 363/476] add nav --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 08c63cf6..b080aaad 100755 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github - [Basics](#basics) +- [Threat Modeling](#threat-modeling) - [Hardware](#hardware) - [Installing macOS](#installing-macos) * [System activation](#system-activation) From ce56060635955cc0c9301d60eccb96f3890a2bfb Mon Sep 17 00:00:00 2001 
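Review bot: the "Step N:" lines in the new Threat Modeling section are plain paragraphs, while every other section of this README uses `#`/`##` headings (see `# Hardware` immediately below), so they will neither render as headings nor appear in the navigation list; suggest `## Step 1: Identify what you're protecting` and so on. Step 3 also buries the adversary-capability reasoning inside the mitigation text ("You'll need to think about the capabilities of each threat"); capabilities deserve their own step between identifying adversaries and choosing mitigations, since the mitigation choice depends on them.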
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 21 Mar 2024 12:33:29 -0500 Subject: [PATCH 364/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b080aaad..a1d08cea 100755 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ The first and most important step for security and privacy is to create a threat Step 1: Identify what you're protecting -This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make an actual list of all the things you can think of that you want to protect and store it somewhere. +This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list of all the things you can think of that you want to protect and store it somewhere. Step 2: Identify threat/s From cc6ab7e626422da29dc2f68da77ad0ac933b49d4 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 22 Mar 2024 14:01:40 -0500 Subject: [PATCH 365/476] add threat model link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a1d08cea..efea8dad 100755 --- a/README.md +++ b/README.md 
@@ -103,7 +103,7 @@ General security best practices apply: # Threat Modeling -The first and most important step for security and privacy is to create a threat model. After all, how can we have security when we don't even know what we're securing against? Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. +The first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). After all, how can we have security when we don't even know what we're securing against? Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. Step 1: Identify what you're protecting From 85df91739d7ed4dbfcf5ba0b8b8c49bf68c58036 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 22 Mar 2024 14:27:19 -0500 Subject: [PATCH 366/476] change threats to adversaries --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index efea8dad..071e6aee 100755 --- a/README.md +++ b/README.md 
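Review bot: the link target `https://www.owasp.org/index.php/Application_Threat_Modeling` is the old OWASP MediaWiki path; those URLs currently redirect but have been going dead as the wiki is retired, so suggest linking the current OWASP community threat-modeling page instead.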
@@ -109,7 +109,7 @@ Step 1: Identify what you're protecting This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list of all the things you can think of that you want to protect and store it somewhere. -Step 2: Identify threat/s +Step 2: Identify adversaries Define what you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. For example, you might have a shared family computer so you want to protect your computer from malware but not your family, while you want to protect your phone from both your family and malware. From e15c0339a7721236a3c9ea55fd3b305e37fbfc06 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 22 Mar 2024 14:29:18 -0500 Subject: [PATCH 367/476] change what to whom --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 071e6aee..fb2b7456 100755 --- a/README.md +++ b/README.md 
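Review bot: the heading is renamed to "Identify adversaries" but the unchanged body below still says "Different threats will have different capabilities", and Step 3's heading still reads "mitigate the threats"; in a section teaching threat modeling, using "threat" and "adversary" interchangeably is confusing, since an adversary is who and a threat is what they can do to an asset. Suggest "adversaries" consistently for the who and "threats" for the what.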
@@ -111,7 +111,7 @@ This is probably a lot of things: your phone, your laptop, passwords stored on y Step 2: Identify adversaries -Define what you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. For example, you might have a shared family computer so you want to protect your computer from malware but not your family, while you want to protect your phone from both your family and malware. +Define whom you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. For example, you might have a shared family computer so you want to protect your computer from malware but not your family, while you want to protect your phone from both your family and malware. Step 3: Come up with ways to mitigate the threats From 227d52555571ce547a88003911f23bc4a725a223 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 22 Mar 2024 16:33:56 -0500 Subject: [PATCH 368/476] add additional reading --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index fb2b7456..771db487 100755 --- a/README.md +++ b/README.md 
@@ -121,6 +121,8 @@ Step 4: Implement your plan Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. +Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). + # Hardware macOS is most secure running on [Apple hardware](https://support.apple.com/guide/security/hardware-security-overview-secf020d1074/1/web/1) with Apple silicon. The newer the Mac, the better. Avoid hackintoshes and Macs that don't support the latest macOS, as Apple doesn't [patch all vulnerabilities](https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a) in versions that aren't the most recent one. From c707a6e5d9f3f8525947cc63ffb09f73b99edf1b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 22 Mar 2024 16:41:14 -0500 Subject: [PATCH 369/476] add identify capabilities --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 771db487..a1fa68a7 100755 --- a/README.md +++ b/README.md 
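Review bot: the link text "here" in "Read more about threat modeling [here](...)" is the only bare "here" link in the README, which otherwise uses descriptive link text; suggest using the post's title as the link text so the link is meaningful out of context.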
@@ -113,11 +113,15 @@ Step 2: Identify adversaries Define whom you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. For example, you might have a shared family computer so you want to protect your computer from malware but not your family, while you want to protect your phone from both your family and malware. -Step 3: Come up with ways to mitigate the threats +Step 3: Identify the adversaries' capabilities + +In order to counter your adversaries, you'll need to understand what they're capable of. + +Step 4: Come up with ways to mitigate the threats Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. You'll need to think about the capabilities of each threat: for example, a common thief will generally be stopped by drive encryption even with a weak password, while a high-resource adversary will have access to advanced computers that can crack weak passwords easily. -Step 4: Implement your plan +Step 5: Implement your plan Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. From b2a559ac8d28453edcda070d914a8995ae821366 Mon Sep 17 00:00:00 2001 
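Review bot: the new Step 3 body is a single sentence, while the unchanged Step 4 body still carries the capability discussion ("You'll need to think about the capabilities of each threat: for example, a common thief ... a high-resource adversary ..."), so that material now sits under the wrong step; suggest moving that sentence and its thief/high-resource example up into Step 3 and leaving Step 4 with the mitigation choices only.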
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 22 Mar 2024 16:41:40 -0500 Subject: [PATCH 370/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a1fa68a7..c4a65536 100755 --- a/README.md +++ b/README.md @@ -115,7 +115,7 @@ Define whom you are defending against. Examples could be a nosy roommate, passiv Step 3: Identify the adversaries' capabilities -In order to counter your adversaries, you'll need to understand what they're capable of. +In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Step 4: Come up with ways to mitigate the threats From 3ef2bfe027c98d4ba681683f6ba34700efe9b047 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:29:15 -0500 Subject: [PATCH 371/476] add table --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index c4a65536..c0384bed 100755 --- a/README.md +++ b/README.md 
@@ -125,6 +125,15 @@ Step 5: Implement your plan Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. +| Asset | +|---| +| Phone | +|---| +| Adversary | Motivation | Capabilities | +|---|---|---| +| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | +| NSA | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | + Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). # Hardware From 1af5d764bbe55fe93212635dcc3f4c69985723f4 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:31:02 -0500 Subject: [PATCH 372/476] table fix --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c0384bed..a52b927a 100755 --- a/README.md +++ b/README.md 
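Review bot: the added table is not valid GitHub-flavored markdown: a table has exactly one header row followed by one separator row, so the `| Asset |`, `|---|`, `| Phone |`, `|---|` block followed by a second header row will render as a one-column table with a stray `---` cell or break the table entirely. Suggest placing the asset outside the table (for example a bold "Asset: Phone" line) and keeping a single Adversary/Motivation/Capabilities table. The table also has no mitigation column, so it does not yet close the loop that Step 4 describes.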
@@ -126,11 +126,11 @@ Step 5: Implement your plan Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. | Asset | -|---| +| --- | | Phone | -|---| +| --- | | Adversary | Motivation | Capabilities | -|---|---|---| +| --- | --- | --- | | Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | | NSA | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | From b2e3ebdcac2b87853cb0aeb3808906a5e26126b7 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:34:17 -0500 Subject: [PATCH 373/476] table --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a52b927a..ad227b4a 100755 --- a/README.md +++ b/README.md 
@@ -125,10 +125,8 @@ Step 5: Implement your plan Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. -| Asset | -| --- | -| Phone | -| --- | +**Asset: Phone** + | Adversary | Motivation | Capabilities | | --- | --- | --- | | Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | From d8d4956c4e66e55be93e81e295f067ddd28842d2 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:37:00 -0500 Subject: [PATCH 374/476] add mitigation --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ad227b4a..06727214 100755 --- a/README.md +++ b/README.md 
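Review bot: Replacing the one-column table with `**Asset: Phone**` plus a blank line is the right fix; the blank line is required, since a table immediately after a paragraph line is not recognized. One follow-up: the intro text says to make this table "for each asset", so the label should stay attached to the table when it is edited later, otherwise the example loses the asset it describes.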
@@ -127,10 +127,10 @@ Start implementing your strategies. Depending on how serious or time-sensitive y **Asset: Phone** -| Adversary | Motivation | Capabilities | -| --- | --- | --- | -| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | -| NSA | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | +| Adversary | Motivation | Capabilities | Mitigation | +| --- | --- | --- | --- | +| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use security key or biometrics, use privacy screen, keep phone locked when I'm not using it | +| NSA | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From 5ca17c6f165d7a64d017fb31a149a064fcb2ea97 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:42:04 -0500 Subject: [PATCH 375/476] update table --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 06727214..1fcbf41f 100755 --- a/README.md +++ b/README.md 
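Review bot: The Mitigation column is internally inconsistent with the Capabilities column for the NSA row: the capability lists "advanced computers for cracking encryption", yet the mitigation is just "Always use encryption for all connections", which does not say what kind. State that the mitigation is modern, well-configured transport or end-to-end encryption, and note that encrypting packet contents does not hide metadata (endpoints, timing, volume), which the "passive surveillance of internet infrastructure" capability still covers. For the Family row, "security key" does not match the stated capability (watching the password being typed); biometrics, the privacy screen and keeping the phone locked are the relevant controls.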
@@ -131,6 +131,7 @@ Start implementing your strategies. Depending on how serious or time-sensitive y | --- | --- | --- | --- | | Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use security key or biometrics, use privacy screen, keep phone locked when I'm not using it | | NSA | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | +| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From 09624de07c036dd305bb041770820ea4f9f63b30 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:43:13 -0500 Subject: [PATCH 376/476] remove examples --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1fcbf41f..d5421f07 100755 --- a/README.md +++ b/README.md 
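Review bot: The Thief row lists a capability of taking the phone "while it's logged in" but no mitigation for the case where the theft succeeds: every mitigation in the row is preventive (keep in sight, keep locked, biometrics). Add a post-theft control, for example a remote locate/lock/wipe service set up in advance, and, since the motivation includes draining bank accounts, changing passwords and revoking sessions from another device.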
@@ -111,7 +111,7 @@ This is probably a lot of things: your phone, your laptop, passwords stored on y Step 2: Identify adversaries -Define whom you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. For example, you might have a shared family computer so you want to protect your computer from malware but not your family, while you want to protect your phone from both your family and malware. +Define whom you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. Step 3: Identify the adversaries' capabilities @@ -119,7 +119,7 @@ In order to counter your adversaries, you'll need to understand what they're cap Step 4: Come up with ways to mitigate the threats -Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. You'll need to think about the capabilities of each threat: for example, a common thief will generally be stopped by drive encryption even with a weak password, while a high-resource adversary will have access to advanced computers that can crack weak passwords easily. +Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. Step 5: Implement your plan From 007194a9ec982ca92f9e27144ac60c6410d19a2f Mon Sep 17 00:00:00 2001 
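Review bot: Removing the example from Step 2 ("you might have a shared family computer so you want to protect your computer from malware but not your family...") drops the only concrete illustration of the asset-to-adversary mapping that the remaining sentence ("connect which assets you're protecting from which adversaries") asks the reader to do. If the removal is to avoid overlap with the example table, the table should then carry that illustration, i.e. show the same asset against several adversaries with different mitigations.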
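Review bot: In the Step 4 hunk, the deleted sentence ("a common thief will generally be stopped by drive encryption even with a weak password, while a high-resource adversary ... can crack weak passwords easily") is the one place where the guide says that mitigation strength must be matched to the adversary's capability. Removing it leaves Step 4 with two isolated examples and no rule for choosing between them; if the sentence is cut here, the same point should be made in Step 3 (capabilities) so it is not lost.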
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:44:32 -0500 Subject: [PATCH 377/476] wording --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d5421f07..a0c35ce3 100755 --- a/README.md +++ b/README.md @@ -129,9 +129,9 @@ Start implementing your strategies. Depending on how serious or time-sensitive y | Adversary | Motivation | Capabilities | Mitigation | | --- | --- | --- | --- | -| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use security key or biometrics, use privacy screen, keep phone locked when I'm not using it | +| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use biometrics, use privacy screen, keep phone locked when I'm not using it | | NSA | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | -| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public | +| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track stolen phone | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). 
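Review bot: The subject "wording" understates this change: adding "use Find My or similar service to track stolen phone" is a new mitigation, not a rewording, and it is the first control in the row that still works after the phone has been taken. Its caveat is worth a few words in the cell: the service has to be enabled before the theft and the device has to stay reachable for location or remote actions to work. Dropping "security key" from the Family row is correct, since the capability there is watching the password being typed.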
From e5e2cd786394c05c0d55eb2db11db9e232a5346d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:45:15 -0500 Subject: [PATCH 378/476] add example wording --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index a0c35ce3..60ffff14 100755 --- a/README.md +++ b/README.md @@ -125,6 +125,8 @@ Step 5: Implement your plan Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. +Here's an example of the type of table you should make for each asset you want to protect: + **Asset: Phone** | Adversary | Motivation | Capabilities | Mitigation | From cc6e424a0fc816f4c340bd70bc68acf7d18aa12b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:49:07 -0500 Subject: [PATCH 379/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 60ffff14..041212bc 100755 --- a/README.md +++ b/README.md 
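Review bot: The new sentence "Here's an example of the type of table you should make for each asset you want to protect" introduces the table but does not explain its shape. One clause saying that each row is one adversary and that the Mitigation column should answer the Capabilities column for that adversary would make the example easier to reproduce for other assets.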
@@ -133,7 +133,7 @@ Here's an example of the type of table you should make for each asset you want t | --- | --- | --- | --- | | Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use biometrics, use privacy screen, keep phone locked when I'm not using it | | NSA | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | -| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track stolen phone | +| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen phone | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From 18dda896d2d32c82333ddd18a1054e1ebadfb708 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 09:56:11 -0500 Subject: [PATCH 380/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 041212bc..475b5635 100755 --- a/README.md +++ b/README.md 
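Review bot: "track/remotely disable" is better than "track", but "disable" is vague; the useful post-theft actions are remote lock and remote wipe, and the Motivation column ("drain bank accounts") also calls for revoking sessions and changing passwords from another device, which a device-level service does not do. Consider naming those actions explicitly. The row is also getting long enough that splitting the mitigations into a bulleted cell or shortening them would help readability.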
@@ -105,7 +105,7 @@ General security best practices apply: The first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). After all, how can we have security when we don't even know what we're securing against? Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. -Step 1: Identify what you're protecting +Step 1: Identify valuable assets This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list of all the things you can think of that you want to protect and store it somewhere. From d680c920a12b4fa78d9ec824e9d40cb6825f8d4d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 16:01:58 -0500 Subject: [PATCH 381/476] add sensitivity levels --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 475b5635..63ad657b 100755 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ The first and most important step for security and privacy is to create a [threa Step 1: Identify valuable assets -This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list of all the things you can think of that you want to protect and store it somewhere. +This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list starting with the most important assets to protect. You can put them in categories based on how important they are: public, sensitive, or secret. Step 2: Identify adversaries From f74de99f46a7df8d9e90d2b719d86fcabdfc309e Mon Sep 17 00:00:00 2001 
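Review bot: In the PATCH 381 hunk, "categories based on how important they are: public, sensitive, or secret" mixes two different scales. Public/sensitive/secret are confidentiality classifications (what the subject line calls sensitivity levels), whereas importance for a device such as the phone or laptop also covers availability and integrity. Suggest "based on how sensitive they are" for these three categories, and keep "most important" for the ordering of the list.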
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 16:04:35 -0500 Subject: [PATCH 382/476] makes steps subsections --- README.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 63ad657b..8ee06e28 100755 --- a/README.md +++ b/README.md @@ -13,6 +13,11 @@ To suggest an improvement, send a pull request or [open an issue](https://github - [Basics](#basics) - [Threat Modeling](#threat-modeling) + * [Step 1](#step-1-identify-valuable-assets) + * [Step 2](#step-2-identify-adversaries) + * [Step 3](#step-3-identify-the-adversaries-capabilities) + * [Step 4](#step-4-come-up-with-ways-to-mitigate-the-threats) + * [Step 5](#step-5-implement-your-plan) - [Hardware](#hardware) - [Installing macOS](#installing-macos) * [System activation](#system-activation) 
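Review bot: The new TOC entries "Step 1" to "Step 5" carry no information about what each step is; a reader scanning the contents cannot tell "Step 3" from "Step 4". Use the heading text after the colon ("Identify valuable assets", "Identify adversaries", ...) as the link text, keeping the anchors as they are.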
@@ -105,23 +110,23 @@ General security best practices apply: The first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). After all, how can we have security when we don't even know what we're securing against? Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. -Step 1: Identify valuable assets +## Step 1: Identify valuable assets This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list starting with the most important assets to protect. You can put them in categories based on how important they are: public, sensitive, or secret. -Step 2: Identify adversaries +## Step 2: Identify adversaries Define whom you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. -Step 3: Identify the adversaries' capabilities +## Step 3: Identify the adversaries' capabilities In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. -Step 4: Come up with ways to mitigate the threats +## Step 4: Come up with ways to mitigate the threats Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. -Step 5: Implement your plan +## Step 5: Implement your plan Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. 
Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. From 6f374a855fb6bd1db1cf1f0fbb51ed2f58739a8e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 16:05:17 -0500 Subject: [PATCH 383/476] change basics threat modeling link to local link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8ee06e28..610d2d60 100755 --- a/README.md +++ b/README.md @@ -85,7 +85,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github General security best practices apply: -- Create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling) +- Create a [threat model](#threat-modeling) * What are you trying to protect and from whom? Is your adversary a three letter agency, a nosy eavesdropper on the network, or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? * Recognize threats and how to reduce attack surface against them. From e851efe8b4e19f3c2b6986cb2b01cd919047c51b Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 16:06:19 -0500 Subject: [PATCH 384/476] change rhetorical question --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 610d2d60..0d15e39d 100755 --- a/README.md +++ b/README.md 
@@ -108,7 +108,7 @@ General security best practices apply: # Threat Modeling -The first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). After all, how can we have security when we don't even know what we're securing against? Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. +The first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). You need to understand your adversaries in order to defend against them. Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. ## Step 1: Identify valuable assets From 66e08eb84cdb793bc1f16c50f92e8d8814f09284 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 16:09:06 -0500 Subject: [PATCH 385/476] add motivation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d15e39d..55a3e119 100755 --- a/README.md +++ b/README.md 
@@ -116,7 +116,7 @@ This is probably a lot of things: your phone, your laptop, passwords stored on y ## Step 2: Identify adversaries -Define whom you are defending against. Examples could be a nosy roommate, passive data collection on internet infrastructure, a thief, etc. Different threats will have different capabilities, so it's useful to connect which assets you're protecting from which adversaries. +Define whom you are defending against. Start by defining the motivation they might have to attack your assets. [Financial gain](https://www.verizon.com/business/resources/reports/dbir/) is a big motivator for many attackers, for example. ## Step 3: Identify the adversaries' capabilities From 01762c8a7c16b8ce1bca67efbc29f2a62af88cbd Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 16:13:09 -0500 Subject: [PATCH 386/476] add capability ranking --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 55a3e119..4a00abc7 100755 --- a/README.md +++ b/README.md @@ -120,7 +120,7 @@ Define whom you are defending against. Start by defining the motivation they mig ## Step 3: Identify the adversaries' capabilities -In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. +In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally usophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password. ## Step 4: Come up with ways to mitigate the threats From fda195869f1aa5a72ea09cf3c07e052e42617bbe Mon Sep 17 00:00:00 2001 
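Review bot: In the PATCH 385 hunk, the replaced sentence removes "it's useful to connect which assets you're protecting from which adversaries", which is the idea the per-asset example table is built on; adding motivation is good, but keep that mapping sentence so Step 2 still explains why the table has one asset per table and one adversary per row. Also the "Financial gain" link text hides what is being cited; naming the DBIR report in the text would make the reference clearer.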
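Review bot: In the PATCH 386 hunk, "usophisticated" should be "unsophisticated". Beyond the typo, the added sentence puts mitigations (password plus drive encryption, powering off to clear keys from RAM, a long diceware password) under Step 3, which is about capabilities; Step 4 is where mitigations belong. Keep the ranking here ("a common thief can shoulder surf; a state actor can tap infrastructure and attack keys in memory") and move the countermeasures to Step 4, where they also reinstate the matching rule that PATCH 376 removed.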
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 16:14:47 -0500 Subject: [PATCH 387/476] re order table by difficulty --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4a00abc7..8b83a1fa 100755 --- a/README.md +++ b/README.md @@ -132,13 +132,11 @@ Start implementing your strategies. Depending on how serious or time-sensitive y Here's an example of the type of table you should make for each asset you want to protect: -**Asset: Phone** - | Adversary | Motivation | Capabilities | Mitigation | | --- | --- | --- | --- | -| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use biometrics, use privacy screen, keep phone locked when I'm not using it | -| NSA | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | +| Nation State | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | | Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen phone | +| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use biometrics, use privacy screen, keep phone locked when I'm not using it | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). 
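Review bot: This hunk removes the `**Asset: Phone**` label, but the sentence above the table still says the table is made "for each asset you want to protect", so the example no longer says which asset it is for. The subject says "re order table by difficulty", yet the hunk also renames "NSA" to "Nation State" and drops the label; those are separate changes and the label removal looks unintended. Suggest restoring the label (or a caption) above the table.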
From dc91b5b60c7b7ad662a70f367dc3b929107a161c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 16:18:28 -0500 Subject: [PATCH 388/476] add hacker --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8b83a1fa..bafd2615 100755 --- a/README.md +++ b/README.md @@ -135,6 +135,7 @@ Here's an example of the type of table you should make for each asset you want t | Adversary | Motivation | Capabilities | Mitigation | | --- | --- | --- | --- | | Nation State | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | +| Hacker | Infect my device with malware to steal personal info and/or money | Run unauthorized code on my computer to steal my info | Use sandboxing, enable security features in my OS, keep OS and all software updated and turn on autoupdates | | Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen phone | | Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use biometrics, use privacy screen, keep phone locked when I'm not using it | From 8c12a624aff7bf334e73744e795fd9b5cbbf4ab0 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:39:30 -0500 Subject: [PATCH 389/476] change nav to section titles --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index bafd2615..0c8da890 100755 --- a/README.md 
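Review bot: The new Hacker row describes the asset as "my computer" ("Run unauthorized code on my computer"), while every other row in this table is about the phone (shoulder surfing, Find My, privacy screen). Since the intro says to build one table per asset, either word the row asset-neutrally ("my device") or keep a separate table for the computer. The mitigations themselves (sandboxing, OS security features, updates, autoupdate) are appropriate and match the capability described.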
+++ b/README.md @@ -13,11 +13,11 @@ To suggest an improvement, send a pull request or [open an issue](https://github - [Basics](#basics) - [Threat Modeling](#threat-modeling) - * [Step 1](#step-1-identify-valuable-assets) - * [Step 2](#step-2-identify-adversaries) - * [Step 3](#step-3-identify-the-adversaries-capabilities) - * [Step 4](#step-4-come-up-with-ways-to-mitigate-the-threats) - * [Step 5](#step-5-implement-your-plan) + * [Identify Valuable Assets](#step-1-identify-valuable-assets) + * [Identify Adversaries](#step-2-identify-adversaries) + * [Identify Adversaries' Capabilities](#step-3-identify-the-adversaries-capabilities) + * [Come up with Mitigations](#step-4-come-up-with-ways-to-mitigate-the-threats) + * [Implement Your Plan](#step-5-implement-your-plan) - [Hardware](#hardware) - [Installing macOS](#installing-macos) * [System activation](#system-activation) From b319187448709a9d6192f2d43fb315afa43305d5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:40:14 -0500 Subject: [PATCH 390/476] remove valuable --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0c8da890..4c89a89a 100755 --- a/README.md +++ b/README.md 
@@ -110,7 +110,7 @@ General security best practices apply: The first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). You need to understand your adversaries in order to defend against them. Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. -## Step 1: Identify valuable assets +## Step 1: Identify assets This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list starting with the most important assets to protect. You can put them in categories based on how important they are: public, sensitive, or secret. From 89e3074c7ff0b9653e3ad7ef0290489a4207c573 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:41:00 -0500 Subject: [PATCH 391/476] shorten titles --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4c89a89a..099d04b3 100755 --- a/README.md +++ b/README.md @@ -15,8 +15,8 @@ To suggest an improvement, send a pull request or [open an issue](https://github - [Threat Modeling](#threat-modeling) * [Identify Valuable Assets](#step-1-identify-valuable-assets) * [Identify Adversaries](#step-2-identify-adversaries) - * [Identify Adversaries' Capabilities](#step-3-identify-the-adversaries-capabilities) - * [Come up with Mitigations](#step-4-come-up-with-ways-to-mitigate-the-threats) + * [Identify Capabilities](#step-3-identify-the-adversaries-capabilities) + * [Mitigations](#step-4-come-up-with-ways-to-mitigate-the-threats) * [Implement Your Plan](#step-5-implement-your-plan) - [Hardware](#hardware) - [Installing macOS](#installing-macos) 
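Review bot: Renaming the heading to `## Step 1: Identify assets` changes its generated anchor to `#step-1-identify-assets`, but the table of contents added in PATCH 389 still links to `#step-1-identify-valuable-assets` (and its link text still says "Identify Valuable Assets"), so that TOC entry now points at a heading that no longer exists. Update the TOC anchor and text in the same commit as the heading.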
@@ -118,7 +118,7 @@ This is probably a lot of things: your phone, your laptop, passwords stored on y Define whom you are defending against. Start by defining the motivation they might have to attack your assets. [Financial gain](https://www.verizon.com/business/resources/reports/dbir/) is a big motivator for many attackers, for example. -## Step 3: Identify the adversaries' capabilities +## Step 3: Identify capabilities In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally usophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password. From 88e77f257f1c2e755537871a4c8eaaf6739127cb Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:41:37 -0500 Subject: [PATCH 392/476] identify mitigations --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 099d04b3..ca3a4e90 100755 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [Identify Valuable Assets](#step-1-identify-valuable-assets) * [Identify Adversaries](#step-2-identify-adversaries) * [Identify Capabilities](#step-3-identify-the-adversaries-capabilities) - * [Mitigations](#step-4-come-up-with-ways-to-mitigate-the-threats) + * [Identify Mitigations](#step-4-come-up-with-ways-to-mitigate-the-threats) * [Implement Your Plan](#step-5-implement-your-plan) - [Hardware](#hardware) - [Installing macOS](#installing-macos) 
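Review bot: Same anchor problem as Step 1: `## Step 3: Identify capabilities` generates `#step-3-identify-capabilities`, while the TOC entry (shown as context in the PATCH 391 and 392 TOC hunks) still links to `#step-3-identify-the-adversaries-capabilities`, so the link is broken. The unchanged context line also still contains the "usophisticated" typo, which could be fixed while this paragraph is being touched.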
@@ -122,7 +122,7 @@ Define whom you are defending against. Start by defining the motivation they mig In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally usophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password. -## Step 4: Come up with ways to mitigate the threats +## Step 4: Identify mitigations Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. From 6ac3623b416a1228d558b9478add374a47e1a4c4 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:42:20 -0500 Subject: [PATCH 393/476] remove step 5 --- README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/README.md b/README.md index ca3a4e90..7e93b0db 100755 --- a/README.md +++ b/README.md @@ -17,7 +17,6 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [Identify Adversaries](#step-2-identify-adversaries) * [Identify Capabilities](#step-3-identify-the-adversaries-capabilities) * [Identify Mitigations](#step-4-come-up-with-ways-to-mitigate-the-threats) - * [Implement Your Plan](#step-5-implement-your-plan) - [Hardware](#hardware) - [Installing macOS](#installing-macos) * [System activation](#system-activation) 
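Review bot: `## Step 4: Identify mitigations` generates `#step-4-identify-mitigations`, but the TOC entry updated in the previous hunk still links to `#step-4-come-up-with-ways-to-mitigate-the-threats`, so the Step 4 link is broken too. At this point all three renamed headings (Steps 1, 3 and 4) have stale TOC anchors; one follow-up commit should regenerate the four anchors from the current heading text.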
@@ -126,10 +125,6 @@ In order to counter your adversaries, you'll need to understand what they're cap Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. -## Step 5: Implement your plan - -Start implementing your strategies. Depending on how serious or time-sensitive your situation is, you might want to ease into it so you don't burn yourself out too quickly. Sometimes you might find that a strategy you came up with isn't working for whatever reason, that's ok. Just go back and rethink that part. Eventually you will get to a workable plan that mitigates your threats and that doesn't cause undue inconvenience on your life. - Here's an example of the type of table you should make for each asset you want to protect: | Adversary | Motivation | Capabilities | Mitigation | From 1998f22c74ae40fd78f74d407529c3ef62d0e3d4 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:44:30 -0500 Subject: [PATCH 394/476] reverse table order --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7e93b0db..9b0fef60 100755 --- a/README.md +++ b/README.md 
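Review bot: Removing the Step 5 section is consistent with the TOC change in the previous hunk, but the deleted paragraph carried the only guidance on iterating ("a strategy you came up with isn't working ... go back and rethink that part"), and nothing else in the section now says that mitigations should be revisited. The intro sentence about periodically reassessing the threat model is a natural place to fold that point into one sentence.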
@@ -129,10 +129,10 @@ Here's an example of the type of table you should make for each asset you want t | Adversary | Motivation | Capabilities | Mitigation | | --- | --- | --- | --- | -| Nation State | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | -| Hacker | Infect my device with malware to steal personal info and/or money | Run unauthorized code on my computer to steal my info | Use sandboxing, enable security features in my OS, keep OS and all software updated and turn on autoupdates | -| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen phone | | Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use biometrics, use privacy screen, keep phone locked when I'm not using it | +| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen phone | +| Hacker | Infect my device with malware to steal personal info and/or money | Run unauthorized code on my computer to steal my info | Use sandboxing, enable security features in my OS, keep OS and all software updated and turn on autoupdates | +| Nation State | See contents of packets sent over the internet | Passive 
surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From a14722885758568a53c49b12cf55d4f7bef121ff Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:45:07 -0500 Subject: [PATCH 395/476] targeted surveillance --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9b0fef60..7680a45d 100755 --- a/README.md +++ b/README.md 
@@ -132,7 +132,7 @@ Here's an example of the type of table you should make for each asset you want t | Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use biometrics, use privacy screen, keep phone locked when I'm not using it | | Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen phone | | Hacker | Infect my device with malware to steal personal info and/or money | Run unauthorized code on my computer to steal my info | Use sandboxing, enable security features in my OS, keep OS and all software updated and turn on autoupdates | -| Nation State | See contents of packets sent over the internet | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | +| Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From 1571abe5d0366f59edf86c90ff5dc31cba08d9d5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:54:58 -0500 Subject: [PATCH 396/476] update criminal --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7680a45d..9f07c461 100755 --- a/README.md +++ b/README.md 
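Review bot: changing the Nation State motivation to `Targeted surveillance` makes the row inconsistent with its own Capabilities cell, which still lists only `Passive surveillance of internet infrastructure` and bulk cracking/analysis of packets, i.e. untargeted capabilities. Either keep the previous motivation or add the targeted capabilities (and matching mitigations) the new wording implies.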
@@ -129,9 +129,9 @@ Here's an example of the type of table you should make for each asset you want t | Adversary | Motivation | Capabilities | Mitigation | | --- | --- | --- | --- | -| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in my password | Use biometrics, use privacy screen, keep phone locked when I'm not using it | -| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see my password, steal my phone out of my hands or when I'm not looking while it's logged in | Keep phone in sight or on my person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen phone | -| Hacker | Infect my device with malware to steal personal info and/or money | Run unauthorized code on my computer to steal my info | Use sandboxing, enable security features in my OS, keep OS and all software updated and turn on autoupdates | +| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in password | Use biometrics, use privacy screen, keep phone locked when not using it | +| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device | +| Criminal | Financial | social engineering (email scams, scam calls), COTS malware, password stealing, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on autoupdates | | Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | 
Always use encryption for all connections | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From f71a2cfd7c9a49d2b9a3c9065163fccc4e1c082e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 18:55:55 -0500 Subject: [PATCH 397/476] remove first person --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9f07c461..bb4e22ff 100755 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ Here's an example of the type of table you should make for each asset you want t | Adversary | Motivation | Capabilities | Mitigation | | --- | --- | --- | --- | -| Family | See private chats or browsing history | Close proximity; can see screen or watch me type in password | Use biometrics, use privacy screen, keep phone locked when not using it | +| Family | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it | | Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device | | Criminal | Financial | social engineering (email scams, scam calls), COTS malware, password stealing, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on autoupdates | | Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | From f375403cce12e3a355343dfb0e5ca1d04370cfc1 Mon Sep 17 00:00:00 2001 
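Review bot: in the new `Criminal` row the Mitigation cell (sandboxing, OS security features, updates, autoupdates) counters only the `COTS malware` and `exploiting vulnerabilities` capabilities; `social engineering (email scams, scam calls)` and `password stealing` are listed as capabilities but have no corresponding mitigation, so the row leaves two threats unaddressed. The cell also begins with lowercase `social engineering` while every other cell in the table starts with a capital.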
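Review bot: dropping `me` from `watch me type in password` in the Family row leaves `can see screen or watch type in password`, which is ungrammatical; the first-person removal elsewhere in the table reads fine because the object was not needed there. Reword the Capabilities cell to something like `can see screen or watch the password being typed`.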
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 19:03:52 -0500 Subject: [PATCH 398/476] add balancing security and usability --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bb4e22ff..03803499 100755 --- a/README.md +++ b/README.md @@ -123,7 +123,7 @@ In order to counter your adversaries, you'll need to understand what they're cap ## Step 4: Identify mitigations -Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. +Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. It's important to balance security and usability; every mitigation should counter some capability of your adversaries, otherwise you might be making your life inconvenient for little to no gain. If you can't think of any more capabilities your adversaries might have and you've implemented mitigations for them all, your work is done. Here's an example of the type of table you should make for each asset you want to protect: From b1e5917d7b7856f82f7077601d74b712f933491e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 19:07:19 -0500 Subject: [PATCH 399/476] advanced adversary mitigations --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 03803499..6f65d0f7 100755 --- a/README.md +++ b/README.md 
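Review bot: the sentence added to Step 4, `If you can't think of any more capabilities your adversaries might have and you've implemented mitigations for them all, your work is done`, overstates finality: assets and adversaries change, and the paragraph removed two commits earlier said strategies that stop working should be revisited. Suggest `your work is done for now; revisit the table when your assets or adversaries change`. The paragraph is also now one long run of four sentences; a break before `It's important to balance security and usability` would help.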
@@ -132,7 +132,7 @@ Here's an example of the type of table you should make for each asset you want t | Family | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it | | Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device | | Criminal | Financial | social engineering (email scams, scam calls), COTS malware, password stealing, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on autoupdates | -| Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Always use encryption for all connections | +| Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From 34505055ebd978e14953f993eaeb76ae188b6923 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sat, 23 Mar 2024 19:18:34 -0500 Subject: [PATCH 400/476] add software tripware --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6f65d0f7..55a90846 100755 --- a/README.md +++ b/README.md 
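Review bot: `e2ee` in the new Nation State mitigation cell is the first use of the abbreviation in this table and is never expanded; write `end-to-end encryption (E2EE)` so the row reads without outside context. The rest of the cell (diceware passwords, secure element, shutting devices down when not in use) lines up with what Step 3 says a state-level adversary requires.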
@@ -132,7 +132,7 @@ Here's an example of the type of table you should make for each asset you want t | Family | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it | | Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device | | Criminal | Financial | social engineering (email scams, scam calls), COTS malware, password stealing, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on autoupdates | -| Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them | +| Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them, software tripwire/honeypot/canary tokens | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From 2e183415579c5cfad511853058f788a32a4239fb Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 10:07:19 -0500 Subject: [PATCH 401/476] fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
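Review bot: `software tripwire/honeypot/canary tokens` appended to the Nation State Mitigation cell does not counter either capability listed in that row (passive surveillance of internet infrastructure, cracking/analysis of packets); these are detection measures for an adversary who has already reached the device or account. Either add that capability to the row or move the entry to a row whose capabilities it addresses, otherwise the row violates the `every mitigation should counter some capability of your adversaries` rule that Step 4 now states.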
diff --git a/README.md b/README.md index 55a90846..1f218708 100755 --- a/README.md +++ b/README.md @@ -119,7 +119,7 @@ Define whom you are defending against. Start by defining the motivation they mig ## Step 3: Identify capabilities -In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally usophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password. +In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally unsophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password. ## Step 4: Identify mitigations From c780f14a7f9c332b06de1a35f074153fa84f6c26 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 10:10:02 -0500 Subject: [PATCH 402/476] add canary tokens link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1f218708..0881b210 100755 --- a/README.md +++ b/README.md 
@@ -132,7 +132,7 @@ Here's an example of the type of table you should make for each asset you want t | Family | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it | | Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device | | Criminal | Financial | social engineering (email scams, scam calls), COTS malware, password stealing, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on autoupdates | -| Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them, software tripwire/honeypot/canary tokens | +| Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them, software tripwire/honeypot/[canary tokens](https://canarytokens.org/) | Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). From 2ba1dab12854db57beabcb5ad0bc6c8b886a59b0 Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 10:11:07 -0500 Subject: [PATCH 403/476] change family to roommate --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0881b210..5f602ac1 100755 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ Here's an example of the type of table you should make for each asset you want t | Adversary | Motivation | Capabilities | Mitigation | | --- | --- | --- | --- | -| Family | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it | +| Roommate | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it | | Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device | | Criminal | Financial | social engineering (email scams, scam calls), COTS malware, password stealing, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on autoupdates | | Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them, software tripwire/honeypot/[canary tokens](https://canarytokens.org/) | From 26b8c7ca368c724bb95bb6d6a6e5cb2648080eff Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 13:08:01 -0500 Subject: [PATCH 404/476] update firefox --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 220ada9b..09347499 100755 --- a/README.md +++ b/README.md 
@@ -686,29 +686,29 @@ server: GitHub.com The Web browser likely poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. -An important property of modern browsers Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)) which prevents a malicious script on one page from obtaining access to sensitive data on another web page through the Document Object Model (DOM). If SOP is compromised, the security of the entire browser is compromised. +An important property of modern browsers is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)) which prevents a malicious script on one page from obtaining access to sensitive data on another web page through the Document Object Model (DOM). If SOP is compromised, the security of the entire browser is compromised. Many browser exploits are based on social engineering as a means of gaining persistence. Always be mindful of opening untrusted sites and especially careful when downloading new software. -Another important consideration about browser security are extensions. This is an issue affecting Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. The use of browser extensions should be limited to only critically necessary ones published by trustworthy developers. +Another important consideration about browser security is extensions. This is an issue affecting Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. The use of browser extensions should be limited to only critically necessary ones published by trustworthy developers. [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/), [Google Chrome](https://www.google.com/chrome/), [Safari](https://www.apple.com/safari/), and [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) are all recommended browsers for their own unique and individual purposes. 
## Firefox -[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) is a popular open source browser. Firefox recently replaced major parts of its infrastructure and code base under projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org/en-US/). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. +[Mozilla Firefox](https://www.mozilla.org/firefox/new/) is a popular open source browser. Firefox replaced major parts of its infrastructure and code base under the projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. -Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), although it is not a lucrative. Firefox follows a six-week release cycle similar to Chrome. See discussion in [issue 2](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/2) and [issue 90](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/90) for more information about certain differences in Firefox and Chrome. +Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/security/bug-bounty), although it is not as lucrative. Firefox follows a four-week release cycle similar to Chrome. -Firefox supports user-supplied configuration files. 
See See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows selective script blocking. +Firefox supports user-supplied configuration files. See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows selective script blocking. -Firefox [focused on user privacy](https://www.mozilla.org/en-US/firefox/privacy/). It supports [tracking protection](https://developer.mozilla.org/en-US/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Another feature similar to Chrome profiles is [Firefox Multi-Account Containers](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/). +Firefox [focuses on user privacy](https://www.mozilla.org/en-US/firefox/privacy/). It supports [tracking protection](https://developer.mozilla.org/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Firefox in Strict tracking protection mode will [randomize your fingerprint](https://support.mozilla.org/kb/firefox-protection-against-fingerprinting) to foil basic tracking scripts. Firefox offers separate user [profiles](https://support.mozilla.org/kb/profile-manager-create-remove-switch-firefox-profiles). You can separate your browsing inside a profile with [Multi-Account Containers](https://support.mozilla.org/kb/containers). 
-Previous versions of Firefox used a Web Extension SDK that was quite invasive and offered immense freedom to developers. Sadly, that freedom also introduced a number of vulnerabilities in Firefox that greatly affected its users. Currently, Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions), which is very similar to Chrome. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. +Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions), which is very similar to Chrome. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. ## Chrome -[Google Chrome](https://www.google.com/chrome/) is based on the open source [Chromium project](https://www.chromium.org/Home) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): +[Google Chrome](https://www.google.com/chrome/) is based on the open source [Chromium project](https://www.chromium.org) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): * Automatic updates with GoogleSoftwareUpdateDaemon * Usage tracking and crash reporting, which can be disabled through Chrome's settings 
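Review bot: the rewritten Firefox extension line keeps `Web Extension Api`; since the line is being touched anyway, capitalize it as `API`. The same hunk drops the pointers to issues 2 and 90 and the whole paragraph on the legacy extension SDK, and replaces the `six-week` release cycle with `four-week`; the commit message `update firefox` should say those removals and the factual change are intentional, since readers of the history will look for them.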
@@ -717,7 +717,7 @@ Previous versions of Firefox used a Web Extension SDK that was quite invasive an * PDF viewer * Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. **Chrome downloaded from Google’s website doesn’t have the RLZ identifier**. The source code to decode the strings is made open by Google. -Chrome offers account sync between multiple devices. Part of the sync data includes credentials to Web sites. The data is are encrypted with the account password. +Chrome offers account sync between multiple devices. Part of the sync data includes credentials to Web sites. The data is encrypted with the account password. Chrome's Web Store for extensions requires a [5 USD lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. From f71835ac1cc12e7246d224c4b919453f8899aafe Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 13:24:19 -0500 Subject: [PATCH 405/476] update chrome --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 09347499..a805c0b5 100755 --- a/README.md +++ b/README.md 
@@ -708,7 +708,7 @@ Firefox only supports Web Extensions through the [Web Extension Api](https://dev ## Chrome -[Google Chrome](https://www.google.com/chrome/) is based on the open source [Chromium project](https://www.chromium.org) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser/): +[Google Chrome](https://www.google.com/chrome) is based on the open source [Chromium project](https://www.chromium.org) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser): * Automatic updates with GoogleSoftwareUpdateDaemon * Usage tracking and crash reporting, which can be disabled through Chrome's settings 
@@ -719,13 +719,13 @@ Firefox only supports Web Extensions through the [Web Extension Api](https://dev Chrome offers account sync between multiple devices. Part of the sync data includes credentials to Web sites. The data is encrypted with the account password. -Chrome's Web Store for extensions requires a [5 USD lifetime fee](https://developer.chrome.com/webstore/publish#pay-the-developer-signup-fee) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. +Chrome's Web Store for extensions requires a [5 USD lifetime fee](https://developer.chrome.com/docs/webstore/register) in order to submit extensions. The low cost allows the development of many quality Open Source Web Extensions that do not aim to monetize through usage. -Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org/en/) which uses [Chrome's V8](https://developers.google.com/v8/) Engine and the [Electron](https://electron.atom.io/) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. +Chrome has the largest share of global usage and is the preferred target platform for the majority of developers. Major technologies are based on Chrome's Open Source components, such as [node.js](https://nodejs.org) which uses [Chrome's V8](https://developers.google.com/v8) Engine and the [Electron](https://electron.atom.io) framework, which is based on Chromium and node.js. Chrome's vast user base makes it the most attractive target for threat actors and security researchers. 
Despite constant attacks, Chrome has retained an impressive security track record over the years. This is not a small feat. -Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [robust sandboxing](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md), [frequent updates](https://chromereleases.googleblog.com/), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty program](https://bughunters.google.com/about/rules/5745167867576320/chrome-vulnerability-reward-program-rules) for reporting vulnerabilities, along with its own [Project Zero](https://googleprojectzero.blogspot.com/) team. This means that a large number of highly talented and motivated people are constantly auditing and securing Chrome code. +Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [robust sandboxing](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md), [frequent updates](https://chromereleases.googleblog.com), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty program](https://bughunters.google.com/about/rules/5745167867576320/chrome-vulnerability-reward-program-rules) for reporting vulnerabilities, along with its own [Project Zero](https://googleprojectzero.blogspot.com/) team. This means that a large number of highly talented and motivated people are constantly auditing and securing Chrome code. -Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, either disable Javascript in Chrome settings and configure allowed origins - or use [uBlock Origin](https://github.com/gorhill/uBlock) to manage Javascript. +Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. 
In each profile, either disable Javascript in Chrome settings and configure allowed origins. You should also disable the V8 Optimizer for sites where you do use Javascript to further reduce attack surface. You can block trackers with [uBlock Origin Lite](https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh). Change the default search engine from Google to reduce additional tracking. From fe57b80db721b8a1ef900936abb078058ef7c644 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 13:39:36 -0500 Subject: [PATCH 406/476] update safari --- README.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index a805c0b5..41a43edb 100755 --- a/README.md +++ b/README.md 
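Review bot: the rewritten sentence "In each profile, either disable Javascript in Chrome settings and configure allowed origins." keeps the "either" from the removed line but drops its "or use uBlock Origin" half, so it now reads as an incomplete alternative; either restore a second option or rewrite it as "In each profile, disable Javascript in Chrome settings and allow it only for the origins you trust." The new advice to "disable the V8 Optimizer for sites where you do use Javascript" also gives the reader no way to find that setting; a menu path or a link to Chrome's own documentation is needed for it to be actionable.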
@@ -735,20 +735,18 @@ Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [C ## Safari -[Safari](https://www.apple.com/safari/) is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://en.wikipedia.org/wiki/WebKit), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. +[Safari](https://www.apple.com/safari) is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://webkit.org), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look/) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. +Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look) enables the creation of content blocking rules without using Javascript. 
This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Safari can randomize your fingerprint to reduce tracking. Safari doesn't support certain features like WebUSB or the Battery API intentionally for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that is destroyed when you close the tab. Safari also support Profiles which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Read more about [tracking prevention](https://webkit.org/tracking-prevention) in Safari. -Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting/) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. +Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. -Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. 
Yearly [developer subscription](https://developer.apple.com/support/compare-memberships/) fee costs 100 USD (in contrast to Chrome's 5 USD fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open. +Web Extensions in Safari have an additional option to use native code in the Safari's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are also distributed through Apple's App store. App store submission comes with the added benefit of Web Extension code being audited by Apple. On the other hand App store submission comes at a steep cost. Yearly [developer subscription](https://developer.apple.com/support/compare-memberships) fee costs 100 USD (in contrast to Chrome's 5 USD fee and Firefox's free submission). The high cost is prohibitive for the majority of Open Source developers. As a result, Safari has very few extensions to choose from. However, you should keep the high cost in mind when installing extensions. It is expected that most Web Extensions will have some way of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not open. -Safari syncs user preferences and passwords with [iCloud Keychain](https://support.apple.com/en-gb/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. This means that users can sync data across devices with added security. +Safari syncs user preferences and passwords with [iCloud Keychain](https://support.apple.com/HT202303). In order to be viewed in plain text, a user must input the account password of the current device. 
This means that users can sync data across devices with added security. Safari follows a slower release cycle than Chrome and Firefox (3-4 minor releases, 1 major release, per year). Newer features are slower to be adopted to the stable channel. Security updates in Safari are handled independent of the stable release schedule and are installed through the App Store. -An example of using Safari content blockers is available at [dgraham/Ka-Block](https://github.com/dgraham/Ka-Block). - See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. ## Other browsers From fd9b0c97c7d6da02c711d9c9da282c3efdbdb62c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 13:42:43 -0500 Subject: [PATCH 407/476] add lockdown mode --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 41a43edb..14fb0c08 100755 --- a/README.md +++ b/README.md 
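Review bot: the added claim "Safari can randomize your fingerprint to reduce tracking" is the only sentence in the paragraph without a source, while the neighbouring Content Blocker and Intelligent Tracking Prevention claims each link a WebKit post; please cite the WebKit tracking-prevention page already linked at the end of the paragraph if it documents fingerprinting defences, or qualify the sentence. Two smaller points in the same added lines: "isolated cookies and cache that is destroyed" should be "that are destroyed", and "Safari also support Profiles" should be "supports".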
@@ -737,7 +737,7 @@ Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [C [Safari](https://www.apple.com/safari) is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://webkit.org), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Safari can randomize your fingerprint to reduce tracking. Safari doesn't support certain features like WebUSB or the Battery API intentionally for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that is destroyed when you close the tab. Safari also support Profiles which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Read more about [tracking prevention](https://webkit.org/tracking-prevention) in Safari. +Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. 
Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Safari can randomize your fingerprint to reduce tracking. Safari doesn't support certain features like WebUSB or the Battery API intentionally for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that is destroyed when you close the tab. Safari also support Profiles which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Safari can be made significantly more secure with [lockdown mode](#lockdown-mode), which you can disable per-site. Read more about [tracking prevention](https://webkit.org/tracking-prevention) in Safari. Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. From 3af2a3676d93601271ff4a617f6a3f54be35ba9e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 13:50:31 -0500 Subject: [PATCH 408/476] safari webrtc --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 14fb0c08..1a0c991d 100755 --- a/README.md +++ b/README.md 
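Review bot: the new link `[lockdown mode](#lockdown-mode)` is an in-page anchor, but no "Lockdown mode" heading appears anywhere in this patch series; confirm that the README already has that section (or add it in this change) so the anchor resolves, otherwise the link is dead for readers. "which you can disable per-site" also switches to second person in an otherwise impersonal paragraph; "which can be disabled per-site" would match the surrounding text.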
@@ -761,9 +761,9 @@ Web browsers reveal information in several ways, for example through the [Naviga For more information about security conscious browsing and what data is sent by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://browserleaks.com/), [Am I Unique?](https://amiunique.org/fingerprint) and [EFF Cover Your Tracks](https://coveryourtracks.eff.org/) resources. -To hinder third party trackers, it is recommended to **disable third-party cookies** altogether. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. +To hinder third party trackers, it is recommended to **disable third-party cookies** altogether. Safari, Firefox, and Chrome all block third party cookies by default. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. -Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). 
In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address) and [rentamob/WebRTC-Leak-Prevent](https://github.com/rentamob/WebRTC-Leak-Prevent). Disabling WebRTC in Safari is only possible with a [system hack](https://github.com/JayBrown/Disable-and-toggle-WebRTC-in-macOS-Safari). +Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address). [Lockdown mode](#lockdown-mode) disables WebRTC in Safari. # Tor From ba3d89f2ea9a2ec62f537f2a9f562b4ade54c32a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 18:28:04 -0500 Subject: [PATCH 409/476] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a0c991d..0dca57cb 100755 --- a/README.md +++ b/README.md 
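Review bot: "Safari, Firefox, and Chrome all block third party cookies by default" is an unsourced statement about default browser behaviour and, placed right after "it is recommended to **disable third-party cookies** altogether", leaves the reader unsure whether any action is needed; cite a release note for each browser, or restrict the sentence to the browsers that can be sourced and tell Chrome users to check the setting themselves. In the WebRTC sentence, the retained link is to the uBlock Origin wiki, while the Chrome section of this same patch series now recommends uBlock Origin Lite; confirm that the Lite version exposes the same WebRTC leak setting, and if it does not, say so, since Chrome readers following the other section will not find it. Dropping the Safari "system hack" link in favour of Lockdown mode is reasonable, but the replacement claim that Lockdown mode disables WebRTC is asserted without a citation in this hunk.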
@@ -737,7 +737,7 @@ Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [C [Safari](https://www.apple.com/safari) is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://webkit.org), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Safari can randomize your fingerprint to reduce tracking. Safari doesn't support certain features like WebUSB or the Battery API intentionally for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that is destroyed when you close the tab. Safari also support Profiles which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Safari can be made significantly more secure with [lockdown mode](#lockdown-mode), which you can disable per-site. Read more about [tracking prevention](https://webkit.org/tracking-prevention) in Safari. +Safari supports certain unique features that benefit user security and privacy. 
[Content blockers](https://webkit.org/blog/3476/content-blockers-first-look) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Safari can randomize your fingerprint to reduce tracking. Safari doesn't support certain features like WebUSB or the Battery API intentionally for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that is destroyed when you close the tab. Safari also support Profiles which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Safari can be made significantly more secure with [lockdown mode](#lockdown-mode), which can be disabled per-site. Read more about [tracking prevention](https://webkit.org/tracking-prevention) in Safari. Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. From 336271203c4294306d653295fd45b4fbf5308da6 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 18:42:21 -0500 Subject: [PATCH 410/476] add instructions for v8 optimizer --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0dca57cb..e01846c9 100755 --- a/README.md +++ b/README.md 
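Review bot: this commit is titled "grammar" but leaves "Safari also support Profiles" in the rewritten line; change it to "Safari also supports Profiles" while touching this sentence.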
@@ -725,7 +725,11 @@ Chrome has the largest share of global usage and is the preferred target platfor Chrome offers [separate profiles](https://www.chromium.org/user-experience/multi-profiles), [robust sandboxing](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md), [frequent updates](https://chromereleases.googleblog.com), and carries [impressive credentials](https://www.chromium.org/Home/chromium-security/brag-sheet). In addition, Google offers a very lucrative [bounty program](https://bughunters.google.com/about/rules/5745167867576320/chrome-vulnerability-reward-program-rules) for reporting vulnerabilities, along with its own [Project Zero](https://googleprojectzero.blogspot.com/) team. This means that a large number of highly talented and motivated people are constantly auditing and securing Chrome code. -Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, either disable Javascript in Chrome settings and configure allowed origins. You should also disable the V8 Optimizer for sites where you do use Javascript to further reduce attack surface. You can block trackers with [uBlock Origin Lite](https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh). +Create separate Chrome profiles to reduce XSS risk and compartmentalize cookies/identities. In each profile, either disable Javascript in Chrome settings and configure allowed origins. You should also disable the V8 Optimizer for sites where you do use Javascript to further reduce attack surface. Go to **Settings** -> **Privacy and security** -> **Security** -> **Manage v8 security** -> **Don't allow sites to use the V8 optimizer** + +Read more about the benefits of disabling this [here](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode). 
+ +You can block trackers with [uBlock Origin Lite](https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh). Change the default search engine from Google to reduce additional tracking. From dac445696fc8b1adadeac19e098a7618a166f706 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 24 Mar 2024 18:43:23 -0500 Subject: [PATCH 411/476] webrtc citation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e01846c9..0e993db9 100755 --- a/README.md +++ b/README.md 
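Review bot: the instruction sentence ends without a full stop after "**Don't allow sites to use the V8 optimizer**", and the preceding "In each profile, either disable Javascript in Chrome settings and configure allowed origins." still has an "either" with no matching "or". More substantively, the text says to disable the optimizer "for sites where you do use Javascript", but the path given toggles the browser-wide default; say whether per-site exceptions can be added on the same Manage V8 security page so the two sentences agree. "Read more about the benefits of disabling this [here]" uses a bare "here" link; name the target, for example "Read more about the benefits in Microsoft's Super Duper Secure Mode post".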
@@ -767,7 +767,7 @@ For more information about security conscious browsing and what data is sent by To hinder third party trackers, it is recommended to **disable third-party cookies** altogether. Safari, Firefox, and Chrome all block third party cookies by default. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. -Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address). [Lockdown mode](#lockdown-mode) disables WebRTC in Safari. +Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address). [Lockdown mode](#lockdown-mode) [disables WebRTC](https://www.sevarg.net/2022/07/20/ios16-lockdown-mode-browser-analysis) in Safari. # Tor From bf93bf13c4cfaac73f7abf91f4ddeb91ac84b044 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 24 Mar 2024 17:56:42 -0700 Subject: [PATCH 412/476] Add corporation adversary, tidy TOC --- README.md | 47 +++++++++++++++++++++++------------------------ 1 file changed, 23 insertions(+), 24 deletions(-) 
diff --git a/README.md b/README.md index 2da222b5..256c1b99 100755 --- a/README.md +++ b/README.md @@ -10,13 +10,12 @@ This guide is provided on an 'as is' basis without any warranties of any kind. O To suggest an improvement, send a pull request or [open an issue](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues). - - [Basics](#basics) -- [Threat Modeling](#threat-modeling) - * [Identify Valuable Assets](#step-1-identify-valuable-assets) - * [Identify Adversaries](#step-2-identify-adversaries) - * [Identify Capabilities](#step-3-identify-the-adversaries-capabilities) - * [Identify Mitigations](#step-4-come-up-with-ways-to-mitigate-the-threats) +- [Threat modeling](#threat-modeling) + * [Identify assets](#identify-assets) + * [Identify adversaries](#identify-adversaries) + * [Identify capabilities](#identify-capabilities) + * [Identify mitigations](#identify-mitigations) - [Hardware](#hardware) - [Installing macOS](#installing-macos) * [System activation](#system-activation) @@ -89,7 +88,7 @@ General security best practices apply: * Recognize threats and how to reduce attack surface against them. - Keep the system and software up to date - * Patch the operating system and all installed software reguarly. + * Patch the operating system and all installed software regularly. * macOS system updates can be completed in the [settings](https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065) and set to automatically install. You can also use the `softwareupdate` command-line utility - neither requires registering an Apple account. * Subscribe to announcement mailing lists like [Apple security-announce](https://lists.apple.com/mailman/listinfo/security-announce). 
@@ -105,34 +104,35 @@ General security best practices apply: * Ultimately, the security of a system depends on the capabilities of its administrator. * Care should be taken when installing new software; only install from official sources that the developers indicate on their official website/github/etc. -# Threat Modeling +# Threat modeling The first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). You need to understand your adversaries in order to defend against them. Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. -## Step 1: Identify assets +## Identify assets This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list starting with the most important assets to protect. You can put them in categories based on how important they are: public, sensitive, or secret. -## Step 2: Identify adversaries +## Identify adversaries Define whom you are defending against. Start by defining the motivation they might have to attack your assets. [Financial gain](https://www.verizon.com/business/resources/reports/dbir/) is a big motivator for many attackers, for example. -## Step 3: Identify capabilities +## Identify capabilities In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally unsophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password. 
-## Step 4: Identify mitigations +## Identify mitigations Now is when you decide the best way to counter each threat. You might avoid writing passwords down on paper so your roommate can't find them or you might encrypt the drive on your computer so a thief can't get data from it. It's important to balance security and usability; every mitigation should counter some capability of your adversaries, otherwise you might be making your life inconvenient for little to no gain. If you can't think of any more capabilities your adversaries might have and you've implemented mitigations for them all, your work is done. Here's an example of the type of table you should make for each asset you want to protect: -| Adversary | Motivation | Capabilities | Mitigation | -| --- | --- | --- | --- | -| Roommate | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it | -| Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device | -| Criminal | Financial | social engineering (email scams, scam calls), COTS malware, password stealing, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on autoupdates | -| Nation State | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them, software tripwire/honeypot/[canary tokens](https://canarytokens.org/) | +Adversary 
| Motivation | Capabilities | Mitigation +-|-|-|- +Roommate | See private chats or browsing history | Close proximity; can see screen or watch type in password | Use biometrics, use privacy screen, keep phone locked when not using it +Thief | Unlock phone and steal personal info and drain bank accounts, sell phone for money | Shoulder surf to see password, steal device when not looking while it's logged in | Keep phone in sight or on person at all times, keep locked when not in use, use biometrics to avoid typing password in public, use Find My or similar service to track/remotely disable stolen device +Criminal | Financial | Social engineering, readily-available malware, password reuse, exploiting vulnerabilities | Use sandboxing, enable security features in OS, keep OS and all software updated and turn on automatic updates +Corporation | User data marketing | Telemetry and behavioral data collection | Block network connections, reset unique identifiers, avoid adding payment data +Nation State/APT | Targeted surveillance | Passive surveillance of internet infrastructure, advanced computers for cracking encryption/analysis of packets | Use open source e2ee, use strong diceware passwords for devices, use hardware with secure element for secure encryption, shut down devices when not using them, software tripwire/honeypot/[canary tokens](https://canarytokens.org/) Read more about threat modeling [here](https://www.netmeister.org/blog/threat-model-101.html). 
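Review bot: in the Criminal row, "password stealing" has been changed to "password reuse", but reuse is something the victim does, not an adversary capability; the capability is credential stuffing against reused passwords, and the matching mitigation (unique passwords from a password manager) is absent from that row's Mitigation column and should be added. The new Corporation row's mitigation "Block network connections" is too broad to act on; name what is to be blocked (the telemetry endpoints the Capabilities column refers to). Note also that the table has been rewritten without leading and trailing pipes and with single-hyphen delimiter cells (`-|-|-|-`); GitHub renders that, but not every markdown renderer accepts single-hyphen delimiters, so keeping the original bordered form is the safer choice for a README that may be rendered elsewhere.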
@@ -146,9 +146,9 @@ If you want to use a wireless keyboard, mouse, headphones or other accessory, th # Installing macOS -There are several ways to [install macOS](https://support.apple.com/102662). Choose your preferred method from the available options. +There are several ways to [install macOS](https://support.apple.com/102662). Choose your preferred method from the available options. - **You should install the latest version of macOS that's compatible with your Mac**. More recent versions have security patches and other improvements that older versions lack. + **You should install the latest version of macOS that is compatible with your Mac**. More recent versions have security patches and other improvements that older versions lack. ## System activation 
@@ -232,11 +232,11 @@ See also [this post](https://superuser.com/a/395738) for more information about # Firmware -You should check that firmware security settings are set to [Full Security](https://support.apple.com/en-au/guide/mac-help/mchl768f7291/mac) to prevent tampering with your OS. This is the default setting. +You should check that firmware security settings are set to [Full Security](https://support.apple.com/guide/mac-help/mchl768f7291/mac) to prevent tampering with your OS. This is the default setting. # FileVault -All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/en-au/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. The EFF has a guide on generating [strong but memorable passwords](https://www.eff.org/dice). +All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. The EFF has a guide on generating [strong but memorable passwords](https://www.eff.org/dice). Your FileVault password also acts as a [firmware password](https://support.apple.com/en-us/102384) that will prevent people that don't know it from booting from anything other than the designated startup disk, accessing [Recovery](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/14.0/mac/14.0#mchl5abfbb29), and [reviving](https://support.apple.com/en-us/108900) it with DFU mode. 
@@ -690,7 +690,7 @@ Or to just block Facebook domains, for example: fb*.akamaihd.net ``` -Note that wildcards are supported. +Wildcards are also supported. See [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) for additional Privoxy examples. Privoxy does **not** need to be restarted after editing `user.action` filter rules. @@ -1865,7 +1865,6 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. * [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). * [osquery](https://github.com/osquery/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. -* [google/grr](https://github.com/google/grr) - Incident response framework focused on remote live forensics. # Additional resources From c59c8e6adfe006645f274286c118f464baf302d5 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 25 Mar 2024 11:08:17 -0500 Subject: [PATCH 413/476] remove spikeroak --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 256c1b99..3a69841f 100755 --- a/README.md +++ b/README.md @@ -1373,7 +1373,6 @@ hdiutil eject /Volumes/secretStuff Additional applications and services which offer backups include: * [Tresorit](https://www.tresorit.com) -* [SpiderOak](https://www.spideroak.com) * [Arq](https://www.arqbackup.com) * [Espionage](https://www.espionageapp.com/) * [restic](https://restic.github.io) 
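Review bot: the `google/grr` removal in the `@@ -1865` hunk and the SpiderOak removal in PATCH 413 give no reason for dropping the entries; for a curated tool list the commit message should state why (project archived, service changed, and so on) so readers can judge whether to keep using them, and the PATCH 413 subject misspells SpiderOak as "spikeroak". The Privoxy wording change ("Wildcards are also supported.") is fine.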
From 10e4b22a5b72c4a9699a6cbd09405e58308ded74 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 25 Mar 2024 11:09:51 -0500 Subject: [PATCH 414/476] remove outdated HFS+ --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3a69841f..fa40f99b 100755 --- a/README.md +++ b/README.md @@ -1361,7 +1361,7 @@ tar zxvf ~/Desktop/decrypted-backup.tar.gz Encrypted volumes can also be created using **Disk Utility** or `hdiutil`: ```console -hdiutil create ~/Desktop/encrypted.dmg -encryption -size 50M -volname "secretStuff" -fs JHFS+ +hdiutil create ~/Desktop/encrypted.dmg -encryption -size 50M -volname "secretStuff" hdiutil mount ~/Desktop/encrypted.dmg From 46293bea1f82d49b6523276298d52366060dfd8a Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 27 Mar 2024 15:45:22 -0500 Subject: [PATCH 415/476] add time machine --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index fa40f99b..257c25fe 100755 --- a/README.md +++ b/README.md @@ -1342,6 +1342,12 @@ Ensure all eligible online accounts have [multi-factor authentication](https://e Encrypt files locally before backing them up to external media or online services. +You should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. + +[Time Machine](https://support.apple.com/104984) is the built-in tool for handling backups on macOS. Get an external drive or network drive to back up to and [encrypt](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) your backups. + +You can also do backups manually if you want. + GnuPG can be used with a static password or public key (with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide)). Compress and encrypt a directory using with a password: 
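Review bot: in the `hdiutil create` hunk, dropping `-fs JHFS+` without a replacement means the volume's filesystem now depends on hdiutil's default on the running macOS version; if APFS is intended, pass `-fs APFS` explicitly so the example behaves the same everywhere and the encrypted image's format is visible to the reader. In the Time Machine hunk, "You can also do backups manually if you want." adds nothing the following GnuPG paragraph does not already cover.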
From d1260cfbc0670112fe9b0fa9b390241b90f10983 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 27 Mar 2024 18:11:15 -0500 Subject: [PATCH 416/476] add explanation of 3 2 1 backups --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 257c25fe..c86d4277 100755 --- a/README.md +++ b/README.md @@ -1342,7 +1342,7 @@ Ensure all eligible online accounts have [multi-factor authentication](https://e Encrypt files locally before backing them up to external media or online services. -You should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. +You should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. Keep 3 copies: the original and two backups. Keep backups on 2 different media types, e.g. on a local drive and cloud storage. Store 1 copy offsite. [Time Machine](https://support.apple.com/104984) is the built-in tool for handling backups on macOS. Get an external drive or network drive to back up to and [encrypt](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) your backups. From bd0f6c624cf074cffcb2c80d2a5856e7c8b5f049 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 27 Mar 2024 18:12:12 -0500 Subject: [PATCH 417/476] remove manual backup --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index c86d4277..9b9eacb2 100755 --- a/README.md +++ b/README.md 
@@ -1346,8 +1346,6 @@ You should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/fi [Time Machine](https://support.apple.com/104984) is the built-in tool for handling backups on macOS. Get an external drive or network drive to back up to and [encrypt](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) your backups. -You can also do backups manually if you want. - GnuPG can be used with a static password or public key (with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide)). Compress and encrypt a directory using with a password: From 0ecb02e2ec32488599492fe687085a6a0860b5c3 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 27 Mar 2024 19:12:37 -0500 Subject: [PATCH 418/476] add threat model disclaimer --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9b9eacb2..1ac9c3a8 100755 --- a/README.md +++ b/README.md 
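Review bot: removing the manual-backup sentence is right, but the unchanged context line "Compress and encrypt a directory using with a password:" has a stray "using"; since this series touches that paragraph repeatedly, fix it here ("Compress and encrypt a directory with a password:").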
@@ -1342,7 +1342,7 @@ Ensure all eligible online accounts have [multi-factor authentication](https://e Encrypt files locally before backing them up to external media or online services. -You should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. Keep 3 copies: the original and two backups. Keep backups on 2 different media types, e.g. on a local drive and cloud storage. Store 1 copy offsite. +If your threat model allows it, you should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. Keep 3 copies: the original and two backups. Keep backups on 2 different media types, e.g. on a local drive and cloud storage. Store 1 copy offsite. [Time Machine](https://support.apple.com/104984) is the built-in tool for handling backups on macOS. Get an external drive or network drive to back up to and [encrypt](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) your backups. From 7748766bab4e831db6cd411a6230495de9f3b8df Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 1 Apr 2024 14:27:30 -0500 Subject: [PATCH 419/476] Replace HFS+ with APFS --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1ac9c3a8..d8f8a10d 100755 --- a/README.md +++ b/README.md 
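Review bot: "If your threat model allows it" is too vague to act on; the trade-off visible in this hunk is that an offsite or cloud copy widens who can reach the data, which the preceding line ("Encrypt files locally before backing them up to external media or online services.") already mitigates. Suggest naming it, e.g. "If an offsite copy is acceptable in your threat model (encrypt it locally first), follow the 3-2-1 backup model ...".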
@@ -1086,7 +1086,7 @@ To verify SIP is enabled, use the command `csrutil status`, which should return: # Metadata and artifacts -macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: +macOS attaches metadata ([APFS extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files, which can be viewed with the `mdls` and `xattr` commands: ```console $ ls -l@ ~/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg From b6402475bec6fa37ec66a5ae2599469a8d1e318e Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 1 Apr 2024 14:30:53 -0500 Subject: [PATCH 420/476] fix broken link in the index --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1ac9c3a8..c4730d06 100755 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [Third party firewalls](#third-party-firewalls) * [Kernel level packet filtering](#kernel-level-packet-filtering) - [Services](#services) -- [Siri Suggestions & Spotlight](#siri-suggestions-spotlight) +- [Siri Suggestions and Spotlight](#siri-suggestions-and-spotlight) - [Homebrew](#homebrew) - [DNS](#dns) * [DNS profiles](#dns-profiles) 
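Review bot: replacing "HFS+ extended attributes" with "APFS extended attributes" keeps the claim tied to a single filesystem; extended attributes, including the quarantine attribute the `xattr` output below shows, exist on both HFS+ and APFS, so the neutral "extended attributes" (with the same Wikipedia link) is accurate whatever the volume format. The index anchor fix in PATCH 420 is consistent with the heading rename in its second hunk.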
@@ -420,7 +420,7 @@ Annotated lists of launch daemons and agents, the respective program executed, a Read more about launchd and where login items can be found on [Apple's website](https://support.apple.com/guide/terminal/script-management-with-launchd-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369). -# Siri Suggestions & Spotlight +# Siri Suggestions and Spotlight Apple is moving to on-device processing for a lot of Siri functions, but some info is still sent to Apple when you use Siri Suggestions or Spotlight. You can read Apple's [Privacy Policy](https://www.apple.com/legal/privacy/data/en/siri-suggestions-search/) to see exactly what is sent and how to disable it. From 62c84014ebec52abe37768cee9247e57c19743cd Mon Sep 17 00:00:00 2001 From: beerisgood Date: Mon, 6 May 2024 13:50:35 +0200 Subject: [PATCH 421/476] PR for https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/467 - removed dangerous recommendation - instructions about Homebrew slightly changed - Xcode stuff removed as Homebrew install everything by itself - "HOMEBREW_CASK_OPTS=--require-sha" removed as looks like it is default already --- README.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 148ebe93..f6908853 100755 --- a/README.md +++ b/README.md 
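Review bot: renaming the heading to "Siri Suggestions and Spotlight" fixes the table-of-contents link but also breaks any inbound links to the old anchor; note that in the commit message so maintainers of other pages linking here know to update them.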
@@ -426,19 +426,15 @@ Apple is moving to on-device processing for a lot of Siri functions, but some in # Homebrew -Consider using [Homebrew](https://brew.sh/) to make software installations easier and to update userland tools. +If your program isn't available through Apple AppStore you can consider using [Homebrew](https://brew.sh/). -**Note** If you have not already installed Xcode or Command Line Tools, use `xcode-select --install` to download and install them, or check Apple's developer site. +**Important!** Note that Homebrew asks you to grant “App Management” (or “Full Disk Access”) permission to your terminal. This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of your terminal by adding a malicious command to (e.g.) ~/.zshrc. Granting “App Management” or “Full Disk Access” to your terminal should be considered the same as disabling TCC completely. -Homebrew uses SSL/TLS to talk with GitHub and verifies integrity of downloaded packages, so it's [fairly secure](https://brew.sh/2022/05/17/homebrew-security-audit/). - -Remember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its formula online. +Remember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its formula online. You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` According to [Homebrew's Anonymous Analytics](https://docs.brew.sh/Analytics), Homebrew gathers anonymous analytics and reports these to a self-hosted InfluxDB instance. 
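Review bot: the new warning paragraph refers to "these attacks again" with no antecedent in the hunk (the text reads as if lifted from another document), so either drop "again" and describe the attack it means in place (a non-sandboxed app writing to ~/.zshrc to inherit the terminal's TCC grants, as the sentence itself goes on to say) or cite the source. Also, `brew info ` is missing its argument placeholder in both the old and new line (`brew info <formula>`), "Apple AppStore" should read "the Mac App Store", and the removed sentence drops this section's only reference to Homebrew's security audit; consider keeping that link.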
- To opt out of Homebrew's analytics, you can set `export HOMEBREW_NO_ANALYTICS=1` in your environment or shell rc file, or use `brew analytics off` -You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` and `HOMEBREW_CASK_OPTS=--require-sha` # DNS From dcbe65276857539d0ef4b8baaa88d7ada1884431 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 16 May 2024 22:32:47 -0500 Subject: [PATCH 422/476] Delete launchd directory --- launchd/14F27_launchd.csv | 473 ---------------------------- launchd/15B42_launchd.csv | 522 ------------------------------- launchd/16A323_launchd.csv | 574 ---------------------------------- launchd/comments.csv | 511 ------------------------------ launchd/read_launch_plists.py | 104 ------ 5 files changed, 2184 deletions(-) delete mode 100644 launchd/14F27_launchd.csv delete mode 100644 launchd/15B42_launchd.csv delete mode 100644 launchd/16A323_launchd.csv delete mode 100644 launchd/comments.csv delete mode 100644 launchd/read_launch_plists.py diff --git a/launchd/14F27_launchd.csv b/launchd/14F27_launchd.csv deleted file mode 100644 index 7884c1b2..00000000 --- a/launchd/14F27_launchd.csv +++ /dev/null 
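Review bot: the commit message justifies removing `HOMEBREW_CASK_OPTS=--require-sha` with "looks like it is default already", which is a guess; confirm against Homebrew's documentation before dropping a hardening option, and if it is the default, say so in the README rather than removing it silently. The retained sentence "You may also wish to enable [additional security options] ..., such as `HOMEBREW_NO_INSECURE_REDIRECT=1`" now ends without a period.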
@@ -1,473 +0,0 @@ -filename,label,program,sha256,runatload,comment
-/System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist,com.apple.Kerberos.kdc,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc']",78fb0995e32980948b242e49474ff96b08a7445d2b2d6236fbf53cc102dec79e,False, -/System/Library/LaunchDaemons/com.apple.Kerberos.kpasswdd.plist,com.apple.Kerberos.kpasswdd,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kpasswdd']",b27c723d30de5763c45a81de77a700ff6bde24118bd2dc06428a511468389424,False, -/System/Library/LaunchDaemons/com.apple.KernelEventAgent.plist,com.apple.KernelEventAgent,"['/usr/sbin/KernelEventAgent']",daddcc7434163375810ca3867165b1471b30818b2ddbd3c1ad5aa5268e886cb1,False,"Responsible for displaying disk full and unresponsive file server messages" -/System/Library/LaunchDaemons/com.apple.kextd.plist,com.apple.kextd,"['/usr/libexec/kextd']",7f0ce8497cca7dae5150fb10c84e33b0b2bed0b87d82fef5c0de4a4e04670ac8,False, -/System/Library/LaunchDaemons/com.apple.kuncd.plist,com.apple.kuncd,"['/usr/libexec/kuncd']",19459bd269e33f99c3b10b48161709ee63b15bdc482872a6e3f543c2a731c694,False, -/System/Library/LaunchDaemons/com.apple.locate.plist,com.apple.locate,"['/usr/libexec/locate.updatedb']",42bdf79e638bb3f4db220b39475edd8b83d441580a192c71ea3285735e066eea,False, -/System/Library/LaunchDaemons/com.apple.locationd.plist,com.apple.locationd,"['/usr/libexec/locationd']",0736e0dd1ce04ff499c968a23a3eb18d2d8d900086968c407341c94dc9d10099,False,Location daemon -/System/Library/LaunchDaemons/com.apple.lockd.plist,com.apple.lockd,"['/usr/sbin/rpc.lockd']",7597b85ae9fc0612e46d4b87ef7f0434d35a07696b04b6d44f03ea5bf257d06a,False, -/System/Library/LaunchDaemons/com.apple.logind.plist,com.apple.logind,"['/System/Library/CoreServices/logind']",83f00af483a362e86df65fc0313d47653b05c0d1b3b5913bd50b870b702faac3,True, 
-/System/Library/LaunchDaemons/com.apple.loginwindow.LFVTracer.plist,com.apple.loginwindow.LFVTracer,"['/System/Library/CoreServices/loginwindow.app/Contents/Resources/LegacyFileVaultMessageTracer']",ec96c6326a7923d656ac96325e5c5669f0fccfae61083cf292f7ff0289f106da,False, -/System/Library/LaunchDaemons/com.apple.loginwindow.plist,com.apple.loginwindow,"['/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow', 'console']",c14aa55ac8c5fea96f50d08d5b533e1c516701d385444b20860c20a1247df4e1,False, -/System/Library/LaunchDaemons/com.apple.logkextloadsd.plist,com.apple.logkextloadsd,"['/usr/libexec/logkextloadsd']",f38715cbe145f7d3429af16293cab23455b201f9fdd19fdb1b230529554dcc9b,False, -/System/Library/LaunchDaemons/com.apple.ManagedClient.cloudconfigurationd.plist,com.apple.ManagedClient.cloudconfigurationd,"['/usr/libexec/cloudconfigurationd']",1e54e92cc9dca9bb25ce3fe9b5c7db754312a0b6f3b107667e5fe7fad73ce932,False, -/System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist,com.apple.ManagedClient.enroll,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient', '-e']",b2c8ee5eb2db75ccfa21dd664488ade48fde5e95b988fe33d1e2e12be4452c35,False, -/System/Library/LaunchDaemons/com.apple.ManagedClient.plist,com.apple.ManagedClient,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient']",b2c8ee5eb2db75ccfa21dd664488ade48fde5e95b988fe33d1e2e12be4452c35,False, -/System/Library/LaunchDaemons/com.apple.ManagedClient.startup.plist,com.apple.ManagedClient.startup,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient', '-i']",b2c8ee5eb2db75ccfa21dd664488ade48fde5e95b988fe33d1e2e12be4452c35,True, -/System/Library/LaunchDaemons/com.apple.mbicloudsetupd.plist,com.apple.mbicloudsetupd,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbicloudsetupd']",723dfefe0192e4ad9e25f11899306e0bfaa2f07ab5e023ce1d73bc45c0a88ce9,False, 
-/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist,com.apple.mdmclient.daemon,"['/usr/libexec/mdmclient', 'daemon']",8b29d46bf93f8b33ead6d9d4d4341f25256ef8d61389978ac39e90dd3fed4617,True, -/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist,com.apple.mDNSResponder.reloaded,"['/usr/sbin/mDNSResponder', '-launchd', '-noMulticastAdvertisements']",db34b37c427762aeb76a9eef26f33dc3586ffe8eaffdf4d1f8492c99a0477db6,False, -/System/Library/LaunchDaemons/com.apple.mDNSResponderHelper.plist,com.apple.mDNSResponderHelper.reloaded,"['/usr/sbin/mDNSResponderHelper']",8a600f239de7716fbb7ddd1615b261919050f5c722638a0a409cc97fd0ac8f84,False, -/System/Library/LaunchDaemons/com.apple.metadata.mds.index.plist,com.apple.metadata.mds.index,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mds_stores']",7869efc52c2e822a313f21674d320a044f8042e7b8b6d641b918e9a3e263e6ec,False, -/System/Library/LaunchDaemons/com.apple.metadata.mds.plist,com.apple.metadata.mds,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds']",2b22795c111c8512c461ffdf438eec611b08036bbd467b344301f2169af9a30a,False, -/System/Library/LaunchDaemons/com.apple.metadata.mds.scan.plist,com.apple.metadata.mds.scan,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-scan', '-c', 'MDSSyncScanWorker', '-m', 'com.apple.metadata.mds.scan']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, -/System/Library/LaunchDaemons/com.apple.metadata.mds.spindump.plist,com.apple.metadata.mds.spindump,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'none', '-c', 'MDSSpinDumpWorker', '-m', 'com.apple.metadata.mds.spindump']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, 
-/System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist,com.apple.MobileFileIntegrity,"['/usr/libexec/amfid']",8e6585e67d76a2f7897d0a89e27c4fe21349640ab237d7b0afc2db194e123cfb,False, -/System/Library/LaunchDaemons/com.apple.msrpc.echosvc.plist,com.apple.msrpc.echosvc,"['/usr/libexec/rpcsvchost', '-launchd', 'echosvc.bundle']",2ab324d33fc4b1853877528c3e46c4919b913b5a485532df22d190ccaa808fc5,False, -/System/Library/LaunchDaemons/com.apple.msrpc.lsarpc.plist,com.apple.msrpc.lsarpc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'lsarpc.bundle', 'dssetup.bundle']",2ab324d33fc4b1853877528c3e46c4919b913b5a485532df22d190ccaa808fc5,False, -/System/Library/LaunchDaemons/com.apple.msrpc.mdssvc.plist,com.apple.msrpc.mdssvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'mdssvc.bundle']",2ab324d33fc4b1853877528c3e46c4919b913b5a485532df22d190ccaa808fc5,False, -/System/Library/LaunchDaemons/com.apple.msrpc.netlogon.plist,com.apple.msrpc.netlogon,"['/usr/libexec/rpcsvchost', '-launchd', 'netlogon.bundle']",2ab324d33fc4b1853877528c3e46c4919b913b5a485532df22d190ccaa808fc5,False, -/System/Library/LaunchDaemons/com.apple.msrpc.srvsvc.plist,com.apple.msrpc.srvsvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'srvsvc.bundle']",2ab324d33fc4b1853877528c3e46c4919b913b5a485532df22d190ccaa808fc5,False, -/System/Library/LaunchDaemons/com.apple.msrpc.wkssvc.plist,com.apple.msrpc.wkssvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'wkssvc.bundle']",2ab324d33fc4b1853877528c3e46c4919b913b5a485532df22d190ccaa808fc5,False, -/System/Library/LaunchDaemons/com.apple.mtmd.plist,com.apple.mtmd,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmd']",9a8133c80a4ff974c3cc94aa2e7e71bfdb74d5a7b3ce8e52e9c06cea3afd88d5,True, -/System/Library/LaunchDaemons/com.apple.mtmfs.plist,com.apple.mtmfs,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmfs', '--tcp', '--resvport', '--listen', 'localhost', '--oneshot', '--noportmap', 
'--nobrowse']",73ab85c294c7b79123dbcda1c25711280307d45d7daa3ea039c706bb2010cced,True, -/System/Library/LaunchDaemons/com.apple.nehelper.plist,com.apple.nehelper,"['/usr/libexec/nehelper']",58a612c581062b6f1f0ae1bbf581f5348154f7553a82677d92330491935646e4,False, -/System/Library/LaunchDaemons/com.apple.nesessionmanager.plist,com.apple.nesessionmanager,"['/usr/libexec/nesessionmanager']",7948674dcc024f9c44514470288c4070c76b7efef83a961b161007c1edbd2b82,False, -/System/Library/LaunchDaemons/com.apple.netauth.sys.auth.plist,com.apple.netauth.sys.auth,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent', '--sys']",15e3d0f498e5fbd131fa0fe32ac54af6c7595d618ab98cf38cb1adfac7063a88,False, -/System/Library/LaunchDaemons/com.apple.netauth.sys.gui.plist,com.apple.netauth.sys.gui,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent', '--sys']",5e1ff53d5740591660f0f85d909a61bb5b08491cdd29c4dc57a3cf7e28825e49,False, -/System/Library/LaunchDaemons/com.apple.netbiosd.plist,com.apple.netbiosd,"['/usr/sbin/netbiosd']",d8af971604b8617c9f4c776e31463c0d1f994b3636e8983739f5a41a61306cf8,False,"netbiosd is responsible for interacting with NetBIOS networks." 
-/System/Library/LaunchDaemons/com.apple.NetBootClientStatus.plist,com.apple.NetBootClientStatus,"['/usr/sbin/NetBootClientStatus']",818bbf68426f3187915ffdea714004eb57de594f098e7be7ef83e65645cc7ecb,True, -/System/Library/LaunchDaemons/com.apple.networkd.plist,com.apple.networkd,"['/usr/libexec/networkd']",b99aa46133eeb9f82b5c431455cf249616fb98303e591587408ea1280185a20b,False,network daemon -/System/Library/LaunchDaemons/com.apple.networkd_privileged.plist,com.apple.networkd_privileged,"['/usr/libexec/networkd_privileged']",e773080f87880ed0b24bdd222fd8497b4e2f84d44035caaeefc41359592af8d8,False, -/System/Library/LaunchDaemons/com.apple.NetworkDiagnostics.plist,com.apple.NetworkDiagnostics,"['/System/Library/CoreServices/Network Diagnostics.app/Contents/MacOS/Network Diagnostics']",065eb6ca7c5e3ec8f97cdeef69d65939a81e7a4c9fe2656c47c70f4de0841443,False, -/System/Library/LaunchDaemons/com.apple.NetworkLinkConditioner.plist,com.apple.nlcd,"['/usr/libexec/nlcd']",5281f78356fffb4e9844bac54bd83659a6bde537609884c61d4bf10890ddee23,False, -/System/Library/LaunchDaemons/com.apple.NetworkSharing.plist,com.apple.NetworkSharing,"['/usr/libexec/InternetSharing']",c651196eb946fb6f0675e12f39743b568a96eb18ac3af58dc069eecfd8a10578,False, -/System/Library/LaunchDaemons/com.apple.newsyslog.plist,com.apple.newsyslog,"['/usr/sbin/newsyslog']",adb6b77c997727d03b9087879dd546e513b337fb311de5897b767d53a9aec624,False, -/System/Library/LaunchDaemons/com.apple.nfsconf.plist,com.apple.nfsconf,"['/sbin/mount_nfs', 'configupdate']",7bee79771a2e8af2e6d4d9714a245997c0426a7b3fe0ab779eaa87b2bed1bc82,True, -/System/Library/LaunchDaemons/com.apple.nfsd.plist,com.apple.nfsd,"['/sbin/nfsd']",fe31798175817576a226b53322be7ce0c5e7224c1bc0b5d7e21254a848dc0c36,False, -/System/Library/LaunchDaemons/com.apple.nis.ypbind.plist,com.apple.nis.ypbind,"['/usr/sbin/ypbind']",2a7d40ecb1189a64b11062aad0ee15557193a714792de7f879a04cb00c7af627,False, 
-/System/Library/LaunchDaemons/com.apple.noticeboard.state.plist,com.apple.noticeboard.state,"['/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbstated']",9d5cb80f6d4df2ab0efc7ca2bc4e2980cc655fa82d8ee355845692eeab938cf7,False, -/System/Library/LaunchDaemons/com.apple.notifyd.plist,com.apple.notifyd,"['/usr/sbin/notifyd']",1c09e946ed973590916a4daf082a8bb596d2d8c74992e17f7f1efd4d5663d0a0,False, -/System/Library/LaunchDaemons/com.apple.nsurlsessiond.plist,com.apple.nsurlsessiond_privileged,"['/usr/libexec/nsurlsessiond', '--privileged']",13718923aa29862e4225846e29f29ab9ab5109dcb87727fc414d7d2be788ef08,False, -/System/Library/LaunchDaemons/com.apple.nsurlstoraged.plist,com.apple.nsurlstoraged,"['/usr/libexec/nsurlstoraged']",5ff8b9555bc60225f879c89f8588872d42508f99d5bae9b4d84c529a912a22e7,False, -/System/Library/LaunchDaemons/com.apple.ocspd.plist,com.apple.ocspd,"['/usr/sbin/ocspd']",a2d569b138a894e0a83bd791ef5f2af36f0d85bfaec4610c08e86051c9396e7d,False,"Performs caching and network fetching of CRLs and OCSP responses, used by Security.framework during certificate verification" -/System/Library/LaunchDaemons/com.apple.odproxyd.plist,com.apple.odproxyd,"['/usr/libexec/odproxyd']",2af2d6649b37271b3d1f4569f66247687c2eea5537972da8c21d8c4093e920fe,False, -/System/Library/LaunchDaemons/com.apple.ODSAgent.plist,com.apple.ODSAgent,"['/System/Library/CoreServices/ODSAgent.app/Contents/MacOS/ODSAgent', '-launchd']",86b1e8701eb55aea3fb086a35306b9149f2b8ed7515cbe524eb35cf0505395f0,False, -/System/Library/LaunchDaemons/com.apple.opendirectoryd.plist,com.apple.opendirectoryd,"['/usr/libexec/opendirectoryd']",70a25df43706e9fa5e653e2990526ad5ff9ced360ec16a5ade2333544213cbba,False, -/System/Library/LaunchDaemons/com.apple.pacemaker.plist,com.apple.pacemaker,"['/usr/libexec/pacemaker', '-b', '-e', '0.0001', '-a', '10']",64c7210d8161f862ced2603e7e716bbbf3dd6c85802cebaeba1a88e65d2cb424,False, 
-/System/Library/LaunchDaemons/com.apple.PasswordService.plist,com.apple.PasswordService,"['/usr/sbin/PasswordService', '-n']",1b2e8ee7b929b24defd3b612189db99ab0966bc09da5bf483675b72fc1dbbec6,False, -/System/Library/LaunchDaemons/com.apple.PCIELaneConfigTool.plist,com.apple.PCIELaneConfigTool,"['/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool']",a76bbbe759aad613ff18ad6c26dcab5aa7d0b4994a658f48628ffc319bb13962,False, -/System/Library/LaunchDaemons/com.apple.periodic-daily.plist,com.apple.periodic-daily,"['/usr/libexec/periodic-wrapper', 'daily']",48c844734fd94e7a4b22f6180d3c15202bd411cd5ffaa835105b8c2c66ec2ec8,False, -/System/Library/LaunchDaemons/com.apple.periodic-monthly.plist,com.apple.periodic-monthly,"['/usr/libexec/periodic-wrapper', 'monthly']",48c844734fd94e7a4b22f6180d3c15202bd411cd5ffaa835105b8c2c66ec2ec8,False, -/System/Library/LaunchDaemons/com.apple.periodic-weekly.plist,com.apple.periodic-weekly,"['/usr/libexec/periodic-wrapper', 'weekly']",48c844734fd94e7a4b22f6180d3c15202bd411cd5ffaa835105b8c2c66ec2ec8,False, -/System/Library/LaunchDaemons/com.apple.pfctl.plist,com.apple.pfctl,"['/sbin/pfctl']",41a9ea890f187bc62b9cb8789db3f1ac533a1f0af2a221029eab59e36551ca5e,True, -/System/Library/LaunchDaemons/com.apple.pfd.plist,com.apple.pfd,"['/usr/libexec/pfd', '-d']",ae82283592ce9d60b3f16f8e6e10fc79e8d4d7dd75bce6ff239eeb3fef79df13,False, -/System/Library/LaunchDaemons/com.apple.platform.ptmd.plist,com.apple.platform.ptmd,"['/usr/libexec/ptmd']",1a0badf94c446ad897fa9014c73322af742b857e9453c42ebcb93f0d50808067,True, -/System/Library/LaunchDaemons/com.apple.postgres.plist,com.apple.postgres,"['/Applications/Server.app/Contents/ServerRoot/usr/bin/xpostgres', '-a', '/Library/Server/PostgreSQL For Server Services/Config/com.apple.postgres.plist']",UNKNOWN,False,Legacy or server app 
-/System/Library/LaunchDaemons/com.apple.powerd.plist,com.apple.powerd,"['/System/Library/CoreServices/powerd.bundle/powerd']",d1f5caece5dcb79e7ec4c954e3a77bb3b8477bbd74f52cc1ac34504796587246,False, -/System/Library/LaunchDaemons/com.apple.powerd.swd.plist,com.apple.powerd.swd,"['/System/Library/CoreServices/powerd.bundle/swd']",997e33b28b0abc345a3720f3d0459fb7d15d0e8be06d1e91ba8d2efb5e3f664f,False, -/System/Library/LaunchDaemons/com.apple.preferences.timezone.admintool.plist,com.apple.preferences.timezone.admintool,"['/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/TimeZoneAdminTool']",ee6e51396a9b649947bf78abea8c9206b0f0c0e4cfe98544371d4367231d81bd,False, -/System/Library/LaunchDaemons/com.apple.preferences.timezone.auto.plist,com.apple.preferences.timezone.auto,"['/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/timezoned.app/Contents/MacOS/timezoned']",97f3f470b3f41919dc5b4e0b218a2c902e80da0a8c9b849350698406ccb0dc34,False, -/System/Library/LaunchDaemons/com.apple.printtool.daemon.plist,com.apple.printtool.daemon,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/PrintCore.framework/Versions/A/printtool', 'daemon']",8d7167dfdcac008960d3e370517196ef8bf04859e8f907c78f7807aff2598ae8,False, -/System/Library/LaunchDaemons/com.apple.racoon.plist,com.apple.racoon,"['/usr/sbin/racoon', '-D']",7d69b41215112484bc41607e071415155e85bcf7d54d40ce5f1576de380e0b6d,False,Built-in VPN key management daemon -/System/Library/LaunchDaemons/com.apple.RemoteDesktop.PrivilegeProxy.plist,com.apple.RemoteDesktop.PrivilegeProxy,"['/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy']",d88f0f33186868aa6636871e22b9d25de96d046b1cd0acb34a4e19b7a52926d7,False, 
-/System/Library/LaunchDaemons/com.apple.remotepairtool.plist,com.apple.RemotePairTool,"['/System/Library/CoreServices/RemotePairTool']",750a4f32df8c5e1ff9d992e90a98990efd6c4d0d033f3d0778ca3b50c986df56,False, -/System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist,com.apple.ReportCrash.Root,"['/System/Library/CoreServices/ReportCrash']",11d31bae0610afec73405f2f2defd1b1db18d8ee690df09c7140af4710881709,False, -/System/Library/LaunchDaemons/com.apple.ReportPanicService.plist,com.apple.ReportPanicService,"['/System/Library/CoreServices/ReportPanicService']",a5863a88099a5f14a6992235dc4828d56f2bba2c4a011c34f1501edef877913c,False, -/System/Library/LaunchDaemons/com.apple.revisiond.plist,com.apple.revisiond,"['/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond']",f1ba71b754f622fdd9b5b3c34f08ff71b857a5173059dc754ac7a9869bcccf06,True, -/System/Library/LaunchDaemons/com.apple.RFBEventHelper.plist,com.apple.RFBEventHelper,"['/System/Library/CoreServices/RFBEventHelper.bundle/Contents/MacOS/RFBEventHelperd']",c4c826afee190df98c9d0c5eacf303dd13c8870626d20c6850b300325a3da48d,False, -/System/Library/LaunchDaemons/com.apple.rpcbind.plist,com.apple.rpcbind,"['/usr/sbin/rpcbind']",40798e3aa867b98814c6c5ffaacd15e56514d8ab866d2ef2f86f921e4489f357,False, -/System/Library/LaunchDaemons/com.apple.sandboxd.plist,com.apple.sandboxd,"['/usr/libexec/sandboxd', '-n', 'PluginProcess', '-n', '']",40f3402bf6d084c319f50b7e6989d286706325c5f90b7068c3ceaddad99aa8bb,False, -/System/Library/LaunchDaemons/com.apple.SCHelper.plist,com.apple.SCHelper,"['/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper']",3a5463904d73efa07bdc972afdaa8183d83739f6543ad445e2f6e402fdb513ff,False, 
-/System/Library/LaunchDaemons/com.apple.screensharing.plist,com.apple.screensharing,"['/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd']",c02003ee7ba729185c2b3272aae7c8829854de3e251575492195856cc4b74a8f,False, -/System/Library/LaunchDaemons/com.apple.scsid.plist,com.apple.scsid,"['/usr/libexec/scsid']",d94baf8458de18da383cadc52b6c3a56bab7fb7d15bbca6250737dea80909120,True, -/System/Library/LaunchDaemons/com.apple.secinitd.plist,com.apple.secinitd,"['/usr/libexec/secinitd']",2d479d0a9c84e0cfe65d9bd81e1f593de621612f0374b0daf5e69e548bd66b80,False, -/System/Library/LaunchDaemons/com.apple.security.agentMain.plist,com.apple.security.agentMain,"['/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc/Contents/MacOS/SecurityAgent']",68ac4c762911f781c1c047c7ab92d6466e621cc3d78fed6b78d8eb688abc57a6,False, -/System/Library/LaunchDaemons/com.apple.security.authhost.plist,com.apple.security.authhost,"['/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authorizationhost.xpc/Contents/MacOS/authorizationhost']",7aec336bd38bad27dbe6d56fc5cc07fb00895505bf776697dbf19424af360d5f,False, -/System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist,com.apple.security.FDERecoveryAgent,"['/usr/libexec/FDERecoveryAgent']",0d1982ce9d8ade6dd6c8ceca641e31c2f98c9f2c5ca8c544201aef21e7a23f89,True, -/System/Library/LaunchDaemons/com.apple.security.syspolicy.plist,com.apple.security.syspolicy,"['/usr/libexec/syspolicyd']",254f85025403cbab37b89a5fc641a2b35c2be26767a2fbfcf9e4726068a8b40a,False, -/System/Library/LaunchDaemons/com.apple.securityd.plist,com.apple.securityd,"['/usr/sbin/securityd', '-i']",4f748e5caec6d87df71991110c7f1c48a1d7808314cd3dd78c24f44a5cd327c6,True, -/System/Library/LaunchDaemons/com.apple.securityd_service.plist,com.apple.securityd_service,"['/usr/libexec/securityd_service']",5019cb7c55e6b593d7cc5165bda671a4e2b918dab9a331741255e40f72711289,False, 
-/System/Library/LaunchDaemons/com.apple.sessionlogoutd.plist,com.apple.sessionlogoutd,"['/System/Library/CoreServices/sessionlogoutd']",b1a5b7b09f11940150172cf152239ee3c55a4667270e111f530f80c51f242146,False, -/System/Library/LaunchDaemons/com.apple.smb.preferences.plist,com.apple.smb.preferences,"['/usr/libexec/smb-sync-preferences']",6a03ec8037b35207a4269757e6d4d4543a1523fe9694a90ecda5684b6ea5966b,True, -/System/Library/LaunchDaemons/com.apple.smbd.plist,com.apple.smbd,"['/usr/sbin/smbd']",a2037aa53864f50db0bd0b3aeeeb85bc3b6281128c3da9375db0d790d939aaec,False, -/System/Library/LaunchDaemons/com.apple.softwareupdate_download_service.plist,com.apple.softwareupdate_download_service,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_download_service']",57434feed2c56cdfb486f80f20646bde3aff1489033c2dde6a5b78a764ab54f7,False, -/System/Library/LaunchDaemons/com.apple.softwareupdate_firstrun_tasks.plist,com.apple.softwareupdatecheck.initial,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_firstrun_tasks', '-BuildTagCache', 'YES']",a54ecf8d1c486df0874f51b743c6dcd502bccd5c0e8911b136e608e0a969b249,True, -/System/Library/LaunchDaemons/com.apple.softwareupdated.plist,com.apple.softwareupdated,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated']",9b58f4fe20cf11b4b2bd8035db3e61db56a6f8aaac22d1baace5e6f15b68b913,False, -/System/Library/LaunchDaemons/com.apple.speech.speechsynthesisd.plist,com.apple.speech.speechsynthesisd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd']",77800391daaf9b9dd56eda8222c7c75d743d0433039b886764d0c7ba6dc03908,False, -/System/Library/LaunchDaemons/com.apple.spindump.plist,com.apple.spindump,"['/usr/sbin/spindump']",80f552b7561ceb2017cf47d729ff38903e1183886c4da6860411108ac7eece56,False, 
-/System/Library/LaunchDaemons/com.apple.stackshot.plist,com.apple.stackshot,"['/usr/libexec/stackshot', '-t', '-O']",69f19ff0cc6caa239b328737e771b9d5158e2a590740d990f305dfb4658b0c0e,False, -/System/Library/LaunchDaemons/com.apple.statd.notify.plist,com.apple.statd.notify,"['/usr/sbin/rpc.statd', '-n']",81ee4af0e22e6451ad599b737b47fb4ae544f7891ad83960b8aac9f1d23197da,True, -/System/Library/LaunchDaemons/com.apple.storagekitd.plist,com.apple.storagekitd,"['/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd']",504b92896aa152dee22e407c299119d354d8e756eac9f8852db3179dc3e2394c,False, -/System/Library/LaunchDaemons/com.apple.storereceiptinstaller.plist,com.apple.storereceiptinstaller,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/ReceiptInstaller']",401d0a39bb34eabd11ce2bc6ae76a5cc244435a58e91d3b843edef53026e0b08,False, -/System/Library/LaunchDaemons/com.apple.SubmitDiagInfo.plist,com.apple.SubmitDiagInfo,"['/System/Library/CoreServices/SubmitDiagInfo', 'server-init']",95eb5aa7761667ad373c4478ee9a52e32a224dbee86be1726b699b60f1ddebcd,False,"Sends diagnostic information to Apple" -/System/Library/LaunchDaemons/com.apple.suhelperd.plist,com.apple.suhelperd,"['/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/suhelperd']",d751262ea13269bb5d3d929bf6cbddd2db2dee555482bcda0aeac381216a780d,False, -/System/Library/LaunchDaemons/com.apple.syslogd.plist,com.apple.syslogd,"['/usr/sbin/syslogd']",f262ae3cee8001ec63e5c72a4228b7b3ca9b9c84a59e73e801952fd6ead570bb,False, -/System/Library/LaunchDaemons/com.apple.sysmond.plist,com.apple.sysmond,"['/usr/libexec/sysmond']",f1042a555db65ae1d15cd6003f5f5ea01a351dc2fa1687594069dc1b7fd62ed6,False, -/System/Library/LaunchDaemons/com.apple.systemkeychain.plist,com.apple.systemkeychain,"['/usr/sbin/systemkeychain', '-d']",ad4c1616df2786f1847457655ca1cfa41e665929a8f9869c034be19a2e04e7fd,False, 
-/System/Library/LaunchDaemons/com.apple.systempreferences.installer.plist,com.apple.systempreferences.install,"['/Applications/System Preferences.app/Contents/Resources/installAssistant']",49adcce27e18e86c86a9a0615c2959f74d7ab0c235fdb83f660ffc3c898282b5,False, -/System/Library/LaunchDaemons/com.apple.systemstats.analysis.plist,com.apple.systemstats.analysis,"['/usr/sbin/systemstats', '--xpc']",4aecb7d07b0b2989e9a24b35002680cdbc87754831bea1d32d5efec7d124501e,False, -/System/Library/LaunchDaemons/com.apple.systemstats.daily.plist,com.apple.systemstats.daily,"['/usr/sbin/systemstats', '--daily']",4aecb7d07b0b2989e9a24b35002680cdbc87754831bea1d32d5efec7d124501e,False, -/System/Library/LaunchDaemons/com.apple.systemstatsd.plist,com.apple.systemstatsd,"['/usr/libexec/systemstatsd']",33bd61c3c82f6c1b00ec2f7d756f58809cb33f0566af3e23daa768f51089de6b,False, -/System/Library/LaunchDaemons/com.apple.taskgated-helper.plist,com.apple.taskgated-helper,"['/usr/libexec/taskgated-helper']",98b5ffe6898d34734b511944e26f05683ef20d71682be0e1bfff42495e7193a9,False, -/System/Library/LaunchDaemons/com.apple.taskgated.plist,com.apple.taskgated,"['/usr/libexec/taskgated', '-s']",4c8b36e8c78728e75f00f86711bd7247a82b90230fe69929c8e9d41f113a99e9,False, -/System/Library/LaunchDaemons/com.apple.tccd.system.plist,com.apple.tccd.system,"['/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd', 'system']",a796f973dea81ada2768b828ce95a2ecda4a8d39e12634a119b8333ac5004f30,False, -/System/Library/LaunchDaemons/com.apple.thermald.plist,com.apple.thermald,"['/usr/libexec/thermald']",8e50866ebe64bbc7e46cbbdea75c30fb61bf18c43d3bcbc2f650ec760e29188a,True,"Thermal management daemon" -/System/Library/LaunchDaemons/com.apple.TMCacheDelete.plist,com.apple.TMCacheDelete,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMCacheDelete']",279541928916eac0a538f6f4208f604fc29008149ad721d18adcbf02b8911d58,False, 
-/System/Library/LaunchDaemons/com.apple.TrustEvaluationAgent.system.plist,com.apple.TrustEvaluationAgent.system,"['/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Resources/trustevaluationagent']",1b26f322605aaee84eca81cc8b4481593682276a1efe28080374a12e97b4bd49,False, -/System/Library/LaunchDaemons/com.apple.ucupdate.plist,com.apple.ucupdate.plist,"['/usr/libexec/ucupdate', '-m', '/usr/share/ucupdate/microcode.dat']",5c158c23b4e241dc9e73e2edc162cbea1d791b5c83933518092032767e6e235d,True, -/System/Library/LaunchDaemons/com.apple.uninstalld.plist,com.apple.uninstalld,"['/System/Library/PrivateFrameworks/Uninstall.framework/Resources/uninstalld']",a6021d9950561452543f2c06de4d85a5fc0a7c5644ba87a69e829180574beaf9,False, -/System/Library/LaunchDaemons/com.apple.unmountassistant.sysagent.plist,com.apple.unmountassistant.sysagent,"['/System/Library/CoreServices/UnmountAssistantAgent.app/Contents/Resources/UASysAgent']",cb2daefe26b63909776500dedf26b07288d4bf72e3b9360c60cd2a9f1ab03fd3,False, -/System/Library/LaunchDaemons/com.apple.updateEFIDesktopPicture.plist,com.apple.updateEFIDesktopPicture,"['/usr/sbin/kextcache', '-u', '/']",6ccd8e5f5f074ebc2ccc7e4847c94fbcd68e7cb83a42a3cc1baeee098aceb886,False, -/System/Library/LaunchDaemons/com.apple.usbd.plist,com.apple.usbd,"['/usr/libexec/usbd']",01b0d0b102932f46d3e4ed89cbdf987c7614aa536def7a731f2cdad557ebe70c,False, -/System/Library/LaunchDaemons/com.apple.usbmuxd.plist,com.apple.usbmuxd,"['/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd', '-launchd']",3437dd791960d11e9b8baea43f2896222bd38201e6bb7e0ed3607ba8145169f5,True, -/System/Library/LaunchDaemons/com.apple.UserEventAgent-System.plist,com.apple.UserEventAgent-System,"['/usr/libexec/UserEventAgent', '(System)']",f7796fba68d4936f231fccc098c5b8ddfee88c2c04da85217374736724604527,False, 
-/System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist,com.apple.UserNotificationCenter,"['/System/Library/CoreServices/uncd']",cffa1c92e97e69903cc65e0c31c9a4ce3d6dbf820cfb0ce771c388620af114c6,False, -/System/Library/LaunchDaemons/com.apple.uucp.plist,com.apple.uucp,"['/usr/sbin/uucico', '-l', '-D']",aff3ee38a7b21d8f0132420a0c273e6a0fd8c9a260bc07e71fa827fb55472aa9,False, -/System/Library/LaunchDaemons/com.apple.var-db-dslocal-backup.plist,com.apple.var-db-dslocal-backup,"['/usr/bin/xar', '-c', '-f', 'dslocal-backup.xar', 'dslocal']",1c21d4b35c8a3b57d0a1c01b98bcb24cb8b22361437443252bd9745e9ffa721a,False, -/System/Library/LaunchDaemons/com.apple.vsdbutil.plist,com.apple.vsdbutil,"['/usr/sbin/vsdbutil', '-i']",9f7471376fb2065bc795d3b10eec1b73f01d56d18c1ea698b9d1e3cb23f84914,False, -/System/Library/LaunchDaemons/com.apple.warmd.plist,com.apple.warmd,"['/usr/libexec/warmd']",ab5f216da4b534a7954d81e6346cabe40fb0b61ae68820cd1dbcf5bc40215010,True, -/System/Library/LaunchDaemons/com.apple.watchdogd.plist,com.apple.watchdogd,"['/usr/libexec/watchdogd']",1a902c228dc0205a15952c4e32e5904b71ed31b5d07d5f561170c093df959714,True, -/System/Library/LaunchDaemons/com.apple.wdhelper.plist,com.apple.wdhelper,"['/usr/libexec/wdhelper']",58e5bc3281d3df4a78fe709cae5b2ee9e03d60388a111f6fef746ffb7a4ff985,True, -/System/Library/LaunchDaemons/com.apple.wifid.plist,com.apple.wifid,"['/usr/libexec/wifid']",3b39e4c4f727dadb2408a103f888ccc3b3bd36c81354cfd1b5f8d60a56e7c17e,False, -/System/Library/LaunchDaemons/com.apple.WindowServer.plist,com.apple.WindowServer,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/WindowServer', '-daemon']",5aeef41aa1d11765fcf945f0f4fd06d92b9f9e9321c9fff3630292e91f116856,False, -/System/Library/LaunchDaemons/com.apple.wirelessproxd.plist,com.apple.wirelessproxd,"['/usr/sbin/wirelessproxd']",01f61680ba859fe47639d13feb0ac561717e439e151e42160cc185ad150283da,False, 
-/System/Library/LaunchDaemons/com.apple.wwand.plist,com.apple.wwand,"['/System/Library/Extensions/IOSerialFamily.kext/Contents/PlugIns/AppleWWANSupport.kext/Contents/Resources/wwand']",5e06305b18b0a825c4838a36198d88affda212531b79536a9556e9e6aca7e39f,False, -/System/Library/LaunchDaemons/com.apple.xpc.smd.plist,com.apple.xpc.smd,"['/usr/libexec/smd']",0c7ab24c6ca525eff9862cddcb85604f64d275a21d69d81f4fa598e4ca6a3a8d,False, -/System/Library/LaunchDaemons/com.apple.xsan.plist,com.apple.xsan,"['/System/Library/Filesystems/acfs.fs/Contents/bin/xsand']",6b4eb0c3926ed6881b54806ecb09adcfda60884e712998bdb1fd665a3b9044b4,False, -/System/Library/LaunchDaemons/com.apple.xsandaily.plist,com.apple.xsandaily,"['/System/Library/Filesystems/acfs.fs/Contents/bin/xsandaily']",8e4b2ce51250d0ced9283308e72f449fbc825e9d36abd96f001b4b9ab0a29788,False, -/System/Library/LaunchDaemons/com.apple.xscertadmin.plist,com.apple.xscertadmin,"['/usr/sbin/xscertadmin', 'update']",ce4b29f44c6f36b013acc14ba74e3cfba60bf6065e8897587c1e9870b8389d21,False, -/System/Library/LaunchDaemons/com.apple.xscertd-helper.plist,com.apple.xscertd-helper,"['/usr/libexec/xscertd-helper']",452904eda1b18e60f1f8a9ef25263a46109b0a55139899ef31c0ca9d9c424cb1,False, -/System/Library/LaunchDaemons/com.apple.xscertd.plist,com.apple.xscertd,"['/usr/libexec/xscertd']",2497a607b54d53632711982723ce41ab4b234a3bd840e15663b44f86add25910,False, -/System/Library/LaunchDaemons/com.vix.cron.plist,com.vix.cron,"['/usr/sbin/cron']",990449103d9ac9e1b203a533dcb129aca703f95fd8769cce296fd152c0656593,False, -/System/Library/LaunchDaemons/exec.plist,com.apple.rexecd,"['/usr/libexec/rexecd']",6291e0322167fcd46e1270f204aa37579507d5b8b1be533517d008fb8e8c2fe5,False, -/System/Library/LaunchDaemons/finger.plist,com.apple.fingerd,"['/usr/libexec/fingerd', '-s']",9368bf01f1745d59f05510271b150b6eb9b5f910582a9ec69d6a09f5b8a6dd38,False, 
-/System/Library/LaunchDaemons/ftp.plist,com.apple.ftpd,"['/usr/libexec/ftpd']",3e349907a6ac1966f57015e640fcecf57bbf639551e17e8ceb3a8da4a926d132,False, -/System/Library/LaunchDaemons/login.plist,com.apple.rlogind,"['/usr/libexec/rlogind']",16555925df9bfb05f95409e50b7d0ef2cd9e29ac448684336dbc83007824c7ce,False, -/System/Library/LaunchDaemons/ntalk.plist,com.apple.ntalkd,"['/usr/libexec/ntalkd']",68dc8a0d4c9db33c10abcc8264dd0f32c902c8d637cc9734db22b77b44b4a0b6,False, -/System/Library/LaunchDaemons/org.apache.httpd.plist,org.apache.httpd,"['/usr/sbin/httpd', '-D', 'FOREGROUND']",eeb139ccc447210b45fc2acd54fdeb04173016b545b865461b34c00c9752f59a,False, -/System/Library/LaunchDaemons/org.cups.cups-lpd.plist,org.cups.cups-lpd,"['/usr/libexec/cups/daemon/cups-lpd', '-o', 'document-format=application/octet-stream']",18dea332a780110ff8a605f2788200e4d0f8ddf70505771190036952a63670b7,False, -/System/Library/LaunchDaemons/org.cups.cupsd.plist,org.cups.cupsd,"['/usr/sbin/cupsd', '-l']",UNKNOWN,False, -/System/Library/LaunchDaemons/org.net-snmp.snmpd.plist,org.net-snmp.snmpd,"['/usr/sbin/snmpd']",48e7e796bfad1ff6ab945bc08140e2a115699db9beffd2bff867484990c7b18c,False, -/System/Library/LaunchDaemons/org.ntp.ntpd.plist,org.ntp.ntpd,"['/usr/libexec/ntpd-wrapper']",20064c70f48c140d8e6f2ba4f50f518ca56c22388828160ad3148f958e6fdbbd,False,"Wrapper for ntpdate/ntpd called by launchd" -/System/Library/LaunchDaemons/org.openldap.slapd.plist,org.openldap.slapd,"['/usr/libexec/slapd']",b4a31b1764470ec25a610c83143bb0d4b5fa7ae37177d0745bbd4bf9fe75ed67,False,"Slapd is the stand-alone LDAP daemon." 
-/System/Library/LaunchDaemons/org.postfix.master.plist,org.postfix.master,"['/usr/libexec/postfix/master']",a290d7bebe616c34445cd5ce779452ff968a389350c74f6d5369b40c2331f9ae,False, -/System/Library/LaunchDaemons/shell.plist,com.apple.rshd,"['/usr/libexec/rshd']",314a3d1daab34881d1c40ab6dabe76636088781b84a7735c662b43b977a0e9de,False,"Remote shell server" -/System/Library/LaunchDaemons/ssh.plist,com.openssh.sshd,"['/usr/libexec/sshd-keygen-wrapper']",9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2,False,"Wrapper for OpenSSH SSH daemon called by launchd" -/System/Library/LaunchDaemons/telnet.plist,com.apple.telnetd,"['/usr/libexec/telnetd']",ee525304d91db1dc97dfcc96ed53ff5095f15ccad8940ff102f562470d1eeba1,False, -/System/Library/LaunchDaemons/tftp.plist,com.apple.tftpd,"['/usr/libexec/tftpd', '-i', '/private/tftpboot']",3cadaf30dce95d1be9c1f93ba5a621ab5f76308f22fa104fe38e31e6ea338aac,False,"TFTP server daemon" -/System/Library/LaunchAgents/com.apple.accountsd.plist,com.apple.accountsd,"['/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd']",3d7a899b4daf02c6c6bf7360491d65ec3cd143b361ff7fd1e13bd2f00cadaa25,False, -/System/Library/LaunchAgents/com.apple.AddressBook.abd.plist,com.apple.AddressBook.abd,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/AddressBookManager.app/Contents/MacOS/AddressBookManager']",df7326b58ca754838bcdbd5792bd469079e92290149491a5a3ff96ba6711eefd,False, -/System/Library/LaunchAgents/com.apple.AddressBook.AssistantService.plist,com.apple.AddressBook.AssistantService,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/ABAssistantService.app/Contents/MacOS/ABAssistantService']",7f8133585bf640e5824a192e5d76b1168e2c02f588a498c3086a7369679d34f0,False, 
-/System/Library/LaunchAgents/com.apple.AddressBook.SourceSync.plist,com.apple.AddressBook.SourceSync,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/AddressBookSourceSync.app/Contents/MacOS/AddressBookSourceSync']",349631eda29cc48a5e878aa2ccbe15003fff29b220b85db47fe8570456d157b6,False, -/System/Library/LaunchAgents/com.apple.AirPlayUIAgent.plist,com.apple.AirPlayUIAgent,"['/System/Library/CoreServices/AirPlayUIAgent.app/Contents/MacOS/AirPlayUIAgent', '--launchd']",06ffda934d168537e6b8d5465754990d4a93ae956ac3e66aae8d42112b4b3690,False, -/System/Library/LaunchAgents/com.apple.AirPortBaseStationAgent.plist,com.apple.AirPortBaseStationAgent,"['/System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agent', '--launchd']",7f354b607cb9ace16f14e9799dfbb28a2a256745bc72ce8266d9278a2da12090,False, -/System/Library/LaunchAgents/com.apple.alf.useragent.plist,com.apple.alf.useragent,"['/usr/libexec/ApplicationFirewall/Firewall']",b380dd676502c4b8e720de167e34a2d9764952e9f89814d946a8d0531488a5f4,False, -/System/Library/LaunchAgents/com.apple.aos.migrate.plist,com.apple.aos.migrate,"['/System/Library/CoreServices/AOSMigrateAgent']",f564c52c1f64f4349a6914f676b01b7d3182c709ab36f5fa22000a6c5139e4b5,False, -/System/Library/LaunchAgents/com.apple.AOSHeartbeat.plist,com.apple.AOSHeartbeat,"['/System/Library/PrivateFrameworks/AOSKit.framework/Helpers/AOSHeartbeat.app/Contents/MacOS/AOSHeartbeat']",53663a1eae9ffa5de50cd9967b04330ce8d80bfc87a7fff0a61efdd19e711309,True, -/System/Library/LaunchAgents/com.apple.AOSPushRelay.plist,com.apple.AOSPushRelay,"['/System/Library/PrivateFrameworks/AOSKit.framework/Helpers/AOSPushRelay.app/Contents/MacOS/AOSPushRelay']",b9a95a920964fc77a6bfcbd1338b7c7eb12b837ac3a312a6b68e036b6a4a16e1,False, 
-/System/Library/LaunchAgents/com.apple.AppleGraphicsWarning.plist,com.apple.AppleGraphicsWarning,"['/System/Library/CoreServices/AppleGraphicsWarning.app/Contents/MacOS/AppleGraphicsWarning']",a935862ecfe10ae6064abffdf84a144cab899b4efb387bfd88bb62b042e3163b,False, -/System/Library/LaunchAgents/com.apple.appleseed.seedusaged.plist,com.apple.appleseed.seedusaged,"['/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged']",9fdb2f54a618daec5bea7b30bca7438772bf8226d3cca89acc937cdaa7f34166,True, -/System/Library/LaunchAgents/com.apple.appsleepd.plist,com.apple.appsleep,"['/usr/sbin/appsleepd']",be713f379b4ebbb4f55a92911c884b5caf4fd8d8baaf4fee48641ec778b1c378,False, -/System/Library/LaunchAgents/com.apple.appstoreupdateagent.plist,com.apple.appstoreupdateagent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/appstoreupdateagent']",b19cac536d8f3781ecdca762e787e5e439c9ff7427d5c9192c2f3ac40c312006,False, -/System/Library/LaunchAgents/com.apple.apsctl.plist,com.apple.apsctl,"['/System/Library/PrivateFrameworks/ApplePushService.framework/apsctl', 'login']",144a7dc16c23ff48e7a7eb0a971236a38451a4ba42527401fb4ab2e121c2d08e,True, -/System/Library/LaunchAgents/com.apple.askpermissiond.plist,com.apple.askpermissiond,"['/System/Library/PrivateFrameworks/AskPermission.framework/Versions/A/Resources/askpermissiond']",d2cd4af641f2c3374db6293716ac9d871d87c8d2d59b1edfc1be32fdce0c952f,True, -/System/Library/LaunchAgents/com.apple.AskPermissionUI.plist,com.apple.AskPermissionUI,"['/System/Library/PrivateFrameworks/AskPermission.framework/Versions/A/Resources/AskPermissionUI.app/Contents/MacOS/AskPermissionUI']",1095261fa0a0692816c891e5b79d625b110a5d0e64d3d5988caae0fd9bc1d95d,False, 
-/System/Library/LaunchAgents/com.apple.assistant_service.plist,com.apple.assistant_service,"['/System/Library/PrivateFrameworks/AssistantServices.framework/assistant_service']",a961d88edbb88b1fb56d9ca0114b7460e9c3db239f845ae2f2fd82eb31c43a30,False, -/System/Library/LaunchAgents/com.apple.assistantd.plist,com.apple.assistantd,"['/System/Library/PrivateFrameworks/AssistantServices.framework/assistantd']",ba86929e8e25563fece6c4751caa10f4c8d66d218980b2da9c7e204cf79e7eb4,False, -/System/Library/LaunchAgents/com.apple.AssistiveControl.plist,com.apple.AssistiveControl,"['/System/Library/Input Methods/Switch Control.app/Contents/MacOS/Switch Control', 'launchd', '-s']",bac8fd238e96a4827022dd96ecafa17f6c45de52fc1170368795df5922600592,False, -/System/Library/LaunchAgents/com.apple.BezelUI.plist,com.apple.BezelUIServer,"['/System/Library/LoginPlugins/BezelServices.loginPlugin/Contents/Resources/BezelUI/BezelUIServer']",3adab7f03a370748ff6f5bf64cdb6a14829b9af2afe6f847b3d6abc5d43f149c,False, -/System/Library/LaunchAgents/com.apple.bird.plist,com.apple.bird,"['/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird']",b5a7ff5f26909c61e1b74ebf05175c4f36f351040805b9690b0ae30b7e76c91e,False,Documents in the Cloud feature daemon -/System/Library/LaunchAgents/com.apple.bluetoothUIServer.plist,com.apple.bluetoothUIServer,"['/System/Library/CoreServices/BluetoothUIServer.app/Contents/MacOS/BluetoothUIServer']",30185d9a2fb77c91ee54847908e914d825d2ecfc98a45b29742b4b1a56105463,False, -/System/Library/LaunchAgents/com.apple.btsa.plist,com.apple.btsa,"['/System/Library/CoreServices/Bluetooth Setup Assistant.app/Contents/MacOS/Bluetooth Setup Assistant', '-autoConfigure']",ecc195a5184bc049c1c28e153a10294e5557c1521c66880d0f812810cab4d031,False, 
-/System/Library/LaunchAgents/com.apple.CalendarAgent.plist,com.apple.CalendarAgent,"['/System/Library/PrivateFrameworks/CalendarAgent.framework/Executables/CalendarAgent']",5aceef7a44e8d33af5c667213503d11a66d454d1a152418bcef5bd272c8b3709,True, -/System/Library/LaunchAgents/com.apple.CallHistoryPluginHelper.plist,com.apple.CallHistoryPluginHelper,"['/System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistoryPluginHelper']",38f73a67ff9bf0182f1571d126608cf0f84a3f1395d6d25d3bdc1a4685b81d9c,False, -/System/Library/LaunchAgents/com.apple.CallHistorySyncHelper.plist,com.apple.CallHistorySyncHelper,"['/System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper']",7b5ab82587c0ddc9ce5dae2edbce8204754ee9bc745fc747ef9fa57701fce92a,False, -/System/Library/LaunchAgents/com.apple.cfnetwork.AuthBrokerAgent.plist,com.apple.cfnetwork.AuthBrokerAgent,"['/System/Library/CoreServices/AuthBrokerAgent']",65e1e94ecc5423f400c96d6d05cd772dc31a69853ee085eec06ce0a068538f3f,False, -/System/Library/LaunchAgents/com.apple.cfnetwork.cfnetworkagent.plist,com.apple.cfnetwork.cfnetworkagent,"['/System/Library/CoreServices/CFNetworkAgent']",6f6cb9c91afd47d5cba567ecd0e47169984439808861f9e4ce412d5edfd9083e,False, -/System/Library/LaunchAgents/com.apple.cfprefsd.xpc.agent.plist,com.apple.cfprefsd.xpc.agent,"['/usr/sbin/cfprefsd', 'agent']",ee0443bdcc80cc7b43c308b65ea6df39092c8d7ab8072ee20be1863d6f737565,False, -/System/Library/LaunchAgents/com.apple.cloudd.plist,com.apple.cloudd,"['/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd']",09f5a3d9efc27cdfa8a12d3178838a325428eb7f27de0c312189a3a4caf08499,False, -/System/Library/LaunchAgents/com.apple.cloudfamilyrestrictionsd-mac.plist,com.apple.cloudfamilyrestrictionsd,"['/System/Library/PrivateFrameworks/CloudFamilyRestrictions.framework/cloudfamilyrestrictionsd']",fd81c20bf7774f746b8dd29a04ab1108e712b1db4e0d85432dfeb31065e4e7dc,False, 
-/System/Library/LaunchAgents/com.apple.cloudpaird.plist,com.apple.cloudpaird,"['/System/Library/CoreServices/cloudpaird']",2fbeeead9c6842e3dfe18980677b94338c1266269a83825e918ff84a2381d01a,False, -/System/Library/LaunchAgents/com.apple.cloudphotosd.plist,com.apple.cloudphotosd,"['/System/Library/CoreServices/cloudphotosd.app/Contents/MacOS/cloudphotosd']",e2061ceed1d0fc5d2f0044920ba40caa8ab82a877c3950eb995b2ff37d198761,False, -/System/Library/LaunchAgents/com.apple.cmfsyncagent.plist,com.apple.cmfsyncagent,"['/System/Library/PrivateFrameworks/CommunicationsFilter.framework/CMFSyncAgent.app/Contents/MacOS/CMFSyncAgent']",a60d57386a7bcc9434b75e738ecf2168d890848515196e73845338e15dff94a1,False, -/System/Library/LaunchAgents/com.apple.ContainerRepairAgent.plist,com.apple.ContainerRepairAgent,"['/usr/libexec/AppSandbox/ContainerRepairAgent']",639a03ffc1d1b1ae1e51dd254dfe1ff1fc3c2aab3eac3ef5f67a3573d944106f,False, -/System/Library/LaunchAgents/com.apple.CoreAuthentication.daemon.plist,com.apple.CoreAuthentication.daemon,"['/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd']",55e1f916f65afdc5b193ed86e09aa9368d7de7baef68eab534dd06573959c7af,False, -/System/Library/LaunchAgents/com.apple.coredata.externalrecordswriter.plist,com.apple.coredata.externalrecordswriter,"['/System/Library/Frameworks/CoreData.framework/Versions/A/Resources/ExternalRecordsWriter']",ee43c511f248140043308d2f81201bf1cc98e966f26679927990eb617cdf7b45,False, -/System/Library/LaunchAgents/com.apple.CoreLocationAgent.plist,com.apple.CoreLocationAgent,"['/System/Library/CoreServices/CoreLocationAgent.app/Contents/MacOS/CoreLocationAgent']",c7cfb6c1f02fc6d4e70c952ddbeb9743e434770c06af54995ea3e5062fda2a42,False, -/System/Library/LaunchAgents/com.apple.CoreRAIDAgent.plist,com.apple.CoreRAIDAgent,"['/System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDAgent']",83b7084552d7986f390fc787244e9c5d1ec09f597a36aff7431150bc2a2c40a3,False, 
-/System/Library/LaunchAgents/com.apple.coreservices.appleid.authentication.plist,com.apple.coreservices.appleid.authentication,"['/System/Library/CoreServices/AppleIDAuthAgent']",e953287f86876b6f6f7c612a002bbee12257584238d0cc00108844610cd337c5,True, -/System/Library/LaunchAgents/com.apple.coreservices.lsactivity.plist,com.apple.coreservices.lsactivity,"['/System/Library/CoreServices/lsuseractivityd']",a37bdd06bf1aa72a5cdb313f0448383a85e193c53ce95547ef7cc6669e4bd585,False, -/System/Library/LaunchAgents/com.apple.coreservices.uiagent.plist,com.apple.coreservices.uiagent,"['/System/Library/CoreServices/CoreServicesUIAgent.app/Contents/MacOS/CoreServicesUIAgent']",3c51d870fc698d88c268aa6ff0d570f576db8d2608bd3297bb42b32aad56cc40,False, -/System/Library/LaunchAgents/com.apple.csuseragent.plist,com.apple.csuseragent,"['/System/Library/CoreServices/CSUserAgent']",0257c7be5b94332a7da97bac8c8078e436da36330814293b694a6b882596bb11,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_i386.plist,com.apple.cvmsCompAgent_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '2']",ef4533621bf2fec7241e31a823c1a5f196634eb0e90e23b671ea2443c1f72cd2,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_i386_1.plist,com.apple.cvmsCompAgent_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '3']",ef4533621bf2fec7241e31a823c1a5f196634eb0e90e23b671ea2443c1f72cd2,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_x86_64.plist,com.apple.cvmsCompAgent_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '2']",ef4533621bf2fec7241e31a823c1a5f196634eb0e90e23b671ea2443c1f72cd2,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_x86_64_1.plist,com.apple.cvmsCompAgent_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '3']",ef4533621bf2fec7241e31a823c1a5f196634eb0e90e23b671ea2443c1f72cd2,False, 
-/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_i386.plist,com.apple.cvmsCompAgentLegacy_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler']",2c0ce33a125ebe67574cac63fed946e005bef67a8b98423e5345d286d5fea1eb,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_i386_1.plist,com.apple.cvmsCompAgentLegacy_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler', '1']",2c0ce33a125ebe67574cac63fed946e005bef67a8b98423e5345d286d5fea1eb,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_x86_64.plist,com.apple.cvmsCompAgentLegacy_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler']",2c0ce33a125ebe67574cac63fed946e005bef67a8b98423e5345d286d5fea1eb,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_x86_64_1.plist,com.apple.cvmsCompAgentLegacy_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler', '1']",2c0ce33a125ebe67574cac63fed946e005bef67a8b98423e5345d286d5fea1eb,False, -/System/Library/LaunchAgents/com.apple.DiagnosticReportCleanup.plist,com.apple.DiagnosticReportCleanup.plist,"['/System/Library/CoreServices/SubmitDiagInfo', 'cleanup']",95eb5aa7761667ad373c4478ee9a52e32a224dbee86be1726b699b60f1ddebcd,False, -/System/Library/LaunchAgents/com.apple.diagnostics_agent.plist,com.apple.diagnostics_agent,"['/System/Library/CoreServices/diagnostics_agent']",e54ee7df0479e93e40e06021cb8ce6acd41ceec6ecc520ef2c920532142dfbba,True, -/System/Library/LaunchAgents/com.apple.DictationIM.plist,com.apple.DictationIM,"['/System/Library/Input Methods/DictationIM.app/Contents/MacOS/DictationIM']",91428895cdc80ac1882d4bdba81f216cf768aa24509d7921aa4c17ef00fb244a,False, 
-/System/Library/LaunchAgents/com.apple.DiskArbitrationAgent.plist,com.apple.DiskArbitrationAgent,"['/System/Library/Frameworks/DiskArbitration.framework/Versions/A/Support/DiskArbitrationAgent']",86cc9ec535453f8bbf1c0a54585a6fe2e2c4e72d32f9ed6a5c2950614b8f26fc,False, -/System/Library/LaunchAgents/com.apple.distnoted.xpc.agent.plist,com.apple.distnoted.xpc.agent,"['/usr/sbin/distnoted', 'agent']",4ebd678363ad903feb5d1b1a47841be323126de20ca2ceb4a82fb7c7fad305f6,False, -/System/Library/LaunchAgents/com.apple.Dock.plist,com.apple.Dock.agent,"['/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock']",91044587bcdc7240fab5f956316a4097e228b85b1bdd7f4278b71160d9d71008,False, -/System/Library/LaunchAgents/com.apple.dt.CommandLineTools.installondemand.plist,com.apple.dt.CommandLineTools.installondemand,"['/System/Library/CoreServices/Install Command Line Developer Tools.app/Contents/MacOS/Install Command Line Developer Tools']",743c4811145ec52a34ef4008a6ab7056c80fb43be79e075e49d4c760c65e6ad1,False, -/System/Library/LaunchAgents/com.apple.EscrowSecurityAlert.plist,com.apple.EscrowSecurityAlert,"['/System/Library/PrivateFrameworks/CloudServices.framework/Resources/EscrowSecurityAlert.app/Contents/MacOS/EscrowSecurityAlert']",5979f434dac0d288074d4e83d58e256f8ac5a83b646cfab6e60118e98c583580,False, -/System/Library/LaunchAgents/com.apple.familycircled.plist,com.apple.familycircled,"['/System/Library/PrivateFrameworks/FamilyCircle.framework/Versions/A/Resources/familycircled']",ab782e1434b26f7d8add4d4c5c535194e5979970e3522d413ae760b354925fce,False, -/System/Library/LaunchAgents/com.apple.familycontrols.useragent.plist,com.apple.familycontrols.useragent,"['/System/Library/PrivateFrameworks/FamilyControls.framework/Resources/ParentalControls.app/Contents/MacOS/ParentalControls']",58e953e2acac88574e2a492f2ecb6847e11d24a35951e6e80f4a351e51afa847,False, 
-/System/Library/LaunchAgents/com.apple.familynotificationd.plist,com.apple.familynotificationd,"['/System/Library/PrivateFrameworks/FamilyNotification.framework/Versions/A/Resources/Family.app/Contents/MacOS/Family']",0babebdc1ab35fd1b61f42d95c25a3bf1837e130fa6ce3b77af8797fb83a21bc,False, -/System/Library/LaunchAgents/com.apple.FileStatsAgent.plist,com.apple.FileStatsAgent,"['/usr/sbin/FileStatsAgent']",53295110bb131d02aa26d3f1ea97e64aab89456bc01e577568331f4299658fb4,False, -/System/Library/LaunchAgents/com.apple.FileSyncAgent.PHD.plist,com.apple.FileSyncAgent.PHD,"['/System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent', '-launchedByLaunchd', '-PHDPlist']",72ab59cd59ec866d0ada2c57d6c169986697bcf27c648aa433dd310a6419a6b2,False, -/System/Library/LaunchAgents/com.apple.FilesystemUI.plist,com.apple.FilesystemUI,"['/System/Library/CoreServices/KernelEventAgent.bundle/FileSystemUIAgent.app/Contents/MacOS/FileSystemUIAgent']",48b3f83d79a50e81db200efde01b157dcc3c7bdfeebccf3476e53604cf726743,False, -/System/Library/LaunchAgents/com.apple.Finder.plist,com.apple.Finder,"['/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder']",b94ef8d3893fefb91c4ab7c7048fadbcaae4ffbb70f10f3f0a2059baee57bc5c,False, -/System/Library/LaunchAgents/com.apple.findmymacmessenger.plist,com.apple.findmymacmessenger,"['/System/Library/PrivateFrameworks/FindMyMac.framework/Resources/FindMyMacMessenger.app/Contents/MacOS/FindMyMacMessenger']",44f224b2846ea0e7e6d920f396bc54e64c6ed629c33d2a8820515738be5cdb6d,False, -/System/Library/LaunchAgents/com.apple.fontd.useragent.plist,com.apple.fontd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd']",dc55f9e3fb42a2ad38aac323e66223fc3d4a924fe7fc834f3934c8111b5c2141,False, 
-/System/Library/LaunchAgents/com.apple.FontRegistryUIAgent.plist,com.apple.FontRegistryUIAgent,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/FontRegistryUIAgent.app/Contents/MacOS/FontRegistryUIAgent']",f25d23090740ac62b44e40633d95473581bfd3e2aef6b6ee577b7fe02f0e950d,False, -/System/Library/LaunchAgents/com.apple.FontValidator.plist,com.apple.ATS.FontValidator,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/FontValidator']",b834051e4de54a8c272055bcc6d585150b5296cb93211d520537e56784dc86e4,False, -/System/Library/LaunchAgents/com.apple.FontValidatorConduit.plist,com.apple.ATS.FontValidatorConduit,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/FontValidatorConduit']",687132f17b7902037a653ec9e9f604a6c9fc9b358d5b19b2749956e1bd44deba,False, -/System/Library/LaunchAgents/com.apple.FontWorker.plist,com.apple.FontWorker,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontworker']",236492be703611b65e521c918c895a156171665767ab6830e3a4478c4df5e881,False,"Registers and validates font for the system" -/System/Library/LaunchAgents/com.apple.gamed.plist,com.apple.gamed,"['/System/Library/PrivateFrameworks/GameCenterFoundation.framework/Versions/A/gamed']",de1f435de0332d441f35699811ce2fcfa5627d17d1720d51b94bb66589b50e91,False, -/System/Library/LaunchAgents/com.apple.helpd.plist,com.apple.helpd,"['/System/Library/PrivateFrameworks/HelpData.framework/Versions/A/Resources/helpd']",1db419e7a9bb1326bc88e2d5f980e43868675ded4aa92320d365b67f6b4285f1,True, -/System/Library/LaunchAgents/com.apple.icbaccountsd.plist,com.apple.icbaccountsd,"['/usr/libexec/icbaccountsd']",36d50465f7d96755c34311af525ccf826b17ed6182b13c25d72055eb990f8ffa,False, 
-/System/Library/LaunchAgents/com.apple.icloud.fmfd.plist,com.apple.icloud.fmfd,"['/usr/libexec/fmfd']",d4445bf99b575d68979eba1afad8cf96bcbd6da3a49988a35f48c165cba0abe7,False, -/System/Library/LaunchAgents/com.apple.iCloudUserNotifications.plist,com.apple.iCloudUserNotificationsd,"['/System/Library/PrivateFrameworks/AOSAccounts.framework/Versions/A/Resources/iCloudUserNotificationsd.app/Contents/MacOS/iCloudUserNotificationsd']",bb1c90dbc526615a8fb847f64eecf4313f85015fd83a8530f02497ae5ce5d05c,False, -/System/Library/LaunchAgents/com.apple.iconservices.iconservicesagent.plist,com.apple.iconservices.iconservicesagent,"['/System/Library/CoreServices/iconservicesagent']",05a40a54c28ec6b2ab3d550e90125f7fad3709e5111a0dff7b1946c07f05b9fb,True, -/System/Library/LaunchAgents/com.apple.identityservicesd.plist,com.apple.identityservicesd,"['/System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd']",7598133371db81cd70f857fdb18af8e1c740c7d3829e50f98ce4a751567656f0,False, -/System/Library/LaunchAgents/com.apple.idsremoteurlconnectionagent.plist,com.apple.idsfoundation.IDSRemoteURLConnectionAgent,"['/System/Library/PrivateFrameworks/IDSFoundation.framework/IDSRemoteURLConnectionAgent.app/Contents/MacOS/IDSRemoteURLConnectionAgent']",16b5a0539db8d741cb8670a49cd44b2659812ae0199fe07f3dc82a8534d315d2,False, -/System/Library/LaunchAgents/com.apple.imagent.plist,com.apple.imagent,"['/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent']",4125a42e700e756cfcb8c75f2c6f05766294ae696ad27f6d5200a701ccc006c2,False, -/System/Library/LaunchAgents/com.apple.imklaunchagent.plist,com.apple.imklaunchagent,"['/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent']",8fb3918f5f54e6d28b66fd6221b270d394d602c687779c070fafee9c3a741e12,False, 
-/System/Library/LaunchAgents/com.apple.IMLoggingAgent.plist,com.apple.IMLoggingAgent,"['/System/Library/PrivateFrameworks/IMFoundation.framework/IMLoggingAgent']",5f4e679211fde7698a97c3437a44d93c176371faf1d1403bb225de385aaf2b86,False, -/System/Library/LaunchAgents/com.apple.imtransferagent.plist,com.apple.imcore.imtransferagent,"['/System/Library/PrivateFrameworks/IMTransferServices.framework/IMTransferAgent.app/Contents/MacOS/IMTransferAgent']",8785487c2a3441b9b8d3467f2623ea5369b39d491dafe4bef2a027dde293ed11,False, -/System/Library/LaunchAgents/com.apple.installd.user.plist,com.apple.installd.user,"['/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd']",b46bc3a8209f8530f7e16a5fd29f988d0cdccaa6a15dd445e3ce3d5e0697a2b5,False, -/System/Library/LaunchAgents/com.apple.isst.plist,com.apple.isst,"['/System/Library/CoreServices/Menu Extras/TextInput.menu/Contents/SharedSupport/isst']",f0a644be0ca75851ecc9fa1cc138a26bb51e9b026b41413d2dbcfb712c5460a5,True, -/System/Library/LaunchAgents/com.apple.java.InstallOnDemand.plist,com.apple.java.InstallOnDemandAgent,"['/System/Library/Java/Support/CoreDeploy.bundle/Contents/Download Java Components.app/Contents/MacOS/Download Java Components']",fffbc4080e9f82b938d4d1936e2a1bd71ad34079a3a60aec9d9ed0ec82b340ec,False, -/System/Library/LaunchAgents/com.apple.java.updateSharing.plist,com.apple.java.updateSharing,"['/System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/bin/updateSharingD']",9915961f73f12784b52312c6a33e790277a4f63d68856df40dabf11a6689a6aa,False, -/System/Library/LaunchAgents/com.apple.lateragent.plist,com.apple.lateragent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Resources/LaterAgent.app/Contents/MacOS/LaterAgent']",c54755a4963612ea977b67c3ce010dee57ab9edd7bed040a445d3a3ca82906be,False, 
-/System/Library/LaunchAgents/com.apple.locationmenu.plist,com.apple.locationmenu,"['/System/Library/CoreServices/LocationMenu.app/Contents/MacOS/LocationMenu']",686a3164f78304cd257fb3fc4e3aaaf6ae00b655c9200e679c815f6d422da596,False, -/System/Library/LaunchAgents/com.apple.lookupd.plist,com.apple.lookupd,"['/System/Library/PrivateFrameworks/Lookup.framework/Resources/com.apple.lookupd']",bcafd8702e3873c70d854f979de6ab1a795144c76d34a9f4468291b225bc84d6,False, -/System/Library/LaunchAgents/com.apple.ManagedClientAgent.agent.plist,com.apple.ManagedClientAgent.agent,"['/System/Library/CoreServices/ManagedClient.app/Contents/Resources/ManagedClientAgent', '-a']",82837b866c39e09e59cc7571d91f4b0ff03bcae2172d792040346809e44f61f3,False, -/System/Library/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist,com.apple.ManagedClientAgent.enrollagent,"['/System/Library/CoreServices/ManagedClient.app/Contents/Resources/ManagedClientAgent', '-j']",82837b866c39e09e59cc7571d91f4b0ff03bcae2172d792040346809e44f61f3,False, -/System/Library/LaunchAgents/com.apple.Maps.pushdaemon.plist,com.apple.Maps.mapspushd,"['/System/Library/CoreServices/mapspushd']",14f9533a178a67b07ad41909bb975ccce8eeb65598a3ed688f3e677c2548de24,False, -/System/Library/LaunchAgents/com.apple.maspushagent.plist,com.apple.maspushagent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/maspushagent']",4dd458c87050ce1ff872f5fdcde52248bc560359e1e2df10bd3edc167ab162a7,False, -/System/Library/LaunchAgents/com.apple.mbloginhelper.user.plist,com.apple.mbloginhelper.user,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbloginhelper']",3d82e300b9b4b9d55f6ed502a7ed57b4c0a1b54d2f15f211ca03faa4a7d2b363,False, -/System/Library/LaunchAgents/com.apple.mbpluginhost.user.plist,com.apple.mbpluginhost.user,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbpluginhost']",efecf1f7975a645585503638ad64da6e962896eb271838063fb94778e205c8fe,False, 
-/System/Library/LaunchAgents/com.apple.mdmclient.agent.plist,com.apple.mdmclient.agent,"['/usr/libexec/mdmclient', 'agent']",8b29d46bf93f8b33ead6d9d4d4341f25256ef8d61389978ac39e90dd3fed4617,False, -/System/Library/LaunchAgents/com.apple.mdmclient.cloudconfig.agent.plist,com.apple.mdmclient.cloudconfig.agent,"['/usr/libexec/mdmclient', 'cloudconfig']",8b29d46bf93f8b33ead6d9d4d4341f25256ef8d61389978ac39e90dd3fed4617,False, -/System/Library/LaunchAgents/com.apple.mdworker.32bit.plist,com.apple.mdworker.32bit,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker32', '-s', 'mdworker-lsb', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.32bit']",c6cc15ce98e449c50e65d3c608873ab643d498a880d47fc8600c54271824f419,False, -/System/Library/LaunchAgents/com.apple.mdworker.bundles.plist,com.apple.mdworker.bundles,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-bundle', '-c', 'MDSImporterBundleFinder', '-m', 'com.apple.mdworker.bundles']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, -/System/Library/LaunchAgents/com.apple.mdworker.isolation.plist,com.apple.mdworker.isolation,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.isolation']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, -/System/Library/LaunchAgents/com.apple.mdworker.lsb.plist,com.apple.mdworker.lsb,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-lsb', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.lsb']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, 
-/System/Library/LaunchAgents/com.apple.mdworker.mail.plist,com.apple.mdworker.mail,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-mail', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.mail']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, -/System/Library/LaunchAgents/com.apple.mdworker.shared.plist,com.apple.mdworker.shared,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.shared']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, -/System/Library/LaunchAgents/com.apple.mdworker.single.plist,com.apple.mdworker.single,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.single']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, -/System/Library/LaunchAgents/com.apple.mdworker.sizing.plist,com.apple.mdworker.sizing,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-sizing', '-c', 'MDSSizingWorker', '-m', 'com.apple.mdworker.sizing']",2938803e03f7a91177a8cdb5cc163a14fa6897cd940e36a080caf4397237b24b,False, -/System/Library/LaunchAgents/com.apple.metadata.mdflagwriter.plist,com.apple.metadata.mdflagwriter,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdflagwriter']",6568285a864541b1fba665d3435cf1edb47a1abad433a03ede780fde1285ca67,False, -/System/Library/LaunchAgents/com.apple.metadata.mdwrite.plist,com.apple.metadata.mdwrite,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdwrite']",9f877be1f5aad67a4ba30b48eafd360b17510820ac191ea21ab306f57a20ad24,False, 
-/System/Library/LaunchAgents/com.apple.metadata.SpotlightNetHelper.plist,com.apple.metadata.SpotlightNetHelper,"['/System/Library/PrivateFrameworks/ParsecUI.framework/Versions/A/Support/SpotlightNetHelper.app/Contents/MacOS/SpotlightNetHelper']",3f514febde925557180e545d66f56b7103c3213571f46fffa679f4613b78b958,False, -/System/Library/LaunchAgents/com.apple.midiserver.plist,com.apple.midiserver,"['/System/Library/Frameworks/CoreMIDI.framework/MIDIServer']",322512311919f457dbb444120355d97a2b3693340173e98e2ca023a123d9715f,False, -/System/Library/LaunchAgents/com.apple.neagent.plist,com.apple.neagent,"['/usr/libexec/neagent']",0ccc6239f32d17a38b4d14f66cdfe6a519b723dc2c8a04d8f5909e8a342c24cd,False, -/System/Library/LaunchAgents/com.apple.netauth.user.auth.plist,com.apple.netauth.user.auth,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent']",15e3d0f498e5fbd131fa0fe32ac54af6c7595d618ab98cf38cb1adfac7063a88,False, -/System/Library/LaunchAgents/com.apple.netauth.user.gui.plist,com.apple.netauth.user.gui,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent']",5e1ff53d5740591660f0f85d909a61bb5b08491cdd29c4dc57a3cf7e28825e49,False, -/System/Library/LaunchAgents/com.apple.NetworkDiagnostics.plist,com.apple.NetworkDiagnostics,"['/System/Library/CoreServices/Network Diagnostics.app/Contents/MacOS/Network Diagnostics']",065eb6ca7c5e3ec8f97cdeef69d65939a81e7a4c9fe2656c47c70f4de0841443,False, -/System/Library/LaunchAgents/com.apple.noticeboard.agent.plist,com.apple.noticeboard.agent,"['/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbagent.app/Contents/MacOS/nbagent']",7f1a6566b86116397ca7f45d4c34427ddac9336f96860320241b46e3649557d5,False, 
-/System/Library/LaunchAgents/com.apple.notificationcenterui.plist,com.apple.notificationcenterui.agent,"['/System/Library/CoreServices/NotificationCenter.app/Contents/MacOS/NotificationCenter']",f96a3150a159eb7366838ec2cf46bfa46dc8a72aa3138174ecb05431eaf3604a,False, -/System/Library/LaunchAgents/com.apple.nsurlsessiond.plist,com.apple.nsurlsessiond,"['/usr/libexec/nsurlsessiond']",13718923aa29862e4225846e29f29ab9ab5109dcb87727fc414d7d2be788ef08,False, -/System/Library/LaunchAgents/com.apple.nsurlstoraged.plist,com.apple.nsurlstoraged,"['/usr/libexec/nsurlstoraged']",5ff8b9555bc60225f879c89f8588872d42508f99d5bae9b4d84c529a912a22e7,False, -/System/Library/LaunchAgents/com.apple.PackageKit.InstallStatus.plist,com.apple.PackageKit.InstallStatus,"['/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress']",ce64d192639f14beb40b19cdebda7115be7ca8f9cf0cd47f70b53ef10a424bea,False, -/System/Library/LaunchAgents/com.apple.parentalcontrols.check.plist,com.apple.parentalcontrols.check,"['/System/Library/PrivateFrameworks/FamilyControls.framework/Resources/pcdCheck']",7c2914dee11946ab55e77fdd6b053e0a587a45528f97e9700da48e3ba20de4f9,True, -/System/Library/LaunchAgents/com.apple.pboard.plist,com.apple.pboard,"['/usr/sbin/pboard']",e3c03ab4aa169ae62d5336b594b9ab5b8d4025eaf86c67bb499a4f7ec94c4e89,False, -/System/Library/LaunchAgents/com.apple.pbs.plist,com.apple.pbs,"['/System/Library/CoreServices/pbs']",eeb35b878409a4525ccb04813751b9d73c95ace512aa7b445d6b224e0dd90aeb,False,Services menu daemon -/System/Library/LaunchAgents/com.apple.PCIESlotCheck.plist,com.apple.PCIESlotCheck,"['/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIESlotCheck']",ad373c88713ef9eb0b08ce7620f9ab7a4025a396d636a4bcd2e93924c6bd8194,True, 
-/System/Library/LaunchAgents/com.apple.photolibraryd.plist,com.apple.photolibraryd,"['/System/Library/PrivateFrameworks/PhotoLibraryPrivate.framework/Versions/A/Support/photolibraryd']",634627fe240899fefe142fd98e7a8f039c2e00f7851aba6b838893a870e5c3fa,False, -/System/Library/LaunchAgents/com.apple.PhotoLibraryMigrationUtility.XPC.plist,com.apple.PhotoLibraryMigrationUtility.XPC,"['/System/Library/CoreServices/Photo Library Migration Utility.app/Contents/MacOS/Photo Library Migration Utility', '-server']",94e77d46f8b69f475458e54e589c14896fd8b056e5af6e864da668e7d409a921,False, -/System/Library/LaunchAgents/com.apple.pictd.plist,com.apple.pictd,"['/usr/sbin/pictd']",760cf3c134aa0424d821c76e208cccb7790a99ab6e8eb1d7652e066e6d7d3868,False, -/System/Library/LaunchAgents/com.apple.pluginkit.pkd.plist,com.apple.pluginkit.pkd,"['/usr/libexec/pkd']",b908c4aa13948b1beb720f37662e68a51ea5702a075fac7baa4c334ec5fe213b,False, -/System/Library/LaunchAgents/com.apple.pluginkit.pkreporter.plist,com.apple.pluginkit.pkreporter,"['/usr/libexec/pkreporter']",f52278285a36f07e78dcd61c3f4ee5a130506eb9fffbe346f6b8725005fce930,False, -/System/Library/LaunchAgents/com.apple.powerchime.plist,com.apple.powerchime,"['/System/Library/CoreServices/PowerChime.app/Contents/MacOS/PowerChime']",3ee542b421c0532d99da6c7cdafd29f5e08ec1a24d1ca742e21da656999bc64f,True, -/System/Library/LaunchAgents/com.apple.printtool.agent.plist,com.apple.printtool.agent,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/PrintCore.framework/Versions/A/printtool', 'agent']",8d7167dfdcac008960d3e370517196ef8bf04859e8f907c78f7807aff2598ae8,False, -/System/Library/LaunchAgents/com.apple.printuitool.agent.plist,com.apple.printuitool.agent,"['/System/Library/PrivateFrameworks/PrintingPrivate.framework/Versions/A/PrintUITool']",8b42723e266feea8cd110735b209fcba53aa9b11946bd0ac6f77cfb9a0797d01,False, 
-/System/Library/LaunchAgents/com.apple.PubSub.Agent.plist,com.apple.PubSub.Agent,"['/System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent']",696f83554c3c1bb5b9593094b9e8d185245f6358913ba65d4b50b829a05e773b,False, -/System/Library/LaunchAgents/com.apple.quicklook.32bit.plist,com.apple.quicklook.32bit,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookd32.app/Contents/MacOS/quicklookd32']",be61b836c97057226e5d37a4d06112c874ecb6424e8d3982866c778ded00207b,False, -/System/Library/LaunchAgents/com.apple.quicklook.config.plist,com.apple.quicklook.config,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookconfig']",7df47f9165a05306f12c9f8249f43306f613e0ef83db32a5a8e5b9efec3392bb,False, -/System/Library/LaunchAgents/com.apple.quicklook.plist,com.apple.quicklook,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookd.app/Contents/MacOS/quicklookd']",aa4eda5e8f424c13a674d2a2c0ee1fdfa414da8f222b5fbf135c5ebd9b7c0f37,False, -/System/Library/LaunchAgents/com.apple.quicklook.ui.helper.plist,com.apple.quicklook.ui.helper,"['/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper']",b967b916ec565e14e196034805057b9a0baf285272d476bb8667e828c5e7b325,False, -/System/Library/LaunchAgents/com.apple.rcd.plist,com.apple.rcd,"['/System/Library/CoreServices/rcd.app/Contents/MacOS/rcd']",5ebc2a9d3a8f0faea36473802c73c10c72cb183027b5f4f5653cb456e12ec6eb,False, -/System/Library/LaunchAgents/com.apple.recentsd.plist,com.apple.recentsd,"['/System/Library/PrivateFrameworks/CoreRecents.framework/Versions/A/Support/recentsd']",8cc5699c84d27fec401202f2ca3111dbf44d5c729086c2af561b8a2e950bf2eb,False, 
-/System/Library/LaunchAgents/com.apple.ReclaimSpaceAgent.plist,com.apple.reclaimspace,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/ReclaimSpaceAgent.app/Contents/MacOS/ReclaimSpaceAgent']",13f86bf0b5b633b5f625eb28f27c36b59d34e7d7394f1acd8134584a78d6415f,False, -/System/Library/LaunchAgents/com.apple.RemoteDesktop.plist,com.apple.RemoteDesktop.agent,"['/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent']",9824ce5f1e6d1437c61995b9bb2c5dcf6699eaf8ed265ffa2db2724a33277068,False, -/System/Library/LaunchAgents/com.apple.ReportCrash.plist,com.apple.ReportCrash,"['/System/Library/CoreServices/ReportCrash']",11d31bae0610afec73405f2f2defd1b1db18d8ee690df09c7140af4710881709,False,"Analyzes crashing processes and saves a crash report to disk" -/System/Library/LaunchAgents/com.apple.ReportCrash.Self.plist,com.apple.ReportCrash.Self,"['/System/Library/CoreServices/ReportCrash']",11d31bae0610afec73405f2f2defd1b1db18d8ee690df09c7140af4710881709,False, -/System/Library/LaunchAgents/com.apple.ReportGPURestart.plist,com.apple.ReportGPURestart,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/ReportGPURestart']",99017bae5bc7224f0b4de7fa25dfeff36624d04ccbfc8bacbd8c981f8e077298,False, -/System/Library/LaunchAgents/com.apple.ReportPanic.plist,com.apple.ReportPanic,"['/System/Library/CoreServices/ReportPanic.app/Contents/MacOS/ReportPanic']",3d617b0f9fdc355dcaef7cf13bb90f495cb7b1cacd95223ab32fe459b1832559,False, -/System/Library/LaunchAgents/com.apple.rtcreportingd.plist,com.apple.rtcreportingd,"['/usr/libexec/rtcreportingd']",3fbeb636957805aa0b6fc97561229382a99b4f66e69636065aed30e2c7dd34a0,False, -/System/Library/LaunchAgents/com.apple.SafariCloudHistoryPushAgent.plist,com.apple.SafariCloudHistoryPushAgent,"['/usr/libexec/SafariCloudHistoryPushAgent']",4fbae811ff1e29e87db1767bbb9ba7fd2a7a33677be10081aa07e2ebe2ccef5f,False, 
-/System/Library/LaunchAgents/com.apple.safaridavclient.plist,com.apple.safaridavclient,"['/System/Library/PrivateFrameworks/BookmarkDAV.framework/Helpers/SafariDAVClient']",31c5020a85ad516b4dd1664e0df835262e184ad4524a3e873e0ded83bf2c3028,False, -/System/Library/LaunchAgents/com.apple.SafariNotificationAgent.plist,com.apple.SafariNotificationAgent,"['/usr/libexec/SafariNotificationAgent']",005fbc2d29562ad1391cd91f2a442515e8c9d41746747c48891efc2d34949a6b,False, -/System/Library/LaunchAgents/com.apple.sbd.plist,com.apple.sbd,"['/System/Library/PrivateFrameworks/CloudServices.framework/Resources/com.apple.sbd']",34e1d75751bf7cf4cdfe37f24939e36768528ef7829f28e3de65fda2090a7027,False, -/System/Library/LaunchAgents/com.apple.scopedbookmarkagent.xpc.plist,com.apple.scopedbookmarksagent.xpc,"['/System/Library/CoreServices/ScopedBookmarkAgent']",b6b63e6ca3a8c72c291ac885e23f7fd1289f4d2350ee0ef45a49ee7da17dea9b,False, -/System/Library/LaunchAgents/com.apple.ScreenReaderUIServer.plist,com.apple.ScreenReaderUIServer,"['/System/Library/PrivateFrameworks/ScreenReader.framework/Resources/ScreenReaderUIServer.app/Contents/MacOS/ScreenReaderUIServer']",066a2429a4bee41fa5108fc974be643d38d070d8115db3475345be238974af1a,False, -/System/Library/LaunchAgents/com.apple.screensharing.agent.plist,com.apple.screensharing.agent,"['/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent']",05ca7b40ad7185ba8fbb7daee5c27613439d7d65916783ea99b4b523a4918843,False, -/System/Library/LaunchAgents/com.apple.screensharing.MessagesAgent.plist,com.apple.screensharing.MessagesAgent,"['/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer']",9d373f654b3126a17da5732847ce53bc508f88fd0c9a04958503a8b39e6797c4,False, 
-/System/Library/LaunchAgents/com.apple.scrod.plist,com.apple.scrod,"['/System/Library/PrivateFrameworks/ScreenReader.framework/Frameworks/ScreenReaderOutput.framework/Resources/scrod']",563f4b919dc884e3e6c3442189b432a853eab9b27d40f2d54e2d45b769db9067,False, -/System/Library/LaunchAgents/com.apple.secd.plist,com.apple.secd,"['/usr/libexec/secd']",27e902dcb1bbc233aba270cdc47dc3f180eea82054451e9f82493a38ea5768e4,False, -/System/Library/LaunchAgents/com.apple.secinitd.plist,com.apple.secinitd,"['/usr/libexec/secinitd']",2d479d0a9c84e0cfe65d9bd81e1f593de621612f0374b0daf5e69e548bd66b80,False, -/System/Library/LaunchAgents/com.apple.security.agentStub.plist,com.apple.security.agentStub,"['/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/com.apple.security.agentStub.xpc/Contents/MacOS/com.apple.security.agentStub']",48751d407580ef6d5791e11f64abcdb1759d8fd5092b19f3c31d745b94f8cfb5,False, -/System/Library/LaunchAgents/com.apple.security.cloudkeychainproxy.plist,com.apple.security.cloudkeychainproxy3,"['/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy']",ba369d61cdf991b7a2cfbe6ae58163419085f41524a1f066e65efa3279623c34,False, -/System/Library/LaunchAgents/com.apple.security.DiskUnmountWatcher.plist,com.apple.security.DiskUnmountWatcher,"['/System/Library/PrivateFrameworks/KerberosHelper/Helpers/DiskUnmountWatcher']",7f32e4d95b443c24a15e949b71bb8dc2573a519add226b5a6d0956faa268820e,False, -/System/Library/LaunchAgents/com.apple.security.keychain-circle-notification.plist,com.apple.security.keychain-circle-notification,"['/System/Library/CoreServices/Keychain Circle Notification.app/Contents/MacOS/Keychain Circle Notification']",17badb80843863d7f0de2dc5c714c504d5bd5ba9a156ac5b495b21d14f77baa1,True, -/System/Library/LaunchAgents/com.apple.sharingd.plist,com.apple.sharingd,"['/usr/libexec/sharingd']",7d2a323dd30d24a485d6353062c25904a135dd3661e3900e3c1f207261941340,True,"Sharing Daemon 
that enables AirDrop, Handoff, Instant Hotspot, Shared Computers, and Remote Disc in the Finder" -/System/Library/LaunchAgents/com.apple.soagent.plist,com.apple.soagent,"['/System/Library/PrivateFrameworks/MessagesKit.framework/Resources/soagent.app/Contents/MacOS/soagent']",7824f5fa09a221ccc0f1e43cc885f14e4e74ab32b5f12f13433bd3fc4c01bc78,True, -/System/Library/LaunchAgents/com.apple.SocialPushAgent.plist,com.apple.SocialPushAgent,"['/System/Library/CoreServices/SocialPushAgent.app/Contents/MacOS/SocialPushAgent']",09e95ef3e1a63a082d48c9ea262aa7c38c829120c92a4fe519853c20f840e70b,True, -/System/Library/LaunchAgents/com.apple.softwareupdate_notify_agent.plist,com.apple.softwareupdate_notify_agent,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_notify_agent']",03ceb53da607d7ba9e74281b6b375b370a199a70cabee627789410d653945dd2,False, -/System/Library/LaunchAgents/com.apple.speech.speechdatainstallerd.plist,com.apple.speech.speechdatainstallerd,"['/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd']",56203560e0b8a7718c38cf31b2078172aa8f516d940e17954607e2ab039e22c1,False, -/System/Library/LaunchAgents/com.apple.speech.speechsynthesisd.plist,com.apple.speech.speechsynthesisd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd']",77800391daaf9b9dd56eda8222c7c75d743d0433039b886764d0c7ba6dc03908,False, -/System/Library/LaunchAgents/com.apple.speech.synthesisserver.plist,com.apple.speech.synthesisserver,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesisServer.app/Contents/MacOS/SpeechSynthesisServer', 'launchd']",fdcaaf3587864ea44b2be1ff3ac1b5abcd3b002d900802e38924935572a6c1bd,False, 
-/System/Library/LaunchAgents/com.apple.spindump_agent.plist,com.apple.spindump_agent,"['/usr/libexec/spindump_agent']",117f4e8f70a6ae4df035e6cf8331c47bfd8476bdad52befea8ee899c3feaf779,True, -/System/Library/LaunchAgents/com.apple.Spotlight.plist,com.apple.Spotlight,"['/System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight']",00f3e93555b31d091aa3a3eae64cc9b40866b88ff6443debb5551496c76cf286,False, -/System/Library/LaunchAgents/com.apple.SSInvitationAgent.plist,com.apple.ssinvitationagent,"['/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/Support/SSInvitationAgent.app/Contents/MacOS/SSInvitationAgent']",00147d867d1877289befb788585d2b52d587affd2106ebbe4942b98e9d3e1ac0,False, -/System/Library/LaunchAgents/com.apple.storeaccountd.plist,com.apple.storeaccountd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeaccountd']",782e9096108b989cb2727f3f3690e3c8c1c4e730a4a3f64d6ac01c68d2c217c0,False, -/System/Library/LaunchAgents/com.apple.storeassetd.plist,com.apple.storeassetd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeassetd']",af9f96f90046ae642530b6361515bb3b3f12da5cf35e6902bd91bb9d1fc9b64b,False, -/System/Library/LaunchAgents/com.apple.storedownloadd.plist,com.apple.storedownloadd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd']",21f76e85a125d921da627889035e7492f24f69d97911f62126c5d1f2a99c4751,False, -/System/Library/LaunchAgents/com.apple.storeinappd.plist,com.apple.storeinappd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeinappd']",6960315a31de1202225c02b2e8a800a2e36881340e54b9c70f188dc5f64c1b2e,False, -/System/Library/LaunchAgents/com.apple.storelegacy.plist,com.apple.storelegacy,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storelegacy']",849148c3139a043345f8a6cd4a05b4bfa480e92f8dab7a244f4460cce48259e1,False, 
-/System/Library/LaunchAgents/com.apple.storeuid.plist,com.apple.storeuid,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid']",286744bc1a08efb34b092a5b5f4db5ce6f73ca2944d9024bbdb131d489efbe43,False, -/System/Library/LaunchAgents/com.apple.syncdefaultsd.plist,com.apple.syncdefaultsd,"['/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd']",afa1bf425723ed04e8cf7cc735d62aa108a1c718745248b372e30768454c321c,False, -/System/Library/LaunchAgents/com.apple.syncservices.SyncServer.plist,com.apple.syncservices.SyncServer,"['/System/Library/Frameworks/SyncServices.framework/Versions/Current/Resources/SyncServer.app/Contents/MacOS/SyncServer']",6be4cf2b4b7b2349bd14f7267016ed95a1c8efd55b58e3a728ca56a4365541c6,False, -/System/Library/LaunchAgents/com.apple.syncservices.uihandler.plist,com.apple.syncservices.uihandler,"['/System/Library/PrivateFrameworks/SyncServicesUI.framework/Versions/Current/Resources/syncuid.app/Contents/MacOS/syncuid']",97d5e255e450d1c540c2b2455d87c254d4324104d85bea865dc55a9ac2899997,False, -/System/Library/LaunchAgents/com.apple.systemprofiler.plist,com.apple.systemprofiler,"['/Applications/Utilities/System Information.app/Contents/MacOS/System Information']",4ed286261ac32d3127b874c762e03b3e17e995ece61d4f876b438543a8e08c5b,False, -/System/Library/LaunchAgents/com.apple.SystemUIServer.plist,com.apple.SystemUIServer.agent,"['/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer']",78129cc82bb67111d03393b7847dc3dfe8d4a8e65bdd2a507c576f1030c9caa5,False, -/System/Library/LaunchAgents/com.apple.talagent.plist,com.apple.talagent,"['/System/Library/CoreServices/talagent']",e4d0287de8a5564a63ea58c08491f9cb2e10d10e4b44d05e30f4a897fbe0a419,True, -/System/Library/LaunchAgents/com.apple.tccd.plist,com.apple.tccd,"['/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd']",a796f973dea81ada2768b828ce95a2ecda4a8d39e12634a119b8333ac5004f30,False, 
-/System/Library/LaunchAgents/com.apple.telephonyutilities.callservicesd.plist,com.apple.telephonyutilities.callservicesd,"['/System/Library/PrivateFrameworks/TelephonyUtilities.framework/callservicesd']",35dc7976267cb9ebc5a32c7da07b71b7c1fe17ac059750ab80f5149343d4d9fa,False, -/System/Library/LaunchAgents/com.apple.thermaltrap.plist,com.apple.thermaltrap,"['/System/Library/CoreServices/ThermalTrap.app/Contents/MacOS/ThermalTrap']",0112552c9f8a427d28a514546ec50f20cbadfb42b04012e34bab3bbcbbe6e3ae,False, -/System/Library/LaunchAgents/com.apple.tiswitcher.plist,com.apple.tiswitcher,"['/System/Library/CoreServices/Menu Extras/TextInput.menu/Contents/SharedSupport/TISwitcher.app/Contents/MacOS/TISwitcher']",4b66318ea1458489cf88b5d835833fb741b6c50f6054aff9712a5b24c6dd5600,False, -/System/Library/LaunchAgents/com.apple.TMHelperAgent.plist,com.apple.TMHelperAgent,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMHelperAgent.app/Contents/MacOS/TMHelperAgent']",15b8a5f63c2e7a0e2714b56cad095ea7a771105665573dc7e1d8ead6aeac17a5,False, -/System/Library/LaunchAgents/com.apple.TMHelperAgent.SetupOffer.plist,com.apple.TMHelperAgent.SetupOffer,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMHelperAgent.app/Contents/MacOS/TMHelperAgent', '-offer']",15b8a5f63c2e7a0e2714b56cad095ea7a771105665573dc7e1d8ead6aeac17a5,False, -/System/Library/LaunchAgents/com.apple.TrustEvaluationAgent.plist,com.apple.TrustEvaluationAgent,"['/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Resources/trustevaluationagent']",1b26f322605aaee84eca81cc8b4481593682276a1efe28080374a12e97b4bd49,False, -/System/Library/LaunchAgents/com.apple.universalaccessAuthWarn.plist,com.apple.universalaccessAuthWarn,"['/System/Library/PrivateFrameworks/UniversalAccess.framework/Versions/A/Resources/universalAccessAuthWarn.app/Contents/MacOS/universalAccessAuthWarn', 'launchd', '-s']",ad7e1bf892cb003b79e36f16976efc5824481f9928aa833cb9c0df344f759734,False, 
-/System/Library/LaunchAgents/com.apple.universalaccesscontrol.plist,com.apple.universalaccesscontrol,"['/System/Library/CoreServices/UniversalAccessControl.app/Contents/MacOS/UniversalAccessControl', 'launchd', '-s']",d9ad78e0bfdd13fc7dd83f2da99e36ae1ef9d15cda0bbcdb7a51bffade3b2c85,False, -/System/Library/LaunchAgents/com.apple.universalaccessd.plist,com.apple.universalaccessd,"['/usr/sbin/universalaccessd', 'launchd', '-s']",8dcfb866a9cb760a84e684abb64e2184a58d7499bc2ab49eb0231ba7b9c2326c,True, -/System/Library/LaunchAgents/com.apple.unmountassistant.useragent.plist,com.apple.unmountassistant.useragent,"['/System/Library/CoreServices/UnmountAssistantAgent.app/Contents/MacOS/UnmountAssistantAgent']",03e73b1faaf0e2b3288abbbe99b24e80f68ee50142ed33c2967681376de2c686,False, -/System/Library/LaunchAgents/com.apple.USBAgent.plist,com.apple.USBAgent,"['/usr/libexec/USBAgent']",0901226b5aa286df8e066f63c56721fd2b33a77ea3003378ee3b6edc38c230e6,False, -/System/Library/LaunchAgents/com.apple.UserEventAgent-Aqua.plist,com.apple.UserEventAgent-Aqua,"['/usr/libexec/UserEventAgent', '(Aqua)']",f7796fba68d4936f231fccc098c5b8ddfee88c2c04da85217374736724604527,False, -/System/Library/LaunchAgents/com.apple.UserEventAgent-LoginWindow.plist,com.apple.UserEventAgent-LoginWindow,"['/usr/libexec/UserEventAgent', '(LoginWindow)']",f7796fba68d4936f231fccc098c5b8ddfee88c2c04da85217374736724604527,False, -/System/Library/LaunchAgents/com.apple.usernoted.plist,com.apple.usernoted,"['/usr/sbin/usernoted']",d3443ebd1a3c4cfac65450a0b604921545ca6f00a0c31f561fd62d685b0fe652,True, -/System/Library/LaunchAgents/com.apple.UserNotificationCenterAgent-LoginWindow.plist,com.apple.UserNotificationCenterAgent-LoginWindow,"['/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter', '-loginwindow']",1bf235701e0342eff339c58d31145ca04c2c294710ebdbf2e44c7c4a19054986,False, 
-/System/Library/LaunchAgents/com.apple.UserNotificationCenterAgent.plist,com.apple.UserNotificationCenterAgent,"['/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter']",1bf235701e0342eff339c58d31145ca04c2c294710ebdbf2e44c7c4a19054986,False, -/System/Library/LaunchAgents/com.apple.VoiceOver.plist,com.apple.VoiceOver,"['/System/Library/CoreServices/VoiceOver.app/Contents/MacOS/VoiceOver', 'launchd', '-s']",09b3af75553c02abeee20440df42aa53a60d6ebe5dbf9117b026e3c225af3342,False, -/System/Library/LaunchAgents/com.apple.warmd_agent.plist,com.apple.warmd_agent,"['/usr/libexec/warmd_agent']",a69ce892b387e921abd4e37b9bc20e2acc4fd7240df4a1cffb5b7b07e13bf46a,False, -/System/Library/LaunchAgents/com.apple.webinspectord.plist,com.apple.webinspectord,"['/usr/libexec/webinspectord']",f7627044d750976d1a2950a51a5cce6c8ac2862e5cca0114991f660e87db4c89,False, -/System/Library/LaunchAgents/com.apple.WebKit.PluginAgent.plist,com.apple.WebKit.PluginAgent,"['/System/Library/Frameworks/WebKit.framework/Frameworks/WebKitLegacy.framework/WebKitPluginAgent']",485183b5b26a740788fb5b750f49d53faf1375c226c2102e06a2fdcd16440a8b,False, -/System/Library/LaunchAgents/com.apple.wifi.WiFiAgent.plist,com.apple.wifi.WiFiAgent,"['/System/Library/CoreServices/WiFiAgent.app/Contents/MacOS/WiFiAgent']",a17532f72e22aba9b0da2313e13a513604ce88ea4f46d395dc48f1e333d838d8,True, -/System/Library/LaunchAgents/com.apple.xmigrationhelper.user.plist,com.apple.xmigrationhelper.user,"['/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/XibalbaHelper.bundle/Contents/Resources/XibalbaHelper']",08425dbb5195627ab4128486d0412888279d3a71a4c79281f6242e06ad144c57,False, -/System/Library/LaunchAgents/com.apple.xpc.loginitemregisterd.plist,com.apple.xpc.loginitemregisterd,"['/usr/libexec/loginitemregisterd']",71cb24c70e28758ad51fc6254b185ad2307e655a7f89ab9cb71214e9ad29d673,False, 
-/System/Library/LaunchAgents/com.apple.xpc.otherbsd.plist,com.apple.xpc.otherbsd,"['/usr/libexec/otherbsd']",cfab8357f446fe8d01429793f09a3557ddd339dc800154973f72c2f85b341a8f,False, -/System/Library/LaunchAgents/com.apple.ZoomWindow.plist,com.apple.ZoomWindow,"['/System/Library/CoreServices/ZoomWindow.app/Contents/MacOS/ZoomWindowStarter', 'launchd', '-s']",651fe76ae8123d49a86f5f985d7f8d992b5c0fb0c12624f76c9dc9c067b306c7,False, -/System/Library/LaunchAgents/org.openbsd.ssh-agent.plist,org.openbsd.ssh-agent,"['/usr/bin/ssh-agent', '-l']",f935284f985656128e89666cea294a54973187f9df616c5c507d874e1131333a,False, diff --git a/launchd/15B42_launchd.csv b/launchd/15B42_launchd.csv deleted file mode 100644 index 12a270b0..00000000 --- a/launchd/15B42_launchd.csv +++ /dev/null 
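Review bot: this hunk removes the whole LaunchAgents baseline (plist path, label, program arguments, SHA-256, RunAtLoad flag and comment per row) and the visible diff adds nothing in its place, so anyone using the CSV to spot an unexpected or modified agent loses the reference hashes for that build; the commit message should name the file that supersedes it, or the rows should stay until a replacement lands. If the baseline is regenerated, also avoid the literal line break inside the quoted comment of the `com.apple.sharingd` row ("Sharing Daemon / that enables AirDrop, ..."), which splits one CSV record across two lines for line-oriented tools such as `grep` and makes diffs of the file harder to review.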
@@ -1,522 +0,0 @@ -filename,label,program,sha256,runatload,comment -/System/Library/LaunchDaemons/bootps.plist,com.apple.bootpd,"['/usr/libexec/bootpd']",1fb58c6e6d793a8aae7c7a3c2ee8105b6a4dacc1e0a0d4b933e13796efe32bad,False, -/System/Library/LaunchDaemons/com.apple.afpfs_afpLoad.plist,com.apple.afpfs_afpLoad,"['/System/Library/Filesystems/AppleShare/afpLoad']",aa7ee53b418c76045eae3602d48a1d50fa18c4dec80c626c66d4a7d0b6f23b13,False, -/System/Library/LaunchDaemons/com.apple.afpfs_checkafp.plist,com.apple.afpfs_checkafp,"['/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp']",402b5da2b144083411b530832cc2e7934f0ef21fc4a4d0973941fd1c801e9a9d,False, -/System/Library/LaunchDaemons/com.apple.airplaydiagnostics.server.mac.plist,com.apple.airplaydiagnostics.server.mac,"['/AppleInternal/Applications/AirPlayDiagnostics.app/Contents/Resources/AirPlayDiagnosticsServer']",UNKNOWN,False, -/System/Library/LaunchDaemons/com.apple.AirPlayXPCHelper.plist,com.apple.AirPlayXPCHelper,"['/usr/libexec/AirPlayXPCHelper']",e52378179e2440645f35320f0d300e211d78a24e1b0668725876e1134644d563,False, -/System/Library/LaunchDaemons/com.apple.airport.wps.plist,com.apple.airport.wps,"['/usr/libexec/wps']",eb9a83daa1d26b5706c8c3266a646379d97f4cd19e385c35ecb95982634b3960,False, -/System/Library/LaunchDaemons/com.apple.airportd.plist,com.apple.airportd,"['/usr/libexec/airportd']",720b9e284fa9e7ae75fbc767ee451c0d2a0925220a81c2f2b9a0a4be0f3cec1a,False, -/System/Library/LaunchDaemons/com.apple.akd.plist,com.apple.akd,"['/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd']",ebe9a30b733eba1ac21dfdcd6aaa171552fcbdf8cec766ab92599e4d28ad01e9,False, -/System/Library/LaunchDaemons/com.apple.alf.agent.plist,com.apple.alf,"['/usr/libexec/ApplicationFirewall/socketfilterfw']",f239a31b93995d1e190e01b14609c62c7cdecd8af658359a0bc4e533c16f5a58,False, 
-/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist,com.apple.AppleFileServer,"['/usr/sbin/AppleFileServer']",4551009dfe94a2cd3f94db58b1c8c0aca1799d84e8ea777ecb79b03fd83fcfb8,False, -/System/Library/LaunchDaemons/com.apple.appleseed.fbahelperd.plist,com.apple.appleseed.fbahelperd,"['/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/fbahelperd']",bacb0de6d48a7ded43153e5cd9a1f526772c5b296bba8a56524a03da792a78cc,False, -/System/Library/LaunchDaemons/com.apple.applessdstatistics.plist,com.apple.applessdstatistics,"['/usr/libexec/applessdstatistics']",a78fdd395d3f65aa3983442b36d8576d0ac60c847814b51689659c3702c501b9,False, -/System/Library/LaunchDaemons/com.apple.apsd.plist,com.apple.apsd,"['/System/Library/PrivateFrameworks/ApplePushService.framework/apsd']",6e87998c7147683f37f100718d20f4acecc7a3fd4b51828fe9fa3a9c6918c4e0,True, -/System/Library/LaunchDaemons/com.apple.aslmanager.plist,com.apple.aslmanager,"['/usr/sbin/aslmanager']",0cc960b8e81af9c707b3eadde2cd58cd25f75eee9e9d13743564260b7aae93f8,False, -/System/Library/LaunchDaemons/com.apple.AssetCacheLocatorService.plist,com.apple.AssetCacheLocatorService,"['/System/Library/PrivateFrameworks/AssetCacheServices.framework/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService', '-d']",9fc8f8803aef72446b8e88d3451351e572d8e0f26f0fa8ede7632721c6b50b91,False, -/System/Library/LaunchDaemons/com.apple.atrun.plist,com.apple.atrun,"['/usr/libexec/atrun']",7e5e95eaa7f1b1b217cb2267ac61704def4d935b47221cff47f235e8b40212be,False, -/System/Library/LaunchDaemons/com.apple.audio.coreaudiod.plist,com.apple.audio.coreaudiod,"['/usr/sbin/coreaudiod']",98816f79011049b952ac5474c46b957c9deecc30e480567bca7ac280ef6c4556,False, -/System/Library/LaunchDaemons/com.apple.audio.systemsoundserverd.plist,com.apple.audio.systemsoundserverd,"['/usr/sbin/systemsoundserverd']",dccab8c15098c6344dadfb3b8b5db34459f2b07a9ff4493b1f019217ac63671f,False, 
-/System/Library/LaunchDaemons/com.apple.auditd.plist,com.apple.auditd,"['/usr/sbin/auditd']",ba1306ee0249524dbde802311fd8161e50c56e375cbd2f4ff394cb2fb022d1a7,False, -/System/Library/LaunchDaemons/com.apple.autofsd.plist,com.apple.autofsd,"['/usr/libexec/autofsd']",d6f95edbf0789c83d2b704b696062e565c2e9df28c90597c21bb1f459851c552,False, -/System/Library/LaunchDaemons/com.apple.automountd.plist,com.apple.automountd,"['/usr/libexec/automountd']",b34f4e1d646c3e88d5448175e70f8303f26b6dc99f7ffebee402d5d6ee49d82b,False, -/System/Library/LaunchDaemons/com.apple.avbdeviced.plist,com.apple.avbdeviced,"['/usr/sbin/avbdeviced']",434b32980a150b5a64ebfd82becb4df02547de46c4e8aae2a5787e2ca1eb5a39,False, -/System/Library/LaunchDaemons/com.apple.awacsd.plist,com.apple.awacsd,"['/usr/libexec/awacsd']",bae0f1f532e40daf2d5995b85e31588567566a3bdc8871b87cc24ce9bb856e72,False, -/System/Library/LaunchDaemons/com.apple.awdd.plist,com.apple.awdd,"['/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd']",1a7b9d2d1c6ebec84820ad8dfbaf66d2d8ae1407962314d23d23427ce899bddf,False, -/System/Library/LaunchDaemons/com.apple.backupd-auto.plist,com.apple.backupd-auto,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper', '-launchd']",463de5a4dd856de8cafb3a49581b473495d93f799247c56c613ed9628b707e3a,True, -/System/Library/LaunchDaemons/com.apple.backupd.plist,com.apple.backupd,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd']",9e6ab70e56424b9bde5dd283233d8cb4db33a22a88ec95938f74b883f8b92ad0,False, -/System/Library/LaunchDaemons/com.apple.blued.plist,com.apple.blued,"['/usr/sbin/blued']",1f15f61cd44acc2ca1c595089cda9b066197129efe3b82bb4a7f3d517bec90fc,False, -/System/Library/LaunchDaemons/com.apple.bluetoothaudiod.plist,com.apple.bluetoothaudiod,"['/usr/sbin/bluetoothaudiod']",70574f069a56cbb42564e2fdacbbea02abdd624aa85be237a43dbcf7646970ea,False, 
-/System/Library/LaunchDaemons/com.apple.bluetoothReporter.plist,com.apple.bluetoothReporter,"['/System/Library/Frameworks/IOBluetooth.framework/Versions/A/Resources/BluetoothReporter', '--dumpPacketLog', '/private/var/log/bluetooth.pklg']",7cf5b2aa9e40a598cb51081a2e19447c5240cf3378f252f2371d1e6e1f7ab729,False, -/System/Library/LaunchDaemons/com.apple.bnepd.plist,com.apple.bnepd,"['/usr/sbin/bnepd']",b781c32b04e04444f677f99ba95d75da247512cf46701e49cc931d5e03459d5a,False, -/System/Library/LaunchDaemons/com.apple.bsd.dirhelper.plist,com.apple.bsd.dirhelper,"['/usr/libexec/dirhelper']",6cd5a61231f96039fa54d878675711bd175b0bd228b9ad8a5810e0bd29828ac3,True, -/System/Library/LaunchDaemons/com.apple.cache_delete.plist,com.apple.cache_delete,"['/System/Library/PrivateFrameworks/CacheDelete.framework/deleted']",d6bdf4bd8ad09611d88088c8c9d6dd760280eed839069b5d4d4bbac4ca002927,False, -/System/Library/LaunchDaemons/com.apple.cfprefsd.xpc.daemon.plist,com.apple.cfprefsd.xpc.daemon,"['/usr/sbin/cfprefsd', 'daemon']",a61315c2cf11733e6a511a0fdb0ffd239e402b0d00cc6a9e408a458d32e447c2,False, -/System/Library/LaunchDaemons/com.apple.cloudfamilyrestrictionsd-mac.plist,com.apple.cloudfamilyrestrictionsd,"['/System/Library/PrivateFrameworks/CloudFamilyRestrictions.framework/cloudfamilyrestrictionsd']",591cd2e0c50ab5dd84d2225eb80928c9717c523a0f2c98289b72639bec31a5ea,False, -/System/Library/LaunchDaemons/com.apple.cmio.AppleCameraAssistant.plist,com.apple.cmio.AppleCameraAssistant,"['/Library/CoreMediaIO/Plug-Ins/DAL/AppleCamera.plugin/Contents/Resources/AppleCameraAssistant']",c53c282b68f2a974da4ce2ea8524333733861618d7106f22b89edcbf859ace21,False, -/System/Library/LaunchDaemons/com.apple.cmio.AVCAssistant.plist,com.apple.cmio.AVCAssistant,"['/System/Library/Frameworks/CoreMediaIO.framework/Resources/AVC.plugin/Contents/Resources/AVCAssistant']",e43851b70cd29c6c9486ab187898c9fe15084ecd600d71af36cf816785759e7a,False, 
-/System/Library/LaunchDaemons/com.apple.cmio.IIDCVideoAssistant.plist,com.apple.cmio.IIDCVideoAssistant,"['/System/Library/Frameworks/CoreMediaIO.framework/Resources/IIDC.plugin/Contents/Resources/IIDCVideoAssistant']",64fc8d3d53ac72e7b9b8a09dfdfe00b42869319a73bb52d5533454e3a54bd2b9,False, -/System/Library/LaunchDaemons/com.apple.cmio.iOSScreenCaptureAssistant.plist,com.apple.cmio.iOSScreenCaptureAssistant,"['/Library/CoreMediaIO/Plug-Ins/DAL/iOSScreenCapture.plugin/Contents/Resources/iOSScreenCaptureAssistant']",f41e9b740b9f6bc51126db22645415106af892e1a72077f31eec2ba8bf55cc0d,False, -/System/Library/LaunchDaemons/com.apple.cmio.VDCAssistant.plist,com.apple.cmio.VDCAssistant,"['/System/Library/Frameworks/CoreMediaIO.framework/Resources/VDC.plugin/Contents/Resources/VDCAssistant']",71753e97cfb4215f45e1bd744b9de737516f763f34e41d34d02b3d1157f687a5,False, -/System/Library/LaunchDaemons/com.apple.colorsyncd.plist,com.apple.colorsyncd,"['/usr/libexec/colorsyncd']",0cdbec11c6840f05f458fec60b62f0e41daf94ce7b8db32795b8e253c6c8b463,False, -/System/Library/LaunchDaemons/com.apple.CommCenterRootHelper.plist,com.apple.CommCenterRootHelper,"['/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterRootHelper']",7fb5a0fae07635e91d7ab57c8ac002f80faa35fce52591c0ba89328973d631fd,False, -/System/Library/LaunchDaemons/com.apple.comsat.plist,com.apple.comsat,"['/usr/libexec/comsat']",2fadf4f2c86ce2e5c2e101e501bc08aac2ae6b1e646ec6f4f8323f5204b0126d,False, -/System/Library/LaunchDaemons/com.apple.configd.plist,com.apple.configd,"['/usr/libexec/configd']",65f14d0d63c194f12589dd192fbf6710acaf6fab54afc585a292bf2be66a3258,False, -/System/Library/LaunchDaemons/com.apple.configureLocalKDC.plist,com.apple.configureLocalKDC,"['/usr/libexec/configureLocalKDC']",f6afc2f328af2217addc06c515158cb41af43099e1bbe0f200429e5bba46385d,False, 
-/System/Library/LaunchDaemons/com.apple.corecaptured.plist,com.apple.corecaptured,"['/usr/libexec/corecaptured']",dfc0b7dc5e73be4877181e784276952b5b9df428cb1d3ef6da6a8d272226debc,False, -/System/Library/LaunchDaemons/com.apple.coreduetd.osx.plist,com.apple.coreduetd,"['/usr/libexec/coreduetd']",9c09263200a3c46d6a7286b25fac0bf98af33ea28da48956041007bb591a887f,True, -/System/Library/LaunchDaemons/com.apple.CoreRAID.plist,com.apple.CoreRAID,"['/System/Library/PrivateFrameworks/CoreRAID.framework/Resources/CoreRAIDServer']",bd664036790b56c5935292eb90e4f02a4d4f11e9db43e084674f9e05159688d2,True, -/System/Library/LaunchDaemons/com.apple.coreservices.appleevents.plist,com.apple.coreservices.appleevents,"['/System/Library/CoreServices/appleeventsd', '--server']",515a0dda7baaf7b33738bb9296fe39816674c5945fdcbc2657d8024e9598d13b,True, -/System/Library/LaunchDaemons/com.apple.coreservices.appleid.passwordcheck.plist,com.apple.coreservices.appleid.passwordcheck,"['/System/Library/CoreServices/AppleIDAuthAgent', '--checkpassword']",6dc9534c6040b6a73a0e0291bd1061e87353163866cbf100df04c94fd5f60f09,False, -/System/Library/LaunchDaemons/com.apple.coreservices.launchservicesd.plist,com.apple.coreservices.launchservicesd,"['/System/Library/CoreServices/launchservicesd']",02e165a00bf1aa54d36f86f7694056a124f2923a6f951de50ccbb2354e33245f,True, -/System/Library/LaunchDaemons/com.apple.coreservices.sharedfilelistd.plist,com.apple.coreservices.sharedfilelistd,"['/System/Library/CoreServices/sharedfilelistd', '--enable-legacy-services']",f97eb14ce64afc014edb83bd0d24f1fa26bce7ae5613a8175e723b500fe3af09,False, -/System/Library/LaunchDaemons/com.apple.coreservicesd.plist,com.apple.coreservicesd,"['/System/Library/CoreServices/coreservicesd']",5ef5417a64a68c97d14fd8c9dcff54620ccbb852ef96e48c5bf5df6cf53aeedf,False, 
-/System/Library/LaunchDaemons/com.apple.corestorage.corestoraged.plist,com.apple.corestorage.corestoraged,"['/usr/libexec/corestoraged']",b3776610b17659e667844e6a7684e70c425af58585f562f8a8086d41a997052a,False, -/System/Library/LaunchDaemons/com.apple.corestorage.corestoragehelperd.plist,com.apple.corestorage.corestoragehelperd,"['/usr/libexec/corestoragehelperd']",669adc725a3a8fb6511757e609fc9c5f9c00621613d736418b39be832ee5eb2f,False, -/System/Library/LaunchDaemons/com.apple.coresymbolicationd.plist,com.apple.coresymbolicationd,"['/System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd']",d9eb1142fec68ee8fc0931bb9fe97230481d058e0058179a6638c5d64ca7f26f,False, -/System/Library/LaunchDaemons/com.apple.CrashReporterSupportHelper.plist,com.apple.CrashReporterSupportHelper,"['/System/Library/CoreServices/CrashReporterSupportHelper', 'server-init']",dc023b52c431da09ba4a65741413f4e612e89730f9329b94a58be5344bde264c,False, -/System/Library/LaunchDaemons/com.apple.csrutil.report.plist,com.apple.csrutil.report,"['/usr/bin/csrutil', 'report']",427d32edd4d5257fad9820bd8504bc9ac8b0416e1a8ce066c10c16ab6d3b23bd,False, -/System/Library/LaunchDaemons/com.apple.ctkd.plist,com.apple.ctkd,"['/System/Library/Frameworks/CryptoTokenKit.framework/ctkd', '-s']",1eefefb7ebb56ce8f642eda690b261aa09fa9c2b1286ea2a4962cd7fd9f16956,False, -/System/Library/LaunchDaemons/com.apple.cvmsServ.plist,com.apple.cvmsServ,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMServer']",064116685e4da7a2a7c38e3f650cdc32a7b0278d6b273c05fecd11ef00af75a6,False, -/System/Library/LaunchDaemons/com.apple.DesktopServicesHelper.plist,com.apple.DesktopServicesHelper,"['/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper']",0c3b2d3f59b1ed40f7021caa1ced41db61d956407a52a16654f7cb51e8f44211,False, 
-/System/Library/LaunchDaemons/com.apple.diagnostic.uuidpathd.plist,com.apple.diagnostic.uuidpathd,"['/usr/libexec/uuidpathd']",64aa9d7f87b0b36f91dd103ff7867d6e59f7e48793e74fda279c282fa0e0efb0,False, -/System/Library/LaunchDaemons/com.apple.diagnosticd.plist,com.apple.diagnosticd,"['/usr/libexec/diagnosticd']",f83fbaaa2b27061f59d70dc71a6a3e5ff4a57be2f13b9898fd62b869e964666d,False, -/System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist,com.apple.diskarbitrationd,"['/usr/libexec/diskarbitrationd']",7d422098b13b036e5cda7c7104e49fda409f18e4b4483ea4aca3cd0ba49172df,False, -/System/Library/LaunchDaemons/com.apple.diskmanagementd.plist,com.apple.diskmanagementd,"['/usr/libexec/diskmanagementd']",a9d94066d046e9aa65ab5cdeade5468c70849ebb3a9fb88ca8ffe5fdd9e4f0b4,False, -/System/Library/LaunchDaemons/com.apple.diskmanagementstartup.plist,com.apple.diskmanagementstartup,"['/usr/libexec/diskmanagementstartup']",8d41a35e3cbde7162c45e9a49bde7608c4516bdde254794d1da23a01716a315e,True, -/System/Library/LaunchDaemons/com.apple.displaypolicyd.plist,com.apple.displaypolicyd,"['/usr/libexec/displaypolicyd']",53fd267f8d3b090edc83de9b82dda314f368ee068857ee8e33fd155d2c845415,True, -/System/Library/LaunchDaemons/com.apple.distnoted.xpc.daemon.plist,com.apple.distnoted.xpc.daemon,"['/usr/sbin/distnoted', 'daemon']",cd4d8ac051c418b02bd98e36191638e5733f17521e23594bed2e579a24b3b77e,False, -/System/Library/LaunchDaemons/com.apple.dnsextd.plist,com.apple.dnsextd,"['/usr/sbin/dnsextd', '-launchd']",3f9c88f85a9c9b8c06fe2694ab782e54b886ba9b4958946a7f0f904d91656514,False, -/System/Library/LaunchDaemons/com.apple.dpaudiothru.plist,com.apple.dpaudiothru,"['/usr/libexec/dpaudiothru']",1aa55a38d9e2b2d3576009aee77321c69d80bace5319f264a3ae9c8bbb4dfe58,False, -/System/Library/LaunchDaemons/com.apple.dpd.plist,com.apple.dpd,"['/usr/libexec/dpd']",8294d9fd036ceb0365bb3770703fced22dd433c100febbc1a4ddb6a719e8d73e,False, 
-/System/Library/LaunchDaemons/com.apple.dspluginhelperd.plist,com.apple.dspluginhelperd,"['/usr/libexec/dspluginhelperd']",25c7361bca24e2cb561d3fc1ad63db309f83861704a5fb3e944e3980726c72fc,False, -/System/Library/LaunchDaemons/com.apple.DumpGPURestart.plist,com.apple.DumpGPURestart,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/DumpGPURestart']",efa156603c492d9e270329aabfd089d68b4d3adddc75145d879c92045f88dbca,False, -/System/Library/LaunchDaemons/com.apple.DumpPanic.plist,com.apple.DumpPanic,"['/System/Library/CoreServices/DumpPanic']",cbf53abc262d011d7ef4ad567fbd880f9f69e7e44dff90be88bb471f7d2bc275,True, -/System/Library/LaunchDaemons/com.apple.dvdplayback.setregion.plist,com.apple.dvdplayback.setregion,"['/usr/bin/setregion']",86a184c4235a51dede14e5cba3bc313f096162827b88ee826ae3611399757cb6,False, -/System/Library/LaunchDaemons/com.apple.dynamic_pager.plist,com.apple.dynamic_pager,"['/sbin/dynamic_pager', '-F', '/private/var/vm/swapfile']",fe0b55fae0d5267c5e720e602fa96e46d3401814e9333c0c4741503e7a9b8c14,False, -/System/Library/LaunchDaemons/com.apple.eapolcfg_auth.plist,com.apple.eapolcfg_auth,"['/System/Library/PrivateFrameworks/EAP8021X.framework/Resources/eapolcfg_auth']",5335b841273eaaee3420ee29a3a5c662f7399d8f701960c48dfabaa69a49a87e,False, -/System/Library/LaunchDaemons/com.apple.efax.plist,com.apple.efax,"['/usr/bin/fax', 'answer']",2ac62536538d805afb108c26c8b2fe81ae2ab00700b175661ece2ec2af22a341,False, -/System/Library/LaunchDaemons/com.apple.efilogin-helper.plist,com.apple.efilogin-helper,"['/System/Library/PrivateFrameworks/EFILogin.framework/Resources/efilogin-helper']",bdfbcfb0a99a5f7a64b87e793c0289980feb6158beebd061f4a8cdfd47b98a25,False, -/System/Library/LaunchDaemons/com.apple.emlog.plist,com.apple.emlog,"['/usr/libexec/emlog.pl']",5328f0d109c2b421f0845c0d0fe0efb58734297dca5f8708dc5bda4fea57f634,False, -/System/Library/LaunchDaemons/com.apple.emond.aslmanager.plist,com.apple.emond.aslmanager,"['/usr/sbin/aslmanager', '-s', 
'/var/log/eventmonitor']",0cc960b8e81af9c707b3eadde2cd58cd25f75eee9e9d13743564260b7aae93f8,False, -/System/Library/LaunchDaemons/com.apple.emond.plist,com.apple.emond,"['/sbin/emond']",194e418cc6489f10b50e68f62da52b946346fdeb419f085f07aa0e9377d8039f,False, -/System/Library/LaunchDaemons/com.apple.eppc.plist,com.apple.AEServer,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/AE.framework/Versions/A/Support/AEServer', '--debug']",44244e09a2b2f6f5e298719c08570211cea022f975a7f2e8900df41643f52012,False, -/System/Library/LaunchDaemons/com.apple.familycontrols.plist,com.apple.familycontrols,"['/System/Library/PrivateFrameworks/FamilyControls.framework/Resources/parentalcontrolsd']",54c666480aed445003bfb6767a5264d7b61047d9c89ad2fe84b13d3c4d5349d5,False, -/System/Library/LaunchDaemons/com.apple.FileCoordination.plist,com.apple.FileCoordination,"['/usr/sbin/filecoordinationd']",4f7b2e113c093392944863a1ca2de032f6ac43cca40137877baf92dc434df1eb,False, -/System/Library/LaunchDaemons/com.apple.FileSyncAgent.sshd.plist,com.apple.FileSyncAgent.sshd,"['/System/Library/CoreServices/FileSyncAgent.app/Contents/Resources/FileSyncAgent_sshd-keygen-wrapper', '-i', '-f', '/System/Library/CoreServices/FileSyncAgent.app/Contents/Resources/FileSyncAgent_sshd_config']",d24e7e74b9b82c2e0ac6ac47e1f29248d81246d7b58ae4efaf84f34d1a74ef93,False, -/System/Library/LaunchDaemons/com.apple.findmymac.plist,com.apple.findmymacd,"['/System/Library/PrivateFrameworks/FindMyMac.framework/Resources/FindMyMacd']",0d29a187da15d0b06899e696af28f705fd4e85b9fea17928ec5aa70c995066b2,False, -/System/Library/LaunchDaemons/com.apple.findmymacmessenger.plist,com.apple.findmymacmessenger,"['/System/Library/PrivateFrameworks/FindMyMac.framework/Resources/FindMyMacMessenger.app/Contents/MacOS/FindMyMacMessenger']",dfab96f82fd0b7c27876f6ef598f83fc8cacc252821712618c7841c9c7fe468f,False, 
-/System/Library/LaunchDaemons/com.apple.firmwaresyncd.plist,com.apple.firmwaresyncd,"['/usr/libexec/firmwaresyncd']",d0e9d3fd0b08d12f17d45f8384be14e6ab76593eb40490297bb0d49671f61037,True, -/System/Library/LaunchDaemons/com.apple.fontd.plist,com.apple.fontd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd']",ad981c152635554225f9de818e4bad5aa563fc0cec4ee78193e3c99a7c225bc9,False, -/System/Library/LaunchDaemons/com.apple.fontmover.plist,com.apple.fontmover,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontmover', '-d']",45a5edbf9c0b1411a13eeedf4d4c067b23c140086b917dbfaab8e58b4243e861,False, -/System/Library/LaunchDaemons/com.apple.FontWorker.plist,com.apple.FontWorker,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontworker']",efa01df0e9fb04d45f32142447a1f68f6b53e58a47ba0998f468180fc809ad5e,False, -/System/Library/LaunchDaemons/com.apple.fseventsd.plist,com.apple.fseventsd,"['/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd']",79bfd8f34542aefd860b21f4fe8645299a0f01b9b4b16558e54c23e5b952f086,False, -/System/Library/LaunchDaemons/com.apple.ftp-proxy.plist,com.apple.ftp-proxy,"['/usr/libexec/ftp-proxy']",de5f7986646c213543d65dd535ca54a89d464876077034f45160a095050f8f90,False, -/System/Library/LaunchDaemons/com.apple.GameController.gamecontrollerd.plist,com.apple.GameController.gamecontrollerd,"['/usr/libexec/gamecontrollerd']",edbb7239e048aa2cd9ce5f31c26f09ca8de7dcfd2526136128ee4b27686302e3,False, -/System/Library/LaunchDaemons/com.apple.getty.plist,com.apple.getty,"['/usr/libexec/getty', 'std.9600', 'console']",885afd28fa1bbd68ee27bc9983b412b443021c7b4297386706e1a49cc297d1ce,False, 
-/System/Library/LaunchDaemons/com.apple.gkreport.plist,com.apple.gkreport,"['/usr/libexec/gkreport']",67d87aca1bb268cbb4578f637f0c2ceec3cc1d6cc259eb7584bec0eac2fb34c7,False, -/System/Library/LaunchDaemons/com.apple.GSSCred.plist,com.apple.GSSCred,"['/System/Library/Frameworks/GSS.framework/Helpers/com.apple.GSSCred']",ad0f1d1f6d98f9e7320dec7d49a725d288a1e7aa752ee0147bae9a30cfd7cb68,False, -/System/Library/LaunchDaemons/com.apple.gssd.plist,com.apple.gssd,"['/usr/sbin/gssd']",36cc87f599fafd8e202d819cc0eeca5c140ee38a1a600e69624ba2a00018fcf1,False, -/System/Library/LaunchDaemons/com.apple.hdiejectd.plist,com.apple.hdiejectd,"['/System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd']",9837c0e92de00c8dfe221c97eebe4ed642844fe350763f5fc2d036ca2aaba017,False, -/System/Library/LaunchDaemons/com.apple.hidd.plist,com.apple.hidd,"['/usr/libexec/hidd']",91fa103c7ff732206ea7d8ab1cca5efceee7de21808c4a8fd60370e75e11a500,False, -/System/Library/LaunchDaemons/com.apple.icloud.findmydeviced.plist,com.apple.icloud.findmydeviced,"['/usr/libexec/findmydeviced']",eeef03f698d14e2b7317e577f9a4ef65280bddc53d515a495505f58581ff9058,False, -/System/Library/LaunchDaemons/com.apple.iconservices.iconservicesagent.plist,com.apple.iconservices.iconservicesagent,"['/System/Library/CoreServices/iconservicesagent']",3d34e9c0ae870a64ab4c125f390c8cb06319a5ab32892cedc9e989e9c1a88e7e,True, -/System/Library/LaunchDaemons/com.apple.iconservices.iconservicesd.plist,com.apple.iconservices.iconservicesd,"['/System/Library/CoreServices/iconservicesd']",f6d8f438269e769ccb7d09533078eea4d6d662ec6d8de67c9ecf537050e411c5,True, -/System/Library/LaunchDaemons/com.apple.IFCStart.plist,com.apple.IFCStart,"['/usr/libexec/ifcstart']",4c7c871770303a7089d40c1480e07357f76f5756f9e65a0ae43502cdca38dd4b,True, 
-/System/Library/LaunchDaemons/com.apple.ifdreader.plist,com.apple.ifdreader,"['/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader']",81b2a0d4265bcb486a9a71e0975d8e70f35e84ab8b05f71162aa0a58ffd6f177,False, -/System/Library/LaunchDaemons/com.apple.installandsetup.systemmigrationd.plist,com.apple.installandsetup.systemmigrationd,"['/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd']",9bc779cb6fbe18a2c0bac6b2ea7d554533ad9e86661706bc85430fa50dd2a847,False, -/System/Library/LaunchDaemons/com.apple.installd.plist,com.apple.installd,"['/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd']",2f77472bb65211af39ce134b58e658d20d3c6be47f2e7c58b4379dbfd5afdc84,False, -/System/Library/LaunchDaemons/com.apple.IOAccelMemoryInfoCollector.plist,com.apple.IOAccelMemoryInfoCollector,"['/usr/libexec/IOAccelMemoryInfoCollector']",2766758db975dc0cc44e7888d87ec86d1fcc415da3be243d45afbca3d88b9837,False, -/System/Library/LaunchDaemons/com.apple.IOBluetoothUSBDFU.plist,com.apple.IOBluetoothUSBDFU,"['/System/Library/Extensions/IOBluetoothFamily.kext/Contents/PlugIns/IOBluetoothUSBDFU.kext/Contents/Resources/IOBluetoothUSBDFUTool']",1d3f5aa86cd2e9c77c02fa77b0c48f700f213e212aa24442d4000197223a3a1e,False, -/System/Library/LaunchDaemons/com.apple.kcproxy.plist,com.apple.kcproxy,"['/usr/libexec/kcproxy']",dfe1f9e68ffaff049f60bb967b4c32a6461b6ceda834e91dac31a913e92dd59e,False, -/System/Library/LaunchDaemons/com.apple.kdumpd.plist,com.apple.kdumpd,"['/usr/libexec/kdumpd', '/PanicDumps']",06a0e32e932425e82b413e564dc218fe5bffffbc14acb72e155e21a805634a05,False, -/System/Library/LaunchDaemons/com.apple.Kerberos.digest-service.plist,com.apple.Kerberos.digest-service,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/digest-service']",20a343b40a169a6eaa0c2cc19ffe91749f511e701fad86b8ecc4a0b82baa0cc7,False, 
-/System/Library/LaunchDaemons/com.apple.Kerberos.kadmind.plist,com.apple.Kerberos.kadmind,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kadmind']",b88d5ee34747cb2afd3cb9b4ac213682be74600c7e994a6b94f860116784109c,False, -/System/Library/LaunchDaemons/com.apple.Kerberos.kcm.plist,com.apple.Kerberos.kcm,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm', '--launchd']",5edfa5393097d09daa469c60361df048fb87c0d7f03160d863d4e122b5f53a8a,False, -/System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist,com.apple.Kerberos.kdc,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc']",a6f984bcf0e87778136662144a544fc2fbad8f2eb40af414de6a8dd1b8f347f9,False, -/System/Library/LaunchDaemons/com.apple.Kerberos.kpasswdd.plist,com.apple.Kerberos.kpasswdd,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kpasswdd']",bcb7dcb7b6fb9345f38741c312ac62de1a8343fb8c14ae972d5d652ebcb9c29d,False, -/System/Library/LaunchDaemons/com.apple.KernelEventAgent.plist,com.apple.KernelEventAgent,"['/usr/sbin/KernelEventAgent']",79e28be4bae151beab177c2661c95b931914d767764f814a421d92582de65308,False, -/System/Library/LaunchDaemons/com.apple.kextd.plist,com.apple.kextd,"['/usr/libexec/kextd']",1ef94235560d0c31a9f0e5c28cf93e09c0d393bbc455509519be3daf90b4037e,False, -/System/Library/LaunchDaemons/com.apple.kuncd.plist,com.apple.kuncd,"['/usr/libexec/kuncd']",e6adf70e4b136810bd7e2562789c1d24a34ecfbb650873cc0e193a0a3448e889,False, -/System/Library/LaunchDaemons/com.apple.locate.plist,com.apple.locate,"['/usr/libexec/locate.updatedb']",7bf77fbcfaec0c33e7649a919872c45584fe65b8d1924cbe25b14ed799b6ff1c,False, -/System/Library/LaunchDaemons/com.apple.locationd.plist,com.apple.locationd,"['/usr/libexec/locationd']",b063f485bb452df54b3977816137cf23a60c4fc70482351e48e232f48a5fdc17,False, -/System/Library/LaunchDaemons/com.apple.lockd.plist,com.apple.lockd,"['/usr/sbin/rpc.lockd']",bdb41337fd056b91300672b3b44b5b5f909d23e1b8b62ce2cdf04d9ab69a0f78,False, 
-/System/Library/LaunchDaemons/com.apple.logd.plist,com.apple.logd,"['/usr/libexec/logd']",7014ea36fcbcc80321a7e22df8d591596d877e0192ebdb7727b5e435cc976107,True, -/System/Library/LaunchDaemons/com.apple.logind.plist,com.apple.logind,"['/System/Library/CoreServices/logind']",0cd65b6d45eebc9c0df9a46bb88c7fa25fa6b0e626e24bda7211e80ea7b43efa,True, -/System/Library/LaunchDaemons/com.apple.loginwindow.LFVTracer.plist,com.apple.loginwindow.LFVTracer,"['/System/Library/CoreServices/loginwindow.app/Contents/Resources/LegacyFileVaultMessageTracer']",e48c0ac206c813cd06efc899507c7e59ca64a52c18c9815019754b2c48aee644,False, -/System/Library/LaunchDaemons/com.apple.loginwindow.plist,com.apple.loginwindow,"['/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow', 'console']",c99873eb5994929a1c7792b0c0288070664dc4de9126cb75a082c90812560152,False, -/System/Library/LaunchDaemons/com.apple.logkextloadsd.plist,com.apple.logkextloadsd,"['/usr/libexec/logkextloadsd']",eda47f8f5ed23ea182c70ed0f720c1b4085e7374a1c752e8c810e4eb33fafcca,False, -/System/Library/LaunchDaemons/com.apple.lsd.plist,com.apple.lsd,"['/usr/libexec/lsd', 'runAsRoot']",5f54e2a9dd876c03213dcdd294d8165c429fb786f051a1b40bc69035e2cf8079,False, -/System/Library/LaunchDaemons/com.apple.ManagedClient.cloudconfigurationd.plist,com.apple.ManagedClient.cloudconfigurationd,"['/usr/libexec/cloudconfigurationd']",13c2c6bf07431f210db40a247a05f663adebda9a6400072b47ab60043f531b81,False, -/System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist,com.apple.ManagedClient.enroll,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient', '-e']",e37c0e34123ce48234f9ddbd179c1fadeaa747180000e17540f008cdd78affbc,False, -/System/Library/LaunchDaemons/com.apple.ManagedClient.plist,com.apple.ManagedClient,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient']",e37c0e34123ce48234f9ddbd179c1fadeaa747180000e17540f008cdd78affbc,False, 
-/System/Library/LaunchDaemons/com.apple.ManagedClient.startup.plist,com.apple.ManagedClient.startup,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient', '-i']",e37c0e34123ce48234f9ddbd179c1fadeaa747180000e17540f008cdd78affbc,True, -/System/Library/LaunchDaemons/com.apple.mbsystemadministration.plist,com.apple.mbsystemadministration,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbsystemadministration']",5716feebfbfd9f3da7b9ccb823db3e0225e71876bc7c22c4c5bbae91453b1437,False, -/System/Library/LaunchDaemons/com.apple.mbusertrampoline.plist,com.apple.mbusertrampoline,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbusertrampoline']",85d7e15bad797c2ad011a8d6df0dc024461beda3c52bc8036176df467ffcdfae,False, -/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist,com.apple.mdmclient.daemon,"['/usr/libexec/mdmclient', 'daemon']",845d83d0c8a98dfeffef7f13ef0335e77e3b08fe168e9c9bf15f0beaccf7b6c0,False, -/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.runatboot.plist,com.apple.mdmclient.daemon.runatboot,"['/usr/libexec/mdmclient', 'rundaemon']",845d83d0c8a98dfeffef7f13ef0335e77e3b08fe168e9c9bf15f0beaccf7b6c0,True, -/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist,com.apple.mDNSResponder.reloaded,"['/usr/sbin/mDNSResponder']",db4e9fc88de00590c7be95cf003668f61dbfbb3f793357597450e9f807053948,False, -/System/Library/LaunchDaemons/com.apple.mDNSResponderHelper.plist,com.apple.mDNSResponderHelper.reloaded,"['/usr/sbin/mDNSResponderHelper']",1ba3ba8cc50e061ba61200464df157141a97ae27fbe1bbbb9f89646f377b9d86,False, -/System/Library/LaunchDaemons/com.apple.metadata.mds.index.plist,com.apple.metadata.mds.index,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mds_stores']",a9a0a98ac69312bf38c4f7b8ed62a790c33d43cc13a8d88eb2c149b7615e6850,False, 
-/System/Library/LaunchDaemons/com.apple.metadata.mds.plist,com.apple.metadata.mds,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds']",23d92cbcac06a44a36d5e8b4061a197e0a071b6a2fcc875d4a232ecf98a540a8,False, -/System/Library/LaunchDaemons/com.apple.metadata.mds.scan.plist,com.apple.metadata.mds.scan,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-scan', '-c', 'MDSSyncScanWorker', '-m', 'com.apple.metadata.mds.scan']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, -/System/Library/LaunchDaemons/com.apple.metadata.mds.spindump.plist,com.apple.metadata.mds.spindump,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'none', '-c', 'MDSSpinDumpWorker', '-m', 'com.apple.metadata.mds.spindump']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, -/System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist,com.apple.MobileFileIntegrity,"['/usr/libexec/amfid']",000ba7f2d3047f51e1743ef198f5843ddb1c65e63b9a7f9677366a58ade1bba8,False, -/System/Library/LaunchDaemons/com.apple.MRTd.plist,com.apple.MRTd,"['/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT', '-d']",fd07a1f4ed10706cc4eb6c3c12ed46c4cb5f52ccd73f55ca847dffc67dc879bf,True, -/System/Library/LaunchDaemons/com.apple.msrpc.echosvc.plist,com.apple.msrpc.echosvc,"['/usr/libexec/rpcsvchost', '-launchd', 'echosvc.bundle']",876b184c384087a310fe0b26a22b4d2a996f476c8c828aec9e38b63dc2c927ff,False, -/System/Library/LaunchDaemons/com.apple.msrpc.lsarpc.plist,com.apple.msrpc.lsarpc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'lsarpc.bundle', 'dssetup.bundle']",876b184c384087a310fe0b26a22b4d2a996f476c8c828aec9e38b63dc2c927ff,False, -/System/Library/LaunchDaemons/com.apple.msrpc.mdssvc.plist,com.apple.msrpc.mdssvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 
'mdssvc.bundle']",876b184c384087a310fe0b26a22b4d2a996f476c8c828aec9e38b63dc2c927ff,False, -/System/Library/LaunchDaemons/com.apple.msrpc.netlogon.plist,com.apple.msrpc.netlogon,"['/usr/libexec/rpcsvchost', '-launchd', 'netlogon.bundle']",876b184c384087a310fe0b26a22b4d2a996f476c8c828aec9e38b63dc2c927ff,False, -/System/Library/LaunchDaemons/com.apple.msrpc.srvsvc.plist,com.apple.msrpc.srvsvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'srvsvc.bundle']",876b184c384087a310fe0b26a22b4d2a996f476c8c828aec9e38b63dc2c927ff,False, -/System/Library/LaunchDaemons/com.apple.msrpc.wkssvc.plist,com.apple.msrpc.wkssvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'wkssvc.bundle']",876b184c384087a310fe0b26a22b4d2a996f476c8c828aec9e38b63dc2c927ff,False, -/System/Library/LaunchDaemons/com.apple.mtmd.plist,com.apple.mtmd,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmd']",79c2dea61a2e812683d29f00c7f984b9433719d6d8b95cad08169712a16d4057,False, -/System/Library/LaunchDaemons/com.apple.mtmfs.plist,com.apple.mtmfs,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmfs', '--tcp', '--resvport', '--listen', 'localhost', '--oneshot', '--noportmap', '--nobrowse']",d344f5463bb6817548c64a9c117014e1a38efd6661eec32531ebf1ac12eec34d,True, -/System/Library/LaunchDaemons/com.apple.nehelper.plist,com.apple.nehelper,"['/usr/libexec/nehelper']",1b82e1fcafd2e1e2ae2abb09e23f75400ceb75ff44c5d72b79d8bbab9c40b12f,False, -/System/Library/LaunchDaemons/com.apple.nesessionmanager.plist,com.apple.nesessionmanager,"['/usr/libexec/nesessionmanager']",cbc122a6f2f76251ec21c4735ab95442a9f00ad4a93a7cc1e6ff1938ed88ff9b,False, -/System/Library/LaunchDaemons/com.apple.netauth.sys.auth.plist,com.apple.netauth.sys.auth,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent', '--sys']",bc6707a055c064d3c6659fe6083663aac071d10973b2dbb571896307db16647c,False, 
-/System/Library/LaunchDaemons/com.apple.netauth.sys.gui.plist,com.apple.netauth.sys.gui,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent', '--sys']",650d221ceb76eb2138ee9a1efea86f89db23cfe45a7e62dd8e7fc033f005926a,False, -/System/Library/LaunchDaemons/com.apple.netbiosd.plist,com.apple.netbiosd,"['/usr/sbin/netbiosd']",7f5f498e9c1be02f7e73672a116dbc423b9b3063479e13492cb3a5006dcfd300,False, -/System/Library/LaunchDaemons/com.apple.NetBootClientStatus.plist,com.apple.NetBootClientStatus,"['/usr/sbin/NetBootClientStatus']",457bee1cedce7e8f0d9354b87ca41490671ae428886614ab7d3031a438fc7f28,True, -/System/Library/LaunchDaemons/com.apple.networkd.plist,com.apple.networkd,"['/usr/libexec/networkd']",ca2d23da69ea172f37213edfc53728e4b477c992381d693ba4eeb64261b6740e,False, -/System/Library/LaunchDaemons/com.apple.networkd_privileged.plist,com.apple.networkd_privileged,"['/usr/libexec/networkd_privileged']",319b7209060696ef53cfb71967d5197976c781266795858a357379823c0be6b3,False, -/System/Library/LaunchDaemons/com.apple.NetworkDiagnostics.plist,com.apple.NetworkDiagnostics,"['/System/Library/CoreServices/Network Diagnostics.app/Contents/MacOS/Network Diagnostics']",2018ea3b60a0970bd160664568aac6997e34e8a9fbc6e65ec030612246182011,False, -/System/Library/LaunchDaemons/com.apple.NetworkLinkConditioner.plist,com.apple.nlcd,"['/usr/libexec/nlcd']",20279ef5f2c185d64f35e59fc08a7db916dbb32825766fda02dc40b7d51afee2,False, -/System/Library/LaunchDaemons/com.apple.NetworkSharing.plist,com.apple.NetworkSharing,"['/usr/libexec/InternetSharing']",44347c551ff5b882df1618647db0ec663ae712a7bcfa71a8a43b9db3843fe7b0,False, -/System/Library/LaunchDaemons/com.apple.newsyslog.plist,com.apple.newsyslog,"['/usr/sbin/newsyslog']",f079751ed5bcaa6ba01cd9d6e5c0279411407efe0023f6e42aa6b6c10067dce3,False, -/System/Library/LaunchDaemons/com.apple.nfsconf.plist,com.apple.nfsconf,"['/sbin/mount_nfs', 
'configupdate']",642bf9a07ebfefa168d8bb09e4d441b3ed535219b8601acb46c561bd386519ee,True, -/System/Library/LaunchDaemons/com.apple.nfsd.plist,com.apple.nfsd,"['/sbin/nfsd']",d38bdd71f905570243b84c77f439665ece61a7625aaa96fed3d43ac694c0a4f4,False, -/System/Library/LaunchDaemons/com.apple.nis.ypbind.plist,com.apple.nis.ypbind,"['/usr/sbin/ypbind']",456154e12b63eeec7a63cbc6501c0fd4d02297d2e85a2d90fde26b7a05e3d916,False, -/System/Library/LaunchDaemons/com.apple.noticeboard.state.plist,com.apple.noticeboard.state,"['/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbstated']",6bfc2b70f815fa00ad5da3bf02a974c13f48f69d1d9bb9c875d071c6bbe70b2f,False, -/System/Library/LaunchDaemons/com.apple.notifyd.plist,com.apple.notifyd,"['/usr/sbin/notifyd']",b18d29855cb886519407893efd1d5eafbd411d574b48eca84c67ea3d9b46195e,False, -/System/Library/LaunchDaemons/com.apple.nsurlsessiond.plist,com.apple.nsurlsessiond_privileged,"['/usr/libexec/nsurlsessiond', '--privileged']",5fdabcf4f5b12868ff14ec56b871ec89d37446b456c05109d35927058accce01,False, -/System/Library/LaunchDaemons/com.apple.nsurlstoraged.plist,com.apple.nsurlstoraged,"['/usr/libexec/nsurlstoraged']",24ae6fd6e474e3e50f88f616cceabeec6d17d731031dcfa69e66f52b2c0d21bf,False, -/System/Library/LaunchDaemons/com.apple.ocspd.plist,com.apple.ocspd,"['/usr/sbin/ocspd']",f4d7b4a1a390329262ba241084dbddc66acd8bb628b6091930316849a4173d8d,False, -/System/Library/LaunchDaemons/com.apple.odproxyd.plist,com.apple.odproxyd,"['/usr/libexec/odproxyd']",67b0197f4a31934562dad4904324007d132c03c7550a217fc0bde9358235ca32,False, -/System/Library/LaunchDaemons/com.apple.ODSAgent.plist,com.apple.ODSAgent,"['/System/Library/CoreServices/ODSAgent.app/Contents/MacOS/ODSAgent', '-launchd']",8bc555deb37cf228954b7079fb81bd50eb1d48126e1fd08970672908de133256,False, 
-/System/Library/LaunchDaemons/com.apple.opendirectoryd.plist,com.apple.opendirectoryd,"['/usr/libexec/opendirectoryd']",d27e619a792013b9b9d3ac0eec70ba93d94cabdae6d992877949735b2663dd0a,False, -/System/Library/LaunchDaemons/com.apple.PasswordService.plist,com.apple.PasswordService,"['/usr/sbin/PasswordService', '-n']",c8cabed9b550f7910f98b818a438e2b360808299368a64b4c4a0bdf09df4a9c8,False, -/System/Library/LaunchDaemons/com.apple.PCIELaneConfigTool.plist,com.apple.PCIELaneConfigTool,"['/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool']",bb868ecd445789d7bd0f761037c0a1072fa3da8560d24c78d390647e015284df,False, -/System/Library/LaunchDaemons/com.apple.periodic-daily.plist,com.apple.periodic-daily,"['/usr/libexec/periodic-wrapper', 'daily']",9223655f1ac125b9c2bb4ba883e9e1900c3028f3d4a676a614ae068f0847ce44,False, -/System/Library/LaunchDaemons/com.apple.periodic-monthly.plist,com.apple.periodic-monthly,"['/usr/libexec/periodic-wrapper', 'monthly']",9223655f1ac125b9c2bb4ba883e9e1900c3028f3d4a676a614ae068f0847ce44,False, -/System/Library/LaunchDaemons/com.apple.periodic-weekly.plist,com.apple.periodic-weekly,"['/usr/libexec/periodic-wrapper', 'weekly']",9223655f1ac125b9c2bb4ba883e9e1900c3028f3d4a676a614ae068f0847ce44,False, -/System/Library/LaunchDaemons/com.apple.pfctl.plist,com.apple.pfctl,"['/sbin/pfctl']",a330d21f4e7f050d1aea6d4160394b7c03a0e237681027b47bdc4ef5de32c037,True, -/System/Library/LaunchDaemons/com.apple.pfd.plist,com.apple.pfd,"['/usr/libexec/pfd', '-d']",7ae7717a0abc450d30dbd4616c09e19b13b1d8aca9a49e0a1cad1a6e07044e90,False, -/System/Library/LaunchDaemons/com.apple.platform.ptmd.plist,com.apple.platform.ptmd,"['/usr/libexec/ptmd']",91a8847fd5d3ce96ce6875d431aba4e9cf669efd610d49f4bc3f39110b885572,True, -/System/Library/LaunchDaemons/com.apple.powerd.plist,com.apple.powerd,"['/System/Library/CoreServices/powerd.bundle/powerd']",503461333d31f71cc0a061fd89a1400731e219af03df9ccad9052cc1b365f6ce,False, 
-/System/Library/LaunchDaemons/com.apple.powerd.swd.plist,com.apple.powerd.swd,"['/System/Library/CoreServices/powerd.bundle/swd']",71f09b1627216a3ab616e757a60d8612853c22e6b2f0d1530c98b8cd9d4f18a5,False, -/System/Library/LaunchDaemons/com.apple.preferences.timezone.admintool.plist,com.apple.preferences.timezone.admintool,"['/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/TimeZoneAdminTool']",633da31eacab5317839720ad92e9f7b02d8ad6c9e3c79b31de41fcc291cd44ae,False, -/System/Library/LaunchDaemons/com.apple.preferences.timezone.auto.plist,com.apple.preferences.timezone.auto,"['/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/timezoned.app/Contents/MacOS/timezoned']",4913a1e15b44ef2a0e407d7a1e780367b141bd1300ab80f2a716e7000163c48e,False, -/System/Library/LaunchDaemons/com.apple.printtool.daemon.plist,com.apple.printtool.daemon,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/PrintCore.framework/Versions/A/printtool', 'daemon']",243cd1b7895f770292615f6384e5972c2d80ff1593e57621ece01a0c996b1c22,False, -/System/Library/LaunchDaemons/com.apple.racoon.plist,com.apple.racoon,"['/usr/sbin/racoon', '-D']",073868a9fd93ea07b5f55ebaa6814b3c6e592f0b8d1c08b45cf529541c631113,False, -/System/Library/LaunchDaemons/com.apple.RemoteDesktop.PrivilegeProxy.plist,com.apple.RemoteDesktop.PrivilegeProxy,"['/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy']",58ade2c73b2eb1480e2532f1df23170895ec03c80744843a936a06e2f8bb8ab1,False, -/System/Library/LaunchDaemons/com.apple.remotepairtool.plist,com.apple.RemotePairTool,"['/System/Library/CoreServices/RemotePairTool']",054b27191118cd4b48522e18de1f8b8b816ef10d73c776041cd24f8a931045e3,False, 
-/System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist,com.apple.ReportCrash.Root,"['/System/Library/CoreServices/ReportCrash']",41edcb12813290dbd05b5dce02e772c01f2c2f149b66bc0c867bc8f42a402410,False, -/System/Library/LaunchDaemons/com.apple.ReportPanicService.plist,com.apple.ReportPanicService,"['/System/Library/CoreServices/ReportPanicService']",6ac2c62a5ad79cface8b4f4458e4656e327a55cd341e58dd522e9852805e2e07,False, -/System/Library/LaunchDaemons/com.apple.revisiond.plist,com.apple.revisiond,"['/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond']",fbf3c20a2ff691a592d3131c877a71bdbf63068e38655b0a22d0fc9e12cb2064,True, -/System/Library/LaunchDaemons/com.apple.RFBEventHelper.plist,com.apple.RFBEventHelper,"['/System/Library/CoreServices/RFBEventHelper.bundle/Contents/MacOS/RFBEventHelperd']",7560caea18efb2c6b9119e5278a9b63d38833d9ba2da55cff7add4e1f8d85f17,False, -/System/Library/LaunchDaemons/com.apple.rootless.init.plist,com.apple.rootless.init,"['/usr/libexec/rootless-init']",31cf85fa4a73f631a1903bf448c7f444364a1a66e194bc616b03b989f3120a42,False, -/System/Library/LaunchDaemons/com.apple.rpcbind.plist,com.apple.rpcbind,"['/usr/sbin/rpcbind']",803243e6d80b6612613e8751272819f426681f952e870130d57d9c1330b46c06,False, -/System/Library/LaunchDaemons/com.apple.sandboxd.plist,com.apple.sandboxd,"['/usr/libexec/sandboxd']",434eea3bf2e4fc9e135e778c67a34d9f421b07d01fc641ee3de7e7088dd45e1e,False, -/System/Library/LaunchDaemons/com.apple.SCHelper.plist,com.apple.SCHelper,"['/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper']",2a7d93627517a4bc0dccb48735f25587c02e1ab0325808cef21f2367880b657e,False, -/System/Library/LaunchDaemons/com.apple.screensharing.plist,com.apple.screensharing,"['/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd']",83563e826daecdc174862911cf4cef520993c78c7f60dbab6cf7f0bcc8c535bb,False, 
-/System/Library/LaunchDaemons/com.apple.scsid.plist,com.apple.scsid,"['/usr/libexec/scsid']",8d949a6288a87173fd1bb0f60ddfba2a687e3236a533635b3e1f0e91f157dda0,True, -/System/Library/LaunchDaemons/com.apple.secinitd.plist,com.apple.secinitd,"['/usr/libexec/secinitd']",a31c423ec982340a5b15b735eef84e748da246b7425b697d038a1f5f29ca7e23,False, -/System/Library/LaunchDaemons/com.apple.security.agent.login.plist,com.apple.security.agent.login,"['/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent']",f8db70fc362763faab1f3a7f1bfa70c410244f3b2b4e86a55e0859ee0303c10a,False, -/System/Library/LaunchDaemons/com.apple.security.authhost.plist,com.apple.security.authhost,"['/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost']",fbffa52111b603a63e0e5e97db73471c9ce46ad47a7a73a0197e866095b37272,False, -/System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist,com.apple.security.FDERecoveryAgent,"['/usr/libexec/FDERecoveryAgent']",01ee2a5f5e14b6adf6f743059f4641961254f99ff5e13a97d29bd3465eab302e,True, -/System/Library/LaunchDaemons/com.apple.security.syspolicy.plist,com.apple.security.syspolicy,"['/usr/libexec/syspolicyd']",26c7d90d879f0a0c337a70c8125cb00e460c19ae7a71c94081be46432960f8b6,False, -/System/Library/LaunchDaemons/com.apple.securityd.plist,com.apple.securityd,"['/usr/sbin/securityd', '-i']",c37d85290537dd10facee5c39e348aa57ee8dafc3975cdcf0ded943b8144c13c,True, -/System/Library/LaunchDaemons/com.apple.securityd_service.plist,com.apple.securityd_service,"['/usr/libexec/securityd_service']",aadd73a1ab9e07688f1a3c6175f659408360c27eceb0eea686005a5e5dbf75f0,False, -/System/Library/LaunchDaemons/com.apple.sessionlogoutd.plist,com.apple.sessionlogoutd,"['/System/Library/CoreServices/sessionlogoutd']",b6ef2b6da7a986eec66b71d8d6d32b8260420c793434f0bd2c18e92b5f49aef7,False, 
-/System/Library/LaunchDaemons/com.apple.smb.preferences.plist,com.apple.smb.preferences,"['/usr/libexec/smb-sync-preferences']",f33f3b292b79dbffb5dde568cb5d2a0f30018d7990466c34008ab53cd04e4aed,True, -/System/Library/LaunchDaemons/com.apple.smbd.plist,com.apple.smbd,"['/usr/sbin/smbd']",bb37c43972926944130879f76ed1765556d2b36a2a2c96c5b516dae8b53dd254,False, -/System/Library/LaunchDaemons/com.apple.softwareupdate_download_service.plist,com.apple.softwareupdate_download_service,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_download_service']",477db02f3a71f4c004c89f8c657fd0f48b1da88bbc7c5b7e982b201184ee8199,False, -/System/Library/LaunchDaemons/com.apple.softwareupdate_firstrun_tasks.plist,com.apple.softwareupdatecheck.initial,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_firstrun_tasks', '-BuildTagCache', 'YES']",e08d74112223633bb58d56e5ffea55e41d0a558e421b867567ff66da004b0938,True, -/System/Library/LaunchDaemons/com.apple.softwareupdated.plist,com.apple.softwareupdated,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated']",1032b15bd2d192a4466e1988ada226f50baddf4e6234a5965007938d4af2649e,False, -/System/Library/LaunchDaemons/com.apple.speech.speechsynthesisd.plist,com.apple.speech.speechsynthesisd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd']",7f32d7dede4838b2ebd3d0b5e903519378241fec16395acdf22c5520b9c84925,False, -/System/Library/LaunchDaemons/com.apple.spindump.plist,com.apple.spindump,"['/usr/sbin/spindump']",493ba41a4930ac49aba43663812c926085e0f5a123ef8faba33b332cc78c144a,False, -/System/Library/LaunchDaemons/com.apple.statd.notify.plist,com.apple.statd.notify,"['/usr/sbin/rpc.statd', '-n']",dba091d634be64a9de829c325663e6651c758fad05a0acc1ede05cc71e4dab1a,True, 
-/System/Library/LaunchDaemons/com.apple.storagekitd.plist,com.apple.storagekitd,"['/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd']",30cf74c6d82fda719e421fca42ccc2d6893f1c56d537f8a077740f83a2cb0037,False, -/System/Library/LaunchDaemons/com.apple.storeaccountd.daemon.plist,com.apple.storeaccountd.daemon,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeaccountd', 'daemon']",0b4f8d38f3cf9752a1422f1c922c0c306c0448e03274ae8be17ca7827514c04c,False, -/System/Library/LaunchDaemons/com.apple.storeagent.daemon.plist,com.apple.storeagent.daemon,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storelegacy', 'daemon']",da5c5c34b09127c07a3915b00517c737f66da6d3aadad2bd5dd04b949100c1af,False, -/System/Library/LaunchDaemons/com.apple.storeassetd.daemon.plist,com.apple.storeassetd.daemon,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeassetd', 'daemon']",0018c00d6553533011b015987a509cb85b1bb0229f0dd4d4e57342e36ce2b39e,False, -/System/Library/LaunchDaemons/com.apple.storedownloadd.daemon.plist,com.apple.storedownloadd.daemon,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd', 'daemon']",f36336a0bac12f1896bb32f6256976189acf5244534dcc10255fd17b1f26ffcd,False, -/System/Library/LaunchDaemons/com.apple.storereceiptinstaller.plist,com.apple.storereceiptinstaller,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/ReceiptInstaller']",b7fa2b41593721d816587954d72780c9b81cbf82e74356cd90cd26da8017acce,False, -/System/Library/LaunchDaemons/com.apple.SubmitDiagInfo.plist,com.apple.SubmitDiagInfo,"['/System/Library/CoreServices/SubmitDiagInfo', 'server-init']",a972269ddbb2eeb86e947b6829fc274c2e614f936d8c67fe4d05e3cf33cbf932,False, 
-/System/Library/LaunchDaemons/com.apple.suhelperd.plist,com.apple.suhelperd,"['/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/suhelperd']",519ac796224f5bb7d0b5cb747afca0ac6c2edf425eddcfbce93d7011b0f5b4fa,False, -/System/Library/LaunchDaemons/com.apple.symptomsd.plist,com.apple.symptomsd,"['/usr/libexec/symptomsd']",29af370574efe5534186ca36e568bd6ec07c3f3d6f73d533b606f43a849cd7dd,False, -/System/Library/LaunchDaemons/com.apple.sysdiagnose.plist,com.apple.sysdiagnose,"['/usr/bin/sysdiagnose']",597ecd43f94c46ea39f0b888db3472ddf7814c7b2c98c7d4bf9ab6f0d63bf790,False, -/System/Library/LaunchDaemons/com.apple.syslogd.plist,com.apple.syslogd,"['/usr/sbin/syslogd']",6aecd6234a41ee0f267862c1d73e45b3cdd8208187222cb38168d4915853bcc0,False, -/System/Library/LaunchDaemons/com.apple.sysmond.plist,com.apple.sysmond,"['/usr/libexec/sysmond']",d2326cb783d325a481c0e0ea82ee5ccb7992785f6ac647794870e9a98e9bf7eb,False, -/System/Library/LaunchDaemons/com.apple.system_installd.plist,com.apple.system_installd,"['/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd']",1ce613f11ce2a54f7a79dd71b734cb2c2e4bff0edd8eef935989b9ecdf6b984c,False, -/System/Library/LaunchDaemons/com.apple.systemkeychain.plist,com.apple.systemkeychain,"['/usr/sbin/systemkeychain', '-d']",fd1b0cf617d49de5a5dceb539c7bfcc072b1280d44ae19c88f716fbf417a7e0d,False, -/System/Library/LaunchDaemons/com.apple.systempreferences.installer.plist,com.apple.systempreferences.install,"['/Applications/System Preferences.app/Contents/Resources/installAssistant']",a8b7c03f53db4a5adfd242eced60ddcaca62a061b10facad4c38372fccb12a6e,False, -/System/Library/LaunchDaemons/com.apple.systemstats.analysis.plist,com.apple.systemstats.analysis,"['/usr/sbin/systemstats', '--xpc']",b0e45dbc3e76647be9df1ab9c21f3e96c8dcbbaefb64071a4948aeb2acc8c163,False, -/System/Library/LaunchDaemons/com.apple.systemstats.daily.plist,com.apple.systemstats.daily,"['/usr/sbin/systemstats', 
'--daily']",b0e45dbc3e76647be9df1ab9c21f3e96c8dcbbaefb64071a4948aeb2acc8c163,False, -/System/Library/LaunchDaemons/com.apple.systemstatsd.plist,com.apple.systemstatsd,"['/usr/libexec/systemstatsd']",3f52febab3f6ecde4175168ff6318e81037f7227d5ff8fb30b2261fcc2c4fdda,False, -/System/Library/LaunchDaemons/com.apple.taskgated-helper.plist,com.apple.taskgated-helper,"['/usr/libexec/taskgated-helper']",347e6009b4a1779f95e5c03473a878283260237dcde25e4f54db2ec341ee1e13,False, -/System/Library/LaunchDaemons/com.apple.taskgated.plist,com.apple.taskgated,"['/usr/libexec/taskgated', '-s']",9cbee07e9d624de487b8b6700b678eebd44162056c7f7f5a5bd9f7a815fb7402,False, -/System/Library/LaunchDaemons/com.apple.tccd.system.plist,com.apple.tccd.system,"['/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd', 'system']",3b76b97f21c0e1d1a29493f2c97760b526839c0ca872226548ed34d120a45eb6,False, -/System/Library/LaunchDaemons/com.apple.thermald.plist,com.apple.thermald,"['/usr/libexec/thermald']",c1cfd842e69e2f34d0e9a2bb127953edda58e07de2c69780a4ed39ebf0143b97,False, -/System/Library/LaunchDaemons/com.apple.TMCacheDelete.plist,com.apple.TMCacheDelete,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMCacheDelete']",4da4f3b1eb34c3859cfb0f60f1e66a6094d8f8687c5295fa7f05d63118d49eaf,False, -/System/Library/LaunchDaemons/com.apple.trustd.plist,com.apple.trustd,"['/usr/libexec/trustd']",90d89a19c2d761d3752c63a41fe2fb0cd6e1f09ab3970ad38dcbe5605d6e00e4,False, -/System/Library/LaunchDaemons/com.apple.TrustEvaluationAgent.system.plist,com.apple.TrustEvaluationAgent.system,"['/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Resources/trustevaluationagent']",9f2f2656365a6fa3bb08a91dfd1f3a567761a12e65baeb7c513b235a65a6cf72,False, -/System/Library/LaunchDaemons/com.apple.ucupdate.plist,com.apple.ucupdate.plist,"['/usr/libexec/ucupdate', '-m', '/usr/share/ucupdate/microcode.dat']",90942773921d51181ebfc94026bda6fd0cf3300af42926c8a7b3742b44db4aa2,True, 
-/System/Library/LaunchDaemons/com.apple.uninstalld.plist,com.apple.uninstalld,"['/System/Library/PrivateFrameworks/Uninstall.framework/Resources/uninstalld']",a0c81020db45f32b0873cf83b18a9e1adef9378126c9f70ee8c591e9f9222a12,False, -/System/Library/LaunchDaemons/com.apple.unmountassistant.sysagent.plist,com.apple.unmountassistant.sysagent,"['/System/Library/CoreServices/UnmountAssistantAgent.app/Contents/Resources/UASysAgent']",a38db126dfc2f1827c97e57d9c8623c590ffed55e3523c886fa1bde600585180,False, -/System/Library/LaunchDaemons/com.apple.updateEFIDesktopPicture.plist,com.apple.updateEFIDesktopPicture,"['/usr/sbin/kextcache', '-u', '/']",55f22a5ded28e1faa2545b977f9cc9a44f650c1d5b2b6f47e2ba8ee973f12be6,False, -/System/Library/LaunchDaemons/com.apple.usbd.plist,com.apple.usbd,"['/usr/libexec/usbd']",838af1744b163755a32b0ce8d7c155367cd8834bdadb2203bdf7e8cfde148952,False, -/System/Library/LaunchDaemons/com.apple.usbmuxd.plist,com.apple.usbmuxd,"['/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd', '-launchd']",0ae32ac3cca65bbaa112205164f536e95f77b0fb979b73e8e829a5257e88b5b1,True, -/System/Library/LaunchDaemons/com.apple.UserEventAgent-System.plist,com.apple.UserEventAgent-System,"['/usr/libexec/UserEventAgent', '(System)']",3ef66f06d6a10a8de1ccd6630a6d18caf49ed467d62ea4d8b22005ff75bdccdf,False, -/System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist,com.apple.UserNotificationCenter,"['/System/Library/CoreServices/uncd']",593f02197ed23ac8db1091e83d0c6cce3f75e244ff280b91fa3b1a366fcbb786,False, -/System/Library/LaunchDaemons/com.apple.uucp.plist,com.apple.uucp,"['/usr/sbin/uucico', '-l', '-D']",1b2e5d7bbc04a74055898ee5e8a59f343685788dcba1757e07642bef8dfa7cf2,False, -/System/Library/LaunchDaemons/com.apple.var-db-dslocal-backup.plist,com.apple.var-db-dslocal-backup,"['/usr/bin/xar', '-c', '-f', 'dslocal-backup.xar', 'dslocal']",1cd84998b33c048595ca68aa3e2a848c347447f366efa32956301f67f34be718,False, 
-/System/Library/LaunchDaemons/com.apple.vsdbutil.plist,com.apple.vsdbutil,"['/usr/sbin/vsdbutil', '-i']",22983e6ab425b63a5dbbb522eeaba0abeb34f25cc87c586f154bca41fa0072b2,False, -/System/Library/LaunchDaemons/com.apple.warmd.plist,com.apple.warmd,"['/usr/libexec/warmd']",1b1767b643c62ec99e9ff69edd0df12f288bfd9571e80317e52ebfe333f9777c,True, -/System/Library/LaunchDaemons/com.apple.watchdogd.plist,com.apple.watchdogd,"['/usr/libexec/watchdogd']",33dfb02323bff9d38484c36d30ceca981d2aa0c9f2442264251c8a78f5a16a95,False, -/System/Library/LaunchDaemons/com.apple.wdhelper.plist,com.apple.wdhelper,"['/usr/libexec/wdhelper']",ddff2adc475f55c47c641d77a2c5bd5cffb946270ece09c7affe3f01496476d5,True, -/System/Library/LaunchDaemons/com.apple.wifid.plist,com.apple.wifid,"['/usr/libexec/wifid']",423e802478c458494ab46adf736dc9e226ecd29ff9bb406145a2d8c57dc83fa4,False, -/System/Library/LaunchDaemons/com.apple.WindowServer.plist,com.apple.WindowServer,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/WindowServer', '-daemon']",8e14b909a342459c5a9b5df05f8bf921ef5312fdbb6fe0e1825a15293713cc32,False, -/System/Library/LaunchDaemons/com.apple.wirelessproxd.plist,com.apple.wirelessproxd,"['/usr/sbin/wirelessproxd']",ffaee618da90b99eab91612feb95faa70af79eb68d27a5984393ef47121dfaf6,False, -/System/Library/LaunchDaemons/com.apple.WirelessRadioManagerd-osx.plist,com.apple.WirelessRadioManagerd-osx,"['/usr/sbin/WirelessRadioManagerd']",3062cfa7e8f6a3c04f919122e7e371c468eba51f9a2b8fd11e4e906fb50a277e,False, -/System/Library/LaunchDaemons/com.apple.wwand.plist,com.apple.wwand,"['/System/Library/Extensions/IOSerialFamily.kext/Contents/PlugIns/AppleWWANSupport.kext/Contents/Resources/wwand']",b779d9a603cdc90597968a0eb7b50f201fcc6ef5537fac4a973533fe88339503,False, -/System/Library/LaunchDaemons/com.apple.xpc.smd.plist,com.apple.xpc.smd,"['/usr/libexec/smd']",fc1b22d1a80dd8396b635df1236aa1851e940a4b8f9bf4baf0dfd094459fdbc0,False, 
-/System/Library/LaunchDaemons/com.apple.xpc.uscwoap.plist,com.apple.xpc.uscwoap,"['/bin/bash']",8e144f5dc41946ee1ae8b60e5861190b215e1ad923dddb368392658c09f9e42d,False, -/System/Library/LaunchDaemons/com.apple.xsan.plist,com.apple.xsan,"['/System/Library/Filesystems/acfs.fs/Contents/bin/xsand']",3fbddbf5f158849fbd4a8138e2188805abbbb5539398fcb5188b6f905115b217,False, -/System/Library/LaunchDaemons/com.apple.xsandaily.plist,com.apple.xsandaily,"['/System/Library/Filesystems/acfs.fs/Contents/bin/xsandaily']",5f729b885df7f40138d6e913144550a99a8e85eb8cc2c58ae372afcfe15e04f9,False, -/System/Library/LaunchDaemons/com.apple.xscertadmin.plist,com.apple.xscertadmin,"['/usr/sbin/xscertadmin', 'update']",a5e496625c4bcf000d1ba4d8520a8d0193cc4e169f9cbe5fce95e5339f307553,False, -/System/Library/LaunchDaemons/com.apple.xscertd-helper.plist,com.apple.xscertd-helper,"['/usr/libexec/xscertd-helper']",a676c4c2a1e3d62124a9d81821a650d5cccac395d9a8c768eac3a6d162e4ca29,False, -/System/Library/LaunchDaemons/com.apple.xscertd.plist,com.apple.xscertd,"['/usr/libexec/xscertd']",4f196292fe0d48c11df4fd233e84e54ef4b34b3da893f9e25507a7d39401b720,False, -/System/Library/LaunchDaemons/com.vix.cron.plist,com.vix.cron,"['/usr/sbin/cron']",e82c6b8abd80b664fe1ca930e0b7e89f101e0dd23138ca2a1bf9bab0d7513f54,False, -/System/Library/LaunchDaemons/exec.plist,com.apple.rexecd,"['/usr/libexec/rexecd']",0f97680bc8ea35e35b71b4ae25d7f52c4764300a87f5e18fa85f394083a2f25d,False, -/System/Library/LaunchDaemons/finger.plist,com.apple.fingerd,"['/usr/libexec/fingerd', '-s']",e31de7a64e7c8c22ecf9237e77444e504e91cbb912413cd573aa28a5a53ab8dc,False, -/System/Library/LaunchDaemons/ftp.plist,com.apple.ftpd,"['/usr/libexec/ftpd']",e27bb72c9848ba9ffec0df9f0280606d3d90e476522f6b55bcc1d24e0152de5f,False, -/System/Library/LaunchDaemons/login.plist,com.apple.rlogind,"['/usr/libexec/rlogind']",8607d0fe83e477d902984be875e105319745bd15845b5dd818161b34616fd66d,False, 
-/System/Library/LaunchDaemons/ntalk.plist,com.apple.ntalkd,"['/usr/libexec/ntalkd']",e66746d2cadc706c9cda8fa2e21ef4506081572119f034e5f9ecd51c62735ed4,False, -/System/Library/LaunchDaemons/org.apache.httpd.plist,org.apache.httpd,"['/usr/sbin/httpd-wrapper', '-D', 'FOREGROUND']",c79a53bc3347ad16ca7e86753eb64733569e7e7d65fc1daeac2a41922f1dfa09,False, -/System/Library/LaunchDaemons/org.cups.cups-lpd.plist,org.cups.cups-lpd,"['/usr/libexec/cups/daemon/cups-lpd', '-o', 'document-format=application/octet-stream']",cdf72bfe77a8d7cb4332007256de785cbf63f9d00100e30b0e34e7e82e2cb93b,False, -/System/Library/LaunchDaemons/org.cups.cupsd.plist,org.cups.cupsd,"['/usr/sbin/cupsd', '-l']",54a63def25e18eba9771367b4c682954e0a91b5d3d91fb660618bcb567e0075c,False, -/System/Library/LaunchDaemons/org.net-snmp.snmpd.plist,org.net-snmp.snmpd,"['/usr/sbin/snmpd']",48e7e796bfad1ff6ab945bc08140e2a115699db9beffd2bff867484990c7b18c,False, -/System/Library/LaunchDaemons/org.ntp.ntpd.plist,org.ntp.ntpd,"['/usr/libexec/ntpd-wrapper']",20064c70f48c140d8e6f2ba4f50f518ca56c22388828160ad3148f958e6fdbbd,False, -/System/Library/LaunchDaemons/org.openldap.slapd.plist,org.openldap.slapd,"['/usr/libexec/slapd']",dc93647ec1ca8e237e4e0f282b727a3425d7998d815ada30522c2f3680aff58d,False, -/System/Library/LaunchDaemons/org.postfix.master.plist,org.postfix.master,"['/usr/libexec/postfix/master']",c0a67a90cbda8e219406c8bb944c2cc247201586c79a826f7e33fd0e7a2e4360,False, -/System/Library/LaunchDaemons/org.postfix.newaliases.plist,org.postfix.newaliases,"['/usr/libexec/postfix/check-aliases.sh']",85836505e7beee66772dc51df302e9c2eefcfe3f2349681a43fb3c0a1c51ad74,True, -/System/Library/LaunchDaemons/shell.plist,com.apple.rshd,"['/usr/libexec/rshd']",0098fad53fd7a856e8138e488ab100f2f59c2af4382346a0dbf656786e8bfec6,False, -/System/Library/LaunchDaemons/ssh.plist,com.openssh.sshd,"['/usr/libexec/sshd-keygen-wrapper']",7be93674eea1e11e1c3c9b83a436181bcfcee262977e74e6612c3aa59ce52fa5,False, 
-/System/Library/LaunchDaemons/telnet.plist,com.apple.telnetd,"['/usr/libexec/telnetd']",e7a272aff55f96e3ed83f369cebcc9751e74148e09d4750c2d84c883c85c18a6,False, -/System/Library/LaunchDaemons/tftp.plist,com.apple.tftpd,"['/usr/libexec/tftpd', '-i', '/private/tftpboot']",f44cc9d3dac43f8eefbc8aa2df9d30ba690fa325e95c7295416b0ce78595076a,False, -/System/Library/LaunchAgents/com.apple.accountsd.plist,com.apple.accountsd,"['/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd']",9eaa7d6ab54ffe3ed635a99b34cb3751c0d3874e66af491d34a5dce527d9e9b1,False, -/System/Library/LaunchAgents/com.apple.AddressBook.abd.plist,com.apple.AddressBook.abd,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/AddressBookManager.app/Contents/MacOS/AddressBookManager']",9b66f5d52dca22e8a0669e611289512916f7763ce841552776ffdff8ea7aba51,False, -/System/Library/LaunchAgents/com.apple.AddressBook.AssistantService.plist,com.apple.AddressBook.AssistantService,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/ABAssistantService.app/Contents/MacOS/ABAssistantService']",a746d808ac34b4afb8e5a14fd3ab29e77850b37f67b13e83993bf9d7a6dffca3,False, -/System/Library/LaunchAgents/com.apple.AddressBook.SourceSync.plist,com.apple.AddressBook.SourceSync,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/AddressBookSourceSync.app/Contents/MacOS/AddressBookSourceSync']",1f4fb0c8784407d90d163f22d5a8a700dec8330f9133b68d0356e9c0c556cfbd,False, -/System/Library/LaunchAgents/com.apple.AirPlayUIAgent.plist,com.apple.AirPlayUIAgent,"['/System/Library/CoreServices/AirPlayUIAgent.app/Contents/MacOS/AirPlayUIAgent', '--launchd']",adcea449fcd97fee5bb943128bf18c6f4d2c6bd7aa01e17f0bb08a7d43dc45c5,True, -/System/Library/LaunchAgents/com.apple.AirPortBaseStationAgent.plist,com.apple.AirPortBaseStationAgent,"['/System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agent', 
'--launchd']",e87536f54d489913f5c871a72dc8f59489fc087311b486b4084643ed4f552f0c,False, -/System/Library/LaunchAgents/com.apple.akd.plist,com.apple.akd,"['/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd']",ebe9a30b733eba1ac21dfdcd6aaa171552fcbdf8cec766ab92599e4d28ad01e9,False, -/System/Library/LaunchAgents/com.apple.alf.useragent.plist,com.apple.alf.useragent,"['/usr/libexec/ApplicationFirewall/Firewall']",248f51a0c9cd3a99ab1dc90ee82056151ca7ab7cc6e878805b24571e76c50385,False, -/System/Library/LaunchAgents/com.apple.aos.migrate.plist,com.apple.aos.migrate,"['/System/Library/CoreServices/AOSMigrateAgent']",304ee3120fae53b27361d05321ccbd71ffe8e8c1bf1688c5a08f4be7815a7a50,False, -/System/Library/LaunchAgents/com.apple.AOSHeartbeat.plist,com.apple.AOSHeartbeat,"['/System/Library/PrivateFrameworks/AOSKit.framework/Helpers/AOSHeartbeat.app/Contents/MacOS/AOSHeartbeat']",1f2cd45683f52dd58c6de7a0ed1b4d1b9901e7fb915a4a9798420e9ea8258406,True, -/System/Library/LaunchAgents/com.apple.AOSPushRelay.plist,com.apple.AOSPushRelay,"['/System/Library/PrivateFrameworks/AOSKit.framework/Helpers/AOSPushRelay.app/Contents/MacOS/AOSPushRelay']",cf333af6239bde03ab7d5572b44d21edf6fab4c36dc67c26aa03a48073cb0d8d,False, -/System/Library/LaunchAgents/com.apple.AppleGraphicsWarning.plist,com.apple.AppleGraphicsWarning,"['/System/Library/CoreServices/AppleGraphicsWarning.app/Contents/MacOS/AppleGraphicsWarning']",42ad645be85bbbff2dc4571ebd32592b4b24279eaef0395826c7030fbb89673f,False, -/System/Library/LaunchAgents/com.apple.appleseed.seedusaged.plist,com.apple.appleseed.seedusaged,"['/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged']",06410330cbcd05f0d15db7a6622ba62332060dc602000391ead1183d7a81660d,True, -/System/Library/LaunchAgents/com.apple.appsleepd.plist,com.apple.appsleep,"['/usr/sbin/appsleepd']",d21696515729c326124a9c48ab0a6f5a3edc75ffa82a6fc83bfbbeac461e2573,False, 
-/System/Library/LaunchAgents/com.apple.appstoreupdateagent.plist,com.apple.appstoreupdateagent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/appstoreupdateagent']",a08102f2165392ab9884bf571bf70d7a606ef4dd49afbdec5a9aa0d4811703bd,False, -/System/Library/LaunchAgents/com.apple.apsctl.plist,com.apple.apsctl,"['/System/Library/PrivateFrameworks/ApplePushService.framework/apsctl', 'login']",e67b8ddcdcbb4893f147eea48c714898088c37802b057d9084a487cd587d163f,True, -/System/Library/LaunchAgents/com.apple.askpermissiond.plist,com.apple.askpermissiond,"['/System/Library/PrivateFrameworks/AskPermission.framework/Versions/A/Resources/askpermissiond']",a2d13ed478425a07286b01dd102f6b49170d57d7fdf9f209088bf486f5a24240,True, -/System/Library/LaunchAgents/com.apple.AskPermissionUI.plist,com.apple.AskPermissionUI,"['/System/Library/PrivateFrameworks/AskPermission.framework/Versions/A/Resources/AskPermissionUI.app/Contents/MacOS/AskPermissionUI']",c7255737db5a419eb275ff1fb36082be81640fcb43b8a424a5d1b6510476eeb4,False, -/System/Library/LaunchAgents/com.apple.AssetCacheLocatorService.plist,com.apple.AssetCacheLocatorService,"['/System/Library/PrivateFrameworks/AssetCacheServices.framework/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService', '-a']",9fc8f8803aef72446b8e88d3451351e572d8e0f26f0fa8ede7632721c6b50b91,False, -/System/Library/LaunchAgents/com.apple.assistant_service.plist,com.apple.assistant_service,"['/System/Library/PrivateFrameworks/AssistantServices.framework/assistant_service']",6f33260615963c8067fcacfd2f421f806e11c87042a134e53d89abeb859733e0,False, -/System/Library/LaunchAgents/com.apple.assistantd.plist,com.apple.assistantd,"['/System/Library/PrivateFrameworks/AssistantServices.framework/assistantd']",3361b8a1c6f426a691a54241735df2f9de1d2e819a8cec55620f3db77f3b8e26,False, -/System/Library/LaunchAgents/com.apple.AssistiveControl.plist,com.apple.AssistiveControl,"['/System/Library/Input Methods/Switch 
Control.app/Contents/MacOS/Switch Control', 'launchd', '-s']",b394fe8f77ed3cbb1a2326ca20395d5d758774a73d9b4cb531d2288ffd0963a7,False, -/System/Library/LaunchAgents/com.apple.BezelUI.plist,com.apple.BezelUIServer,"['/System/Library/LoginPlugins/BezelServices.loginPlugin/Contents/Resources/BezelUI/BezelUIServer']",c3643e01c318a4f600ab78cde62682a11977b1d58326e9161b54cfeffa19b735,False, -/System/Library/LaunchAgents/com.apple.bird.plist,com.apple.bird,"['/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird']",188a738b273968bbf8628e562a317a3e7ec05d0a0067de40a233bce90c3def1e,False, -/System/Library/LaunchAgents/com.apple.bluetoothUIServer.plist,com.apple.bluetoothUIServer,"['/System/Library/CoreServices/BluetoothUIServer.app/Contents/MacOS/BluetoothUIServer']",169f0f8b6be6d34ebf4e97552ac5e1a7ee90fac20ab62e6e8a742505d5b2163f,False, -/System/Library/LaunchAgents/com.apple.btsa.plist,com.apple.btsa,"['/System/Library/CoreServices/Bluetooth Setup Assistant.app/Contents/MacOS/Bluetooth Setup Assistant', '-autoConfigure']",641c8eabcaa958a289a6226157d16e9422fe4e7b66f5cf2fa852a7d3403cf84a,False, -/System/Library/LaunchAgents/com.apple.CalendarAgent.plist,com.apple.CalendarAgent,"['/System/Library/PrivateFrameworks/CalendarAgent.framework/Executables/CalendarAgent']",8ade870942636edcb9dd6eb9e8e38b1c4c4f0e93f6d1f226f133511425dc6f00,True, -/System/Library/LaunchAgents/com.apple.CallHistoryPluginHelper.plist,com.apple.CallHistoryPluginHelper,"['/System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistoryPluginHelper']",9318f99d48487f7d1d8d8bbf265e14ebeac9eb95ee4a3d8e8bda4911adeb4f93,False, -/System/Library/LaunchAgents/com.apple.CallHistorySyncHelper.plist,com.apple.CallHistorySyncHelper,"['/System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper']",06e28555fd55f4afb4e3dcf9e3f40a7e10cc250af23d6b43a20ced1821b43b3c,False, 
-/System/Library/LaunchAgents/com.apple.cdpd.plist,com.apple.cdpd,"['/System/Library/PrivateFrameworks/CoreCDP.framework/Versions/A/Resources/cdpd']",9fd2665321b76e8cd5a63fa0eec474bf036d873a192f59009121e3a594ad0149,False, -/System/Library/LaunchAgents/com.apple.cfnetwork.AuthBrokerAgent.plist,com.apple.cfnetwork.AuthBrokerAgent,"['/System/Library/CoreServices/AuthBrokerAgent']",93cfc6b591597dc13d886b8e847b931a75593dc77c180a7f232952fda28b42bb,False, -/System/Library/LaunchAgents/com.apple.cfnetwork.cfnetworkagent.plist,com.apple.cfnetwork.cfnetworkagent,"['/System/Library/CoreServices/CFNetworkAgent']",b9b8f4381896f42dedb8e4a82a0c0f8efbdd1fb30849895eeda3401a5bdc3a72,False, -/System/Library/LaunchAgents/com.apple.cfprefsd.xpc.agent.plist,com.apple.cfprefsd.xpc.agent,"['/usr/sbin/cfprefsd', 'agent']",a61315c2cf11733e6a511a0fdb0ffd239e402b0d00cc6a9e408a458d32e447c2,False, -/System/Library/LaunchAgents/com.apple.cloudd.plist,com.apple.cloudd,"['/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd']",e6af1328085c70601546483261ed5ae35099543cef74a19b3a862490ecffeea6,False, -/System/Library/LaunchAgents/com.apple.cloudfamilyrestrictionsd-mac.plist,com.apple.cloudfamilyrestrictionsd,"['/System/Library/PrivateFrameworks/CloudFamilyRestrictions.framework/cloudfamilyrestrictionsd']",591cd2e0c50ab5dd84d2225eb80928c9717c523a0f2c98289b72639bec31a5ea,False, -/System/Library/LaunchAgents/com.apple.cloudpaird.plist,com.apple.cloudpaird,"['/System/Library/CoreServices/cloudpaird']",21a849f7f1fdfe2ce7d07bd582087351ff7c2b2f227135f4f633d12db5d18d90,False, -/System/Library/LaunchAgents/com.apple.cloudphotosd.plist,com.apple.cloudphotosd,"['/System/Library/CoreServices/cloudphotosd.app/Contents/MacOS/cloudphotosd']",155af97356db0ad3f239579988144cd6332089302dfd46d76c566ebdc7d0b175,False, 
-/System/Library/LaunchAgents/com.apple.cmfsyncagent.plist,com.apple.cmfsyncagent,"['/System/Library/PrivateFrameworks/CommunicationsFilter.framework/CMFSyncAgent.app/Contents/MacOS/CMFSyncAgent']",5499a07213884e79a7fb59d4d6a6d3e0aa2f0135978cfa614a9398d8de120d04,False, -/System/Library/LaunchAgents/com.apple.CommCenter-osx.plist,com.apple.CommCenter,"['/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter']",28fe93931b1bb3f869762e5a74aeb97b5b969ca8de243ca5b616eb6b76cfa1a3,False, -/System/Library/LaunchAgents/com.apple.ContainerRepairAgent.plist,com.apple.ContainerRepairAgent,"['/usr/libexec/AppSandbox/ContainerRepairAgent']",a207fc30476ad0b8cf4429f6a8e0a0234866591e95257921f3e14f69d639c55c,False, -/System/Library/LaunchAgents/com.apple.CoreAuthentication.daemon.plist,com.apple.CoreAuthentication.daemon,"['/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd']",cd2a25d00bc79188a8529a9c0a3ecae0c3c3668cea5ef3bc2041c1e270b43364,False, -/System/Library/LaunchAgents/com.apple.coredata.externalrecordswriter.plist,com.apple.coredata.externalrecordswriter,"['/System/Library/Frameworks/CoreData.framework/Versions/A/Resources/ExternalRecordsWriter']",4697a4e5237275e37bd942a8a9fb5f141052ef4116dafe6faf581efec01849f6,False, -/System/Library/LaunchAgents/com.apple.CoreLocationAgent.plist,com.apple.CoreLocationAgent,"['/System/Library/CoreServices/CoreLocationAgent.app/Contents/MacOS/CoreLocationAgent']",a6b53997560f638d025394f0f4fb451ab5495538812bef52b1832c93e0d1fa1b,False, -/System/Library/LaunchAgents/com.apple.CoreRAIDAgent.plist,com.apple.CoreRAIDAgent,"['/System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDAgent']",601c112a3398e0c3a5ed4f2ed7770f9a70b63e3aca51a9bd9b25e3fb42fdb59d,False, 
-/System/Library/LaunchAgents/com.apple.coreservices.appleid.authentication.plist,com.apple.coreservices.appleid.authentication,"['/System/Library/CoreServices/AppleIDAuthAgent']",6dc9534c6040b6a73a0e0291bd1061e87353163866cbf100df04c94fd5f60f09,True, -/System/Library/LaunchAgents/com.apple.coreservices.lsactivity.plist,com.apple.coreservices.useractivityd,"['/System/Library/PrivateFrameworks/UserActivity.framework/Agents/useractivityd']",774015953e9a6e2f62732880e86dd1620b89f8d9e069349d02ebd03a0582c8c7,False, -/System/Library/LaunchAgents/com.apple.coreservices.sharedfilelistd.plist,com.apple.coreservices.sharedfilelistd,"['/System/Library/CoreServices/sharedfilelistd']",f97eb14ce64afc014edb83bd0d24f1fa26bce7ae5613a8175e723b500fe3af09,False, -/System/Library/LaunchAgents/com.apple.coreservices.uiagent.plist,com.apple.coreservices.uiagent,"['/System/Library/CoreServices/CoreServicesUIAgent.app/Contents/MacOS/CoreServicesUIAgent']",540acf607aabc99deda8f0527fbbabc7632a27f171d22da9a791673f2fbbdc72,False, -/System/Library/LaunchAgents/com.apple.csuseragent.plist,com.apple.csuseragent,"['/System/Library/CoreServices/CSUserAgent']",362171c4269096c1b9cb8825f2e973f2fe2e7fc4a3cb18884da781fae162bf61,False, -/System/Library/LaunchAgents/com.apple.ctkd.plist,com.apple.ctkd,"['/System/Library/Frameworks/CryptoTokenKit.framework/ctkd', '-tw']",1eefefb7ebb56ce8f642eda690b261aa09fa9c2b1286ea2a4962cd7fd9f16956,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3600_i386.plist,com.apple.cvmsCompAgent3600_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3600/CVMCompiler', '4']",57744b2d25b61cf98210389e59d07cd034f39876ebb6dd701d54670fd761e803,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3600_i386_1.plist,com.apple.cvmsCompAgent3600_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3600/CVMCompiler', '5']",57744b2d25b61cf98210389e59d07cd034f39876ebb6dd701d54670fd761e803,False, 
-/System/Library/LaunchAgents/com.apple.cvmsCompAgent3600_x86_64.plist,com.apple.cvmsCompAgent3600_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3600/CVMCompiler', '4']",57744b2d25b61cf98210389e59d07cd034f39876ebb6dd701d54670fd761e803,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3600_x86_64_1.plist,com.apple.cvmsCompAgent3600_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3600/CVMCompiler', '5']",57744b2d25b61cf98210389e59d07cd034f39876ebb6dd701d54670fd761e803,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_i386.plist,com.apple.cvmsCompAgent_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '2']",50c53d37aaf2f6222842ab231d5e54e2c4e90fd163e2bab0bc053f32aa410c7d,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_i386_1.plist,com.apple.cvmsCompAgent_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '3']",50c53d37aaf2f6222842ab231d5e54e2c4e90fd163e2bab0bc053f32aa410c7d,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_x86_64.plist,com.apple.cvmsCompAgent_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '2']",50c53d37aaf2f6222842ab231d5e54e2c4e90fd163e2bab0bc053f32aa410c7d,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_x86_64_1.plist,com.apple.cvmsCompAgent_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '3']",50c53d37aaf2f6222842ab231d5e54e2c4e90fd163e2bab0bc053f32aa410c7d,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_i386.plist,com.apple.cvmsCompAgentLegacy_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler']",8be3552a6fd4ee83993b0cb30d3f9431fcbbd89a1c348247ff6584b84741ec55,False, 
-/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_i386_1.plist,com.apple.cvmsCompAgentLegacy_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler', '1']",8be3552a6fd4ee83993b0cb30d3f9431fcbbd89a1c348247ff6584b84741ec55,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_x86_64.plist,com.apple.cvmsCompAgentLegacy_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler']",8be3552a6fd4ee83993b0cb30d3f9431fcbbd89a1c348247ff6584b84741ec55,False, -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_x86_64_1.plist,com.apple.cvmsCompAgentLegacy_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler', '1']",8be3552a6fd4ee83993b0cb30d3f9431fcbbd89a1c348247ff6584b84741ec55,False, -/System/Library/LaunchAgents/com.apple.DiagnosticReportCleanup.plist,com.apple.DiagnosticReportCleanup.plist,"['/System/Library/CoreServices/SubmitDiagInfo', 'cleanup']",a972269ddbb2eeb86e947b6829fc274c2e614f936d8c67fe4d05e3cf33cbf932,False, -/System/Library/LaunchAgents/com.apple.diagnostics_agent.plist,com.apple.diagnostics_agent,"['/System/Library/CoreServices/diagnostics_agent']",8d00a160fbe0368271233dc626d7cf2ccaf0b8fba87c4d95eee6f1e3e91187a5,True, -/System/Library/LaunchAgents/com.apple.DictationIM.plist,com.apple.DictationIM,"['/System/Library/Input Methods/DictationIM.app/Contents/MacOS/DictationIM']",1209a520a47949a7f925cd641aaf1ca6ecded539c2fba926fcc52eeb7e7fb7e1,False, -/System/Library/LaunchAgents/com.apple.DiskArbitrationAgent.plist,com.apple.DiskArbitrationAgent,"['/System/Library/Frameworks/DiskArbitration.framework/Versions/A/Support/DiskArbitrationAgent']",04af3a3fe5fa7e746787855aa157111b597001fe34a0eb6bfdb40dec15bc53fd,False, -/System/Library/LaunchAgents/com.apple.distnoted.xpc.agent.plist,com.apple.distnoted.xpc.agent,"['/usr/sbin/distnoted', 'agent']",cd4d8ac051c418b02bd98e36191638e5733f17521e23594bed2e579a24b3b77e,False, 
-/System/Library/LaunchAgents/com.apple.Dock.plist,com.apple.Dock.agent,"['/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock']",f5e2a54a002fde9936addb0558331db4db13aebfaffbf30b7fa8cdd68808c205,False, -/System/Library/LaunchAgents/com.apple.dt.CommandLineTools.installondemand.plist,com.apple.dt.CommandLineTools.installondemand,"['/System/Library/CoreServices/Install Command Line Developer Tools.app/Contents/MacOS/Install Command Line Developer Tools']",535627b8d7d0706f97806e19547394020406a7d601b962ea33be2f6c58d62420,False, -/System/Library/LaunchAgents/com.apple.EscrowSecurityAlert.plist,com.apple.EscrowSecurityAlert,"['/System/Library/CoreServices/EscrowSecurityAlert.app/Contents/MacOS/EscrowSecurityAlert']",43ef5afec6e96ee32b6956d68459a3dad00fdb89fc0a5ee2ea785ec5514a85e0,False, -/System/Library/LaunchAgents/com.apple.familycircled.plist,com.apple.familycircled,"['/System/Library/PrivateFrameworks/FamilyCircle.framework/Versions/A/Resources/familycircled']",b295dbbf04b79d142cfcf23b279a1a98e9c50e93261d68bbf18af9382d665773,False, -/System/Library/LaunchAgents/com.apple.familycontrols.useragent.plist,com.apple.familycontrols.useragent,"['/System/Library/PrivateFrameworks/FamilyControls.framework/Resources/ParentalControls.app/Contents/MacOS/ParentalControls']",739b9a0c0f9be69eda1798d656f892f436c6e2523fbc2dbccf327eea36eba205,False, -/System/Library/LaunchAgents/com.apple.familynotificationd.plist,com.apple.familynotificationd,"['/System/Library/PrivateFrameworks/FamilyNotification.framework/Versions/A/Resources/Family.app/Contents/MacOS/Family']",0ed93717dd93c19accc8a0cd68ad2526b40568d6af2992623fa9ab93b23676f6,False, -/System/Library/LaunchAgents/com.apple.FileStatsAgent.plist,com.apple.FileStatsAgent,"['/usr/sbin/FileStatsAgent']",2652430cd2be197371b8d459b6c5f30b9918bb986f241e296c0952812610b43b,False, 
-/System/Library/LaunchAgents/com.apple.FileSyncAgent.PHD.plist,com.apple.FileSyncAgent.PHD,"['/System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent', '-launchedByLaunchd', '-PHDPlist']",5bd5eae425245c882549a777b3b6d9fd9c5a1d1f9058e588fa2842f27ff30971,False, -/System/Library/LaunchAgents/com.apple.FilesystemUI.plist,com.apple.FilesystemUI,"['/System/Library/CoreServices/KernelEventAgent.bundle/Contents/Resources/FileSystemUIAgent.app/Contents/MacOS/FileSystemUIAgent']",11478b629bcd9652aa96bb987076f9dc8cb165b997c850820ef591d53338b2b0,False, -/System/Library/LaunchAgents/com.apple.Finder.plist,com.apple.Finder,"['/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder']",3484edc08424a780d3b62b73c235c07dd7825d7a56f989c9ebe736d9cee4def6,False, -/System/Library/LaunchAgents/com.apple.findmymacmessenger.plist,com.apple.findmymacmessenger,"['/System/Library/PrivateFrameworks/FindMyMac.framework/Resources/FindMyMacMessenger.app/Contents/MacOS/FindMyMacMessenger']",dfab96f82fd0b7c27876f6ef598f83fc8cacc252821712618c7841c9c7fe468f,False, -/System/Library/LaunchAgents/com.apple.FolderActionsDispatcher.plist,com.apple.FolderActionsDispatcher,"['/System/Library/CoreServices/FolderActionsDispatcher.app/Contents/MacOS/FolderActionsDispatcher']",fb6407d3c347a7b1e9c2a54a46f77a93b476fbf7b0a032ba02307cc9aec180c2,True, -/System/Library/LaunchAgents/com.apple.followupd.plist,com.apple.followupd,"['/System/Library/PrivateFrameworks/CoreFollowUp.framework/Versions/A/Support/followupd']",53ac3b46f21b17f293bb81411b7d1b47d59774eca891620a44fbdff160b0655a,False, -/System/Library/LaunchAgents/com.apple.FollowUpUI.plist,com.apple.FollowUpUI,"['/System/Library/PrivateFrameworks/CoreFollowUp.framework/Versions/A/Resources/FollowUpUI.app/Contents/MacOS/FollowUpUI']",0a4ab08882ef0b85262060b253a855c139fac76152ca8f858b4cdf6e23a3b20f,False, 
-/System/Library/LaunchAgents/com.apple.fontd.useragent.plist,com.apple.fontd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd']",ad981c152635554225f9de818e4bad5aa563fc0cec4ee78193e3c99a7c225bc9,False, -/System/Library/LaunchAgents/com.apple.FontRegistryUIAgent.plist,com.apple.FontRegistryUIAgent,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/FontRegistryUIAgent.app/Contents/MacOS/FontRegistryUIAgent']",a4d43da3350bafede3ad05d6deabf7f9de871683b4f117d3237e50aedd5e1e28,False, -/System/Library/LaunchAgents/com.apple.FontValidator.plist,com.apple.ATS.FontValidator,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/FontValidator']",025f88e8420e8e9c6e5ac91cdbf0d2073545ff67f37bce6853dfc51ce0b4bcaa,False, -/System/Library/LaunchAgents/com.apple.FontValidatorConduit.plist,com.apple.ATS.FontValidatorConduit,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/FontValidatorConduit']",f1ab77b9310d544e356e5f6cf22973463fd5a56356d7a167111605452bfb27d7,False, -/System/Library/LaunchAgents/com.apple.FontWorker.plist,com.apple.FontWorker,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontworker']",efa01df0e9fb04d45f32142447a1f68f6b53e58a47ba0998f468180fc809ad5e,False, -/System/Library/LaunchAgents/com.apple.gamed.plist,com.apple.gamed,"['/System/Library/PrivateFrameworks/GameCenterFoundation.framework/Versions/A/gamed']",5aa596fa5a7b2fd18df6ba295f7abd7ffd55ba21c697d126d4eebf4af659dfd0,False, -/System/Library/LaunchAgents/com.apple.helpd.plist,com.apple.helpd,"['/System/Library/PrivateFrameworks/HelpData.framework/Versions/A/Resources/helpd']",26e68c7b0eef29fa7e31be818d967790e2aefe047437e2c08139c568425e9ef2,True, 
-/System/Library/LaunchAgents/com.apple.icdd.plist,com.apple.icdd,"['/System/Library/Image Capture/Support/icdd']",bbd1c77a1e8d8fb2308e34c1397ee5c8809cbd63636074526a4f989f3d039175,False, -/System/Library/LaunchAgents/com.apple.icloud.findmydeviced.findmydevice-user-agent.plist,com.apple.icloud.findmydeviced.findmydevice-user-agent,"['/usr/libexec/findmydevice-user-agent']",8658d7cf7bc13e52a90834196e54f63fe8116fe814df663f618d2492950a413c,False, -/System/Library/LaunchAgents/com.apple.icloud.fmfd.plist,com.apple.icloud.fmfd,"['/usr/libexec/fmfd']",34b2a3bf6e684f92fb0a3ca2540c974aed437f70e952d6628ce51fb27017e8a4,False, -/System/Library/LaunchAgents/com.apple.iCloudUserNotifications.plist,com.apple.iCloudUserNotificationsd,"['/System/Library/PrivateFrameworks/AOSAccounts.framework/Versions/A/Resources/iCloudUserNotificationsd.app/Contents/MacOS/iCloudUserNotificationsd']",1f68daeaef20aa648466f1568978ff0e0cfb5d2bf21b985aa84ad741c39b40f3,False, -/System/Library/LaunchAgents/com.apple.iconservices.iconservicesagent.plist,com.apple.iconservices.iconservicesagent,"['/System/Library/CoreServices/iconservicesagent']",3d34e9c0ae870a64ab4c125f390c8cb06319a5ab32892cedc9e989e9c1a88e7e,True, -/System/Library/LaunchAgents/com.apple.identityservicesd.plist,com.apple.identityservicesd,"['/System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd']",7b9d9a7dcbe7791254bbb4bf55f82d9ce83fc5231d94756c17333ca6d1e7f21d,False, -/System/Library/LaunchAgents/com.apple.idsremoteurlconnectionagent.plist,com.apple.idsfoundation.IDSRemoteURLConnectionAgent,"['/System/Library/PrivateFrameworks/IDSFoundation.framework/IDSRemoteURLConnectionAgent.app/Contents/MacOS/IDSRemoteURLConnectionAgent']",e37f16a36ee84cfc3533fb7917b4fa67411af6cb7bdbb65c7c1be8be3c87f1ff,False, 
-/System/Library/LaunchAgents/com.apple.imagent.plist,com.apple.imagent,"['/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent']",ffc8f3f6f4b655a5a0cce87296159b259a00dac88277bb7c5970bad9108d07cf,False, -/System/Library/LaunchAgents/com.apple.imavagent.plist,com.apple.imavagent,"['/System/Library/PrivateFrameworks/IMAVCore.framework/imavagent.app/Contents/MacOS/imavagent']",4bf2d5074b74ed9ec596b021abe207717cbbc05bf5342e32fcfb935f5085198c,False, -/System/Library/LaunchAgents/com.apple.imklaunchagent.plist,com.apple.imklaunchagent,"['/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent']",de451e44bf8a7d3fa3d1f5053f05bdfa61c847ad4df300c8409a5d098222e543,False, -/System/Library/LaunchAgents/com.apple.IMLoggingAgent.plist,com.apple.IMLoggingAgent,"['/System/Library/PrivateFrameworks/IMFoundation.framework/IMLoggingAgent']",ce1ba7447b44a2ee413a4f0058c91ba6d645f1ba3c4b2b15aa328384486ca094,False, -/System/Library/LaunchAgents/com.apple.imtransferagent.plist,com.apple.imcore.imtransferagent,"['/System/Library/PrivateFrameworks/IMTransferServices.framework/IMTransferAgent.app/Contents/MacOS/IMTransferAgent']",6e2882198770d875fed670dbf232ce7728bd224a658fb742478a434c873be88d,False, -/System/Library/LaunchAgents/com.apple.installandsetup.migrationhelper.user.plist,com.apple.installandsetup.migrationhelper.user,"['/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/migrationhelper']",bbe23ad345c6bcebfe3f8137dcff3115dcdf4be4348881db4378a47886eee879,False, -/System/Library/LaunchAgents/com.apple.installd.user.plist,com.apple.installd.user,"['/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd']",2f77472bb65211af39ce134b58e658d20d3c6be47f2e7c58b4379dbfd5afdc84,False, -/System/Library/LaunchAgents/com.apple.isst.plist,com.apple.isst,"['/System/Library/CoreServices/Menu 
Extras/TextInput.menu/Contents/SharedSupport/isst']",f3c99243e9cdc68a5c6a38edc218e7e4e25d03cef5c03d83d67e67a68f4886ef,True, -/System/Library/LaunchAgents/com.apple.java.InstallOnDemand.plist,com.apple.java.InstallOnDemand,"['/System/Library/Java/Support/CoreDeploy.bundle/Contents/Download Java Components.app/Contents/MacOS/Download Java Components']",e02bb35ec94f19c38e4343b75dceb35f6753ebaaf78795c44c1f990aeeccde00,False, -/System/Library/LaunchAgents/com.apple.java.updateSharing.plist,com.apple.java.updateSharing,"['/System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/bin/updateSharingD']",1b88f9e6c6281a84ca7229e172b3669e57fcfc48651d787ee75bce7e7c9c81f3,False, -/System/Library/LaunchAgents/com.apple.lateragent.plist,com.apple.lateragent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Resources/LaterAgent.app/Contents/MacOS/LaterAgent']",9483ea730503e2c84311a0cc75687f923208a2351897a9cddf2a3a32de78873b,False, -/System/Library/LaunchAgents/com.apple.locationmenu.plist,com.apple.locationmenu,"['/System/Library/CoreServices/LocationMenu.app/Contents/MacOS/LocationMenu']",b8d7d7c47e9fe5f89d164d68d0fa7d80018cb1ee8aefb49aab7ef566ca3d0da8,False, -/System/Library/LaunchAgents/com.apple.lsd.plist,com.apple.lsd,"['/usr/libexec/lsd']",5f54e2a9dd876c03213dcdd294d8165c429fb786f051a1b40bc69035e2cf8079,False, -/System/Library/LaunchAgents/com.apple.ManagedClientAgent.agent.plist,com.apple.ManagedClientAgent.agent,"['/System/Library/CoreServices/ManagedClient.app/Contents/Resources/ManagedClientAgent', '-a']",de856cd882c50ef4ca0463a5c0a3223cf75bd2f0fd73b66d95bca458afcdb5fd,False, -/System/Library/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist,com.apple.ManagedClientAgent.enrollagent,"['/System/Library/CoreServices/ManagedClient.app/Contents/Resources/ManagedClientAgent', '-j']",de856cd882c50ef4ca0463a5c0a3223cf75bd2f0fd73b66d95bca458afcdb5fd,False, 
-/System/Library/LaunchAgents/com.apple.Maps.pushdaemon.plist,com.apple.Maps.mapspushd,"['/System/Library/CoreServices/mapspushd']",a842797ed4a8bf32d42eae25be04c0292944eead04207ba51e837581899ddc75,False, -/System/Library/LaunchAgents/com.apple.maspushagent.plist,com.apple.maspushagent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/maspushagent']",93269fff6687e5fb0a2eb9e5a54257c1c428abdd6c94c84238b209c81fc9aaa7,False, -/System/Library/LaunchAgents/com.apple.mbbackgrounduseragent.plist,com.apple.mbbackgrounduseragent,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbbackgrounduseragent']",a6bfa170d7c01aba32a87d84c32526801f2fc41fe1ed891c2dad14877d3ebd32,False, -/System/Library/LaunchAgents/com.apple.mbfloagent.plist,com.apple.mbfloagent,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbfloagent']",c0b8b8fc3e4350c54196421cbb56b8b02950a0a31075cc8fafe1b9dfd79243a3,False, -/System/Library/LaunchAgents/com.apple.mbuseragent.plist,com.apple.mbuseragent,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbuseragent']",821d618ac78dfb1d649c5cebcb0f79aa204b3a3eab718c34ca6802bab07e523e,False, -/System/Library/LaunchAgents/com.apple.mdmclient.agent.plist,com.apple.mdmclient.agent,"['/usr/libexec/mdmclient', 'agent']",845d83d0c8a98dfeffef7f13ef0335e77e3b08fe168e9c9bf15f0beaccf7b6c0,False, -/System/Library/LaunchAgents/com.apple.mdworker.32bit.plist,com.apple.mdworker.32bit,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker32', '-s', 'mdworker-lsb', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.32bit']",44086ae7b33bbdee048b9e99d098e20db0473960e5a9c6ec44209f6705ec9c7e,False, -/System/Library/LaunchAgents/com.apple.mdworker.bundles.plist,com.apple.mdworker.bundles,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-bundle', '-c', 
'MDSImporterBundleFinder', '-m', 'com.apple.mdworker.bundles']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, -/System/Library/LaunchAgents/com.apple.mdworker.isolation.plist,com.apple.mdworker.isolation,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.isolation']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, -/System/Library/LaunchAgents/com.apple.mdworker.lsb.plist,com.apple.mdworker.lsb,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-lsb', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.lsb']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, -/System/Library/LaunchAgents/com.apple.mdworker.mail.plist,com.apple.mdworker.mail,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-mail', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.mail']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, -/System/Library/LaunchAgents/com.apple.mdworker.shared.plist,com.apple.mdworker.shared,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.shared']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, -/System/Library/LaunchAgents/com.apple.mdworker.single.plist,com.apple.mdworker.single,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.single']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, 
-/System/Library/LaunchAgents/com.apple.mdworker.sizing.plist,com.apple.mdworker.sizing,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-sizing', '-c', 'MDSSizingWorker', '-m', 'com.apple.mdworker.sizing']",81eafcc77285d470f97d89668a79be80ffef08aab64a59d446e4f2bd150c290c,False, -/System/Library/LaunchAgents/com.apple.metadata.mdbulkimport.plist,com.apple.metadata.mdbulkimport,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdbulkimport', '-s', 'mdbulkimport']",3d462b7ab4a74a6f5d7fd948ad1b767f56a48bad9d22416f51f581e14c603706,False, -/System/Library/LaunchAgents/com.apple.metadata.mdflagwriter.plist,com.apple.metadata.mdflagwriter,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdflagwriter']",e9419f9478d3b5dfca6b0b1d6ca9ecce8beb3cb2aa0902bc08e7dd97ecad4cb3,False, -/System/Library/LaunchAgents/com.apple.metadata.mdwrite.plist,com.apple.metadata.mdwrite,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdwrite']",43680197bbdf4ad9d52520511e46b95e40e6c28d6b527078fa79353e1e0c150b,False, -/System/Library/LaunchAgents/com.apple.metadata.SpotlightNetHelper.plist,com.apple.metadata.SpotlightNetHelper,"['/System/Library/PrivateFrameworks/ParsecUI.framework/Versions/A/Support/SpotlightNetHelper.app/Contents/MacOS/SpotlightNetHelper']",40de1eef9f1f9d6748400b7870646a9bb453d54f2b8eefa7ee82cc934c4f8bb5,False, -/System/Library/LaunchAgents/com.apple.midiserver.plist,com.apple.midiserver,"['/System/Library/Frameworks/CoreMIDI.framework/MIDIServer']",aa2eef746b49557f446f26e9d4f6ea5a0ee575fd82e4c2c7ad0d4b276f426b94,False, -/System/Library/LaunchAgents/com.apple.MRTa.plist,com.apple.MRTa,"['/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT', '-a']",fd07a1f4ed10706cc4eb6c3c12ed46c4cb5f52ccd73f55ca847dffc67dc879bf,True, 
-/System/Library/LaunchAgents/com.apple.navd.plist,com.apple.navd,"['/System/Library/PrivateFrameworks/MapsSupport.framework/navd']",3f6ebf27024a6ef8cb08a2e7de693cd488549776617684367b1cd81f81177ac0,False, -/System/Library/LaunchAgents/com.apple.neagent.plist,com.apple.neagent,"['/usr/libexec/neagent']",d45ad60fa7aec79b53ac5e43f7c48723cf8f06f4267ad670a34ddf06a67e7ac8,False, -/System/Library/LaunchAgents/com.apple.netauth.user.auth.plist,com.apple.netauth.user.auth,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent']",bc6707a055c064d3c6659fe6083663aac071d10973b2dbb571896307db16647c,False, -/System/Library/LaunchAgents/com.apple.netauth.user.gui.plist,com.apple.netauth.user.gui,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent']",650d221ceb76eb2138ee9a1efea86f89db23cfe45a7e62dd8e7fc033f005926a,False, -/System/Library/LaunchAgents/com.apple.NetworkDiagnostics.plist,com.apple.NetworkDiagnostics,"['/System/Library/CoreServices/Network Diagnostics.app/Contents/MacOS/Network Diagnostics']",2018ea3b60a0970bd160664568aac6997e34e8a9fbc6e65ec030612246182011,False, -/System/Library/LaunchAgents/com.apple.noticeboard.agent.plist,com.apple.noticeboard.agent,"['/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbagent.app/Contents/MacOS/nbagent']",89452d074a8c54451447f9784cf0cfa5a8bbbe7da05b21c38bf7444d539946bf,False, -/System/Library/LaunchAgents/com.apple.notificationcenterui.plist,com.apple.notificationcenterui.agent,"['/System/Library/CoreServices/NotificationCenter.app/Contents/MacOS/NotificationCenter']",d24a7e3f29077224acba1d8b82f42a4c9ac9f93f3fcee51dac2ae339d3a8b110,False, -/System/Library/LaunchAgents/com.apple.nsurlsessiond.plist,com.apple.nsurlsessiond,"['/usr/libexec/nsurlsessiond']",5fdabcf4f5b12868ff14ec56b871ec89d37446b456c05109d35927058accce01,False, 
-/System/Library/LaunchAgents/com.apple.nsurlstoraged.plist,com.apple.nsurlstoraged,"['/usr/libexec/nsurlstoraged']",24ae6fd6e474e3e50f88f616cceabeec6d17d731031dcfa69e66f52b2c0d21bf,False, -/System/Library/LaunchAgents/com.apple.PackageKit.InstallStatus.plist,com.apple.PackageKit.InstallStatus,"['/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress']",9b81836501e0a0b62e1a45eaa82b4827a3d9868dfc61292930e4cd36bbcbc345,False, -/System/Library/LaunchAgents/com.apple.parentalcontrols.check.plist,com.apple.parentalcontrols.check,"['/System/Library/PrivateFrameworks/FamilyControls.framework/Resources/pcdCheck']",dc116b61f7038887e9e1e8a1dc21b4751aa1942da0955205291dc46cf340af1a,True, -/System/Library/LaunchAgents/com.apple.pboard.plist,com.apple.pboard,"['/usr/sbin/pboard']",d535518de1be40c615fe4e5f4b3f933bd0f48a0c3e9930db854566c8387afb33,False, -/System/Library/LaunchAgents/com.apple.pbs.plist,com.apple.pbs,"['/System/Library/CoreServices/pbs']",ebee7d236f3456b8ffe0adca15c8dc3773b09f62a97f69a4558617cdfbf8505f,False, -/System/Library/LaunchAgents/com.apple.PCIESlotCheck.plist,com.apple.PCIESlotCheck,"['/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIESlotCheck']",62473156d2f5cc16ef734e79feb85acc9f204f822f34e350d5a3af84c69b6e03,True, -/System/Library/LaunchAgents/com.apple.photolibraryd.plist,com.apple.photolibraryd,"['/System/Library/PrivateFrameworks/PhotoLibraryPrivate.framework/Versions/A/Support/photolibraryd']",c88bff7c7821c5be3fc9ca0eb911841d2b5b302dd03888a48f1c803b14f95401,False, -/System/Library/LaunchAgents/com.apple.PhotoLibraryMigrationUtility.XPC.plist,com.apple.PhotoLibraryMigrationUtility.XPC,"['/System/Library/CoreServices/Photo Library Migration Utility.app/Contents/MacOS/Photo Library Migration Utility', '-server']",c00b9d1920f8cfef306c56a37f36e48c454bb78489ea12d1b68713f2282ced24,False, 
-/System/Library/LaunchAgents/com.apple.pictd.plist,com.apple.pictd,"['/usr/sbin/pictd']",2d4ed8e3c005c709a640e787657bf3b47de275d18874750093110ec4861522f3,False, -/System/Library/LaunchAgents/com.apple.pluginkit.pkd.plist,com.apple.pluginkit.pkd,"['/usr/libexec/pkd']",4d3f8e19eb89acbcc8b2876542f36a3ca1059325ff4c5e5f0e23854b5bee2537,False, -/System/Library/LaunchAgents/com.apple.pluginkit.pkreporter.plist,com.apple.pluginkit.pkreporter,"['/usr/libexec/pkreporter']",bf6228e6efeda9f7fc5a0317b1ed3215ce790ac3d1e0a589405a6ecbc59174f3,False, -/System/Library/LaunchAgents/com.apple.powerchime.plist,com.apple.powerchime,"['/System/Library/CoreServices/PowerChime.app/Contents/MacOS/PowerChime']",c59df0be778f393689b8f23bd7ad73670d2e70dab25342b85de6a9b72ab5cd29,True, -/System/Library/LaunchAgents/com.apple.printtool.agent.plist,com.apple.printtool.agent,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/PrintCore.framework/Versions/A/printtool', 'agent']",243cd1b7895f770292615f6384e5972c2d80ff1593e57621ece01a0c996b1c22,False, -/System/Library/LaunchAgents/com.apple.printuitool.agent.plist,com.apple.printuitool.agent,"['/System/Library/PrivateFrameworks/PrintingPrivate.framework/Versions/A/PrintUITool']",d948a467c6c3070bfd69007972c1a2284877a3c7215bbb4066ce66f4acce4e43,False, -/System/Library/LaunchAgents/com.apple.PubSub.Agent.plist,com.apple.PubSub.Agent,"['/System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent']",c0ec9ed9835671dec8b7a70e22f28d62df1c4f3e94a31364e5143cf0766b3ae7,False, -/System/Library/LaunchAgents/com.apple.quicklook.32bit.plist,com.apple.quicklook.32bit,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookd32.app/Contents/MacOS/quicklookd32']",914a5e5dea183dff3fbf62588285f8831dff963c35e3fb5bbcb8549cb53d6998,False, 
-/System/Library/LaunchAgents/com.apple.quicklook.config.plist,com.apple.quicklook.config,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookconfig']",14f46ee99812557cde25232977e88891997376fd84ecd3b7a9dac03dca059672,False, -/System/Library/LaunchAgents/com.apple.quicklook.plist,com.apple.quicklook,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookd.app/Contents/MacOS/quicklookd']",e2dec5555d22220ec0937d9c1ad65de5e22ef928286002b4841f399621c3c995,False, -/System/Library/LaunchAgents/com.apple.quicklook.ui.helper.plist,com.apple.quicklook.ui.helper,"['/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper']",f083f33f45d212ac4c6571e40af6b61df809db69dcf21804478e366901345cc4,False, -/System/Library/LaunchAgents/com.apple.rcd.plist,com.apple.rcd,"['/System/Library/CoreServices/rcd.app/Contents/MacOS/rcd']",143d77857368568a1c49445e59f0e04f05b67957553b6f1d046c54a411e27334,False, -/System/Library/LaunchAgents/com.apple.recentsd.plist,com.apple.recentsd,"['/System/Library/PrivateFrameworks/CoreRecents.framework/Versions/A/Support/recentsd']",6287e44254beef62117bd2410dddec885bd49735fc58c0c8e09b269d0f8b27db,False, -/System/Library/LaunchAgents/com.apple.RemoteDesktop.plist,com.apple.RemoteDesktop.agent,"['/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent']",a23e2343f0c26939ec8921c97bfd20df9e334dead805352933fd2fdcfd93727c,False, -/System/Library/LaunchAgents/com.apple.ReportCrash.plist,com.apple.ReportCrash,"['/System/Library/CoreServices/ReportCrash']",41edcb12813290dbd05b5dce02e772c01f2c2f149b66bc0c867bc8f42a402410,False, -/System/Library/LaunchAgents/com.apple.ReportCrash.Self.plist,com.apple.ReportCrash.Self,"['/System/Library/CoreServices/ReportCrash']",41edcb12813290dbd05b5dce02e772c01f2c2f149b66bc0c867bc8f42a402410,False, 
-/System/Library/LaunchAgents/com.apple.ReportGPURestart.plist,com.apple.ReportGPURestart,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/ReportGPURestart']",c955fd02f8d27a9e3f1e122ed43839ee5908f1c298d53ad289176e90caf12337,False, -/System/Library/LaunchAgents/com.apple.ReportPanic.plist,com.apple.ReportPanic,"['/System/Library/CoreServices/ReportPanic.app/Contents/MacOS/ReportPanic']",69bb440f5fb8c06744474c37843240233e1d9ed3c52ced9233d104a4444c3002,False, -/System/Library/LaunchAgents/com.apple.reversetemplated.plist,com.apple.reversetemplated,"['/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/reversetemplated']",f414f1631a456f5eaca88dac567e2e90576eaed4f63c98161269bc59769e9c11,False, -/System/Library/LaunchAgents/com.apple.rtcreportingd.plist,com.apple.rtcreportingd,"['/usr/libexec/rtcreportingd']",9b0bdde41b8f19c73fe256dc4cffb81dd14433de5b000ad81fe10e0ac01eec74,False, -/System/Library/LaunchAgents/com.apple.Safari.SafeBrowsing.Service.plist,com.apple.Safari.SafeBrowsing.Service,"['/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service']",a2932cf08e0a9d96ae5ebca19256b07687a1aebfed08de6ac6d4ea19946f425a,False, -/System/Library/LaunchAgents/com.apple.SafariCloudHistoryPushAgent.plist,com.apple.SafariCloudHistoryPushAgent,"['/usr/libexec/SafariCloudHistoryPushAgent']",15652e244b6241ea17777066da989bb39cef1f692da7ea8c672b54566c4ed5ea,False, -/System/Library/LaunchAgents/com.apple.safaridavclient.plist,com.apple.safaridavclient,"['/System/Library/PrivateFrameworks/BookmarkDAV.framework/Helpers/SafariDAVClient']",f9dbaa3a7a393eb5e160d64c18faee96a75b1fdecf698ec0d907eabb5e0a72cb,False, -/System/Library/LaunchAgents/com.apple.SafariNotificationAgent.plist,com.apple.SafariNotificationAgent,"['/usr/libexec/SafariNotificationAgent']",fe1c91e8b3403681999939d1269afc3163fb62aa082acabc3e3b2487fd2ea74e,False, 
-/System/Library/LaunchAgents/com.apple.SafariPlugInUpdateNotifier.plist,com.apple.SafariPlugInUpdateNotifier,"['/usr/libexec/SafariPlugInUpdateNotifier']",1b89f1379854765cae087bb4936d6364877ee6cb6f8e491adfb2f2bb056750ea,False, -/System/Library/LaunchAgents/com.apple.scopedbookmarkagent.xpc.plist,com.apple.scopedbookmarksagent.xpc,"['/System/Library/CoreServices/ScopedBookmarkAgent']",761b9b302e784e1de12fb25234e8d396c171d13c05b7e3021333ae4ee3c514e3,False, -/System/Library/LaunchAgents/com.apple.ScreenReaderUIServer.plist,com.apple.ScreenReaderUIServer,"['/System/Library/PrivateFrameworks/ScreenReader.framework/Resources/ScreenReaderUIServer.app/Contents/MacOS/ScreenReaderUIServer']",8304a4aaf3ea254ce426f1ece6974401fcdd54245b049195ec47fbd03f91861c,False, -/System/Library/LaunchAgents/com.apple.screensharing.agent.plist,com.apple.screensharing.agent,"['/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent']",e499b617062e33c63c3b2b189ea8928a872e9f1bf85111e73cf47c7e83b439c6,False, -/System/Library/LaunchAgents/com.apple.screensharing.MessagesAgent.plist,com.apple.screensharing.MessagesAgent,"['/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer']",421be1a8751220d40620bbd571d7b0297ef7fbe3cec70c98396dfb693b89fbf4,False, -/System/Library/LaunchAgents/com.apple.scrod.plist,com.apple.scrod,"['/System/Library/PrivateFrameworks/ScreenReader.framework/Frameworks/ScreenReaderOutput.framework/Resources/scrod']",e00b07530376f5acfc07e347068874709d2537367eb6245a01f55f406aeddac2,False, -/System/Library/LaunchAgents/com.apple.secd.plist,com.apple.secd,"['/usr/libexec/secd']",aa9d3723f9b6c6d25159afbf87d2fe0d0c2e86c4c7fea4d7b40c3acbcc264045,False, -/System/Library/LaunchAgents/com.apple.secinitd.plist,com.apple.secinitd,"['/usr/libexec/secinitd']",a31c423ec982340a5b15b735eef84e748da246b7425b697d038a1f5f29ca7e23,False, 
-/System/Library/LaunchAgents/com.apple.security.agent.plist,com.apple.security.agent,"['/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent']",f8db70fc362763faab1f3a7f1bfa70c410244f3b2b4e86a55e0859ee0303c10a,False, -/System/Library/LaunchAgents/com.apple.security.cloudkeychainproxy.plist,com.apple.security.cloudkeychainproxy3,"['/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy']",47a5b4f6421c0266d0a302bda37f5c9ecf20abf887371d8647ccb3a396603f88,False, -/System/Library/LaunchAgents/com.apple.security.DiskUnmountWatcher.plist,com.apple.security.DiskUnmountWatcher,"['/System/Library/PrivateFrameworks/KerberosHelper/Helpers/DiskUnmountWatcher']",5aa58afd80f368fa444778ccda679c0dfef91619857cfa359a0a5f2717ae7ee5,False, -/System/Library/LaunchAgents/com.apple.security.idskeychainsyncingproxy.plist,com.apple.security.idskeychainsyncingproxy,"['/System/Library/Frameworks/Security.framework/Versions/A/Resources/IDSKeychainSyncingProxy.bundle/Contents/MacOS/IDSKeychainSyncingProxy']",d11af68c714a8e003630ddb9d70564e160fa61e85e1cac95f24e6fae31bc3b75,False, -/System/Library/LaunchAgents/com.apple.security.keychain-circle-notification.plist,com.apple.security.keychain-circle-notification,"['/System/Library/CoreServices/Keychain Circle Notification.app/Contents/MacOS/Keychain Circle Notification']",66b13abc1362a9a53b8903728f2a1adadb5a48d7a20f047223c13200c2939afc,True, -/System/Library/LaunchAgents/com.apple.sharingd.plist,com.apple.sharingd,"['/usr/libexec/sharingd']",314673453ab1280c50ba8c2e79603e534bb019f14e2ddb0aec11812bbd12ad76,True, -/System/Library/LaunchAgents/com.apple.soagent.plist,com.apple.soagent,"['/System/Library/PrivateFrameworks/MessagesKit.framework/Resources/soagent.app/Contents/MacOS/soagent']",26fadd762c253fcfdd286499d238a5d00a44d430c6afdc64928a56e27706fb8c,True, 
-/System/Library/LaunchAgents/com.apple.SocialPushAgent.plist,com.apple.SocialPushAgent,"['/System/Library/CoreServices/SocialPushAgent.app/Contents/MacOS/SocialPushAgent']",f3fce98c0bbbe8550098a1ccc92d0d0f6eecb32f57a6883a2e17247a510f93f1,True, -/System/Library/LaunchAgents/com.apple.softwareupdate_notify_agent.plist,com.apple.softwareupdate_notify_agent,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_notify_agent']",5af8b0de41767c7d6d340560a07545a124fd52b9cbcf3405c9c999d5c98e6b39,False, -/System/Library/LaunchAgents/com.apple.speech.speechdatainstallerd.plist,com.apple.speech.speechdatainstallerd,"['/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd']",02afbdcd04938025007eeb0b3bd13659c616dee67ff3b63aa82823e8a8c64bed,False, -/System/Library/LaunchAgents/com.apple.speech.speechsynthesisd.plist,com.apple.speech.speechsynthesisd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd']",7f32d7dede4838b2ebd3d0b5e903519378241fec16395acdf22c5520b9c84925,False, -/System/Library/LaunchAgents/com.apple.speech.synthesisserver.plist,com.apple.speech.synthesisserver,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesisServer.app/Contents/MacOS/SpeechSynthesisServer', 'launchd']",3ccaded7fe61ffc2dbdab6b90f3955b9314d8f85677d583f212554f0f978771c,False, -/System/Library/LaunchAgents/com.apple.spindump_agent.plist,com.apple.spindump_agent,"['/usr/libexec/spindump_agent']",afd0269b5dabeb7a0eea8df0b767e6c8fd8348472aa0ee6eec6f1bfe4f2948d0,True, 
-/System/Library/LaunchAgents/com.apple.spotlight.IndexAgent.plist,com.apple.spotlight.IndexAgent,"['/System/Library/PrivateFrameworks/CoreSpotlight.framework/Support/com.apple.spotlight.IndexAgent']",4865a57525cf2fce68d0a863f95fe67675c9fdd0b18dcbc67fc2841f4f2d4516,False, -/System/Library/LaunchAgents/com.apple.Spotlight.plist,com.apple.Spotlight,"['/System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight']",ede41b28d7ec750a14b36c5a5841c81047f10badc8a5a68d8d695d8a86390b89,False, -/System/Library/LaunchAgents/com.apple.SSInvitationAgent.plist,com.apple.ssinvitationagent,"['/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/Support/SSInvitationAgent.app/Contents/MacOS/SSInvitationAgent']",04ac00f93f19b4193093021d104b0daf2eccd5d81287be1a7bda5bf1123082b6,False, -/System/Library/LaunchAgents/com.apple.storeaccountd.plist,com.apple.storeaccountd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeaccountd']",0b4f8d38f3cf9752a1422f1c922c0c306c0448e03274ae8be17ca7827514c04c,False, -/System/Library/LaunchAgents/com.apple.storeassetd.plist,com.apple.storeassetd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeassetd']",0018c00d6553533011b015987a509cb85b1bb0229f0dd4d4e57342e36ce2b39e,False, -/System/Library/LaunchAgents/com.apple.storedownloadd.plist,com.apple.storedownloadd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd']",f36336a0bac12f1896bb32f6256976189acf5244534dcc10255fd17b1f26ffcd,False, -/System/Library/LaunchAgents/com.apple.storeinappd.plist,com.apple.storeinappd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeinappd']",8ea1ee5e9f1af96e4d53b8e32d3ec931c9a76ed922b6a6c0c7c2835cb57c9b11,False, 
-/System/Library/LaunchAgents/com.apple.storelegacy.plist,com.apple.storelegacy,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storelegacy']",da5c5c34b09127c07a3915b00517c737f66da6d3aadad2bd5dd04b949100c1af,False, -/System/Library/LaunchAgents/com.apple.storeuid.plist,com.apple.storeuid,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid']",a33e6ae060a05d08993f3187680d727768ab98c02ab2601bdbcff0a4e5d1d538,False, -/System/Library/LaunchAgents/com.apple.suggestd.plist,com.apple.suggestd,"['/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd']",5d06b86d870ec3c576f5a7c5267d92e3249924dc4e694fd670193586e29631ff,False, -/System/Library/LaunchAgents/com.apple.swcd.plist,com.apple.swcd,"['/usr/libexec/swcd']",1b27c796f1f6a5ad46be19591de47491fec86d0eb88a5d304cb8c893af6c0147,False, -/System/Library/LaunchAgents/com.apple.syncdefaultsd.plist,com.apple.syncdefaultsd,"['/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd']",9e79eb95b69c83ffc81f63d7fd7fcbab69a1829a6c42318697d7116b207addab,False, -/System/Library/LaunchAgents/com.apple.syncservices.SyncServer.plist,com.apple.syncservices.SyncServer,"['/System/Library/Frameworks/SyncServices.framework/Versions/Current/Resources/SyncServer.app/Contents/MacOS/SyncServer']",4ae47c7fc6df9ad94b0e4fff9bd27c7f849a6b82e0d456496aa493ed601167d0,False, -/System/Library/LaunchAgents/com.apple.syncservices.uihandler.plist,com.apple.syncservices.uihandler,"['/System/Library/PrivateFrameworks/SyncServicesUI.framework/Versions/Current/Resources/syncuid.app/Contents/MacOS/syncuid']",de8c1f4b67f695a81910f1bf001bca2c3bdd6efd7267c91f5c7f8025f747a770,False, -/System/Library/LaunchAgents/com.apple.systemprofiler.plist,com.apple.systemprofiler,"['/Applications/Utilities/System Information.app/Contents/MacOS/System 
Information']",72e5ae11a5a62eb4cef93a107a69d31f305994ebed31ec24f07e4a7b9b108764,False, -/System/Library/LaunchAgents/com.apple.SystemUIServer.plist,com.apple.SystemUIServer.agent,"['/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer']",12046e23c9a544ba203be938685269b288ef4342a6f107263cc40eef77a04c07,False, -/System/Library/LaunchAgents/com.apple.talagent.plist,com.apple.talagent,"['/System/Library/CoreServices/talagent']",5549995929202b0f20eabeb61aac88c3cdab3ec1f50da18136f44c0ffe78892e,True, -/System/Library/LaunchAgents/com.apple.tccd.plist,com.apple.tccd,"['/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd']",3b76b97f21c0e1d1a29493f2c97760b526839c0ca872226548ed34d120a45eb6,False, -/System/Library/LaunchAgents/com.apple.telephonyutilities.callservicesd.plist,com.apple.telephonyutilities.callservicesd,"['/System/Library/PrivateFrameworks/TelephonyUtilities.framework/callservicesd']",a81b9bd5f4cc2f62b65df914abda2c4a7a754ecd389153dd57ffa1b7da033c2e,False, -/System/Library/LaunchAgents/com.apple.thermaltrap.plist,com.apple.thermaltrap,"['/System/Library/CoreServices/ThermalTrap.app/Contents/MacOS/ThermalTrap']",e3750762e7b2ace1da2de5934514b6cdc19874ac79e0455296d9a2c938337273,False, -/System/Library/LaunchAgents/com.apple.tiswitcher.plist,com.apple.tiswitcher,"['/System/Library/CoreServices/Menu Extras/TextInput.menu/Contents/SharedSupport/TISwitcher.app/Contents/MacOS/TISwitcher']",ca89b47403826eb8ed14886015bf6d93cff7c2d189e3f9e3cbe8027753c56f77,False, -/System/Library/LaunchAgents/com.apple.TMHelperAgent.plist,com.apple.TMHelperAgent,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMHelperAgent.app/Contents/MacOS/TMHelperAgent']",8fb77de377d53b4ec5d2482cd16f0642d44242d6521b041bdd76b8f7efdb7349,False, 
-/System/Library/LaunchAgents/com.apple.TMHelperAgent.SetupOffer.plist,com.apple.TMHelperAgent.SetupOffer,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMHelperAgent.app/Contents/MacOS/TMHelperAgent', '-offer']",8fb77de377d53b4ec5d2482cd16f0642d44242d6521b041bdd76b8f7efdb7349,False, -/System/Library/LaunchAgents/com.apple.trustd.agent.plist,com.apple.trustd.agent,"['/usr/libexec/trustd', '--agent']",90d89a19c2d761d3752c63a41fe2fb0cd6e1f09ab3970ad38dcbe5605d6e00e4,False, -/System/Library/LaunchAgents/com.apple.TrustEvaluationAgent.plist,com.apple.TrustEvaluationAgent,"['/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Resources/trustevaluationagent']",9f2f2656365a6fa3bb08a91dfd1f3a567761a12e65baeb7c513b235a65a6cf72,False, -/System/Library/LaunchAgents/com.apple.universalaccessAuthWarn.plist,com.apple.universalaccessAuthWarn,"['/System/Library/PrivateFrameworks/UniversalAccess.framework/Versions/A/Resources/universalAccessAuthWarn.app/Contents/MacOS/universalAccessAuthWarn', 'launchd', '-s']",1be63fbc01cf9e1f0afbfdd7c4da51588c770edb5a1a177a9bad8e5fa6951eba,False, -/System/Library/LaunchAgents/com.apple.universalaccesscontrol.plist,com.apple.universalaccesscontrol,"['/System/Library/CoreServices/UniversalAccessControl.app/Contents/MacOS/UniversalAccessControl', 'launchd', '-s']",9fd9fb8edf9cdcfb42c4c37cdc644143098d171551747a20c01ef112c1df93b5,False, -/System/Library/LaunchAgents/com.apple.universalaccessd.plist,com.apple.universalaccessd,"['/usr/sbin/universalaccessd', 'launchd', '-s']",02c82a7bb7611c05f2726acc68931e974b66c593555a64c0e782aba6ab935638,True, -/System/Library/LaunchAgents/com.apple.unmountassistant.useragent.plist,com.apple.unmountassistant.useragent,"['/System/Library/CoreServices/UnmountAssistantAgent.app/Contents/MacOS/UnmountAssistantAgent']",b0a0595021e7070a61e526a3e9c9bb5b1a40dd4bbabf782e41e50904343006c5,False, 
-/System/Library/LaunchAgents/com.apple.USBAgent.plist,com.apple.USBAgent,"['/usr/libexec/USBAgent']",0cb55da6999db72aa684fa6fe3d6c6d003333837d07768867bccd3afb990a94f,False, -/System/Library/LaunchAgents/com.apple.UserEventAgent-Aqua.plist,com.apple.UserEventAgent-Aqua,"['/usr/libexec/UserEventAgent', '(Aqua)']",3ef66f06d6a10a8de1ccd6630a6d18caf49ed467d62ea4d8b22005ff75bdccdf,False, -/System/Library/LaunchAgents/com.apple.UserEventAgent-LoginWindow.plist,com.apple.UserEventAgent-LoginWindow,"['/usr/libexec/UserEventAgent', '(LoginWindow)']",3ef66f06d6a10a8de1ccd6630a6d18caf49ed467d62ea4d8b22005ff75bdccdf,False, -/System/Library/LaunchAgents/com.apple.usernoted.plist,com.apple.usernoted,"['/usr/sbin/usernoted']",e006b774384d52057858fdc8bd7328161cc4780e3efa47f13f74cee2d22cf0a8,True, -/System/Library/LaunchAgents/com.apple.UserNotificationCenterAgent-LoginWindow.plist,com.apple.UserNotificationCenterAgent-LoginWindow,"['/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter', '-loginwindow']",3daa1429b450714be9239b7e5185af8ed4b439547b23a0f208e457085b4cc4d1,False, -/System/Library/LaunchAgents/com.apple.UserNotificationCenterAgent.plist,com.apple.UserNotificationCenterAgent,"['/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter']",3daa1429b450714be9239b7e5185af8ed4b439547b23a0f208e457085b4cc4d1,False, -/System/Library/LaunchAgents/com.apple.VoiceOver.plist,com.apple.VoiceOver,"['/System/Library/CoreServices/VoiceOver.app/Contents/MacOS/VoiceOver', 'launchd', '-s']",942729bdc41d91e2fa226453dfd5410592392b38d2c7bd0445386134a1102643,False, -/System/Library/LaunchAgents/com.apple.warmd_agent.plist,com.apple.warmd_agent,"['/usr/libexec/warmd_agent']",fa3a996db7da9140573a713c5a20370132ad7e26bdf6ed7274ac80fc407781d5,False, 
-/System/Library/LaunchAgents/com.apple.webinspectord.plist,com.apple.webinspectord,"['/usr/libexec/webinspectord']",0e6cc1d981732f9187aac0c7743a5701d34f2f1f37b3c1e3a6231a337c2c4cd8,False, -/System/Library/LaunchAgents/com.apple.WebKit.PluginAgent.plist,com.apple.WebKit.PluginAgent,"['/System/Library/Frameworks/WebKit.framework/Frameworks/WebKitLegacy.framework/WebKitPluginAgent']",70c35e8d0a4d28b4ba0940f0e07b8db84861b27ec3cafdfec60360847dfa7d15,False, -/System/Library/LaunchAgents/com.apple.wifi.WiFiAgent.plist,com.apple.wifi.WiFiAgent,"['/System/Library/CoreServices/WiFiAgent.app/Contents/MacOS/WiFiAgent']",5b6699472436d80a9ffe1e16ed9c180dd5cf5786e6d80d4a1d5c1da30e9d52f8,True, -/System/Library/LaunchAgents/com.apple.xpc.loginitemregisterd.plist,com.apple.xpc.loginitemregisterd,"['/usr/libexec/loginitemregisterd']",304c78efa49e16281e769349f74c0c09c753e6d85e48782fb7921a3c526fd46b,False, -/System/Library/LaunchAgents/com.apple.xpc.otherbsd.plist,com.apple.xpc.otherbsd,"['/usr/libexec/otherbsd']",5208703f46fc46b899e22627cd26a25e26106fcb73b24916ab93a23eadc993aa,False, -/System/Library/LaunchAgents/com.apple.ZoomWindow.plist,com.apple.ZoomWindow,"['/System/Library/CoreServices/ZoomWindow.app/Contents/MacOS/ZoomWindowStarter', 'launchd', '-s']",f164e47664f7609ac58fae9e67245c326d132f5313ca3c7986b1c70c531b9c5e,False, -/System/Library/LaunchAgents/org.openbsd.ssh-agent.plist,org.openbsd.ssh-agent,"['/usr/bin/ssh-agent', '-l']",95af18a841888e31bb9a89a67c8a37a2ebc1bcd38755d6a7b7dce4ab2f69af9e,False, diff --git a/launchd/16A323_launchd.csv b/launchd/16A323_launchd.csv deleted file mode 100644 index d5277a45..00000000 --- a/launchd/16A323_launchd.csv +++ /dev/null 
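Review bot: the LaunchAgents deletion hunk above, together with the `deleted file mode 100644` header for launchd/16A323_launchd.csv that follows it, drops the recorded SHA-256 baseline for build 16A323 (the launchd CSV alone is 574 lines, comment column included) and nothing in this part of the patch adds a replacement; if these files were moved or regenerated rather than retired, the commit should say so, or use a rename so the hash history stays attached to the new file.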
@@ -1,574 +0,0 @@ -filename,label,program,sha256,runatload,comment -/System/Library/LaunchDaemons/bootps.plist,com.apple.bootpd,"['/usr/libexec/bootpd']",baaed55290ef711949e9d8aa92facec740036f93e6ff8530a4cef2a82800ea9e,False,"DHCP/BOOTP/NetBoot server" -/System/Library/LaunchDaemons/com.apple.afpfs_afpLoad.plist,com.apple.afpfs_afpLoad,"['/System/Library/Filesystems/AppleShare/afpLoad']",91982587de5db5df44fa1076a26f3f8867f1d0aa42475c50289e2f3292e5f182,False,"" -/System/Library/LaunchDaemons/com.apple.afpfs_checkafp.plist,com.apple.afpfs_checkafp,"['/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp']",fd08db9d3ceb19f569ed82570b79e752a5ea108d487b55e5532c9d19d648bfd4,False,"" -/System/Library/LaunchDaemons/com.apple.airplaydiagnostics.server.mac.plist,com.apple.airplaydiagnostics.server.mac,"['/AppleInternal/Applications/AirPlayDiagnostics.app/Contents/Resources/AirPlayDiagnosticsServer']",UNKNOWN,False,"Apple Internal Diagnostic Tool" -/System/Library/LaunchDaemons/com.apple.AirPlayXPCHelper.plist,com.apple.AirPlayXPCHelper,"['/usr/libexec/AirPlayXPCHelper']",26090d86c8ab00d756bd32cee7f8a3fcba1bdbee43b88609fbc89f6799b9e440,False,"" -/System/Library/LaunchDaemons/com.apple.airport.wps.plist,com.apple.airport.wps,"['/usr/libexec/wps']",9dc8d6ad1fe736db1012a79e026fe51a91d51863d1b3cbad3a3b39dc552d8996,False,"" -/System/Library/LaunchDaemons/com.apple.airportd.plist,com.apple.airportd,"['/usr/libexec/airportd']",10947fd41b824565233a3622ff6b0dfe56c3ba893883f05fac2ddbc518020358,False,"" -/System/Library/LaunchDaemons/com.apple.akd.plist,com.apple.akd,"['/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd']",670fb2f9b92fea1a38a454ae6c3b79ee0d08206f0e04d10439b02a7b80e7dae0,False,"" -/System/Library/LaunchDaemons/com.apple.alf.agent.plist,com.apple.alf,"['/usr/libexec/ApplicationFirewall/socketfilterfw']",f2b4743bc590ce919c4f48a9b1405d4171730ec198ac71aff06d6d5c9460994e,False,"Apple Application Firewall" 
-/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist,com.apple.AppleFileServer,"['/usr/sbin/AppleFileServer']",9440083957177535495c2e1565c8c990e547c0b547309d279e80fae00986c9e0,False,"Apple File Server (AFP)" -/System/Library/LaunchDaemons/com.apple.appleseed.fbahelperd.plist,com.apple.appleseed.fbahelperd,"['/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/fbahelperd']",6afc767a210b1bb5f8d0b45b2753e71ae8014a25647884482d92df41a56e6c11,False,"" -/System/Library/LaunchDaemons/com.apple.applessdstatistics.plist,com.apple.applessdstatistics,"['/usr/libexec/applessdstatistics']",b4b448b67a56b7fb36a53d73a2c305e8750d0a837e07a868d8b1abcee45e5e4b,False,"" -/System/Library/LaunchDaemons/com.apple.apsd.plist,com.apple.apsd,"['/System/Library/PrivateFrameworks/ApplePushService.framework/apsd']",86f06b679fb27d09216460c1733fae232071c0d0478a8c2b09f8f16768ee848f,True,"Apple Push Notification service daemon" -/System/Library/LaunchDaemons/com.apple.aslmanager.plist,com.apple.aslmanager,"['/usr/sbin/aslmanager']",e8f68d5c100be24b8c45625c850ae776222ca14ad5617daea9d9be1084bf125e,False,"Manages rotated files and ASL data written by the syslogd server" -/System/Library/LaunchDaemons/com.apple.AssetCacheLocatorService.plist,com.apple.AssetCacheLocatorService,"['/System/Library/PrivateFrameworks/AssetCacheServices.framework/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService', '-d']",8f62c38c566430ad038db3173c9589455f55c04bb38353a1df24a04fac455b64,False,"" -/System/Library/LaunchDaemons/com.apple.atrun.plist,com.apple.atrun,"['/usr/libexec/atrun']",89e806501dd2c463c0aea5a842a671b65025c7f52c4f763aecde280eb2a0b885,False,"" -/System/Library/LaunchDaemons/com.apple.audio.coreaudiod.plist,com.apple.audio.coreaudiod,"['/usr/sbin/coreaudiod']",51eecae6bca66cf28ff4859a3f020ceda8feec83cace5dddede23ddf85765fde,False,"daemon used for Core Audio related purposes" 
-/System/Library/LaunchDaemons/com.apple.audio.systemsoundserverd.plist,com.apple.audio.systemsoundserverd,"['/usr/sbin/systemsoundserverd']",a76ccd13dbb47606a8bd80d17fe6aa732da2042dd2b3f7e658e0020e86bdf71d,False,"" -/System/Library/LaunchDaemons/com.apple.auditd.plist,com.apple.auditd,"['/usr/sbin/auditd']",08ab796e279313669ccc794b6e9698032d76553f5146ff7be48f73221fc91335,False,"" -/System/Library/LaunchDaemons/com.apple.autofsd.plist,com.apple.autofsd,"['/usr/libexec/autofsd']",c239bfdccee1c682cd3ad201f44bba56b46d4dd48170a450692e4c9679f43270,False,"" -/System/Library/LaunchDaemons/com.apple.automountd.plist,com.apple.automountd,"['/usr/libexec/automountd']",a0e20fec47bb3ddfbbb44f2f5ab1b685f2a60e6316dbc73f9f6cf15ab8b54619,False,"" -/System/Library/LaunchDaemons/com.apple.avbdeviced.plist,com.apple.avbdeviced,"['/usr/sbin/avbdeviced']",b5a94c7abb137c6514a089eedd483b38af039902e858116f2d9c91961c071050,False,"" -/System/Library/LaunchDaemons/com.apple.awacsd.plist,com.apple.awacsd,"['/usr/libexec/awacsd']",fc4390a569f2f84da1c5d4b5e79c0122a770cfe867c307c5502a69e29d38d9e6,False,"" -/System/Library/LaunchDaemons/com.apple.awdd.plist,com.apple.awdd,"['/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd']",39ef15ccbe8c2101aadeac4131a5d5a14fb008a477e75e967c26f8d7dcd69b96,False,"" -/System/Library/LaunchDaemons/com.apple.backupd-auto.plist,com.apple.backupd-auto,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper', '-launchd']",2db7c1efb0b46fda1603dd5b5aabd840e0e4a7f71a428aa9ad0ad90748a61b42,True,"" -/System/Library/LaunchDaemons/com.apple.backupd.plist,com.apple.backupd,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd']",1148377b271b6cf6c2600bc5bc98fb5e53f8ae6a95baafac5625670150beee18,False,"" -/System/Library/LaunchDaemons/com.apple.blued.plist,com.apple.blued,"['/usr/sbin/blued']",6dddd6ee17bba3d6f30291a943acfb4dcf9ea454190f54bfa6067604a1379a6d,False,"" 
-/System/Library/LaunchDaemons/com.apple.bluetoothaudiod.plist,com.apple.bluetoothaudiod,"['/usr/sbin/bluetoothaudiod']",409b0e13928ce47b255340afe76a202cfbd6b9c1126d44efaff0d4c08dad4e1c,False,"" -/System/Library/LaunchDaemons/com.apple.bluetoothReporter.plist,com.apple.bluetoothReporter,"['/System/Library/Frameworks/IOBluetooth.framework/Versions/A/Resources/BluetoothReporter', '--dumpPacketLog', '/private/var/log/bluetooth.pklg']",049b065d1bb925ef664466803557598ddc75e34949c63d84f4e981f24953f2b2,False,"" -/System/Library/LaunchDaemons/com.apple.bnepd.plist,com.apple.bnepd,"['/usr/sbin/bnepd']",794acf51140e0fbcac7e1ffecdfef48c510b383f50fc0be9ec0824b12049e364,False,"" -/System/Library/LaunchDaemons/com.apple.bsd.dirhelper.plist,com.apple.bsd.dirhelper,"['/usr/libexec/dirhelper']",762f0c8081692471109aea36af9cea0604b4fcfa1a7fb8ececae959b13a6df0a,True,"" -/System/Library/LaunchDaemons/com.apple.captiveagent.plist,com.apple.captiveagent,"['/usr/libexec/captiveagent']",cde66a19f2b5d6be76018ec5c82bbf07ad12ca5e65c7777f60fd1b43d46724ef,False,"None" -/System/Library/LaunchDaemons/com.apple.cfprefsd.xpc.daemon.plist,com.apple.cfprefsd.xpc.daemon,"['/usr/sbin/cfprefsd', 'daemon']",2147b55037302f85455852f6fb8b868dbf647ed70042442543329bcceef80bf6,False,"" -/System/Library/LaunchDaemons/com.apple.cloudfamilyrestrictionsd-mac.plist,com.apple.cloudfamilyrestrictionsd,"['/System/Library/PrivateFrameworks/CloudFamilyRestrictions.framework/cloudfamilyrestrictionsd']",389ff1641251a8df83310b7b48c75063520f5b78afb5f57b06a20160a4d2ef31,False,"" -/System/Library/LaunchDaemons/com.apple.cmio.AppleCameraAssistant.plist,com.apple.cmio.AppleCameraAssistant,"['/Library/CoreMediaIO/Plug-Ins/DAL/AppleCamera.plugin/Contents/Resources/AppleCameraAssistant']",c015c8df54ad57627680f71ed252e46d43192e93ae857260f0572011c6310440,False,"" 
-/System/Library/LaunchDaemons/com.apple.cmio.AVCAssistant.plist,com.apple.cmio.AVCAssistant,"['/System/Library/Frameworks/CoreMediaIO.framework/Resources/AVC.plugin/Contents/Resources/AVCAssistant']",50f1f314ee36e6f2d3f58c39512abad2c3b41e942c66dd6c04f2c704ef9b0547,False,"" -/System/Library/LaunchDaemons/com.apple.cmio.IIDCVideoAssistant.plist,com.apple.cmio.IIDCVideoAssistant,"['/System/Library/Frameworks/CoreMediaIO.framework/Resources/IIDC.plugin/Contents/Resources/IIDCVideoAssistant']",e55039ca09e5a96c211ad10cbabec802183f9fa25ad5dd72d46d1a2de1af5065,False,"" -/System/Library/LaunchDaemons/com.apple.cmio.iOSScreenCaptureAssistant.plist,com.apple.cmio.iOSScreenCaptureAssistant,"['/Library/CoreMediaIO/Plug-Ins/DAL/iOSScreenCapture.plugin/Contents/Resources/iOSScreenCaptureAssistant']",a967d194234f1768bbe2811443fffc2c8fc01802b97c94f937ad079f7bca3dbc,False,"" -/System/Library/LaunchDaemons/com.apple.cmio.VDCAssistant.plist,com.apple.cmio.VDCAssistant,"['/System/Library/Frameworks/CoreMediaIO.framework/Resources/VDC.plugin/Contents/Resources/VDCAssistant']",32887599a49afcf1bf6280c80e15fb31caaa8b62dfb200625e3f2679e82469c2,False,"" -/System/Library/LaunchDaemons/com.apple.colorsyncd.plist,com.apple.colorsyncd,"['/usr/libexec/colorsyncd']",b7800f12054e5a7a460664ad183eb0e32c716ebcc49439b1a0477519fa033e06,False,"" -/System/Library/LaunchDaemons/com.apple.CommCenterRootHelper.plist,com.apple.CommCenterRootHelper,"['/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterRootHelper']",0f3aa62dee70cfb88562db8f7f42b8e77c3bc960135e25d1308852730a48084d,False,"" -/System/Library/LaunchDaemons/com.apple.comsat.plist,com.apple.comsat,"['/usr/libexec/comsat']",9772e4f92bd8966cfcc137c1ce0e94e12376b4de20d11eb85efdc1530ee9efa8,False,"" -/System/Library/LaunchDaemons/com.apple.configd.plist,com.apple.configd,"['/usr/libexec/configd']",615518384eb14d9427f2b1f6ad92b6c8c439b3481a1cecdd564b0bdedff15f84,False,"" 
-/System/Library/LaunchDaemons/com.apple.configureLocalKDC.plist,com.apple.configureLocalKDC,"['/usr/libexec/configureLocalKDC']",f6afc2f328af2217addc06c515158cb41af43099e1bbe0f200429e5bba46385d,False,"" -/System/Library/LaunchDaemons/com.apple.CoreAuthentication.daemon.plist,com.apple.CoreAuthentication.daemon,"['/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd']",c13632f348f86aae9b529a6323c7ff9447eeac75cc1c1afa5050d1dab46ef513,False,"" -/System/Library/LaunchDaemons/com.apple.corecaptured.plist,com.apple.corecaptured,"['/usr/libexec/corecaptured']",6c4046bfa1e96b69565a440df285ec0a0347c6b76704b6b489e24e67d0fada87,False,"" -/System/Library/LaunchDaemons/com.apple.coreduetd.osx.plist,com.apple.coreduetd,"['/usr/libexec/coreduetd']",e4b99e1202b8ce8b369f88779d62597e64ddd9740237492df63bed556a621d7e,True,"" -/System/Library/LaunchDaemons/com.apple.CoreRAID.plist,com.apple.CoreRAID,"['/System/Library/PrivateFrameworks/CoreRAID.framework/Resources/CoreRAIDServer']",0784b81cc583abe95cf59a0bade93c702ad65b6e82e550510869bb76435c06a7,True,"" -/System/Library/LaunchDaemons/com.apple.coreservices.appleevents.plist,com.apple.coreservices.appleevents,"['/System/Library/CoreServices/appleeventsd', '--server']",06d36bbcb314dc397ba4f8b9aa3f6dba1a327c88c076d0c882e11fe092a394d1,True,"" -/System/Library/LaunchDaemons/com.apple.coreservices.appleid.passwordcheck.plist,com.apple.coreservices.appleid.passwordcheck,"['/System/Library/CoreServices/AppleIDAuthAgent', '--checkpassword']",d5e0eb2737df528d163166798900fbe8e69582e536aeb5202af0269e23d2eb7d,False,"" -/System/Library/LaunchDaemons/com.apple.coreservices.launchservicesd.plist,com.apple.coreservices.launchservicesd,"['/System/Library/CoreServices/launchservicesd']",40f17b7a513fdcf7554b2ee2bd6a09f9377939f7450022a9eacb1bac76550abc,True,"" -/System/Library/LaunchDaemons/com.apple.coreservices.sharedfilelistd.plist,com.apple.coreservices.sharedfilelistd,"['/System/Library/CoreServices/sharedfilelistd', 
'--enable-legacy-services']",ce3f524e7ecde28bef9cc879ee1526ac3a661cc5e43f4c79fba2718153a9fd0f,False,"" -/System/Library/LaunchDaemons/com.apple.coreservicesd.plist,com.apple.coreservicesd,"['/System/Library/CoreServices/coreservicesd']",0074e13887c66ad6c46e107a0bf16b3264b8fd8b59c4bf9b6c40b438900fa21d,False,"" -/System/Library/LaunchDaemons/com.apple.corestorage.corestoraged.plist,com.apple.corestorage.corestoraged,"['/usr/libexec/corestoraged']",7cfc5d09ba3a3ac5caafeac839f96186456607cd2cc834542285c8e493d46f0b,False,"" -/System/Library/LaunchDaemons/com.apple.corestorage.corestoragehelperd.plist,com.apple.corestorage.corestoragehelperd,"['/usr/libexec/corestoragehelperd']",0e38ec26934a7064e1e2cd1f8f8e96a1a30a9184774a4e02cc348a59cd08a04a,False,"" -/System/Library/LaunchDaemons/com.apple.coresymbolicationd.plist,com.apple.coresymbolicationd,"['/System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd']",c325cf04d5a03f0673f845a7903b07b97035883ae447c264cd59bc7fd1222b35,False,"" -/System/Library/LaunchDaemons/com.apple.CrashReporterSupportHelper.plist,com.apple.CrashReporterSupportHelper,"['/System/Library/CoreServices/CrashReporterSupportHelper', 'server-init']",bbb29968f049cec05216155f4a57f0657af771330dc36814ceec2875cc6159b3,False,"" -/System/Library/LaunchDaemons/com.apple.CryptoTokenKit.ahp.plist,com.apple.CryptoTokenKit.ahp,"['/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp', '-d']",3e14730f8e5efc414616a87e0f357506bcd1eea6d0dc6121970858a17fff9e75,False,"None" -/System/Library/LaunchDaemons/com.apple.csrutil.report.plist,com.apple.csrutil.report,"['/usr/bin/csrutil', 'report']",66ea3c3e3ba0b1d3e0e022e75ea2cf6dae8243ae12e52ffa6cdacc25d9c4dea0,False,"" -/System/Library/LaunchDaemons/com.apple.ctkd.plist,com.apple.ctkd,"['/System/Library/Frameworks/CryptoTokenKit.framework/ctkd', '-s']",caa6ffa56e93a88e0ca2b6e965850b0a11e63650ac9ec3998d7f6e6cc06a8c94,False,"" 
-/System/Library/LaunchDaemons/com.apple.cvmsServ.plist,com.apple.cvmsServ,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMServer']",6b4c86cd10ab836fa5cb3285c0704fb94415ff1e28fac3b5ae9dbb2019d98876,False,"" -/System/Library/LaunchDaemons/com.apple.DataDetectorsSourceAccess.plist,com.apple.DataDetectorsSourceAccess,"['/usr/libexec/DataDetectorsSourceAccess']",31f7da0aa1a2721dce7958825dd90deb462891146c5a20e9bf568cf7ca0d10cb,False,"None" -/System/Library/LaunchDaemons/com.apple.defragx.plist,com.apple.defragx,"['/usr/libexec/defragx']",1c944772eac08223ca150f1c1bf0019f33b984c3ec3a4c1a7f136168520b50eb,False,"None" -/System/Library/LaunchDaemons/com.apple.DesktopServicesHelper.plist,com.apple.DesktopServicesHelper,"['/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper']",413a822b49b10c5a65e0543c1890085fb7da4ed37e02d82e942883078ebe3b50,False,"" -/System/Library/LaunchDaemons/com.apple.diagnosticd.plist,com.apple.diagnosticd,"['/usr/libexec/diagnosticd']",7111b5dd560ae7fb5e870ff83b54090c8468ec4a9fae17bef5b7d62f0616522c,False,"" -/System/Library/LaunchDaemons/com.apple.diagnosticextensions.osx.bluetooth.helper.plist,com.apple.diagnosticextensions.osx.bluetooth.helper,"['/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/osx-bluetooth.appex/Contents/XPCServices/bluetoothhelper']",531a4a5044ac6f0739d9334bf3d967e77afdb76bd9416f84981ebc3b218ce569,False,"None" -/System/Library/LaunchDaemons/com.apple.diagnosticextensions.osx.getmobilityinfo.helper.plist,com.apple.diagnosticextensions.osx.getmobilityinfo.helper,"['/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/osx-getmobilityinfo.appex/Contents/XPCServices/getmobilityinfohelper']",94078e3edec4c135ccfb64669ead982144ca95ae5a91beedd5c14da4ae5acbe1,False,"None" 
-/System/Library/LaunchDaemons/com.apple.diagnosticextensions.osx.spotlight.helper.plist,com.apple.diagnosticextensions.osx.spotlight.helper,"['/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/osx-spotlight.appex/Contents/XPCServices/spotlighthelper']",49b9078ecf7898e9ecc89495999b9e4e021bcadf97094b7bf00a39a7de0f26d2,False,"None" -/System/Library/LaunchDaemons/com.apple.diagnosticextensions.osx.timemachine.helper.plist,com.apple.diagnosticextensions.osx.timemachine.helper,"['/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/osx-timemachine.appex/Contents/XPCServices/timemachinehelper']",fd286745832399e75dfc03aa3e742787fe416ddfe1bcc738d1a42552facbae63,False,"None" -/System/Library/LaunchDaemons/com.apple.diagnosticextensions.osx.wifi.helper.plist,com.apple.diagnosticextensions.osx.wifi.helper,"['/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/osx-WiFiDiagnose.appex/Contents/XPCServices/wifihelper']",303607e761bdab6fbe498bb68b72755842b507581ea16acefc7f7a70e40d62d8,False,"None" -/System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist,com.apple.diskarbitrationd,"['/usr/libexec/diskarbitrationd']",5991b982bde72f99fb99b2a6b1380dd50c8c3b24799782381e45bd718871a4cf,False,"" -/System/Library/LaunchDaemons/com.apple.diskmanagementd.plist,com.apple.diskmanagementd,"['/usr/libexec/diskmanagementd']",135dd69dcd8142189d54e14919b640bcc9ed8cee28dccff658a956f157e76a9d,False,"" -/System/Library/LaunchDaemons/com.apple.diskmanagementstartup.plist,com.apple.diskmanagementstartup,"['/usr/libexec/diskmanagementstartup']",805571a048bffcc655f37de7b453536d3af9a516e9e3af6ebb4fb830c97c6a48,True,"" -/System/Library/LaunchDaemons/com.apple.displaypolicyd.plist,com.apple.displaypolicyd,"['/usr/libexec/displaypolicyd', '-k', '1']",d12ef3f6e17885cd040466cec08e0a1a103e4f0000a0a178dc46bb5e84e0c810,True,"" 
-/System/Library/LaunchDaemons/com.apple.distnoted.xpc.daemon.plist,com.apple.distnoted.xpc.daemon,"['/usr/sbin/distnoted', 'daemon']",1972b5cf085b63fd15d157db20f0393152ab7a0881ffe58295321115ca43f3db,False,"" -/System/Library/LaunchDaemons/com.apple.dnsextd.plist,com.apple.dnsextd,"['/usr/sbin/dnsextd', '-launchd']",0b530ebf70c7066d52429dc50e20cf1b29dd5b89ea2eef58b26bff0c8b9078df,False,"" -/System/Library/LaunchDaemons/com.apple.dpaudiothru.plist,com.apple.dpaudiothru,"['/usr/libexec/dpaudiothru']",38e37420b9c4ff7489ea59a9a7b0d004861cbb86e819e85e693875b7d7aa0a02,False,"" -/System/Library/LaunchDaemons/com.apple.dpd.plist,com.apple.dpd,"['/usr/libexec/dpd']",e4f1fdbde15dd584ee9710455006826f085b03518c95c71a4107a91c1d998bc4,False,"" -/System/Library/LaunchDaemons/com.apple.dprivacyd.plist,com.apple.dprivacyd,"['/usr/libexec/dprivacyd']",f902b5b3f7fcf3f260bda0b3bc1562b4bfb2b8beaad96c7f148e69b0449cc6e2,False,"None" -/System/Library/LaunchDaemons/com.apple.dspluginhelperd.plist,com.apple.dspluginhelperd,"['/usr/libexec/dspluginhelperd']",433ddc3f05614370163b0f720f659cdf4684cead94c1a222f52831907b4aff5e,False,"" -/System/Library/LaunchDaemons/com.apple.DuetHeuristic-BM-OSX.plist,com.apple.DuetHeuristic-BM,"['/usr/libexec/DuetHeuristic-BM']",dbd1a12743bfc446623286c8fbacc6ba560071f6a4e7178c2c6be3abb0b97cbb,True,"None" -/System/Library/LaunchDaemons/com.apple.DumpGPURestart.plist,com.apple.DumpGPURestart,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/DumpGPURestart']",e3f887656934ed62ae14bef41972f060dbfabe8c64c9c4cd48883d03bcf63f66,False,"" -/System/Library/LaunchDaemons/com.apple.DumpPanic.plist,com.apple.DumpPanic,"['/System/Library/CoreServices/DumpPanic']",a26f81ff45268e670151aa9b07fa5a9d30b8260c30c28bbbd1c8a65ba647b385,True,"" -/System/Library/LaunchDaemons/com.apple.dvdplayback.setregion.plist,com.apple.dvdplayback.setregion,"['/usr/bin/setregion']",dd47f095a879cfcc6505fb285041a5e4134d97f72ed79aad85ae9e08b184e14c,False,"" 
-/System/Library/LaunchDaemons/com.apple.dynamic_pager.plist,com.apple.dynamic_pager,"['/sbin/dynamic_pager', '-F', '/private/var/vm/swapfile']",1a33e7f2c46d72d60e786c76b92a0650245a63c5af66ee725f3ad3eaab36112c,False,"" -/System/Library/LaunchDaemons/com.apple.dz.dznd.plist,com.apple.dz.dznd,"['/usr/libexec/dznd']",c6acb531f85a0dd8a197ec8e3142584acdef730e903b952d7a02eedfce0caf6b,True,"None" -/System/Library/LaunchDaemons/com.apple.eapolcfg_auth.plist,com.apple.eapolcfg_auth,"['/System/Library/PrivateFrameworks/EAP8021X.framework/Resources/eapolcfg_auth']",ec908905de2462052264ac06753c9117446f0e08969cea64de240c4d372b4f40,False,"" -/System/Library/LaunchDaemons/com.apple.efilogin-helper.plist,com.apple.efilogin-helper,"['/System/Library/PrivateFrameworks/EFILogin.framework/Resources/efilogin-helper']",4f7aa381d36062467460adec06f2c91629d10744c58bf4b217b228a8b1e2f1ed,False,"" -/System/Library/LaunchDaemons/com.apple.emlog.plist,com.apple.emlog,"['/usr/libexec/emlog.pl']",5328f0d109c2b421f0845c0d0fe0efb58734297dca5f8708dc5bda4fea57f634,False,"" -/System/Library/LaunchDaemons/com.apple.emond.aslmanager.plist,com.apple.emond.aslmanager,"['/usr/sbin/aslmanager', '-s', '/var/log/eventmonitor']",e8f68d5c100be24b8c45625c850ae776222ca14ad5617daea9d9be1084bf125e,False,"" -/System/Library/LaunchDaemons/com.apple.emond.plist,com.apple.emond,"['/sbin/emond']",f62a88d9cf1b96461149321f5db34b341d60a277f9a470d32a19696722ca8802,False,"" -/System/Library/LaunchDaemons/com.apple.eppc.plist,com.apple.AEServer,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/AE.framework/Versions/A/Support/AEServer', '--debug']",f404b13be91c4489690b008ef53eb84dc1ac03bf97f388b9f95c53f7747ed3f7,False,"" -/System/Library/LaunchDaemons/com.apple.familycontrols.plist,com.apple.familycontrols,"['/System/Library/PrivateFrameworks/FamilyControls.framework/Resources/parentalcontrolsd']",1f16ce8a0946e3d8694db92ae0ab1f84a98d20bad22adcb121fc6286b43520c4,False,"" 
-/System/Library/LaunchDaemons/com.apple.FileCoordination.plist,com.apple.FileCoordination,"['/usr/sbin/filecoordinationd']",563972c75818b2406154b57b53dcfffc4733edd585cfa564b7522e66220c345f,False,"" -/System/Library/LaunchDaemons/com.apple.findmymac.plist,com.apple.findmymacd,"['/System/Library/PrivateFrameworks/FindMyMac.framework/Resources/FindMyMacd']",63b6b215abdc70b06df0ab1337b12ae111b8ab1b460d5fb7f6ac310d5e130410,False,"" -/System/Library/LaunchDaemons/com.apple.findmymacmessenger.plist,com.apple.findmymacmessenger,"['/System/Library/PrivateFrameworks/FindMyMac.framework/Resources/FindMyMacMessenger.app/Contents/MacOS/FindMyMacMessenger']",0a23396d2c23805801779a8a98d030d0d7dd9c030a81ea0943e47caa9fbe2b95,False,"iCloud Find My Mac feature daemon" -/System/Library/LaunchDaemons/com.apple.firmwaresyncd.plist,com.apple.firmwaresyncd,"['/usr/libexec/firmwaresyncd']",dc766cc977ed2249db932526a1e3b6280014e94784649f58a7ddede688d1f46a,True,"" -/System/Library/LaunchDaemons/com.apple.fontd.plist,com.apple.fontd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd']",1a2f22229a71b23e9d0f99bd0657fa3a0bf2ef6356b954503c34b3267fbcd58c,False,"" -/System/Library/LaunchDaemons/com.apple.fontmover.plist,com.apple.fontmover,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontmover', '-d']",e8eeb8da52d1ff2cee28a4cfd312a3c8b8e2a6851c5fb232742474e24ba97073,False,"" -/System/Library/LaunchDaemons/com.apple.FontWorker.plist,com.apple.FontWorker,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontworker']",824f81a46ba59bd26765aadf0776a95165356ff8fcd752a1b697a4f171de3fd6,False,"" 
-/System/Library/LaunchDaemons/com.apple.fseventsd.plist,com.apple.fseventsd,"['/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd']",232dcfea659f1a5a40bdb24592aacda2a40a3c76d02a6904768a4ba2f3564df3,False,"" -/System/Library/LaunchDaemons/com.apple.ftp-proxy.plist,com.apple.ftp-proxy,"['/usr/libexec/ftp-proxy']",5e972b121f32bcd6e5c7de2c13c6f442591bc3583ab387c2545eebf997416ab9,False,"" -/System/Library/LaunchDaemons/com.apple.GameController.gamecontrollerd.plist,com.apple.GameController.gamecontrollerd,"['/usr/libexec/gamecontrollerd']",435f1b5d1aa99a7bdc082e2461ebb2dca388889f88b35c2344ec6744b706133a,False,"" -/System/Library/LaunchDaemons/com.apple.getty.plist,com.apple.getty,"['/usr/libexec/getty', 'std.9600', 'console']",db76b36c87af09cf623e2cec8397832e9db85c9db60c35df92b722720847c188,False,"" -/System/Library/LaunchDaemons/com.apple.gkreport.plist,com.apple.gkreport,"['/usr/libexec/gkreport']",67d87aca1bb268cbb4578f637f0c2ceec3cc1d6cc259eb7584bec0eac2fb34c7,False,"" -/System/Library/LaunchDaemons/com.apple.GSSCred.plist,com.apple.GSSCred,"['/System/Library/Frameworks/GSS.framework/Helpers/com.apple.GSSCred']",2d878cffd5dfc1d8cfbda3a4e86f96d7843459521d31cafc984a89111d505e8a,False,"" -/System/Library/LaunchDaemons/com.apple.gssd.plist,com.apple.gssd,"['/usr/sbin/gssd']",bd7dea62b94a27c48e7f759463cf2728fce48e3758bb3fd11191c76173a61f80,False,"" -/System/Library/LaunchDaemons/com.apple.hdiejectd.plist,com.apple.hdiejectd,"['/System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd']",277459d7bb64c0ae1026a262dbb3880bfd631cf64c19abdeb5a34eeefe737545,False,"" -/System/Library/LaunchDaemons/com.apple.hidd.plist,com.apple.hidd,"['/usr/libexec/hidd']",1720e8371c41e5387edcf05bde91eb31e6799808612a6fb28b375ff31a6b7e32,False,"" 
-/System/Library/LaunchDaemons/com.apple.hidfud.plist,com.apple.hidfud,"['/System/Library/CoreServices/HID/FirmwareUpdates/hidfud']",f6be1e00a2bcefdb828e787937ee76af5833a51c8df632c9db0cda77905cac61,False,"None" -/System/Library/LaunchDaemons/com.apple.icloud.findmydeviced.plist,com.apple.icloud.findmydeviced,"['/usr/libexec/findmydeviced']",090be3007763ccb46b7cffa2ed0f8ff958bc1156878da1a705ce953bf3bb8876,False,"" -/System/Library/LaunchDaemons/com.apple.iconservices.iconservicesagent.plist,com.apple.iconservices.iconservicesagent,"['/System/Library/CoreServices/iconservicesagent']",6d4fa344e7c5789db51abf041e79fb085589ee12031cede5458e2d70d3c4ee15,True,"" -/System/Library/LaunchDaemons/com.apple.iconservices.iconservicesd.plist,com.apple.iconservices.iconservicesd,"['/System/Library/CoreServices/iconservicesd']",e06ade62ad04fcbd3f66ba84b275202a16184fa7bbe9a61b7159f0b2ccd289a2,True,"" -/System/Library/LaunchDaemons/com.apple.IFCStart.plist,com.apple.IFCStart,"['/usr/libexec/ifcstart']",904f965b1d79959257cf247c9af75495dfb5a28790fee23ab66402791fe268d4,True,"" -/System/Library/LaunchDaemons/com.apple.ifdreader.plist,com.apple.ifdreader,"['/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader']",4492e612f98bb21d1bb509b820e4e18444ebfdb9cc0b850b7983544ad581b0e2,False,"" -/System/Library/LaunchDaemons/com.apple.installandsetup.systemmigrationd.plist,com.apple.installandsetup.systemmigrationd,"['/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd']",7d0d46765bb5695c5982b68711ce6d3fef9c81d92673c0f9c00a3430213bb777,False,"" -/System/Library/LaunchDaemons/com.apple.installd.plist,com.apple.installd,"['/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd']",828d83797f7a6aacad52d10ec546941ccbc649f315dc85271c536a830db4d38c,False,"" 
-/System/Library/LaunchDaemons/com.apple.InstallerDiagnostics.installerdiagd.plist,com.apple.InstallerDiagnostics.installerdiagd,"['/System/Library/PrivateFrameworks/InstallerDiagnostics.framework/Versions/A/Resources/installerdiagd']",8d900d5d8247fcbc8b2c1ee40ad008acb22cf4bfe2af7024407e8d71d3f74195,False,"None" -/System/Library/LaunchDaemons/com.apple.InstallerDiagnostics.installerdiagwatcher.plist,com.apple.InstallerDiagnostics.installerdiagwatcher,"['/System/Library/PrivateFrameworks/InstallerDiagnostics.framework/Versions/A/Resources/installerdiagwatcher']",8305cded2daf19c01d47af5e8c5a4e1e54e64ec575f143d090f125d15dc73369,True,"None" -/System/Library/LaunchDaemons/com.apple.InstallerProgress.plist,com.apple.InstallerProgress,"['/System/Library/CoreServices/Installer Progress.app/Contents/MacOS/Installer Progress', '--showProgress']",c5827808788413706ab7dd0414d987f382d6d444005ae0019c5f1337dfb0541b,True,"None" -/System/Library/LaunchDaemons/com.apple.IOAccelMemoryInfoCollector.plist,com.apple.IOAccelMemoryInfoCollector,"['/usr/libexec/IOAccelMemoryInfoCollector']",30a60cb314b8d974c60ee88ea47ff600ad1f0128f77c781742efd2fa3ba07988,False,"" -/System/Library/LaunchDaemons/com.apple.IOBluetoothUSBDFU.plist,com.apple.IOBluetoothUSBDFU,"['/System/Library/Extensions/IOBluetoothFamily.kext/Contents/PlugIns/IOBluetoothUSBDFU.kext/Contents/Resources/IOBluetoothUSBDFUTool']",2da027c9783896b74544e3aa2fe51dd0fb1b37a698ed22671249dd80f06faa7a,False,"" -/System/Library/LaunchDaemons/com.apple.ionodecache.plist,com.apple.ionodecache,"['/System/Library/CoreServices/ionodecache', '-k', '/var/db/ionodecache.json']",3d6f8939719be0d71244faced1d99638045cd6323f3fdad6859bf8142b9b3320,True,"None" -/System/Library/LaunchDaemons/com.apple.kcproxy.plist,com.apple.kcproxy,"['/usr/libexec/kcproxy']",3f6e60beca8c7527d8e3f4a2f2129478b00f450f1ae49ac145965566053aa0fa,False,"" -/System/Library/LaunchDaemons/com.apple.kdumpd.plist,com.apple.kdumpd,"['/usr/libexec/kdumpd', 
'/PanicDumps']",bab44ae93c29b45e82d9c38bd29f04b77220026aaaa1388427f3e67c3965fddd,False,"" -/System/Library/LaunchDaemons/com.apple.Kerberos.digest-service.plist,com.apple.Kerberos.digest-service,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/digest-service']",0824bbaa5cd52d7d4276ede8fbb78029cde258c750e615c0b1daca5649d4b8bf,False,"" -/System/Library/LaunchDaemons/com.apple.Kerberos.kadmind.plist,com.apple.Kerberos.kadmind,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kadmind']",1b6c1b2e29fa512579dbc3a58208efc389da03178998324beb708e3114e7b94d,False,"" -/System/Library/LaunchDaemons/com.apple.Kerberos.kcm.plist,com.apple.Kerberos.kcm,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm', '--launchd']",a8dc811afd4933945d872fc2f4ca4ae0b816918396476478819086fb06a6abaf,False,"" -/System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist,com.apple.Kerberos.kdc,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc']",5e3c3ec521fdef2018288c3ca1299fdcd0bd2abd022575972ed69e516d9d2638,False,"" -/System/Library/LaunchDaemons/com.apple.Kerberos.kpasswdd.plist,com.apple.Kerberos.kpasswdd,"['/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kpasswdd']",57281d1c93cf3cab2e0b11972c733b95714b08bc91423332e6e531680a0b8c27,False,"" -/System/Library/LaunchDaemons/com.apple.KernelEventAgent.plist,com.apple.KernelEventAgent,"['/usr/sbin/KernelEventAgent']",504016d4c6179b684bd5b5a851de74a5c7af06e74c818fb615400c8f6385748e,False,"Responsible for displaying disk full and unresponsive file server messages" -/System/Library/LaunchDaemons/com.apple.kextd.plist,com.apple.kextd,"['/usr/libexec/kextd']",3d9a010161888f4a6e7e74bd94809f20029627921f496ad4550f5121ee2f2f2a,False,"" -/System/Library/LaunchDaemons/com.apple.kuncd.plist,com.apple.kuncd,"['/usr/libexec/kuncd']",35f8af8eaafc65951d23c03e43d2aab724d0b2eee5e92f49ab862e64b4cfc57f,False,"" 
-/System/Library/LaunchDaemons/com.apple.locate.plist,com.apple.locate,"['/usr/libexec/locate.updatedb']",7bf77fbcfaec0c33e7649a919872c45584fe65b8d1924cbe25b14ed799b6ff1c,False,"" -/System/Library/LaunchDaemons/com.apple.locationd.plist,com.apple.locationd,"['/usr/libexec/locationd']",d888c6850f72af44435246838facf1287ff92ebd935c35f82f98173b72325c9f,False,"Location daemon" -/System/Library/LaunchDaemons/com.apple.lockd.plist,com.apple.lockd,"['/usr/sbin/rpc.lockd']",cf4776d5e158a7b7b5c0b3f8e051300cf92fd63168b629696df150b1ce277f82,False,"" -/System/Library/LaunchDaemons/com.apple.logd.plist,com.apple.logd,"['/usr/libexec/logd']",9c7334124cb10008d8b3c0bc516110c53a7792f6e279b8febce137b0f72c4ed8,True,"" -/System/Library/LaunchDaemons/com.apple.logind.plist,com.apple.logind,"['/System/Library/CoreServices/logind']",71b1b016dd63e7466c4745e3ec8cfa08d420128b7728b6dfa1ab321d763a84ae,True,"" -/System/Library/LaunchDaemons/com.apple.loginwindow.LFVTracer.plist,com.apple.loginwindow.LFVTracer,"['/System/Library/CoreServices/loginwindow.app/Contents/Resources/LegacyFileVaultMessageTracer']",eb8fe267c3994cd8e1fdefc314a042fb1ebc188eaf23e3979c511a1a84717183,False,"" -/System/Library/LaunchDaemons/com.apple.loginwindow.plist,com.apple.loginwindow,"['/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow', 'console']",9c3103e40d3f13ff2de6f344732d9ba1103a301bbe32f782974dd0be44daecde,False,"" -/System/Library/LaunchDaemons/com.apple.logkextloadsd.plist,com.apple.logkextloadsd,"['/usr/libexec/logkextloadsd']",91ecc95c6c0e80b54283969b16556c9be8c6deffc4ff12fda1e46a7f04140d5c,False,"" -/System/Library/LaunchDaemons/com.apple.lsd.plist,com.apple.lsd,"['/usr/libexec/lsd', 'runAsRoot']",471ac181fab5fbeab8a4b27fe98258730da618bf585a892e5c2f6fc8c7cf3af5,False,"" 
-/System/Library/LaunchDaemons/com.apple.ManagedClient.cloudconfigurationd.plist,com.apple.ManagedClient.cloudconfigurationd,"['/usr/libexec/cloudconfigurationd']",9281cc7db2d3fb15631ce3c73c2de720a1da8af5958d8a70faf87e0b7ba104b4,False,"" -/System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist,com.apple.ManagedClient.enroll,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient', '-e']",36f569d3e3afcf12153239906423ed2d918b510a7c2e8d31b4b9a18470d9d82e,False,"" -/System/Library/LaunchDaemons/com.apple.ManagedClient.plist,com.apple.ManagedClient,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient']",36f569d3e3afcf12153239906423ed2d918b510a7c2e8d31b4b9a18470d9d82e,False,"" -/System/Library/LaunchDaemons/com.apple.ManagedClient.startup.plist,com.apple.ManagedClient.startup,"['/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient', '-i']",36f569d3e3afcf12153239906423ed2d918b510a7c2e8d31b4b9a18470d9d82e,True,"" -/System/Library/LaunchDaemons/com.apple.mbsystemadministration.plist,com.apple.mbsystemadministration,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbsystemadministration']",4633f871f3f14f1dcf78cfd8d69fa065f4e634c466650fabbbf6cfc4205f73e6,False,"" -/System/Library/LaunchDaemons/com.apple.mbusertrampoline.plist,com.apple.mbusertrampoline,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbusertrampoline']",a8816cc411a02ae0da81f0f14c78e29811a4a2b924c76c873ef80b419af726f3,False,"" -/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist,com.apple.mdmclient.daemon,"['/usr/libexec/mdmclient', 'daemon']",eecee657f6678b5bbbada7b0cda002fb5341385ee51fa4e3b0fa6e6d1dca771e,False,"" -/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.runatboot.plist,com.apple.mdmclient.daemon.runatboot,"['/usr/libexec/mdmclient', 'rundaemon']",eecee657f6678b5bbbada7b0cda002fb5341385ee51fa4e3b0fa6e6d1dca771e,True,"" 
-/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist,com.apple.mDNSResponder.reloaded,"['/usr/sbin/mDNSResponder']",8d2f4d87199943744a739efe29b0333d540858af0080038beb98dd2e4248c239,False,"" -/System/Library/LaunchDaemons/com.apple.mDNSResponderHelper.plist,com.apple.mDNSResponderHelper.reloaded,"['/usr/sbin/mDNSResponderHelper']",cd39e10fb367f3de0813d03174d8ec4c28ad80c291ffab2be5e0c0fd1e696342,False,"" -/System/Library/LaunchDaemons/com.apple.mediaremoted.plist,com.apple.mediaremoted,"['/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted']",36e80ad5ab9553496e032d18992974e25a2f4141e045d444b0239213ac89d727,False,"None" -/System/Library/LaunchDaemons/com.apple.metadata.mds.index.plist,com.apple.metadata.mds.index,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mds_stores']",7a5de9535f6c906efb8a0ceed6c41c5087719c7f3dff9034626d58ede8888482,False,"" -/System/Library/LaunchDaemons/com.apple.metadata.mds.plist,com.apple.metadata.mds,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds']",2cd40d8500a3970734ed7c7826e0414c76dcee98527b39ee872f0aadbe2b8030,False,"" -/System/Library/LaunchDaemons/com.apple.metadata.mds.scan.plist,com.apple.metadata.mds.scan,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-scan', '-c', 'MDSSyncScanWorker', '-m', 'com.apple.metadata.mds.scan']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" -/System/Library/LaunchDaemons/com.apple.metadata.mds.spindump.plist,com.apple.metadata.mds.spindump,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'none', '-c', 'MDSSpinDumpWorker', '-m', 'com.apple.metadata.mds.spindump']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" 
-/System/Library/LaunchDaemons/com.apple.mobile.fud.plist,com.apple.MobileAccessoryUpdater,"['/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud', '30']",06976949adc020cffbf26b751319c7dfe4cc656e3e2ddfcce7f0c33512c86b5a,True,"None" -/System/Library/LaunchDaemons/com.apple.mobile.keybagd.plist,com.apple.mobile.keybagd,"['/usr/libexec/keybagd', '-t', '15']",UNKNOWN,True,"None" -/System/Library/LaunchDaemons/com.apple.mobileassetd.plist,com.apple.mobileassetd,"['/usr/libexec/mobileassetd']",1988a6723b0fc0a907b36fc26ef15a576882464984fe4a8f36d53a6767cce8da,True,"None" -/System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist,com.apple.MobileFileIntegrity,"['/usr/libexec/amfid']",aa1c281ce65abe3574573ed749b64745200280629c2c285aa56c02630abc929a,False,"" -/System/Library/LaunchDaemons/com.apple.MRTd.plist,com.apple.MRTd,"['/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT', '-d']",0100350f46e5f61a4e66fb90cc1a49c0bb60ccb502a6c28b2b96136a1d3aa47e,True,"" -/System/Library/LaunchDaemons/com.apple.msrpc.echosvc.plist,com.apple.msrpc.echosvc,"['/usr/libexec/rpcsvchost', '-launchd', 'echosvc.bundle']",3bff6dda8d3ccf7fb9392f354a0d25d6c33f3ce3b520937eec58e332c556c788,False,"" -/System/Library/LaunchDaemons/com.apple.msrpc.lsarpc.plist,com.apple.msrpc.lsarpc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'lsarpc.bundle', 'dssetup.bundle']",3bff6dda8d3ccf7fb9392f354a0d25d6c33f3ce3b520937eec58e332c556c788,False,"" -/System/Library/LaunchDaemons/com.apple.msrpc.mdssvc.plist,com.apple.msrpc.mdssvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'mdssvc.bundle']",3bff6dda8d3ccf7fb9392f354a0d25d6c33f3ce3b520937eec58e332c556c788,False,"" -/System/Library/LaunchDaemons/com.apple.msrpc.netlogon.plist,com.apple.msrpc.netlogon,"['/usr/libexec/rpcsvchost', '-launchd', 'netlogon.bundle']",3bff6dda8d3ccf7fb9392f354a0d25d6c33f3ce3b520937eec58e332c556c788,False,"" 
-/System/Library/LaunchDaemons/com.apple.msrpc.srvsvc.plist,com.apple.msrpc.srvsvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'srvsvc.bundle']",3bff6dda8d3ccf7fb9392f354a0d25d6c33f3ce3b520937eec58e332c556c788,False,"" -/System/Library/LaunchDaemons/com.apple.msrpc.wkssvc.plist,com.apple.msrpc.wkssvc,"['/usr/libexec/rpcsvchost', '-launchd', '-sandbox', 'wkssvc.bundle']",3bff6dda8d3ccf7fb9392f354a0d25d6c33f3ce3b520937eec58e332c556c788,False,"" -/System/Library/LaunchDaemons/com.apple.mtmd.plist,com.apple.mtmd,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmd']",ce30a17d3582fc47db96ee79bda92865f1b0c68be0157d349ec1728afcb24c29,False,"" -/System/Library/LaunchDaemons/com.apple.mtmfs.plist,com.apple.mtmfs,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmfs', '--tcp', '--resvport', '--listen', 'localhost', '--oneshot', '--noportmap', '--nobrowse']",0234ebd297ca5a6fc7322e6c0e7343ae98fac45680b78d9ceb011717c8a3776a,True,"" -/System/Library/LaunchDaemons/com.apple.mtmhelper.plist,com.apple.mtmhelper,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmhelper']",368e51e8e16c518adcca8c3ff051108b458e7005cff4f9431cb63cb71dd8232b,False,"None" -/System/Library/LaunchDaemons/com.apple.nehelper.plist,com.apple.nehelper,"['/usr/libexec/nehelper']",6f1168dce811450d2bed3338aa0d84706fe10008e1ad343d9840097d4690e935,False,"" -/System/Library/LaunchDaemons/com.apple.nesessionmanager.plist,com.apple.nesessionmanager,"['/usr/libexec/nesessionmanager']",a2313bdec063c66f93640bea729e777a768936890a63942460508342065cffac,False,"" -/System/Library/LaunchDaemons/com.apple.netauth.sys.auth.plist,com.apple.netauth.sys.auth,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent', '--sys']",eee74a6ea16f475de659b6a18ddf92e9a6b51f0fbf73bbcdc9b8a242b7e54a37,False,"" 
-/System/Library/LaunchDaemons/com.apple.netauth.sys.gui.plist,com.apple.netauth.sys.gui,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent', '--sys']",74d2a6ab4247631a21eb33d14fb33f7bde7bee59db6c4f7203e1dc98f494efa5,False,"" -/System/Library/LaunchDaemons/com.apple.netbiosd.plist,com.apple.netbiosd,"['/usr/sbin/netbiosd']",38c9cba0eaad41034f555f8cb8099c9a377e245e70d478ed46691d775ab739c2,False,"netbiosd is responsible for interacting with NetBIOS networks." -/System/Library/LaunchDaemons/com.apple.NetBootClientStatus.plist,com.apple.NetBootClientStatus,"['/usr/sbin/NetBootClientStatus']",e88e3051ce748b24feb0409d16d023d6a048187ecb91de5cb9da63ff05f0bfef,True,"" -/System/Library/LaunchDaemons/com.apple.NetworkDiagnostics.plist,com.apple.NetworkDiagnostics,"['/System/Library/CoreServices/Network Diagnostics.app/Contents/MacOS/Network Diagnostics']",4ac7acbfe00efa3586025c4bf7fb50f5e7877a8e580ac7c41a05a8e08cb01b4a,False,"" -/System/Library/LaunchDaemons/com.apple.NetworkLinkConditioner.plist,com.apple.nlcd,"['/usr/libexec/nlcd']",0cafc5fd26322275aa318ac997ea3ba001360aea15b26ac4a864b4d143a158c9,False,"" -/System/Library/LaunchDaemons/com.apple.NetworkSharing.plist,com.apple.NetworkSharing,"['/usr/libexec/InternetSharing']",c4aa376292272e82b73591bd8a66dd1b64bc74e3910702cca510c8c43bc6076f,False,"" -/System/Library/LaunchDaemons/com.apple.newsyslog.plist,com.apple.newsyslog,"['/usr/sbin/newsyslog']",fe693096f251cafb6571f57b9b4533b663989d029e9ff8e21f0bb360441aabc3,False,"" -/System/Library/LaunchDaemons/com.apple.nfsconf.plist,com.apple.nfsconf,"['/sbin/mount_nfs', 'configupdate']",4f6274a5d159721367dbee3aeb83c6162e4b30416c485f2f436d365cc2adbb07,True,"" -/System/Library/LaunchDaemons/com.apple.nfsd.plist,com.apple.nfsd,"['/sbin/nfsd']",c4b6a3bf723ff8406afeb0a7a65fe40214523604ead869897faca76b494c7d70,False,"" 
-/System/Library/LaunchDaemons/com.apple.nis.ypbind.plist,com.apple.nis.ypbind,"['/usr/sbin/ypbind']",76d986098cfb3f18f7c64b86cd1e2deea60740f30ff7d21d8bda9302c81abb5b,False,"" -/System/Library/LaunchDaemons/com.apple.noticeboard.state.plist,com.apple.noticeboard.state,"['/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbstated']",607672fc358fb53e046b77149a5575e72567c16586cd6e739d724b0588809af3,False,"" -/System/Library/LaunchDaemons/com.apple.notifyd.plist,com.apple.notifyd,"['/usr/sbin/notifyd']",8755b590b54ec213b09214d77b973aede008a38bb328a51381fc3d8e8dd3a23b,False,"" -/System/Library/LaunchDaemons/com.apple.nsurlsessiond.plist,com.apple.nsurlsessiond_privileged,"['/usr/libexec/nsurlsessiond', '--privileged']",e398a8b6495aad49af02a3a5200ecd649832b0b8dd255b400a1a37d13559a0d2,False,"" -/System/Library/LaunchDaemons/com.apple.nsurlstoraged.plist,com.apple.nsurlstoraged,"['/usr/libexec/nsurlstoraged']",7b73d6259e96cdfb749d0b6c143b5333ad3d8fda7be151abd2698823e7b7b4c7,False,"" -/System/Library/LaunchDaemons/com.apple.ocspd.plist,com.apple.ocspd,"['/usr/sbin/ocspd']",58f7874dc86b11738fe2d3195b9305f36abca4c40b9e4d4fb7c2317e49600963,False,"Performs caching and network fetching of CRLs and OCSP responses, used by Security.framework during certificate verification" -/System/Library/LaunchDaemons/com.apple.odproxyd.plist,com.apple.odproxyd,"['/usr/libexec/odproxyd']",d7c1b6c118d19764de28ee2e02790d29697964ee23e157b182ce2f8af7b0018c,False,"" -/System/Library/LaunchDaemons/com.apple.ODSAgent.plist,com.apple.ODSAgent,"['/System/Library/CoreServices/ODSAgent.app/Contents/MacOS/ODSAgent', '-launchd']",f2f7e56a75a7af3f1133dcd640ad1f114c3705dd1f369c8b6b97ee432b2241f7,False,"" -/System/Library/LaunchDaemons/com.apple.opendirectoryd.plist,com.apple.opendirectoryd,"['/usr/libexec/opendirectoryd']",076b6e3c99d284082b20378cef66161253ba9f29795a3ca073cb155c505288f2,False,"" 
-/System/Library/LaunchDaemons/com.apple.PasswordService.plist,com.apple.PasswordService,"['/usr/sbin/PasswordService', '-n']",73ab1e7d0c9002c79332453a97b485e5560773969ab7a9acea72420de1bdd41b,False,"" -/System/Library/LaunchDaemons/com.apple.PCIELaneConfigTool.plist,com.apple.PCIELaneConfigTool,"['/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool']",a79fe92de96951f9a61b67e19a657c9627369c0fa9a7be0b2a05e82a9cfad959,False,"" -/System/Library/LaunchDaemons/com.apple.periodic-daily.plist,com.apple.periodic-daily,"['/usr/libexec/periodic-wrapper', 'daily']",b2b8416c858c6caeb44eaab15949949a74e334c143ff3045682afdd5928b5f90,False,"" -/System/Library/LaunchDaemons/com.apple.periodic-monthly.plist,com.apple.periodic-monthly,"['/usr/libexec/periodic-wrapper', 'monthly']",b2b8416c858c6caeb44eaab15949949a74e334c143ff3045682afdd5928b5f90,False,"" -/System/Library/LaunchDaemons/com.apple.periodic-weekly.plist,com.apple.periodic-weekly,"['/usr/libexec/periodic-wrapper', 'weekly']",b2b8416c858c6caeb44eaab15949949a74e334c143ff3045682afdd5928b5f90,False,"" -/System/Library/LaunchDaemons/com.apple.pfctl.plist,com.apple.pfctl,"['/sbin/pfctl']",b5b3095a6413ff6116076833701020484ca34fe7d2718e063902fc3339d75752,True,"" -/System/Library/LaunchDaemons/com.apple.pfd.plist,com.apple.pfd,"['/usr/libexec/pfd']",d7cdc96fbeecce26ed4a9d58463ce78f77eb3b5561ad54a893707216c97aee9f,False,"" -/System/Library/LaunchDaemons/com.apple.platform.ptmd.plist,com.apple.platform.ptmd,"['/usr/libexec/ptmd']",fdab669bd73899d68be61711cba2a94c4159a10ffad69535acdfcf4dd0d5f29f,True,"" -/System/Library/LaunchDaemons/com.apple.postfix.master.plist,com.apple.postfix.master,"['/usr/libexec/postfix/master']",53c71cdbe29be2d55ae442f9a2aac1b354f08f063b00bc125882eb74e4c4fa44,False,"None" 
-/System/Library/LaunchDaemons/com.apple.postfix.newaliases.plist,com.apple.postfix.newaliases,"['/usr/libexec/postfix/check-aliases.sh']",85836505e7beee66772dc51df302e9c2eefcfe3f2349681a43fb3c0a1c51ad74,True,"None" -/System/Library/LaunchDaemons/com.apple.powerd.plist,com.apple.powerd,"['/System/Library/CoreServices/powerd.bundle/powerd']",b2a87d34cb3fe61bb768d07cac831a5d2a25a37a672e2cd825413f80b322b121,False,"" -/System/Library/LaunchDaemons/com.apple.powerd.swd.plist,com.apple.powerd.swd,"['/System/Library/CoreServices/powerd.bundle/swd']",c034f54d25aeffb6138dfca59cd223bd3540d42299f7b981997a44c6604be15b,False,"" -/System/Library/LaunchDaemons/com.apple.preferences.timezone.admintool.plist,com.apple.preferences.timezone.admintool,"['/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/TimeZoneAdminTool']",fa176cf3a0054fb12a04df8bc6fcfc413e79d4f5528ac1d4fea5d21d44ebbe8b,False,"" -/System/Library/LaunchDaemons/com.apple.preferences.timezone.auto.plist,com.apple.preferences.timezone.auto,"['/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/timezoned.app/Contents/MacOS/timezoned']",9826b2824962a61fefefdeff14e91606de45e3e634ab2de0ac4aa65184f5d5b8,False,"" -/System/Library/LaunchDaemons/com.apple.printtool.daemon.plist,com.apple.printtool.daemon,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/PrintCore.framework/Versions/A/printtool', 'daemon']",eaf12c090dd671bbf82116de2d7c175ea775610b0b3a7c18626b54dfae0679e2,False,"" -/System/Library/LaunchDaemons/com.apple.racoon.plist,com.apple.racoon,"['/usr/sbin/racoon', '-D']",cba7f87d290cfeb7dd2184ec6af7757b04a92f5f6e353621d2dd2d42023238d9,False,"Built-in VPN key management daemon" 
-/System/Library/LaunchDaemons/com.apple.RemoteDesktop.PrivilegeProxy.plist,com.apple.RemoteDesktop.PrivilegeProxy,"['/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy']",8c95c42276f863bc37529f44d9956ab6efc9415c3720f5d853fdcee8e6a0af19,False,"" -/System/Library/LaunchDaemons/com.apple.remotepairtool.plist,com.apple.RemotePairTool,"['/System/Library/CoreServices/RemotePairTool']",d759003427d479d0707db18eac8fab923bdf7e1dab357dfcdb5bd9ffb24e2cfd,False,"" -/System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist,com.apple.ReportCrash.Root,"['/System/Library/CoreServices/ReportCrash']",a64d420ec2bc8d826c8298072c279b17061e796759db64f719b1dbd9ae510279,False,"" -/System/Library/LaunchDaemons/com.apple.ReportPanicService.plist,com.apple.ReportPanicService,"['/System/Library/CoreServices/ReportPanicService']",656fe433407d03ac8b3e077efedec0a8b5bf68980b5d3aaa394cad47a3b5da80,False,"" -/System/Library/LaunchDaemons/com.apple.revisiond.plist,com.apple.revisiond,"['/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond']",d8708a2eaff2a994d93069ae10ff7de8c4ce5ed4427e74f752c0c58e5f22d42b,True,"" -/System/Library/LaunchDaemons/com.apple.RFBEventHelper.plist,com.apple.RFBEventHelper,"['/System/Library/CoreServices/RFBEventHelper.bundle/Contents/MacOS/RFBEventHelperd']",af93779c5e12f9fe2f9feb014e0b59f01854d9fb520a42e6d84556df238f1739,False,"" -/System/Library/LaunchDaemons/com.apple.rootless.init.plist,com.apple.rootless.init,"['/usr/libexec/rootless-init']",547d750fbaeeec80788199af46cb83080fde9756249c54623bbb888bd504ca1f,False,"" -/System/Library/LaunchDaemons/com.apple.rpcbind.plist,com.apple.rpcbind,"['/usr/sbin/rpcbind']",16f3bf97fbf96fbfbaac0238f855d3980c2f566b3e2b20e5441831effe6c384b,False,"" -/System/Library/LaunchDaemons/com.apple.rtcreportingd.plist,com.apple.rtcreportingd,"['/usr/libexec/rtcreportingd']",08a51edea24c34c3b9041f8cc727d5c0eaecb6f3be90ba9204766a4c71cff262,False,"" 
-/System/Library/LaunchDaemons/com.apple.sandboxd.plist,com.apple.sandboxd,"['/usr/libexec/sandboxd']",53159fd4e9f84663d210ec2e30ead78c50e87c5c2b3722bc1e41fd54e0c04b05,False,"" -/System/Library/LaunchDaemons/com.apple.SCHelper.plist,com.apple.SCHelper,"['/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper']",2a616e862bd65ba5f72c1a4cb2ac7ad1b91d6fce741ee4a3c26ac1304e1d455b,False,"" -/System/Library/LaunchDaemons/com.apple.screensharing.plist,com.apple.screensharing,"['/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd']",48410645c83e4f7547fc5618c6ae410232ee6544b3e291ee3dc881ef580a1539,False,"" -/System/Library/LaunchDaemons/com.apple.scsid.plist,com.apple.scsid,"['/usr/libexec/scsid']",92fa2143bbdd6fe44c8fed24bbde2729d8b18539f8fe8d4def0a26ea1f904f42,True,"" -/System/Library/LaunchDaemons/com.apple.secinitd.plist,com.apple.secinitd,"['/usr/libexec/secinitd']",3de685f119f1c94f99ff2867106f086a0c37db53bc80c4369e03611f4d64fae3,False,"" -/System/Library/LaunchDaemons/com.apple.security.agent.login.plist,com.apple.security.agent.login,"['/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent']",bd1a5f8764e5f479bb094e4a08b7c314d24be3ee1f8dff9a6e12007f9d131d4f,False,"" -/System/Library/LaunchDaemons/com.apple.security.authhost.plist,com.apple.security.authhost,"['/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost']",726df637d0a331b199cd1258dba90b2d8e15b1b49fe95028e06b9d41a813eea3,False,"" -/System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist,com.apple.security.FDERecoveryAgent,"['/usr/libexec/FDERecoveryAgent']",80ece19c945b2ff894648ddcdcf24d70d3cacac30298971ebf5a007327c61393,True,"" 
-/System/Library/LaunchDaemons/com.apple.security.syspolicy.plist,com.apple.security.syspolicy,"['/usr/libexec/syspolicyd']",1f14996689a3149ac93cadb263c1c095667154b3aba041196549961947a10603,False,"" -/System/Library/LaunchDaemons/com.apple.securityd.plist,com.apple.securityd,"['/usr/sbin/securityd', '-i']",f61c8eb53e0fa0fb49f07c22be058fe83c4ecfa97fb97332a60c794d41b5f0b7,True,"" -/System/Library/LaunchDaemons/com.apple.securityd_service.plist,com.apple.securityd_service,"['/usr/libexec/securityd_service']",186d1e61543c4a3875e6318864e0d1b2f4f4df4c9b74377c0622b5a3dc8c71c0,False,"" -/System/Library/LaunchDaemons/com.apple.sessionlogoutd.plist,com.apple.sessionlogoutd,"['/System/Library/CoreServices/sessionlogoutd']",095f461429ada2163ed91684e8ec32b9dc33ae8aa7e8b73d4ccf300ecbf2fa71,False,"" -/System/Library/LaunchDaemons/com.apple.smb.preferences.plist,com.apple.smb.preferences,"['/usr/libexec/smb-sync-preferences']",3b2fd1c4b1db41b6d8f59e377b015b298f399236bb19a1816a76c6fca22156d1,True,"" -/System/Library/LaunchDaemons/com.apple.smbd.plist,com.apple.smbd,"['/usr/sbin/smbd']",af500c02afeadf4c11c24e5faf178f927e4c0731b1c9bd2e3c338441d9c2fe48,False,"" -/System/Library/LaunchDaemons/com.apple.softwareupdate_download_service.plist,com.apple.softwareupdate_download_service,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_download_service']",1c809811e04df0158383b51680d13850e273f69e9f3029778a25cfbf029f76ac,False,"" -/System/Library/LaunchDaemons/com.apple.softwareupdate_firstrun_tasks.plist,com.apple.softwareupdate_firstrun_tasks,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_firstrun_tasks', '-BuildTagCache', 'YES']",cf8c72a022e8c418802f06248ddcd5977e6d7ad8d1ed9b01a61a065539ae6443,True,"None" -/System/Library/LaunchDaemons/com.apple.softwareupdated.plist,com.apple.softwareupdated,"['/System/Library/CoreServices/Software 
Update.app/Contents/Resources/softwareupdated']",a26efebee17a028b8d9b3824fecdd80b0741de4c76793b2972c66ddd0a8f6e13,False,"" -/System/Library/LaunchDaemons/com.apple.speech.speechsynthesisd.plist,com.apple.speech.speechsynthesisd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd']",d37eec8945fe3d7a4f29c241eff0b35da57fa1ec74672771fbf3239ea1d1917e,False,"" -/System/Library/LaunchDaemons/com.apple.spindump.plist,com.apple.spindump,"['/usr/sbin/spindump']",9bd9e44331646026255052ee1142d3be0219291b4fa6f69efac2660fa3d5d5dd,False,"" -/System/Library/LaunchDaemons/com.apple.startupdiskhelper.plist,com.apple.startupdiskhelper,"['/usr/libexec/startupdiskhelper']",a040058c2c9843c0a17a96dd647ec1a276ae0cddf852c5c063920f690beccaa2,False,"None" -/System/Library/LaunchDaemons/com.apple.statd.notify.plist,com.apple.statd.notify,"['/usr/sbin/rpc.statd', '-n']",dbc565426f75e2345b1fb2e8317869811602b61b72081db8cc7f9bba12a497da,True,"" -/System/Library/LaunchDaemons/com.apple.storagekitd.plist,com.apple.storagekitd,"['/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd']",ce171c6170bcece5d4227a9c2364a5b3d59a02ed280bbcfd76eaf45990293119,False,"" -/System/Library/LaunchDaemons/com.apple.storeaccountd.daemon.plist,com.apple.storeaccountd.daemon,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeaccountd', 'daemon']",1f5b284bae1a1f34c385bbb858460cff6858fe453730e9594e6742a9236ff7eb,False,"" -/System/Library/LaunchDaemons/com.apple.storeagent.daemon.plist,com.apple.storeagent.daemon,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storelegacy', 'daemon']",d72eb418db720a85fb01b0994d6863ef01a55e3b38c42efecd7ed7dc92b1ed05,False,"" -/System/Library/LaunchDaemons/com.apple.storeassetd.daemon.plist,com.apple.storeassetd.daemon,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeassetd', 
'daemon']",fa9af393b6dbe8244f66b012c7b3726a95dbaf0b2afd9448108240fcd365f038,False,"" -/System/Library/LaunchDaemons/com.apple.storedownloadd.daemon.plist,com.apple.storedownloadd.daemon,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd', 'daemon']",e9f3678a540fdbd26fff350937c61f717af8cf769fe14e1716c821979a8e000c,False,"" -/System/Library/LaunchDaemons/com.apple.storeinstalld.plist,com.apple.storeinstalld,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeinstalld']",33bffa2fd00918d7a2c61d75e76dfbf54c42206faee5b7c00be962c93b5f89c7,False,"None" -/System/Library/LaunchDaemons/com.apple.storereceiptinstaller.plist,com.apple.storereceiptinstaller,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/ReceiptInstaller']",608275b0114c8cc6dede375578d4b53b48546673d14479255e5b38070b76f8e5,False,"" -/System/Library/LaunchDaemons/com.apple.SubmitDiagInfo.plist,com.apple.SubmitDiagInfo,"['/System/Library/CoreServices/SubmitDiagInfo', 'server-init']",13a6f26878b72e9d3f83181dd793c843d46d314e1a8dabe0d9acfdf2d2e3fa2a,False,"Sends diagnostic information to Apple" -/System/Library/LaunchDaemons/com.apple.suhelperd.plist,com.apple.suhelperd,"['/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/suhelperd']",5b417e973db778f6e8c4a5ccdbb1bc1190811c80962ef860eaf42bf614a3413d,False,"" -/System/Library/LaunchDaemons/com.apple.symptomsd.plist,com.apple.symptomsd,"['/usr/libexec/symptomsd']",0e40d9059c77b2f8722395e8d8dc2dcd0b9892847dcb724f478e36e58bbc156c,False,"" -/System/Library/LaunchDaemons/com.apple.sysdiagnose.plist,com.apple.sysdiagnose,"['/usr/bin/sysdiagnose']",e7cf5ad447edde00f88741e944814b8b08bb8ee6d18c40edac8589e3404acb85,False,"" -/System/Library/LaunchDaemons/com.apple.syslogd.plist,com.apple.syslogd,"['/usr/sbin/syslogd']",04a4818bb49d74f91a93d768c0fc05d3fa2a70787722f7cc13caa1af23316316,False,"" 
-/System/Library/LaunchDaemons/com.apple.sysmond.plist,com.apple.sysmond,"['/usr/libexec/sysmond']",be93cd6dbe14c0fc45c02dbd972afc4afdad34e8b7c24c84b7c131e3ea61f4aa,False,"" -/System/Library/LaunchDaemons/com.apple.system_installd.plist,com.apple.system_installd,"['/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd']",eff9877c1bb33edb8efafcbafdaf1c27f1776c93f287ed9b7ae73a68b42a92ae,False,"" -/System/Library/LaunchDaemons/com.apple.systemkeychain.plist,com.apple.systemkeychain,"['/usr/sbin/systemkeychain', '-d']",7d23b4afe97039fe4cd8b730fbf3c2b1c4ba5c060965adf6b27f261f092f23aa,False,"" -/System/Library/LaunchDaemons/com.apple.systemstats.analysis.plist,com.apple.systemstats.analysis,"['/usr/sbin/systemstats', '--xpc']",6099ad3d540730d2c48b754276914522cfd8cf9beca604115cae4e1263af1fc3,False,"" -/System/Library/LaunchDaemons/com.apple.systemstats.daily.plist,com.apple.systemstats.daily,"['/usr/sbin/systemstats', '--daily']",6099ad3d540730d2c48b754276914522cfd8cf9beca604115cae4e1263af1fc3,False,"" -/System/Library/LaunchDaemons/com.apple.tailspind.plist,com.apple.tailspind,"['/usr/libexec/tailspind']",eed7bef237e29feae96f4188587fd3d06eb6d7a1e315c1e5755a97669e3f3e3c,False,"None" -/System/Library/LaunchDaemons/com.apple.taskgated-helper.plist,com.apple.taskgated-helper,"['/usr/libexec/taskgated-helper']",8a5b4c6de632bd5ca8a95c5772ec0d564260c504235869cc69c38ab72ccef1ed,False,"" -/System/Library/LaunchDaemons/com.apple.taskgated.plist,com.apple.taskgated,"['/usr/libexec/taskgated', '-s']",562b1cdaff02bf59fbcc46adb7c28107303750b1c39fae41c539b3365fc72aea,False,"" -/System/Library/LaunchDaemons/com.apple.tccd.system.plist,com.apple.tccd.system,"['/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd', 'system']",f8ba72775dcc31f2b1ad218a356795c1ddc45ae5afb704162bad02efacbdf4ad,False,"" 
-/System/Library/LaunchDaemons/com.apple.thermald.plist,com.apple.thermald,"['/usr/libexec/thermald']",a99b06655380282e8051df3c2a70af006f042527cb77d734ec7b33c8fa2cdd3b,False,"Thermal management daemon" -/System/Library/LaunchDaemons/com.apple.TMCacheDelete.plist,com.apple.TMCacheDelete,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMCacheDelete']",38e67feb52060c5a4a093e43410af4ca8a72f093fbb1838c63b0817e80c30448,False,"" -/System/Library/LaunchDaemons/com.apple.trustd.plist,com.apple.trustd,"['/usr/libexec/trustd']",872b9574d20649ce20c78e6ead6a40b6ed494f24fac77535c27f0f71e5a114dc,False,"" -/System/Library/LaunchDaemons/com.apple.TrustEvaluationAgent.system.plist,com.apple.TrustEvaluationAgent.system,"['/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Resources/trustevaluationagent']",ce6d7839e819198d7589ad73eb560960e01651e52e0339c24c6d6e9d68a20b1f,False,"" -/System/Library/LaunchDaemons/com.apple.ucupdate.plist,com.apple.ucupdate.plist,"['/usr/libexec/ucupdate', '-m', '/usr/share/ucupdate/microcode.dat']",925d0ffdd726448a1daa9d58ed070d492240fdfb426a8d22b61269e9c703fdd7,True,"" -/System/Library/LaunchDaemons/com.apple.uninstalld.plist,com.apple.uninstalld,"['/System/Library/PrivateFrameworks/Uninstall.framework/Resources/uninstalld']",929f33ea279c823c8df1e5bd50027b45187e61fe4b61ef3694cd7920c681de68,False,"" -/System/Library/LaunchDaemons/com.apple.unmountassistant.sysagent.plist,com.apple.unmountassistant.sysagent,"['/System/Library/CoreServices/UnmountAssistantAgent.app/Contents/Resources/UASysAgent']",db80f142573954dc09e4badba3f72c5cf7deeffdd159d84f824675145f12ebf9,False,"" -/System/Library/LaunchDaemons/com.apple.updateEFIDesktopPicture.plist,com.apple.updateEFIDesktopPicture,"['/usr/sbin/kextcache', '-u', '/']",e926a3cc1ea297ed2277b8c4e260897d2a055f0a72ac158d982b32cba12e77da,False,"" 
-/System/Library/LaunchDaemons/com.apple.usbd.plist,com.apple.usbd,"['/usr/libexec/usbd']",0e70c44f1a4dcdcb180d996512e991491bc37dd376b0b5e2c3c48461b023dd26,False,"" -/System/Library/LaunchDaemons/com.apple.usbmuxd.plist,com.apple.usbmuxd,"['/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd', '-launchd']",94633949b96a83a4f3de7d6e7a9ddbece7a2c36e5a8ff5c32891392730a5af9f,True,"" -/System/Library/LaunchDaemons/com.apple.UserEventAgent-System.plist,com.apple.UserEventAgent-System,"['/usr/libexec/UserEventAgent', '(System)']",0db2c6f3f3370cdc06524a4824186c8733ce732d2b5946d7f068e8b4d4bae4c9,False,"" -/System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist,com.apple.UserNotificationCenter,"['/System/Library/CoreServices/uncd']",f5fa68af3442797935ebd584f70254af756fd2922719911a7bb66a108e5e18af,False,"" -/System/Library/LaunchDaemons/com.apple.uucp.plist,com.apple.uucp,"['/usr/sbin/uucico', '-l', '-D']",2c45d334643c7b43f0a7ff4daa61725992e94c8ca2984faf0f285eb99a6fdf1a,False,"" -/System/Library/LaunchDaemons/com.apple.var-db-dslocal-backup.plist,com.apple.var-db-dslocal-backup,"['/usr/bin/xar', '-c', '-f', 'dslocal-backup.xar', 'dslocal']",fc1824ce33249ce98c91abf6d73e06c16a7d9500a561c9747a4226a2aa375c05,False,"" -/System/Library/LaunchDaemons/com.apple.vsdbutil.plist,com.apple.vsdbutil,"['/usr/sbin/vsdbutil', '-i']",efc252abe22de1c7c7a1ddb4e63b376b43e46bf607c1da0660691a9e5849e669,False,"" -/System/Library/LaunchDaemons/com.apple.warmd.plist,com.apple.warmd,"['/usr/libexec/warmd']",0f76623e8fb7c60cf82db40a4ae6597484e8562ec2811d121cd05ae00ad3b104,True,"" -/System/Library/LaunchDaemons/com.apple.watchdogd.plist,com.apple.watchdogd,"['/usr/libexec/watchdogd']",4807b1b721013c381f6a37023cf4e7e9f9cd8e9e9b20745ba9aa85caaf54eaf4,False,"" -/System/Library/LaunchDaemons/com.apple.wdhelper.plist,com.apple.wdhelper,"['/usr/libexec/wdhelper']",555e71716e1dc824f4a0fe006a9e8bbe268f47bb74dfa9b82096d95373b40753,True,"" 
-/System/Library/LaunchDaemons/com.apple.wifid.plist,com.apple.wifid,"['/usr/libexec/wifid']",1c146e1d2287b6e5c07d663ca672a7b533cb0b64033b93e5fd571d71b46d044a,False,"" -/System/Library/LaunchDaemons/com.apple.wifivelocityd.plist,com.apple.wifivelocityd,"['/usr/libexec/wifivelocityd']",99b391a67b49d9e662dcbe58176bdc53654e3cdd6547615c0441cf203e833cf1,False,"None" -/System/Library/LaunchDaemons/com.apple.WindowServer.plist,com.apple.WindowServer,"['/System/Library/PrivateFrameworks/SkyLight.framework/Resources/WindowServer', '-daemon']",308e164e5fcf6a08c488e9c1aa6129169a6c92f17253269bccc5862be982f445,False,"" -/System/Library/LaunchDaemons/com.apple.wirelessproxd.plist,com.apple.wirelessproxd,"['/usr/sbin/wirelessproxd']",0213b9d294328789f918a5c4dcbd9e53b2bbd9c410a790dd996ef3f57dee2053,False,"" -/System/Library/LaunchDaemons/com.apple.WirelessRadioManagerd-osx.plist,com.apple.WirelessRadioManagerd-osx,"['/usr/sbin/WirelessRadioManagerd']",874529d94d354e972a9e11d52f4f063198f9a17bb495747ad616148f4ccbfe14,False,"" -/System/Library/LaunchDaemons/com.apple.wwand.plist,com.apple.wwand,"['/System/Library/Extensions/IOSerialFamily.kext/Contents/PlugIns/AppleWWANSupport.kext/Contents/Resources/wwand']",02017b3ff60b93d77a50cd8acf605027a5a4ff3c177b13bbe175e7fd175fe7b3,False,"" -/System/Library/LaunchDaemons/com.apple.xpc.smd.plist,com.apple.xpc.smd,"['/usr/libexec/smd']",df9002235e2b41f44ae01822ba0b96d84f0cdb617b928a03859edff200fb7e28,False,"" -/System/Library/LaunchDaemons/com.apple.xpc.uscwoap.plist,com.apple.xpc.uscwoap,"['/bin/bash']",05fa593bb1247e5f73e21e8951c2215e4c83f60047167aad5e4371947587cce7,False,"" -/System/Library/LaunchDaemons/com.apple.xsan.plist,com.apple.xsan,"['/System/Library/Filesystems/acfs.fs/Contents/bin/xsand']",e52784268e7aad5e6c1e3221458e1bb847907d6ff1869b380ba832537ef1733c,False,"" 
-/System/Library/LaunchDaemons/com.apple.xsandaily.plist,com.apple.xsandaily,"['/System/Library/Filesystems/acfs.fs/Contents/bin/xsandaily']",bcdf58bd815603977712d79042f8fd34301e3468addef387387eedf3a8f389e0,False,"" -/System/Library/LaunchDaemons/com.apple.xscertadmin.plist,com.apple.xscertadmin,"['/usr/sbin/xscertadmin', 'update']",db6afabf5acff98338781979cc5ab071b8f9c7d8aefff106674a618bbcd52471,False,"" -/System/Library/LaunchDaemons/com.apple.xscertd-helper.plist,com.apple.xscertd-helper,"['/usr/libexec/xscertd-helper']",135c06e9b090198f6c84ebb039893fa602ed5cce29e071ebe5d45a0527b31503,False,"" -/System/Library/LaunchDaemons/com.apple.xscertd.plist,com.apple.xscertd,"['/usr/libexec/xscertd']",e7640cb80092966dee48006ac7fc26a411ca26b7099b2bb5c76908e6497e992b,False,"" -/System/Library/LaunchDaemons/com.vix.cron.plist,com.vix.cron,"['/usr/sbin/cron']",08b1dfda3e4c831013c40a5ca382bc80cb5a005c9376d2abce629db7e792851a,False,"" -/System/Library/LaunchDaemons/finger.plist,com.apple.fingerd,"['/usr/libexec/fingerd', '-s']",d631f7ab605ee5446602580ea994cd7c11dd177a5eef6f1839f33079a199e6b3,False,"" -/System/Library/LaunchDaemons/ftp.plist,com.apple.ftpd,"['/usr/libexec/ftpd']",c610ee26589862c19ef8f37c6878d6d53a807636b7c7d34e048bd3bce1f60487,False,"" -/System/Library/LaunchDaemons/ntalk.plist,com.apple.ntalkd,"['/usr/libexec/ntalkd']",137dce36b2ee244b5b527fb8edfc3b74bfb02fab49f9725fcda0ce1e31d45657,False,"" -/System/Library/LaunchDaemons/org.apache.httpd.plist,org.apache.httpd,"['/usr/sbin/httpd-wrapper', '-D', 'FOREGROUND']",c79a53bc3347ad16ca7e86753eb64733569e7e7d65fc1daeac2a41922f1dfa09,False,"" -/System/Library/LaunchDaemons/org.cups.cups-lpd.plist,org.cups.cups-lpd,"['/usr/libexec/cups/daemon/cups-lpd', '-o', 'document-format=application/octet-stream']",41baa504e181694922ea8d9bccc06afccca4d3b3c6577f55687925372aeae42a,False,"" -/System/Library/LaunchDaemons/org.cups.cupsd.plist,org.cups.cupsd,"['/usr/sbin/cupsd', '-l']",UNKNOWN,False,"" 
-/System/Library/LaunchDaemons/org.net-snmp.snmpd.plist,org.net-snmp.snmpd,"['/usr/sbin/snmpd']",30389db23c8d30e268dd7e3f98986a33b6a66bb2e13ad4e9248832247020b23c,False,"" -/System/Library/LaunchDaemons/org.ntp.ntpd.plist,org.ntp.ntpd,"['/usr/libexec/ntpd-wrapper']",af2e5171344166fae18d79ff27b81ac10b9fe2998e6fce449a7c57e54b3af80f,False,"Wrapper for ntpdate/ntpd called by launchd" -/System/Library/LaunchDaemons/org.openldap.slapd.plist,org.openldap.slapd,"['/usr/libexec/slapd']",c2560a36e3754e9891359a1341cadb9d1a51cf4110cf9a95c9fa5fb1c3559aee,False,"Slapd is the stand-alone LDAP daemon." -/System/Library/LaunchDaemons/ssh.plist,com.openssh.sshd,"['/usr/libexec/sshd-keygen-wrapper']",a7fc97ea60f6394f024de3f9a8fc97ad9bafdae5585b220d8bc7d5bc61f6a6cb,False,"Wrapper for OpenSSH SSH daemon called by launchd" -/System/Library/LaunchDaemons/telnet.plist,com.apple.telnetd,"['/usr/libexec/telnetd']",8a36078d665c7e99ef7677add8f072c4f8870d27811bc6d73f96997117f957e0,False,"" -/System/Library/LaunchDaemons/tftp.plist,com.apple.tftpd,"['/usr/libexec/tftpd', '-i', '/private/tftpboot']",db32fce07cda30b3514ce30251689db4310c9e45d1c9a093330de7c5bf07b1f4,False,"TFTP server daemon" -/System/Library/LaunchAgents/com.apple.accountsd.plist,com.apple.accountsd,"['/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd']",2c18649bbc5bd99d5ad244f16cd9512ca796b0362cda27e10796409ee712d867,False,"" -/System/Library/LaunchAgents/com.apple.AddressBook.abd.plist,com.apple.AddressBook.abd,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/AddressBookManager.app/Contents/MacOS/AddressBookManager']",a1866b73806ae2d148d720a88cc4f0726eef0272d4b96a59b5d3aaba64a2b0d1,False,"" 
-/System/Library/LaunchAgents/com.apple.AddressBook.AssistantService.plist,com.apple.AddressBook.AssistantService,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/ABAssistantService.app/Contents/MacOS/ABAssistantService']",8d661db3b0de27213d1b748096238fe1f5b2df28b506a25904cdb31d9df14636,False,"" -/System/Library/LaunchAgents/com.apple.AddressBook.ContactsAccountsService.plist,com.apple.AddressBook.ContactsAccountsService,"['/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService']",f301931b1e2387f1234bef867b401826161a2b291ad78563c154d6355b71fbb3,False,"None" -/System/Library/LaunchAgents/com.apple.AddressBook.SourceSync.plist,com.apple.AddressBook.SourceSync,"['/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/AddressBookSourceSync.app/Contents/MacOS/AddressBookSourceSync']",321e1acce457deaf4d496a959042cd7fd5de85bb5c5ecfb7a0275c9f018c4e11,False,"" -/System/Library/LaunchAgents/com.apple.AirPlayUIAgent.plist,com.apple.AirPlayUIAgent,"['/System/Library/CoreServices/AirPlayUIAgent.app/Contents/MacOS/AirPlayUIAgent', '--launchd']",30d7ec2bff38d06cfe781e3d6ffe68a9ed855559547d180cac91dba0938b0385,True,"" -/System/Library/LaunchAgents/com.apple.AirPortBaseStationAgent.plist,com.apple.AirPortBaseStationAgent,"['/System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agent', '--launchd']",74e7775fba88b5c639b60dc6bad8d7b0bc9f79698e29cc54cfe17c423bded8ce,False,"" -/System/Library/LaunchAgents/com.apple.akd.plist,com.apple.akd,"['/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd']",670fb2f9b92fea1a38a454ae6c3b79ee0d08206f0e04d10439b02a7b80e7dae0,False,"" -/System/Library/LaunchAgents/com.apple.alf.useragent.plist,com.apple.alf.useragent,"['/usr/libexec/ApplicationFirewall/Firewall']",c6ce0695dbee625021b16132146547ee18ac5119fffe2c8cf6e362c48e628ae8,False,"Apple Application Firewall (User Process)" 
-/System/Library/LaunchAgents/com.apple.AOSHeartbeat.plist,com.apple.AOSHeartbeat,"['/System/Library/PrivateFrameworks/AOSKit.framework/Helpers/AOSHeartbeat.app/Contents/MacOS/AOSHeartbeat']",faf13fe146196ca8c5bfc1fda86833950193cedc6d74338b4b12a3e08fca8567,True,"" -/System/Library/LaunchAgents/com.apple.AOSPushRelay.plist,com.apple.AOSPushRelay,"['/System/Library/PrivateFrameworks/AOSKit.framework/Helpers/AOSPushRelay.app/Contents/MacOS/AOSPushRelay']",c1f9881455a5eaad3ae8623278f4829b89026007b45bebd6d53cec5af6f1473c,False,"" -/System/Library/LaunchAgents/com.apple.AppleGraphicsWarning.plist,com.apple.AppleGraphicsWarning,"['/System/Library/CoreServices/AppleGraphicsWarning.app/Contents/MacOS/AppleGraphicsWarning']",ef2de95fe4cc10abc5d2dfc2063c5fd956eb715baac666ea9c3356969c544b81,False,"" -/System/Library/LaunchAgents/com.apple.appleseed.seedusaged.plist,com.apple.appleseed.seedusaged,"['/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged']",755f1fa8e0881969bb8c608f6e1e70050310ed7e8d1dac9822758cc548e222b7,True,"" -/System/Library/LaunchAgents/com.apple.appsleepd.plist,com.apple.appsleep,"['/usr/sbin/appsleepd']",7a8881516b13282b9c68bdb3512e73e99966b87fac7e33acea4c16bb79528139,False,"" -/System/Library/LaunchAgents/com.apple.appstoreupdateagent.plist,com.apple.appstoreupdateagent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/appstoreupdateagent']",6701c79a64135d892c5566f5ae524d4f84ecd32330fd10716869d22eae35f68e,False,"" -/System/Library/LaunchAgents/com.apple.apsctl.plist,com.apple.apsctl,"['/System/Library/PrivateFrameworks/ApplePushService.framework/apsctl', 'login']",53f5c06bbd0a5635e67cde62d5434b04cbd982118457777913d9e95e287bcd56,True,"" 
-/System/Library/LaunchAgents/com.apple.askpermissiond.plist,com.apple.askpermissiond,"['/System/Library/PrivateFrameworks/AskPermission.framework/Versions/A/Resources/askpermissiond']",18c33b96cb47fdacfc061f6bbe09ceeb7e67f4f3aa95adddc343fae45728c9b7,True,"" -/System/Library/LaunchAgents/com.apple.AskPermissionUI.plist,com.apple.AskPermissionUI,"['/System/Library/PrivateFrameworks/AskPermission.framework/Versions/A/Resources/AskPermissionUI.app/Contents/MacOS/AskPermissionUI']",e849dd60b5ef11b15b7f44641b4925ae8b8dd46e67e73308bdc1c2d28dbaed6e,False,"" -/System/Library/LaunchAgents/com.apple.AssetCacheLocatorService.plist,com.apple.AssetCacheLocatorService,"['/System/Library/PrivateFrameworks/AssetCacheServices.framework/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService', '-a']",8f62c38c566430ad038db3173c9589455f55c04bb38353a1df24a04fac455b64,False,"" -/System/Library/LaunchAgents/com.apple.assistant_service.plist,com.apple.assistant_service,"['/System/Library/PrivateFrameworks/AssistantServices.framework/assistant_service']",c1aa2eaee052a4bb3c58f11d597d16c838f6222f95c12038c680a8c7c0ae8899,False,"" -/System/Library/LaunchAgents/com.apple.assistantd.plist,com.apple.assistantd,"['/System/Library/PrivateFrameworks/AssistantServices.framework/assistantd']",e8bc2ff6fdb4039d9eccc8a997a7c1bd734db014131d693ef08cc12fe72e6479,True,"" -/System/Library/LaunchAgents/com.apple.AssistiveControl.plist,com.apple.AssistiveControl,"['/System/Library/Input Methods/Switch Control.app/Contents/MacOS/Switch Control', 'launchd', '-s']",4395099fc887b2e8911b94d0bddc3b8969f0e525cddac0abc2a449868450a14a,False,"" -/System/Library/LaunchAgents/com.apple.avconferenced.plist,com.apple.videoconference.camera,"['/usr/libexec/avconferenced']",53eeb82c8624ce67b10ffea0aa8384e91793cabe2fead79ed12d84e8b39887b2,False,"None" 
-/System/Library/LaunchAgents/com.apple.bird.plist,com.apple.bird,"['/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird']",4d33a58f6397f3f3f3889e95b0649396ed1614ac53577db79077e3220ea0939c,False,"Documents in the Cloud feature daemon" -/System/Library/LaunchAgents/com.apple.bluetooth.PacketLogger.plist,com.apple.bluetooth.PacketLogger,"['/AppleInternal/DevTools/Hardware/PacketLogger.app/Contents/MacOS/PacketLogger']",UNKNOWN,False,"None" -/System/Library/LaunchAgents/com.apple.bluetoothUIServer.plist,com.apple.bluetoothUIServer,"['/System/Library/CoreServices/BluetoothUIServer.app/Contents/MacOS/BluetoothUIServer']",e31363577df4f470bc1532c30b7ea17c4b67e40df60fda66ebec54ae018ad213,False,"" -/System/Library/LaunchAgents/com.apple.btsa.plist,com.apple.btsa,"['/System/Library/CoreServices/Bluetooth Setup Assistant.app/Contents/MacOS/Bluetooth Setup Assistant', '-autoConfigure']",cb9c0cbe0c6f5bae7223971a3938331a04a164a76823efe2630784aedba630ab,False,"" -/System/Library/LaunchAgents/com.apple.cache_delete.plist,com.apple.cache_delete,"['/System/Library/PrivateFrameworks/CacheDelete.framework/deleted']",e68e08c6b61cf64bc680838c8fd1b61069c9094ee3db5cd823ca6d86e1d9aa0e,False,"" -/System/Library/LaunchAgents/com.apple.CalendarAgent.plist,com.apple.CalendarAgent,"['/System/Library/PrivateFrameworks/CalendarAgent.framework/Executables/CalendarAgent']",c11f8f4bb16abb037ba583f3906d546b51a50e99308f98738d678c7777c2c453,True,"" -/System/Library/LaunchAgents/com.apple.CallHistoryPluginHelper.plist,com.apple.CallHistoryPluginHelper,"['/System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistoryPluginHelper']",88e4764351d565564b31ee514432a7b76f9ee588ccfbdd5859124b756779be35,False,"" 
-/System/Library/LaunchAgents/com.apple.CallHistorySyncHelper.plist,com.apple.CallHistorySyncHelper,"['/System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper']",1cefe1ee73c7ec3ce784e63785e2cdbdd10594c0e46411b638ddfba40bf0fe19,False,"" -/System/Library/LaunchAgents/com.apple.cdpd.plist,com.apple.cdpd,"['/System/Library/PrivateFrameworks/CoreCDP.framework/Versions/A/Resources/cdpd']",1a0e7cd5404edfc7d33771236078d9beaf556e30535f4f4eed653391891fa5cb,False,"" -/System/Library/LaunchAgents/com.apple.cfnetwork.AuthBrokerAgent.plist,com.apple.cfnetwork.AuthBrokerAgent,"['/System/Library/CoreServices/AuthBrokerAgent']",b61480e9a2c71af4bc953219c4bb9eb54ab8f3b4058369176f9cd96df16fcffc,False,"" -/System/Library/LaunchAgents/com.apple.cfnetwork.cfnetworkagent.plist,com.apple.cfnetwork.cfnetworkagent,"['/System/Library/CoreServices/CFNetworkAgent']",cb7f79261bc24bf73f2168c9b5f56a4bca82865307ebd46fede207a1a89e982f,False,"" -/System/Library/LaunchAgents/com.apple.cfprefsd.xpc.agent.plist,com.apple.cfprefsd.xpc.agent,"['/usr/sbin/cfprefsd', 'agent']",2147b55037302f85455852f6fb8b868dbf647ed70042442543329bcceef80bf6,False,"" -/System/Library/LaunchAgents/com.apple.cloudd.plist,com.apple.cloudd,"['/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd']",8e2949d3f97993946f97ded10606a3dab58bdf3f949d05783f2a592313f268d6,False,"" -/System/Library/LaunchAgents/com.apple.cloudfamilyrestrictionsd-mac.plist,com.apple.cloudfamilyrestrictionsd,"['/System/Library/PrivateFrameworks/CloudFamilyRestrictions.framework/cloudfamilyrestrictionsd']",389ff1641251a8df83310b7b48c75063520f5b78afb5f57b06a20160a4d2ef31,False,"" -/System/Library/LaunchAgents/com.apple.cloudpaird.plist,com.apple.cloudpaird,"['/System/Library/CoreServices/cloudpaird']",1fd2ee037ce1b3986ce69f43845bee0560145a01badc9e8d1a300d308231fc19,False,"" 
-/System/Library/LaunchAgents/com.apple.cloudphotosd.plist,com.apple.cloudphotosd,"['/System/Library/CoreServices/cloudphotosd.app/Contents/MacOS/cloudphotosd']",5a187393ddb8a9fac8ec5baa6298c3c0d0c779f34c5e016b91a17964cb684b48,False,"" -/System/Library/LaunchAgents/com.apple.cmfsyncagent.plist,com.apple.cmfsyncagent,"['/System/Library/PrivateFrameworks/CommunicationsFilter.framework/CMFSyncAgent.app/Contents/MacOS/CMFSyncAgent']",e1aaa7e9216b9026e9b501802a695fdf114eba7f6239157bce03b2c4d404af6a,False,"" -/System/Library/LaunchAgents/com.apple.CommCenter-osx.plist,com.apple.CommCenter,"['/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter', '-L']",2a26424c37aa46637bca71c365286ef2b804e1802be0c7519ca4e2e21b621e29,False,"" -/System/Library/LaunchAgents/com.apple.ContactsAgent.plist,com.apple.ContactsAgent,"['/System/Library/PrivateFrameworks/ContactsAgent.framework/Executables/ContactsAgent']",c76d8289c9dbc955f38fe02ac08d44fd3ae84e90bf34ec58a88eeec6b4d52ec8,False,"None" -/System/Library/LaunchAgents/com.apple.ContainerRepairAgent.plist,com.apple.ContainerRepairAgent,"['/usr/libexec/AppSandbox/ContainerRepairAgent']",d5e4f1e5d7e3c0052855c16a88634c250518218403774b311a0c2c2da9f9b87c,False,"" -/System/Library/LaunchAgents/com.apple.CoreAuthentication.agent.plist,com.apple.CoreAuthentication.agent,"['/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd']",c13632f348f86aae9b529a6323c7ff9447eeac75cc1c1afa5050d1dab46ef513,False,"None" -/System/Library/LaunchAgents/com.apple.CoreLocationAgent.plist,com.apple.CoreLocationAgent,"['/System/Library/CoreServices/CoreLocationAgent.app/Contents/MacOS/CoreLocationAgent']",ed89bfecc5aaf5e0b6748ebe26021196ff5512cf87303415c826e93894581e7c,False,"" -/System/Library/LaunchAgents/com.apple.CoreRAIDAgent.plist,com.apple.CoreRAIDAgent,"['/System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDAgent']",16b3b050a8484b1e5bec38a82ba37d511204ced10c1f7fa37bad0ed495a134e4,False,"" 
-/System/Library/LaunchAgents/com.apple.coreservices.appleid.authentication.plist,com.apple.coreservices.appleid.authentication,"['/System/Library/CoreServices/AppleIDAuthAgent']",d5e0eb2737df528d163166798900fbe8e69582e536aeb5202af0269e23d2eb7d,True,"" -/System/Library/LaunchAgents/com.apple.coreservices.lsactivity.plist,com.apple.coreservices.useractivityd,"['/System/Library/PrivateFrameworks/UserActivity.framework/Agents/useractivityd']",6b8139c0a2bedd0c068d5b38427f24c1aa5e3eaacb3ef9f4484310db1a03fd19,False,"" -/System/Library/LaunchAgents/com.apple.coreservices.sharedfilelistd.plist,com.apple.coreservices.sharedfilelistd,"['/System/Library/CoreServices/sharedfilelistd']",ce3f524e7ecde28bef9cc879ee1526ac3a661cc5e43f4c79fba2718153a9fd0f,False,"" -/System/Library/LaunchAgents/com.apple.coreservices.UASharedPasteboardProgressUI.plist,com.apple.coreservices.UASharedPasteboardProgressUI,"['/System/Library/PrivateFrameworks/UserActivity.framework/Agents/UASharedPasteboardProgressUI.app/Contents/MacOS/UASharedPasteboardProgressUI']",f3159e797bbfca2e59e520ae0a51c050663844371bfe38bfaf35246843f25be9,False,"None" -/System/Library/LaunchAgents/com.apple.coreservices.uiagent.plist,com.apple.coreservices.uiagent,"['/System/Library/CoreServices/CoreServicesUIAgent.app/Contents/MacOS/CoreServicesUIAgent']",4e17e0e71f2a74d22d6250c9f142a06d8397277de64e62bee8424a2c99025e49,False,"" -/System/Library/LaunchAgents/com.apple.CryptoTokenKit.ahp.agent.plist,com.apple.CryptoTokenKit.ahp.agent,"['/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp']",3e14730f8e5efc414616a87e0f357506bcd1eea6d0dc6121970858a17fff9e75,False,"None" -/System/Library/LaunchAgents/com.apple.csuseragent.plist,com.apple.csuseragent,"['/System/Library/CoreServices/CSUserAgent']",0d73d0b5f5760a8f4e60902fa08440c4aa316cc7138a545526807343dc12f25e,False,"" 
-/System/Library/LaunchAgents/com.apple.ctkbind.plist,com.apple.ctkbind,"['/System/Library/Frameworks/CryptoTokenKit.framework/ctkbind.bundle/Contents/MacOS/ctkbind']",2856c154b71b062c66a130c2712e362a62078c67002f25d214bc3f291b4f9b25,False,"None" -/System/Library/LaunchAgents/com.apple.ctkd.plist,com.apple.ctkd,"['/System/Library/Frameworks/CryptoTokenKit.framework/ctkd', '-tw']",caa6ffa56e93a88e0ca2b6e965850b0a11e63650ac9ec3998d7f6e6cc06a8c94,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3425AMD_i386.plist,com.apple.cvmsCompAgent3425AMD_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3425AMD/CVMCompiler', '6']",afe570534a05cea7f7731cf743ba2cde873540709470c82ff5d22433c111cd29,False,"None" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3425AMD_i386_1.plist,com.apple.cvmsCompAgent3425AMD_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3425AMD/CVMCompiler', '7']",afe570534a05cea7f7731cf743ba2cde873540709470c82ff5d22433c111cd29,False,"None" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3425AMD_x86_64.plist,com.apple.cvmsCompAgent3425AMD_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3425AMD/CVMCompiler', '6']",afe570534a05cea7f7731cf743ba2cde873540709470c82ff5d22433c111cd29,False,"None" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3425AMD_x86_64_1.plist,com.apple.cvmsCompAgent3425AMD_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3425AMD/CVMCompiler', '7']",afe570534a05cea7f7731cf743ba2cde873540709470c82ff5d22433c111cd29,False,"None" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3600_i386.plist,com.apple.cvmsCompAgent3600_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3600/CVMCompiler', '4']",9510008596fd25a0a4677c5daf0b3e132a6ef3a3d28833065650e8c30a0854b8,False,"" 
-/System/Library/LaunchAgents/com.apple.cvmsCompAgent3600_i386_1.plist,com.apple.cvmsCompAgent3600_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3600/CVMCompiler', '5']",9510008596fd25a0a4677c5daf0b3e132a6ef3a3d28833065650e8c30a0854b8,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3600_x86_64.plist,com.apple.cvmsCompAgent3600_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3600/CVMCompiler', '4']",9510008596fd25a0a4677c5daf0b3e132a6ef3a3d28833065650e8c30a0854b8,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent3600_x86_64_1.plist,com.apple.cvmsCompAgent3600_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/3600/CVMCompiler', '5']",9510008596fd25a0a4677c5daf0b3e132a6ef3a3d28833065650e8c30a0854b8,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_i386.plist,com.apple.cvmsCompAgent_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '2']",a54ad831d2801cfb1a5c0d4436b5dc1c0d83c01b5f99f8e0b3779ed93bb6faed,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_i386_1.plist,com.apple.cvmsCompAgent_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '3']",a54ad831d2801cfb1a5c0d4436b5dc1c0d83c01b5f99f8e0b3779ed93bb6faed,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_x86_64.plist,com.apple.cvmsCompAgent_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '2']",a54ad831d2801cfb1a5c0d4436b5dc1c0d83c01b5f99f8e0b3779ed93bb6faed,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgent_x86_64_1.plist,com.apple.cvmsCompAgent_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMCompiler', '3']",a54ad831d2801cfb1a5c0d4436b5dc1c0d83c01b5f99f8e0b3779ed93bb6faed,False,"" 
-/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_i386.plist,com.apple.cvmsCompAgentLegacy_i386,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler']",8c54e6a7842132c1a94f91650248d4cf37dd98c0b00aa241b928630cd25b1cad,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_i386_1.plist,com.apple.cvmsCompAgentLegacy_i386_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler', '1']",8c54e6a7842132c1a94f91650248d4cf37dd98c0b00aa241b928630cd25b1cad,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_x86_64.plist,com.apple.cvmsCompAgentLegacy_x86_64,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler']",8c54e6a7842132c1a94f91650248d4cf37dd98c0b00aa241b928630cd25b1cad,False,"" -/System/Library/LaunchAgents/com.apple.cvmsCompAgentLegacy_x86_64_1.plist,com.apple.cvmsCompAgentLegacy_x86_64_1,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/Legacy/CVMCompiler', '1']",8c54e6a7842132c1a94f91650248d4cf37dd98c0b00aa241b928630cd25b1cad,False,"" -/System/Library/LaunchAgents/com.apple.DataDetectorsLocalSources.plist,com.apple.DataDetectorsLocalSources,"['/usr/libexec/DataDetectorsLocalSources']",d333efcb47a54f55233c007918a4f2bf58cdc87bdd642991bf6b936b59194b74,False,"None" -/System/Library/LaunchAgents/com.apple.DiagnosticReportCleanup.plist,com.apple.DiagnosticReportCleanup.plist,"['/System/Library/CoreServices/SubmitDiagInfo', 'cleanup']",13a6f26878b72e9d3f83181dd793c843d46d314e1a8dabe0d9acfdf2d2e3fa2a,False,"" -/System/Library/LaunchAgents/com.apple.diagnostics_agent.plist,com.apple.diagnostics_agent,"['/System/Library/CoreServices/diagnostics_agent']",7707231098f667a704f6ed219326a636efb7d5efc53a82a4afeeb1c556a5be10,True,"" -/System/Library/LaunchAgents/com.apple.DictationIM.plist,com.apple.DictationIM,"['/System/Library/Input 
Methods/DictationIM.app/Contents/MacOS/DictationIM']",c55c94bfbdc457dcfe8c7eb150f6d73f14f95af7779fb8de42ca0b84bfbf26ee,False,"" -/System/Library/LaunchAgents/com.apple.DiskArbitrationAgent.plist,com.apple.DiskArbitrationAgent,"['/System/Library/Frameworks/DiskArbitration.framework/Versions/A/Support/DiskArbitrationAgent']",ecf863dd4d98dde988fa706278da439d364a0a96e3633d7c1359e689eb6f9729,False,"" -/System/Library/LaunchAgents/com.apple.diskspaced.plist,com.apple.diskspaced,"['/System/Library/PrivateFrameworks/StorageManagement.framework/Resources/diskspaced']",2afcf5a4936d612b286b11e5c4e5ef4cd69483125167d450675fb72b0223fd50,False,"None" -/System/Library/LaunchAgents/com.apple.distnoted.xpc.agent.plist,com.apple.distnoted.xpc.agent,"['/usr/sbin/distnoted', 'agent']",1972b5cf085b63fd15d157db20f0393152ab7a0881ffe58295321115ca43f3db,False,"" -/System/Library/LaunchAgents/com.apple.Dock.plist,com.apple.Dock.agent,"['/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock']",4220c18d4c126ef7a9dead14717d342c3c8a274b40ad672cd0c4ca8aeeb10c53,False,"" -/System/Library/LaunchAgents/com.apple.dt.CommandLineTools.installondemand.plist,com.apple.dt.CommandLineTools.installondemand,"['/System/Library/CoreServices/Install Command Line Developer Tools.app/Contents/MacOS/Install Command Line Developer Tools']",d7456a74bc8fdcf3bdc8caada1c2605eb6fe2e3c3c7335a8c2257c174632aac3,False,"" -/System/Library/LaunchAgents/com.apple.DwellControl.plist,com.apple.DwellControl,"['/System/Library/CoreServices/Dwell Control.app/Contents/MacOS/Dwell Control', 'launchd', '-s']",2ab5d3cc1b9707f1dfe4265b4d62653862c5a0e27c6b7f5f0eb0fcf1884e05c1,False,"None" -/System/Library/LaunchAgents/com.apple.EscrowSecurityAlert.plist,com.apple.EscrowSecurityAlert,"['/System/Library/CoreServices/EscrowSecurityAlert.app/Contents/MacOS/EscrowSecurityAlert']",bec0717853bf672110e48822526b1c3bcd53f1d2b28047400d8597788ddfd60a,False,"" 
-/System/Library/LaunchAgents/com.apple.familycircled.plist,com.apple.familycircled,"['/System/Library/PrivateFrameworks/FamilyCircle.framework/Versions/A/Resources/familycircled']",02d44e1f1937a21a1470c73cbb0987ca1b620e8f08835d4e8808a3f6163b1f88,False,"" -/System/Library/LaunchAgents/com.apple.familycontrols.useragent.plist,com.apple.familycontrols.useragent,"['/System/Library/PrivateFrameworks/FamilyControls.framework/Resources/ParentalControls.app/Contents/MacOS/ParentalControls']",b77bd38efb02d886f08009e0209de1b91da8de28030e7961c410cc6dcde761cc,False,"" -/System/Library/LaunchAgents/com.apple.familynotificationd.plist,com.apple.familynotificationd,"['/System/Library/PrivateFrameworks/FamilyNotification.framework/Versions/A/Resources/Family.app/Contents/MacOS/Family']",1b9ee813fdd992b87c72db63e606feb435bee6e2416d90e39a76cdc1810900bb,False,"" -/System/Library/LaunchAgents/com.apple.FileStatsAgent.plist,com.apple.FileStatsAgent,"['/usr/sbin/FileStatsAgent']",8067bcd81f529076bf89a17a28d155f825e557bdcbe25b3f0156b55f7aaaa1f8,False,"" -/System/Library/LaunchAgents/com.apple.FilesystemUI.plist,com.apple.FilesystemUI,"['/System/Library/CoreServices/KernelEventAgent.bundle/Contents/Resources/FileSystemUIAgent.app/Contents/MacOS/FileSystemUIAgent']",5a6a09f9e305f46166ec32650af332bab94f464c26a17f3f62bdb214e3ad42fc,False,"" -/System/Library/LaunchAgents/com.apple.Finder.plist,com.apple.Finder,"['/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder']",f745fcbd1716416dd7cce2f4ec3c43a6176cc2d7d61136a0a1f595e39c16f0fe,False,"Finder" -/System/Library/LaunchAgents/com.apple.findmymacmessenger.plist,com.apple.findmymacmessenger,"['/System/Library/PrivateFrameworks/FindMyMac.framework/Resources/FindMyMacMessenger.app/Contents/MacOS/FindMyMacMessenger']",0a23396d2c23805801779a8a98d030d0d7dd9c030a81ea0943e47caa9fbe2b95,False,"iCloud Find My Mac feature daemon" 
-/System/Library/LaunchAgents/com.apple.FirmwareUpdateHelper.plist,com.apple.FirmwareUpdateHelper,"['/System/Library/CoreServices/FirmwareUpdateHelper.app/Contents/MacOS/FirmwareUpdateHelper']",7bc6439e8cdefd269f31ff8dd7a8b6db22c6f02b12ae4aea92a999d45c8adb87,False,"None" -/System/Library/LaunchAgents/com.apple.FolderActionsDispatcher.plist,com.apple.FolderActionsDispatcher,"['/System/Library/CoreServices/FolderActionsDispatcher.app/Contents/MacOS/FolderActionsDispatcher']",7c7f8995e12b1b62a3419320192c86c6c264e7bca0470db47715c834941b556f,True,"" -/System/Library/LaunchAgents/com.apple.followupd.plist,com.apple.followupd,"['/System/Library/PrivateFrameworks/CoreFollowUp.framework/Versions/A/Support/followupd']",a29a2a37be2d40d07045b2b95a9dd6539bc8b36606972662456b90c54bdf0639,False,"" -/System/Library/LaunchAgents/com.apple.FollowUpUI.plist,com.apple.FollowUpUI,"['/System/Library/PrivateFrameworks/CoreFollowUp.framework/Versions/A/Resources/FollowUpUI.app/Contents/MacOS/FollowUpUI']",eec4b3dcf0edf421e28ac118b738ce4144afd001db210382dcc6ff965fb70f9b,False,"" -/System/Library/LaunchAgents/com.apple.fontd.useragent.plist,com.apple.fontd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd']",1a2f22229a71b23e9d0f99bd0657fa3a0bf2ef6356b954503c34b3267fbcd58c,False,"" -/System/Library/LaunchAgents/com.apple.FontRegistryUIAgent.plist,com.apple.FontRegistryUIAgent,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/FontRegistryUIAgent.app/Contents/MacOS/FontRegistryUIAgent']",61662d406567021d0532e1594f4fd4b8f71d8d26247652b5040ff8ae601aaffd,False,"" -/System/Library/LaunchAgents/com.apple.FontValidator.plist,com.apple.ATS.FontValidator,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/FontValidator']",bf055eec4cc9ceced4dcf2f279bf16f2395b77b4bceeac4205a27c2c7df6b99c,False,"" 
-/System/Library/LaunchAgents/com.apple.FontValidatorConduit.plist,com.apple.ATS.FontValidatorConduit,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/FontValidatorConduit']",c9e4623bf0518a57535f408473d3184cfcd506b702e9e3e3d989c2dfe7398dec,False,"" -/System/Library/LaunchAgents/com.apple.FontWorker.plist,com.apple.FontWorker,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontworker']",824f81a46ba59bd26765aadf0776a95165356ff8fcd752a1b697a4f171de3fd6,False,"" -/System/Library/LaunchAgents/com.apple.gamed.plist,com.apple.gamed,"['/System/Library/PrivateFrameworks/GameCenterFoundation.framework/Versions/A/gamed']",39a9d0a1fd873a86cdac6fd1a87cdf6cd6e64f67bb7163065445b8627dbe5928,False,"" -/System/Library/LaunchAgents/com.apple.geodMachServiceBridge.plist,com.apple.geodMachServiceBridge,"['/System/Library/PrivateFrameworks/GeoServices.framework/geodMachServiceBridge']",b475228de74129bbf6b8ae39dcc26015db00792fc23e21cf22b0192063cf6f79,False,"None" -/System/Library/LaunchAgents/com.apple.helpd.plist,com.apple.helpd,"['/System/Library/PrivateFrameworks/HelpData.framework/Versions/A/Resources/helpd']",2c08d20ba1351c9be7ce69e974fc15b300d956625d1929751a0c8ec065a72808,False,"" -/System/Library/LaunchAgents/com.apple.icdd.plist,com.apple.icdd,"['/System/Library/Image Capture/Support/icdd']",0396cb6d6f9554cea46a59526b0fc2f4a3b8d7f43496fd90853a27edf741598d,True,"" -/System/Library/LaunchAgents/com.apple.icloud.findmydeviced.findmydevice-user-agent.plist,com.apple.icloud.findmydeviced.findmydevice-user-agent,"['/usr/libexec/findmydevice-user-agent']",77ea051ee66dc9020e8483f8510c9de169f8eb79540ca8215de66baa318d668e,False,"" -/System/Library/LaunchAgents/com.apple.icloud.fmfd.plist,com.apple.icloud.fmfd,"['/usr/libexec/fmfd']",28a07b96d620b066069dc4af2491de205a83d42f7f3f7fe3d03e257da9a5edd0,False,"" 
-/System/Library/LaunchAgents/com.apple.iCloudUserNotifications.plist,com.apple.iCloudUserNotificationsd,"['/System/Library/PrivateFrameworks/AOSAccounts.framework/Versions/A/Resources/iCloudUserNotificationsd.app/Contents/MacOS/iCloudUserNotificationsd']",0bd8e7253091aaed773f1ac2f46a9962932ad6a3aa12ba89346e4a22cd1ac144,False,"" -/System/Library/LaunchAgents/com.apple.iconservices.iconservicesagent.plist,com.apple.iconservices.iconservicesagent,"['/System/Library/CoreServices/iconservicesagent']",6d4fa344e7c5789db51abf041e79fb085589ee12031cede5458e2d70d3c4ee15,True,"" -/System/Library/LaunchAgents/com.apple.identityservicesd.plist,com.apple.identityservicesd,"['/System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd']",2c28689affe1a5f9f2d3de2edc411db9e85e7efc824770e90d82f44862794f46,False,"" -/System/Library/LaunchAgents/com.apple.idsremoteurlconnectionagent.plist,com.apple.idsfoundation.IDSRemoteURLConnectionAgent,"['/System/Library/PrivateFrameworks/IDSFoundation.framework/IDSRemoteURLConnectionAgent.app/Contents/MacOS/IDSRemoteURLConnectionAgent']",be77e55bff587e9462888dc0c96b53d03aba2610ff642675ec662e57ae8a2db3,False,"" -/System/Library/LaunchAgents/com.apple.imagent.plist,com.apple.imagent,"['/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent']",1ab7b38f974e1f13484118e1cf0b36de82ddd4f590a287c4f57d71a28af895a7,False,"" -/System/Library/LaunchAgents/com.apple.imavagent.plist,com.apple.imavagent,"['/System/Library/PrivateFrameworks/IMAVCore.framework/imavagent.app/Contents/MacOS/imavagent']",2742b876530f2f1150bd28ed4fe2d0b8e731543d34925b2dd2a0cb7be0e5f201,False,"" -/System/Library/LaunchAgents/com.apple.imklaunchagent.plist,com.apple.imklaunchagent,"['/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent']",9079c3557be6a30b669b5658b41ac124229f52883942aea77f26485760d765ac,False,"" 
-/System/Library/LaunchAgents/com.apple.IMLoggingAgent.plist,com.apple.IMLoggingAgent,"['/System/Library/PrivateFrameworks/IMFoundation.framework/IMLoggingAgent']",23e53d87d5eda772f81d6f3e31f0d7bab1c582611e2b30d8e29e42fcda58ba4b,False,"" -/System/Library/LaunchAgents/com.apple.imtransferagent.plist,com.apple.imcore.imtransferagent,"['/System/Library/PrivateFrameworks/IMTransferServices.framework/IMTransferAgent.app/Contents/MacOS/IMTransferAgent']",b8641b4abd530080c204ecf06fd78cc8f890cdd0e9a320a910d9b76852b3f745,False,"" -/System/Library/LaunchAgents/com.apple.installandsetup.migrationhelper.user.plist,com.apple.installandsetup.migrationhelper.user,"['/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/migrationhelper']",8091f3e7ef3c79f5087ce9f8c92e44b252b069d0f7d1a71f3c6210f8f1a6b67e,False,"" -/System/Library/LaunchAgents/com.apple.installd.user.plist,com.apple.installd.user,"['/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd']",828d83797f7a6aacad52d10ec546941ccbc649f315dc85271c536a830db4d38c,False,"" -/System/Library/LaunchAgents/com.apple.InstallerProgress.la.plist,com.apple.InstallerProgress,"['/System/Library/CoreServices/Installer Progress.app/Contents/MacOS/Installer Progress', '--showProgress']",c5827808788413706ab7dd0414d987f382d6d444005ae0019c5f1337dfb0541b,False,"None" -/System/Library/LaunchAgents/com.apple.isst.plist,com.apple.isst,"['/System/Library/CoreServices/Menu Extras/TextInput.menu/Contents/SharedSupport/isst']",663cf768f3c10215d8a1c1e604255fbbab9dd5731baa419a7999d92a694c46c9,True,"" -/System/Library/LaunchAgents/com.apple.java.InstallOnDemand.plist,com.apple.java.InstallOnDemand,"['/System/Library/Java/Support/CoreDeploy.bundle/Contents/Download Java Components.app/Contents/MacOS/Download Java Components']",c6005142d2bd421ac396b678d304dfc045463b33a7dd371eb0ba7645d25fcd2f,False,"" 
-/System/Library/LaunchAgents/com.apple.java.updateSharing.plist,com.apple.java.updateSharing,"['/System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/bin/updateSharingD']",c5f204730b3ec07cfecfd37d791ba787dd87f3e9f70284b1794d978414cc67c3,False,"" -/System/Library/LaunchAgents/com.apple.keyboardservicesd.plist,com.apple.keyboardservicesd,"['/usr/libexec/keyboardservicesd']",19f07a4fc21f10ef10edd6230003768e02050056b5981bf0ac359fe631ace5f6,False,"None" -/System/Library/LaunchAgents/com.apple.languageassetd.plist,com.apple.languageassetd,"['/usr/libexec/languageassetd']",e070bae9f6dba590cb69aa6ae8eb400da35f1f162b806f72bc5d080b22f9637c,False,"None" -/System/Library/LaunchAgents/com.apple.lateragent.plist,com.apple.lateragent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Resources/LaterAgent.app/Contents/MacOS/LaterAgent']",9ee04b86402978382f0a353e81dad5bbddb2ec5ce06ec69a8dd9b0a7bb17e66f,False,"" -/System/Library/LaunchAgents/com.apple.locationmenu.plist,com.apple.locationmenu,"['/System/Library/CoreServices/LocationMenu.app/Contents/MacOS/LocationMenu']",4caa32001180f54abeeb4c2f955816c68260f7fe88943f9d45febfce12be8782,False,"" -/System/Library/LaunchAgents/com.apple.loginwindow.LWWeeklyMessageTracer.plist,com.apple.loginwindow.LWWeeklyMessageTracer,"['/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer']",be3a1293a200ed0dc5684e1fa3f8929229f5422362c113e459a18d6602594ef8,False,"None" -/System/Library/LaunchAgents/com.apple.lsd.plist,com.apple.lsd,"['/usr/libexec/lsd']",471ac181fab5fbeab8a4b27fe98258730da618bf585a892e5c2f6fc8c7cf3af5,False,"" -/System/Library/LaunchAgents/com.apple.ManagedClientAgent.agent.plist,com.apple.ManagedClientAgent.agent,"['/System/Library/CoreServices/ManagedClient.app/Contents/Resources/ManagedClientAgent', '-a']",9b1ac63533155c72899f5da9123420709efe4abcfc3f4d59a7fe94e01d318b80,False,"" 
-/System/Library/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist,com.apple.ManagedClientAgent.enrollagent,"['/System/Library/CoreServices/ManagedClient.app/Contents/Resources/ManagedClientAgent', '-j']",9b1ac63533155c72899f5da9123420709efe4abcfc3f4d59a7fe94e01d318b80,False,"" -/System/Library/LaunchAgents/com.apple.Maps.pushdaemon.plist,com.apple.Maps.mapspushd,"['/System/Library/CoreServices/mapspushd']",fe4f02c1d4eed96c7ad1b198bb9793b32ed02fff9e7184330003501bfd45a3dc,False,"" -/System/Library/LaunchAgents/com.apple.maspushagent.plist,com.apple.maspushagent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/maspushagent']",aa8eb4099b577626eb20518ebc2c0e703bd8a79d6ead4b075db6f751856ecf0c,False,"" -/System/Library/LaunchAgents/com.apple.mbbackgrounduseragent.plist,com.apple.mbbackgrounduseragent,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbbackgrounduseragent']",24016f2c65a75ba18fc1ccdae6025d66baef8f9d34f79cd03281e4fe029efa68,False,"" -/System/Library/LaunchAgents/com.apple.mbfloagent.plist,com.apple.mbfloagent,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbfloagent']",40905f98caf8a207fd16e3f66ad338c3bc58b52ea42a2da94e69032f72bb2b4d,False,"" -/System/Library/LaunchAgents/com.apple.mbuseragent.plist,com.apple.mbuseragent,"['/System/Library/CoreServices/Setup Assistant.app/Contents/Resources/mbuseragent']",b2849c894d4eec2a2d8abc8490c5fbb48bf60637e264de4234c5f52a0b0c8acb,False,"" -/System/Library/LaunchAgents/com.apple.mdmclient.agent.plist,com.apple.mdmclient.agent,"['/usr/libexec/mdmclient', 'agent']",eecee657f6678b5bbbada7b0cda002fb5341385ee51fa4e3b0fa6e6d1dca771e,False,"" -/System/Library/LaunchAgents/com.apple.mdworker.32bit.plist,com.apple.mdworker.32bit,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker32', '-s', 'mdworker-lsb', '-c', 'MDSImporterWorker', '-m', 
'com.apple.mdworker.32bit']",b7d2a2e46b89fcbf1825294aba34c3bf6f13490a8ca41e90f0678fa702a431ad,False,"" -/System/Library/LaunchAgents/com.apple.mdworker.bundles.plist,com.apple.mdworker.bundles,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-bundle', '-c', 'MDSImporterBundleFinder', '-m', 'com.apple.mdworker.bundles']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" -/System/Library/LaunchAgents/com.apple.mdworker.isolation.plist,com.apple.mdworker.isolation,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.isolation']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" -/System/Library/LaunchAgents/com.apple.mdworker.lsb.plist,com.apple.mdworker.lsb,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-lsb', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.lsb']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" -/System/Library/LaunchAgents/com.apple.mdworker.mail.plist,com.apple.mdworker.mail,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-mail', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.mail']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" -/System/Library/LaunchAgents/com.apple.mdworker.shared.plist,com.apple.mdworker.shared,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.shared']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" 
-/System/Library/LaunchAgents/com.apple.mdworker.single.plist,com.apple.mdworker.single,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker', '-c', 'MDSImporterWorker', '-m', 'com.apple.mdworker.single']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" -/System/Library/LaunchAgents/com.apple.mdworker.sizing.plist,com.apple.mdworker.sizing,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker', '-s', 'mdworker-sizing', '-c', 'MDSSizingWorker', '-m', 'com.apple.mdworker.sizing']",019abfad5a68690d02a145719276e1e237f9e4ee9bd07dca41ee51058a1c572d,False,"" -/System/Library/LaunchAgents/com.apple.mediaanalysisd.plist,com.apple.mediaanalysisd,"['/System/Library/PrivateFrameworks/VideoProcessing.framework/Versions/A/mediaanalysisd']",5d03fdde9a65df8fcd9ab8a49b1c163902dfbca615071f4c3953136a48c0e884,False,"None" -/System/Library/LaunchAgents/com.apple.mediaremoteagent.plist,com.apple.mediaremoteagent,"['/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoteagent']",cd0d3e423b63e5e2e6a2bdbbbb0c4c888495dc1384dcd43c052ed0b327f6f9d1,False,"None" -/System/Library/LaunchAgents/com.apple.metadata.mdbulkimport.plist,com.apple.metadata.mdbulkimport,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdbulkimport', '-s', 'mdbulkimport']",b3cd78425db64e692c5792478fe05909e085e369344d8befcbf910869ac48308,False,"" -/System/Library/LaunchAgents/com.apple.metadata.mdflagwriter.plist,com.apple.metadata.mdflagwriter,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdflagwriter']",ca5d69eae092150061a52decbec20ae16568f9f13886bc1f60bf4b3f48de099d,False,"" 
-/System/Library/LaunchAgents/com.apple.metadata.mdwrite.plist,com.apple.metadata.mdwrite,"['/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdwrite']",1afac25b8dfda1afb206a930e7207516879c2123869acbec6f6faeaf0f6c1c67,False,"" -/System/Library/LaunchAgents/com.apple.midiserver.plist,com.apple.midiserver,"['/System/Library/Frameworks/CoreMIDI.framework/MIDIServer']",397d10e1998f61c5688bd803b08f47fd69bc2fc3ea5443cf86b6f674b1b85380,False,"" -/System/Library/LaunchAgents/com.apple.MRTa.plist,com.apple.MRTa,"['/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT', '-a']",0100350f46e5f61a4e66fb90cc1a49c0bb60ccb502a6c28b2b96136a1d3aa47e,True,"" -/System/Library/LaunchAgents/com.apple.navd.plist,com.apple.navd,"['/System/Library/CoreServices/navd']",3ea139466dd955b8cfcb949fcf7b1264a7c87a1a53c311ec2c94e66265f5e2ce,False,"" -/System/Library/LaunchAgents/com.apple.neagent.plist,com.apple.neagent,"['/usr/libexec/neagent']",a8d2776aaeaadd3d79f86f6275d4e3d20449d156a59ab584620dea35eddc7b54,False,"" -/System/Library/LaunchAgents/com.apple.netauth.user.auth.plist,com.apple.netauth.user.auth,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent']",eee74a6ea16f475de659b6a18ddf92e9a6b51f0fbf73bbcdc9b8a242b7e54a37,False,"" -/System/Library/LaunchAgents/com.apple.netauth.user.gui.plist,com.apple.netauth.user.gui,"['/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent']",74d2a6ab4247631a21eb33d14fb33f7bde7bee59db6c4f7203e1dc98f494efa5,False,"" -/System/Library/LaunchAgents/com.apple.NetworkDiagnostics.plist,com.apple.NetworkDiagnostics,"['/System/Library/CoreServices/Network Diagnostics.app/Contents/MacOS/Network Diagnostics']",4ac7acbfe00efa3586025c4bf7fb50f5e7877a8e580ac7c41a05a8e08cb01b4a,False,"" 
-/System/Library/LaunchAgents/com.apple.networkserviceproxy-osx.plist,com.apple.networkserviceproxy,"['/usr/libexec/networkserviceproxy']",87df0424485d8c6b3895547505d98e0c81a32a61fb211094c1bbcea88d682732,False,"None" -/System/Library/LaunchAgents/com.apple.noticeboard.agent.plist,com.apple.noticeboard.agent,"['/System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nbagent.app/Contents/MacOS/nbagent']",61fc66f29f61cd915de00e51a1d70d07d4ca3753f7c930f99754d135c078afb5,False,"" -/System/Library/LaunchAgents/com.apple.notificationcenterui.plist,com.apple.notificationcenterui.agent,"['/System/Library/CoreServices/NotificationCenter.app/Contents/MacOS/NotificationCenter']",619ef0397a9647dec06e43b308d6683c69fe0ca6c65f2bf59519947c13a7e502,False,"" -/System/Library/LaunchAgents/com.apple.nsurlsessiond.plist,com.apple.nsurlsessiond,"['/usr/libexec/nsurlsessiond']",e398a8b6495aad49af02a3a5200ecd649832b0b8dd255b400a1a37d13559a0d2,False,"" -/System/Library/LaunchAgents/com.apple.nsurlstoraged.plist,com.apple.nsurlstoraged,"['/usr/libexec/nsurlstoraged']",7b73d6259e96cdfb749d0b6c143b5333ad3d8fda7be151abd2698823e7b7b4c7,False,"" -/System/Library/LaunchAgents/com.apple.OSDUIHelper.plist,com.apple.OSDUIHelper,"['/System/Library/CoreServices/OSDUIHelper.app/Contents/MacOS/OSDUIHelper']",a13f13ab1db2aa4e3fb57b4fba449bb8bb4e2bdab963f28dd3d1e6d2ed1dcf00,False,"None" -/System/Library/LaunchAgents/com.apple.PackageKit.InstallStatus.plist,com.apple.PackageKit.InstallStatus,"['/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress']",4ee8dc5e6c5f461a156507f00121b1a504115edcd419785ef65fb893728c1e66,False,"" -/System/Library/LaunchAgents/com.apple.parentalcontrols.check.plist,com.apple.parentalcontrols.check,"['/System/Library/PrivateFrameworks/FamilyControls.framework/Resources/pcdCheck']",d1a265b5f0ed30e01386a91afec9f45e48c1e7cdb6720b935e0f6e1ea0bc49eb,True,"" 
-/System/Library/LaunchAgents/com.apple.parsecd.plist,com.apple.parsecd,"['/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd']",57de8f6284304175e75688eb2e8dcc88310394a9ce2c758295674dfb180d4ea6,False,"None" -/System/Library/LaunchAgents/com.apple.passd.plist,com.apple.passd,"['/System/Library/PrivateFrameworks/PassKitCore.framework/passd']",00962fe46cc8dc4edf8b7640ce9b318bb5d827b83466f5b2797caba63ea0753f,False,"None" -/System/Library/LaunchAgents/com.apple.pboard.plist,com.apple.pboard,"['/usr/libexec/pboard']",6a9073e6d77e050aa21aaff7c69f2679b15fe35fb15df499ba6f58ff9698d75b,False,"" -/System/Library/LaunchAgents/com.apple.pbs.plist,com.apple.pbs,"['/System/Library/CoreServices/pbs']",8fd9e9f801d1d70c733b050cc21530facc2212def185dbee569e4edc2b11b4c1,False,"Services menu daemon" -/System/Library/LaunchAgents/com.apple.PCIESlotCheck.plist,com.apple.PCIESlotCheck,"['/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIESlotCheck']",0cbdad8c23138cdfd19d14aa2b399ca1ce3d56b706ec388b07d55aa290fc1a90,True,"" -/System/Library/LaunchAgents/com.apple.personad.plist,com.apple.personad,"['/System/Library/PrivateFrameworks/PersonaKit.framework/Versions/A/Support/personad']",5a772e1a11f09b632b66b3b78d88800933104f041ba0b3992d877fa61256ea2e,False,"None" -/System/Library/LaunchAgents/com.apple.photoanalysisd.plist,com.apple.photoanalysisd,"['/System/Library/PrivateFrameworks/PhotoAnalysis.framework/Versions/A/Support/photoanalysisd']",28cb710e6a75d81e7ba893327fab78171dca534c520f6a59272ce46106f0078e,False,"None" -/System/Library/LaunchAgents/com.apple.photolibraryd.plist,com.apple.photolibraryd,"['/System/Library/PrivateFrameworks/PhotoLibraryPrivate.framework/Versions/A/Support/photolibraryd']",3a94f82e037f35ab46853cdf4050ff31a3e4035c53ad9ee0dafdd6dd868930d7,False,"" -/System/Library/LaunchAgents/com.apple.PhotoLibraryMigrationUtility.XPC.plist,com.apple.PhotoLibraryMigrationUtility.XPC,"['/System/Library/CoreServices/Photo Library Migration 
Utility.app/Contents/MacOS/Photo Library Migration Utility', '-server']",9f81315e397fe2f0584afbebe8977e09e7eb99ff5d649c4b3a2197296ccd6f45,False,"" -/System/Library/LaunchAgents/com.apple.pictd.plist,com.apple.pictd,"['/usr/sbin/pictd']",24e231675f8fa5f905a35a8d468fd515ead7f77b44387a29a9be138bd7c559d5,False,"" -/System/Library/LaunchAgents/com.apple.PIPAgent.plist,com.apple.PIPAgent,"['/System/Library/CoreServices/PIPAgent.app/Contents/MacOS/PIPAgent']",300d37989400719c3cdee2239714c972494921cac58e8b84ee78a660ced65593,False,"None" -/System/Library/LaunchAgents/com.apple.pluginkit.pkd.plist,com.apple.pluginkit.pkd,"['/usr/libexec/pkd']",a5098161f5fcc40ab64396bbad62635ecf43c994b46cb8550f30318234d437f2,False,"" -/System/Library/LaunchAgents/com.apple.pluginkit.pkreporter.plist,com.apple.pluginkit.pkreporter,"['/usr/libexec/pkreporter']",0b5e79255fead173992b2bf8b02ac84ce71ed74cf1ae0fec2bb15e1ae09f0c15,False,"" -/System/Library/LaunchAgents/com.apple.powerchime.plist,com.apple.powerchime,"['/System/Library/CoreServices/PowerChime.app/Contents/MacOS/PowerChime']",34eb25a2110ebaee8eb51719a63e93f4cd7b86386a955835d5c68553ab5fd6c2,True,"" -/System/Library/LaunchAgents/com.apple.printtool.agent.plist,com.apple.printtool.agent,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/PrintCore.framework/Versions/A/printtool', 'agent']",eaf12c090dd671bbf82116de2d7c175ea775610b0b3a7c18626b54dfae0679e2,False,"" -/System/Library/LaunchAgents/com.apple.printuitool.agent.plist,com.apple.printuitool.agent,"['/System/Library/PrivateFrameworks/PrintingPrivate.framework/Versions/A/PrintUITool']",1e5200d6bf4e78ce8440775d973e24603996ae884425323c71ddb95b32c60fcb,False,"" 
-/System/Library/LaunchAgents/com.apple.protectedcloudstorage.protectedcloudkeysyncing.plist,com.apple.protectedcloudstorage.protectedcloudkeysyncing,"['/System/Library/PrivateFrameworks/ProtectedCloudStorage.framework/Helpers/ProtectedCloudKeySyncing']",da860346440ac65cf1c6098d562087ab0a739b5b9aaff3417e43c854235594a5,False,"None" -/System/Library/LaunchAgents/com.apple.PubSub.Agent.plist,com.apple.PubSub.Agent,"['/System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent']",8eca5d557b21657416c4b8ac418f8bcfae0fee9156854ab83621f2fe97e9903b,False,"" -/System/Library/LaunchAgents/com.apple.quicklook.32bit.plist,com.apple.quicklook.32bit,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookd32.app/Contents/MacOS/quicklookd32']",49325fb2eec37df64604ecdd4dee1fd22c928416c1df9ef101eae4169de7e77b,False,"" -/System/Library/LaunchAgents/com.apple.quicklook.config.plist,com.apple.quicklook.config,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookconfig']",12a8ef5b0ba6c65535a0551aeb4546098560e940a8ac455b99c3ec6c7ec3530b,False,"" -/System/Library/LaunchAgents/com.apple.quicklook.plist,com.apple.quicklook,"['/System/Library/Frameworks/QuickLook.framework/Resources/quicklookd.app/Contents/MacOS/quicklookd']",f47e5ee500aa55d7c1c63eec82122854871c56269950e33c7aeba9c059ee3e61,False,"" -/System/Library/LaunchAgents/com.apple.quicklook.ThumbnailsAgent.plist,com.apple.quicklook.ThumbnailsAgent,"['/System/Library/PrivateFrameworks/QuickLookThumbnailing.framework/Support/com.apple.quicklook.ThumbnailsAgent']",9d14a78ac173aae36c41c41c03e9afc28eb2677b08d462f475639636342e2c68,False,"None" -/System/Library/LaunchAgents/com.apple.quicklook.ui.helper.plist,com.apple.quicklook.ui.helper,"['/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper']",b7af3a62434062ec429e195d815656eec8fe6c8172da94e43b5a4db07b3e4e1a,False,"" 
-/System/Library/LaunchAgents/com.apple.rcd.plist,com.apple.rcd,"['/System/Library/CoreServices/rcd.app/Contents/MacOS/rcd']",41603b4dafd5a38e6a27561cb64bf2d0c81b9969c430959fdef37ecf2de0a913,False,"" -/System/Library/LaunchAgents/com.apple.recentsd.plist,com.apple.recentsd,"['/System/Library/PrivateFrameworks/CoreRecents.framework/Versions/A/Support/recentsd']",dafe3f9a00949e119955b670319890020ec87397b585ec163870f1353849db1e,False,"" -/System/Library/LaunchAgents/com.apple.RemoteDesktop.plist,com.apple.RemoteDesktop.agent,"['/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent']",17c2a06f6b378737b347505eb83cfde082528700a3b992fd4a0501b5c178f91b,False,"" -/System/Library/LaunchAgents/com.apple.ReportCrash.plist,com.apple.ReportCrash,"['/System/Library/CoreServices/ReportCrash']",a64d420ec2bc8d826c8298072c279b17061e796759db64f719b1dbd9ae510279,False,"Analyzes crashing processes and saves a crash report to disk" -/System/Library/LaunchAgents/com.apple.ReportCrash.Self.plist,com.apple.ReportCrash.Self,"['/System/Library/CoreServices/ReportCrash']",a64d420ec2bc8d826c8298072c279b17061e796759db64f719b1dbd9ae510279,False,"" -/System/Library/LaunchAgents/com.apple.ReportGPURestart.plist,com.apple.ReportGPURestart,"['/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/ReportGPURestart']",3a46d422792790e04e3d5aa862dc7fe3f742411dc61506fc0be4aceda604c94e,False,"" -/System/Library/LaunchAgents/com.apple.ReportPanic.plist,com.apple.ReportPanic,"['/System/Library/CoreServices/ReportPanic.app/Contents/MacOS/ReportPanic']",20e12f0323501473844f1e29c3ad8b7486f3a365ea22a1e2cfa076ec8b698a87,False,"" -/System/Library/LaunchAgents/com.apple.reversetemplated.plist,com.apple.reversetemplated,"['/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/reversetemplated']",8757b19095a0f5dd1df07f5e3d71e7082625705727ff0d750fb9633bba066cd4,False,"" 
-/System/Library/LaunchAgents/com.apple.Safari.SafeBrowsing.Service.plist,com.apple.Safari.SafeBrowsing.Service,"['/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service']",3035e6c1b818c1bd516c4254093f984ac3bdb1ebf0e4aedf65eb6312c0f3082c,False,"" -/System/Library/LaunchAgents/com.apple.SafariCloudHistoryPushAgent.plist,com.apple.SafariCloudHistoryPushAgent,"['/usr/libexec/SafariCloudHistoryPushAgent']",8220a9c93d2790ff1f41d0beb92bd8709804530db697f68b6e2c475e4e9c601f,False,"" -/System/Library/LaunchAgents/com.apple.safaridavclient.plist,com.apple.safaridavclient,"['/System/Library/PrivateFrameworks/BookmarkDAV.framework/Helpers/SafariDAVClient']",bc592e69e7185e8fcc8e331bb8f0c03057d6aca1266809b06e39da140b17732d,False,"" -/System/Library/LaunchAgents/com.apple.SafariNotificationAgent.plist,com.apple.SafariNotificationAgent,"['/usr/libexec/SafariNotificationAgent']",f4b535c7e3f4aa8a937ec10db2d9cab8b55527fbcf20aa67fcb5182f4a74a325,False,"" -/System/Library/LaunchAgents/com.apple.SafariPlugInUpdateNotifier.plist,com.apple.SafariPlugInUpdateNotifier,"['/usr/libexec/SafariPlugInUpdateNotifier']",f9cc06a4486a8b24abdf08dba2a4e28e5031f0197b0adb70464c82517a02a42e,False,"" -/System/Library/LaunchAgents/com.apple.scopedbookmarkagent.xpc.plist,com.apple.scopedbookmarksagent.xpc,"['/System/Library/CoreServices/ScopedBookmarkAgent']",50f125e0c2e92ddf494377bb882b5c2f55afe9f5f453c43c70599ed7b4a70325,False,"" -/System/Library/LaunchAgents/com.apple.ScreenReaderUIServer.plist,com.apple.ScreenReaderUIServer,"['/System/Library/PrivateFrameworks/ScreenReader.framework/Resources/ScreenReaderUIServer.app/Contents/MacOS/ScreenReaderUIServer']",a4af357b81f5b3f9b20eee41e1cca65c6d8a4b7e8ddbe65d17181d8cf9421235,False,"" 
-/System/Library/LaunchAgents/com.apple.screensharing.agent.plist,com.apple.screensharing.agent,"['/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent']",a31f1b6b7b54305c52e53f8a1cfc47ce9f5da396e0423d5154af54adae3075a9,False,"" -/System/Library/LaunchAgents/com.apple.screensharing.MessagesAgent.plist,com.apple.screensharing.MessagesAgent,"['/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer']",92dc82dbee3b4b3ae80cb70d63b9dcd106a8e1b2803bde9497b86a6d0be409a7,False,"" -/System/Library/LaunchAgents/com.apple.scrod.plist,com.apple.scrod,"['/System/Library/PrivateFrameworks/ScreenReader.framework/Frameworks/ScreenReaderOutput.framework/Resources/scrod']",8f725cbdd8ccfd21d9d34a6c09fb971a25113c6304fb462029126a9ce43ead3b,False,"" -/System/Library/LaunchAgents/com.apple.secd.plist,com.apple.secd,"['/usr/libexec/secd']",1b9f50548015a9a8c5d73dbc8bc806482acee94c3f9f74a7f018c5fde42af4d0,False,"" -/System/Library/LaunchAgents/com.apple.secinitd.plist,com.apple.secinitd,"['/usr/libexec/secinitd']",3de685f119f1c94f99ff2867106f086a0c37db53bc80c4369e03611f4d64fae3,False,"" -/System/Library/LaunchAgents/com.apple.security.agent.plist,com.apple.security.agent,"['/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent']",bd1a5f8764e5f479bb094e4a08b7c314d24be3ee1f8dff9a6e12007f9d131d4f,False,"" -/System/Library/LaunchAgents/com.apple.security.cloudkeychainproxy3.plist,com.apple.security.cloudkeychainproxy3,"['/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy']",34cd004d8aa2bdc95beeed71ac41427540693308c3c594175d5e3fbb7fc64812,False,"" 
-/System/Library/LaunchAgents/com.apple.security.DiskUnmountWatcher.plist,com.apple.security.DiskUnmountWatcher,"['/System/Library/PrivateFrameworks/KerberosHelper/Helpers/DiskUnmountWatcher']",f82f52a97b773fbde88d97ca752de56e43b8701797a6138f5f7160d5d7ac5aab,False,"" -/System/Library/LaunchAgents/com.apple.security.idskeychainsyncingproxy.plist,com.apple.security.idskeychainsyncingproxy,"['/System/Library/Frameworks/Security.framework/Versions/A/Resources/IDSKeychainSyncingProxy.bundle/Contents/MacOS/IDSKeychainSyncingProxy']",6a589fbc82c0f9eca03f6e147799a682b205a174778d80a7bb9b22273c541841,False,"" -/System/Library/LaunchAgents/com.apple.security.keychain-circle-notification.plist,com.apple.security.keychain-circle-notification,"['/System/Library/CoreServices/Keychain Circle Notification.app/Contents/MacOS/Keychain Circle Notification']",491323b6c4d4d444f4722de3924570365e46b2a2a31b3b0f70b3687fed2f18ca,False,"" -/System/Library/LaunchAgents/com.apple.sharingd.plist,com.apple.sharingd,"['/usr/libexec/sharingd']",bb19e63102a77bb5973f535d3fb7b9cd605f1aaaaae82d252a793a33dc535c6a,True,"Sharing Daemon that enables AirDrop, Handoff, Instant Hotspot, Shared Computers, and Remote Disc in the Finder" -/System/Library/LaunchAgents/com.apple.Siri.plist,com.apple.Siri.agent,"['/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri', 'launchd']",76cb2b1816918f1666462fb07b7a24d620bb49afb5365d1f42ca370f9844f90a,False,"None" -/System/Library/LaunchAgents/com.apple.soagent.plist,com.apple.soagent,"['/System/Library/PrivateFrameworks/MessagesKit.framework/Resources/soagent.app/Contents/MacOS/soagent']",ecca65efcb3afa85a23bbce9dfd37442c5a86f8102983ef5ea889a22bfd6bf81,True,"" -/System/Library/LaunchAgents/com.apple.SocialPushAgent.plist,com.apple.SocialPushAgent,"['/System/Library/CoreServices/SocialPushAgent.app/Contents/MacOS/SocialPushAgent']",3fe4153715701bbcef3815db8c798af7483047cd8725a4c797ba3e08fe2c714d,True,"" 
-/System/Library/LaunchAgents/com.apple.softwareupdate_notify_agent.plist,com.apple.softwareupdate_notify_agent,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdate_notify_agent']",72e5777f50bc4aabe0a34fcc509a23c2cd1f9e6602b0313e9766b6142b449771,False,"" -/System/Library/LaunchAgents/com.apple.speech.speechdatainstallerd.plist,com.apple.speech.speechdatainstallerd,"['/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd']",23f2092cb95e37f22f2f67466259c796cd6f4fce63b592835cddd879a1439d33,False,"" -/System/Library/LaunchAgents/com.apple.speech.speechsynthesisd.plist,com.apple.speech.speechsynthesisd,"['/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd']",d37eec8945fe3d7a4f29c241eff0b35da57fa1ec74672771fbf3239ea1d1917e,False,"" -/System/Library/LaunchAgents/com.apple.speech.synthesisserver.plist,com.apple.speech.synthesisserver,"['/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesisServer.app/Contents/MacOS/SpeechSynthesisServer', 'launchd']",cb384caba4a1805adf1f8ffa0f8a00134e3b05b0aec20a2d4af46866fbd378a8,False,"" -/System/Library/LaunchAgents/com.apple.spindump_agent.plist,com.apple.spindump_agent,"['/usr/libexec/spindump_agent']",91316bc9169625bb5b70a54f5d6a1845bda3baabedb5c217dc548f02d0458539,True,"" -/System/Library/LaunchAgents/com.apple.spotlight.IndexAgent.plist,com.apple.spotlight.IndexAgent,"['/System/Library/PrivateFrameworks/CoreSpotlight.framework/Support/com.apple.spotlight.IndexAgent']",1052d614877e440940fcc081eb2b880ff3f52fc98d83cd214aebcd35d404eba3,False,"" -/System/Library/LaunchAgents/com.apple.Spotlight.plist,com.apple.Spotlight,"['/System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight']",12e03c2ff2f84cd0388415291fa31adbe526379effb3335d15e9b16db9d266a6,False,"" 
-/System/Library/LaunchAgents/com.apple.SSInvitationAgent.plist,com.apple.ssinvitationagent,"['/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/Support/SSInvitationAgent.app/Contents/MacOS/SSInvitationAgent']",55de18cf5ae18b802ddbfbdc5bf7d7d2eefe5dcbb0ccb1d1d571052645746fb3,False,"" -/System/Library/LaunchAgents/com.apple.StorageManagementUIHelper.plist,com.apple.STMUIHelper,"['/System/Library/PrivateFrameworks/StorageManagement.framework/Resources/STMUIHelper.app/Contents/MacOS/STMUIHelper']",69b442188c5c328a19ddf7b9ce4e164cf8b58afca91e6947eb40578126d494f0,False,"None" -/System/Library/LaunchAgents/com.apple.storeaccountd.plist,com.apple.storeaccountd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeaccountd']",1f5b284bae1a1f34c385bbb858460cff6858fe453730e9594e6742a9236ff7eb,False,"" -/System/Library/LaunchAgents/com.apple.storeassetd.plist,com.apple.storeassetd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeassetd']",fa9af393b6dbe8244f66b012c7b3726a95dbaf0b2afd9448108240fcd365f038,False,"" -/System/Library/LaunchAgents/com.apple.storedownloadd.plist,com.apple.storedownloadd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd']",e9f3678a540fdbd26fff350937c61f717af8cf769fe14e1716c821979a8e000c,False,"" -/System/Library/LaunchAgents/com.apple.storeinappd.plist,com.apple.storeinappd,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeinappd']",2e585d2adf1aac94a22ee0db5540111f97401ee28e1cc56caefcba648b29fa1e,False,"" -/System/Library/LaunchAgents/com.apple.storeinstallagent.plist,com.apple.storeinstallagent,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeinstallagent']",6abb54288204bdea0d8b8a4e07a3e12d750c3ef823bd0f5189f6d6d219e3a3c7,False,"None" 
-/System/Library/LaunchAgents/com.apple.storelegacy.plist,com.apple.storelegacy,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storelegacy']",d72eb418db720a85fb01b0994d6863ef01a55e3b38c42efecd7ed7dc92b1ed05,False,"" -/System/Library/LaunchAgents/com.apple.storeuid.plist,com.apple.storeuid,"['/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid']",3965b2e902c644aafb02401f6abbbacad0446283cf6a84d620e5fcd057b09bdb,False,"" -/System/Library/LaunchAgents/com.apple.suggestd.plist,com.apple.suggestd,"['/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd']",d38fdd71d4b724c79929e344e59d35da6664dd9a0697be10098defda96462252,False,"" -/System/Library/LaunchAgents/com.apple.sulogoutmonitor.plist,com.apple.sulogoutmonitor,"['/System/Library/CoreServices/Software Update.app/Contents/Resources/sulogoutmonitor']",8c230ccd95ed30581c5941a7060d0695ee3191de1c545176af12ecd6e009ac61,True,"None" -/System/Library/LaunchAgents/com.apple.swcd.plist,com.apple.swcd,"['/usr/libexec/swcd']",3f2eadce48f28aa91bd036189e8352df5c029be76a0b133bef66808fae824140,False,"" -/System/Library/LaunchAgents/com.apple.syncdefaultsd.plist,com.apple.syncdefaultsd,"['/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd']",de66931fd702a93aab22efbe524585f7427fa398fd6e831004e58c065a8cae1b,False,"" -/System/Library/LaunchAgents/com.apple.syncservices.SyncServer.plist,com.apple.syncservices.SyncServer,"['/System/Library/Frameworks/SyncServices.framework/Versions/Current/Resources/SyncServer.app/Contents/MacOS/SyncServer']",2dc2eb28809490be6e7c041b7d13f9a495cd68891cfad8c1d12edb1f7c458e54,False,"" 
-/System/Library/LaunchAgents/com.apple.syncservices.uihandler.plist,com.apple.syncservices.uihandler,"['/System/Library/PrivateFrameworks/SyncServicesUI.framework/Versions/Current/Resources/syncuid.app/Contents/MacOS/syncuid']",777a757608cbba762f56c276b108317bcb3b4235d07e5be45e6a6adeeec95910,False,"" -/System/Library/LaunchAgents/com.apple.sysdiagnose_agent.plist,com.apple.sysdiagnose_agent,"['/usr/libexec/sysdiagnose_agent']",45adcae8b81d8a9cf5e13aff4127604c9ecf44e8b3ca98d45381e007c1502103,False,"None" -/System/Library/LaunchAgents/com.apple.systemprofiler.plist,com.apple.systemprofiler,"['/Applications/Utilities/System Information.app/Contents/MacOS/System Information']",fb8236990567b86473053dd39e132be3354ed51981e07e8f94cab2f668d82791,False,"" -/System/Library/LaunchAgents/com.apple.SystemUIServer.plist,com.apple.SystemUIServer.agent,"['/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer']",0e1b385d10a6b187d3533a0f0f66baf2386d83d32f00f4c906956d6788292e44,False,"" -/System/Library/LaunchAgents/com.apple.talagent.plist,com.apple.talagent,"['/System/Library/CoreServices/talagent']",21d5228c0c3361352b296be1a3a2bc286c3d8d4fa3b7c13636af8b0f41396b16,True,"" -/System/Library/LaunchAgents/com.apple.tccd.plist,com.apple.tccd,"['/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd']",f8ba72775dcc31f2b1ad218a356795c1ddc45ae5afb704162bad02efacbdf4ad,False,"" -/System/Library/LaunchAgents/com.apple.telephonyutilities.callservicesd.plist,com.apple.telephonyutilities.callservicesd,"['/System/Library/PrivateFrameworks/TelephonyUtilities.framework/callservicesd']",660fa6be5283e68353191fec41bd3bac8906177362bc1f77282b187e99ca7cde,False,"" -/System/Library/LaunchAgents/com.apple.thermaltrap.plist,com.apple.thermaltrap,"['/System/Library/CoreServices/ThermalTrap.app/Contents/MacOS/ThermalTrap']",0793a6ba51a71052ced06ff43c64981b89023450aa2169229d97c1436d78f04a,False,"" 
-/System/Library/LaunchAgents/com.apple.tiswitcher.plist,com.apple.tiswitcher,"['/System/Library/CoreServices/Menu Extras/TextInput.menu/Contents/SharedSupport/TISwitcher.app/Contents/MacOS/TISwitcher']",c064be6efc1abee945bf40eea41e4dba88b4d687b26dc0e5b5802c2a2b8773cc,False,"" -/System/Library/LaunchAgents/com.apple.TMHelperAgent.plist,com.apple.TMHelperAgent,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMHelperAgent.app/Contents/MacOS/TMHelperAgent']",e643174ab97189486809a7de68b8ce7f6eebe397a463dba4a3f807cafbd02902,False,"" -/System/Library/LaunchAgents/com.apple.TMHelperAgent.SetupOffer.plist,com.apple.TMHelperAgent.SetupOffer,"['/System/Library/CoreServices/backupd.bundle/Contents/Resources/TMHelperAgent.app/Contents/MacOS/TMHelperAgent', '-offer']",e643174ab97189486809a7de68b8ce7f6eebe397a463dba4a3f807cafbd02902,False,"" -/System/Library/LaunchAgents/com.apple.touristd.plist,com.apple.touristd,"['/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/touristd']",3f482470c287ed69ba6779811ef028d6df6a56a8caf12097fde78bc508b5e2ca,False,"None" -/System/Library/LaunchAgents/com.apple.trustd.agent.plist,com.apple.trustd.agent,"['/usr/libexec/trustd', '--agent']",872b9574d20649ce20c78e6ead6a40b6ed494f24fac77535c27f0f71e5a114dc,False,"" -/System/Library/LaunchAgents/com.apple.TrustEvaluationAgent.plist,com.apple.TrustEvaluationAgent,"['/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Resources/trustevaluationagent']",ce6d7839e819198d7589ad73eb560960e01651e52e0339c24c6d6e9d68a20b1f,False,"" -/System/Library/LaunchAgents/com.apple.universalaccessAuthWarn.plist,com.apple.universalaccessAuthWarn,"['/System/Library/PrivateFrameworks/UniversalAccess.framework/Versions/A/Resources/universalAccessAuthWarn.app/Contents/MacOS/universalAccessAuthWarn', 'launchd', '-s']",5f5429530117a444af89c99f2bd23c327a3d5a3e85498e5e606c2158f934d306,False,"" 
-/System/Library/LaunchAgents/com.apple.universalaccesscontrol.plist,com.apple.universalaccesscontrol,"['/System/Library/CoreServices/UniversalAccessControl.app/Contents/MacOS/UniversalAccessControl', 'launchd', '-s']",54c4ea54577eae189b3af6b3faa66e7fc215ae6ae5005568394dc6db1e81e833,False,"" -/System/Library/LaunchAgents/com.apple.universalaccessd.plist,com.apple.universalaccessd,"['/usr/sbin/universalaccessd', 'launchd', '-s']",34abb9fd0ed401cb8a53c9fd080cdb68ef6a283da39ad80783a36f78cb03f788,True,"" -/System/Library/LaunchAgents/com.apple.universalaccessHUD.plist,com.apple.universalaccessHUD,"['/System/Library/PrivateFrameworks/UniversalAccess.framework/Versions/A/Resources/UniversalAccessHUD.app/Contents/MacOS/UniversalAccessHUD', 'launchd', '-s']",5aee033db38a01c8d065b8f3cf7eb8afc8b11e32733138f8d1722ef5555ce24f,False,"None" -/System/Library/LaunchAgents/com.apple.unmountassistant.useragent.plist,com.apple.unmountassistant.useragent,"['/System/Library/CoreServices/UnmountAssistantAgent.app/Contents/MacOS/UnmountAssistantAgent']",37b2dce24c9ca5cf5596bac0dcb2b3e61d853f44ff0e5d54f7a9640d9744de4f,False,"" -/System/Library/LaunchAgents/com.apple.USBAgent.plist,com.apple.USBAgent,"['/usr/libexec/USBAgent']",5264537451aaf4bc1da13789ab95730b245979614149a1beb353d6771b28bb55,False,"" -/System/Library/LaunchAgents/com.apple.UserEventAgent-Aqua.plist,com.apple.UserEventAgent-Aqua,"['/usr/libexec/UserEventAgent', '(Aqua)']",0db2c6f3f3370cdc06524a4824186c8733ce732d2b5946d7f068e8b4d4bae4c9,False,"" -/System/Library/LaunchAgents/com.apple.UserEventAgent-LoginWindow.plist,com.apple.UserEventAgent-LoginWindow,"['/usr/libexec/UserEventAgent', '(LoginWindow)']",0db2c6f3f3370cdc06524a4824186c8733ce732d2b5946d7f068e8b4d4bae4c9,False,"" -/System/Library/LaunchAgents/com.apple.usernoted.plist,com.apple.usernoted,"['/usr/sbin/usernoted']",4b11ef82cd74a380510bf7fda98f8f1229ce7e1e760304a4f5a3a0b360be6cea,True,"" 
-/System/Library/LaunchAgents/com.apple.UserNotificationCenterAgent-LoginWindow.plist,com.apple.UserNotificationCenterAgent-LoginWindow,"['/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter', '-loginwindow']",c14559361ebb79ef29ea71654013946362cb9dc7e9def31f188a633fed7a5c59,False,"" -/System/Library/LaunchAgents/com.apple.UserNotificationCenterAgent.plist,com.apple.UserNotificationCenterAgent,"['/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter']",c14559361ebb79ef29ea71654013946362cb9dc7e9def31f188a633fed7a5c59,False,"" -/System/Library/LaunchAgents/com.apple.VoiceOver.plist,com.apple.VoiceOver,"['/System/Library/CoreServices/VoiceOver.app/Contents/MacOS/VoiceOver', 'launchd', '-s']",db420561d8eeac28b8ad36b46437671fa8ff307be6abb83aca569eb571a9e007,False,"" -/System/Library/LaunchAgents/com.apple.warmd_agent.plist,com.apple.warmd_agent,"['/usr/libexec/warmd_agent']",e7542426d0a476ee71a1f0f53068f1368c40d071b69a3f1a992c8f069bfe4eca,False,"" -/System/Library/LaunchAgents/com.apple.webdriverd.plist,com.apple.webdriverd,"['/usr/libexec/webdriverd']",69f5cb47506cd6656e7f6f66dabc4069ada2738c99cd730ace3fd08e25b8388e,False,"None" -/System/Library/LaunchAgents/com.apple.webinspectord.plist,com.apple.webinspectord,"['/usr/libexec/webinspectord']",354e23702c287c1a201e2c8a44dc383a514d2af41df719e7c6bc013d2c581fcb,False,"" -/System/Library/LaunchAgents/com.apple.WebKit.PluginAgent.plist,com.apple.WebKit.PluginAgent,"['/System/Library/Frameworks/WebKit.framework/Frameworks/WebKitLegacy.framework/WebKitPluginAgent']",7c6be1f002928a1a7e32b259f6595635d5399708a3fdf559344d77f70f0758f3,False,"" -/System/Library/LaunchAgents/com.apple.wifi.WiFiAgent.plist,com.apple.wifi.WiFiAgent,"['/System/Library/CoreServices/WiFiAgent.app/Contents/MacOS/WiFiAgent']",8adb0646534136bc16b0f83ca8e48f0b29aa5daab69b0e8345eadc53783a42a0,True,"" 
-/System/Library/LaunchAgents/com.apple.WiFiVelocityAgent.plist,com.apple.WiFiVelocityAgent,"['/usr/libexec/WiFiVelocityAgent']",9a225ebbbd22810270ce7422288f818a40f66bd47bf3cc2af7d870e46e5c577c,False,"None" -/System/Library/LaunchAgents/com.apple.xpc.loginitemregisterd.plist,com.apple.xpc.loginitemregisterd,"['/usr/libexec/loginitemregisterd']",5af881aa40a33ef7dc26604f2601e1710e2980a6e51c4d41c43ae25a6ab18bcd,False,"" -/System/Library/LaunchAgents/com.apple.xpc.otherbsd.plist,com.apple.xpc.otherbsd,"['/usr/libexec/otherbsd']",949d29ac4189e9aa5028f30cb75f62826d178db02f08bf7cc15cbe8865c360f6,False,"" -/System/Library/LaunchAgents/com.apple.ZoomWindow.plist,com.apple.ZoomWindow,"['/System/Library/CoreServices/ZoomWindow.app/Contents/MacOS/ZoomWindowStarter', 'launchd', '-s']",549c0bb305ab4739b6ff3f0c000591ae2a9bc9dee88380ac64b829491d760c0e,False,"" -/System/Library/LaunchAgents/com.openssh.ssh-agent.plist,com.openssh.ssh-agent,"['/usr/bin/ssh-agent', '-l']",7815ec173d45abb2606c718fc1261bb4309254daa7b474e87541c6dc19dc934c,False,"None" diff --git a/launchd/comments.csv b/launchd/comments.csv deleted file mode 100644 index 0e308bd6..00000000 --- a/launchd/comments.csv +++ /dev/null 
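Review bot: the removed rows carry the per-agent description in their last column (the ReportCrash row's "Analyzes crashing processes and saves a crash report to disk", the sharingd row's AirDrop/Handoff text), and the same descriptions appear in launchd/comments.csv, which the header at the end of this region deletes outright (`deleted file mode 100644`); the commit message should state where these descriptions and the SHA-256 values in the removed rows now live, since nothing in this hunk shows them being re-added. While that data is being moved, the two sentinels used for an empty description in the removed rows, `"None"` and `""` (compare the PIPAgent and pictd rows), should be normalized to a single convention so a consumer of the CSV does not have to special-case both.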
@@ -1,511 +0,0 @@ -Label,Comment -com.apple.accountsd, -com.apple.AddressBook.abd, -com.apple.AddressBook.AssistantService, -com.apple.AddressBook.SourceSync, -com.apple.AEServer, -com.apple.afpfs_afpLoad, -com.apple.afpfs_checkafp, -com.apple.airplaydiagnostics.server.mac,Apple Internal Diagnostic Tool -com.apple.AirPlayUIAgent, -com.apple.AirPlayXPCHelper,AirPlay daemon -com.apple.AirPortBaseStationAgent, -com.apple.airportd, -com.apple.airport.wps, -com.apple.akd, -com.apple.alf,Apple Application Firewall -com.apple.alf.useragent,Apple Application Firewall (User Process) -com.apple.AOSHeartbeat, -com.apple.aos.migrate, -com.apple.AOSPushRelay, -com.apple.AppleFileServer,Apple File Server (AFP) -com.apple.AppleGraphicsWarning, -com.apple.appleseed.fbahelperd,Feedback -com.apple.appleseed.seedusaged,Feedback -com.apple.applessdstatistics, -com.apple.appsleep, -com.apple.appstoreupdateagent, -com.apple.apsctl, -com.apple.apsd,Apple Push Notification service daemon - used by Facetime/Messages -com.apple.askpermissiond, -com.apple.AskPermissionUI, -com.apple.aslmanager,Manages rotated files and ASL data written by the syslogd server -com.apple.AssetCacheLocatorService, -com.apple.assistantd, -com.apple.assistant_service,Siri -com.apple.AssistiveControl, -com.apple.atrun, -com.apple.ATS.FontValidator, -com.apple.ATS.FontValidatorConduit, -com.apple.audio.coreaudiod,daemon used for Core Audio related purposes -com.apple.audio.systemsoundserverd, -com.apple.auditd, -com.apple.autofsd, -com.apple.automountd, -com.apple.avbdeviced, -com.apple.awacsd,Apple Wide Area Connectivity Service daemon -com.apple.awdd,Diagnostics and usage -com.apple.backupd, -com.apple.backupd-auto, -com.apple.BezelUIServer, -com.apple.bird,Documents in the Cloud feature daemon -com.apple.blued,Bluetooth -com.apple.bluetoothaudiod, -com.apple.bluetoothReporter, -com.apple.bluetoothUIServer, -com.apple.bnepd, -com.apple.bootpd,DHCP/BOOTP/NetBoot server -com.apple.bsd.dirhelper, -com.apple.btsa, 
-com.apple.cache_delete, -com.apple.CalendarAgent, -com.apple.CallHistoryPluginHelper,iCloud call history -com.apple.CallHistorySyncHelper,iCloud call history -com.apple.cdpd, -com.apple.cfnetwork.AuthBrokerAgent, -com.apple.cfnetwork.cfnetworkagent, -com.apple.cfprefsd.xpc.agent, -com.apple.cfprefsd.xpc.daemon, -com.apple.cloudd, -com.apple.cloudfamilyrestrictionsd, -com.apple.cloudpaird, -com.apple.cloudphotosd,iCloud photo sync -com.apple.cmfsyncagent, -com.apple.cmio.AppleCameraAssistant, -com.apple.cmio.AVCAssistant, -com.apple.cmio.IIDCVideoAssistant,iSight -com.apple.cmio.iOSScreenCaptureAssistant, -com.apple.cmio.VDCAssistant, -com.apple.colorsyncd, -com.apple.CommCenter, -com.apple.CommCenterRootHelper, -com.apple.comsat, -com.apple.configd, -com.apple.configureLocalKDC, -com.apple.ContainerRepairAgent, -com.apple.CoreAuthentication.daemon, -com.apple.corecaptured, -com.apple.coredata.externalrecordswriter, -com.apple.coreduetd, -com.apple.CoreLocationAgent, -com.apple.CoreRAID, -com.apple.CoreRAIDAgent, -com.apple.coreservices.appleevents, -com.apple.coreservices.appleid.authentication, -com.apple.coreservices.appleid.passwordcheck, -com.apple.coreservicesd, -com.apple.coreservices.launchservicesd, -com.apple.coreservices.sharedfilelistd, -com.apple.coreservices.uiagent, -com.apple.coreservices.useractivityd, -com.apple.corestorage.corestoraged, -com.apple.corestorage.corestoragehelperd, -com.apple.coresymbolicationd, -com.apple.CrashReporterSupportHelper,Crash reporter -com.apple.csrutil.report, -com.apple.csuseragent, -com.apple.ctkd, -com.apple.cvmsCompAgent3600_i386, -com.apple.cvmsCompAgent3600_i386_1, -com.apple.cvmsCompAgent3600_x86_64, -com.apple.cvmsCompAgent3600_x86_64_1, -com.apple.cvmsCompAgent_i386, -com.apple.cvmsCompAgent_i386_1, -com.apple.cvmsCompAgentLegacy_i386, -com.apple.cvmsCompAgentLegacy_i386_1, -com.apple.cvmsCompAgentLegacy_x86_64, -com.apple.cvmsCompAgentLegacy_x86_64_1, -com.apple.cvmsCompAgent_x86_64, 
-com.apple.cvmsCompAgent_x86_64_1, -com.apple.cvmsServ, -com.apple.DesktopServicesHelper, -com.apple.diagnosticd, -com.apple.DiagnosticReportCleanup.plist, -com.apple.diagnostics_agent, -com.apple.diagnostic.uuidpathd, -com.apple.DictationIM,Dictation daemon -com.apple.DiskArbitrationAgent, -com.apple.diskarbitrationd, -com.apple.diskmanagementd, -com.apple.diskmanagementstartup, -com.apple.displaypolicyd, -com.apple.distnoted.xpc.agent, -com.apple.distnoted.xpc.daemon, -com.apple.dnsextd, -com.apple.Dock.agent, -com.apple.dpaudiothru, -com.apple.dpd, -com.apple.dspluginhelperd, -com.apple.dt.CommandLineTools.installondemand, -com.apple.DumpGPURestart, -com.apple.DumpPanic, -com.apple.dvdplayback.setregion, -com.apple.dynamic_pager, -com.apple.eapolcfg_auth, -com.apple.efax, -com.apple.efilogin-helper, -com.apple.emlog, -com.apple.emond, -com.apple.emond.aslmanager, -com.apple.EscrowSecurityAlert, -com.apple.familycircled, -com.apple.familycontrols,Parental controls -com.apple.familycontrols.useragent, -com.apple.familynotificationd,Family notifications -com.apple.FileCoordination, -com.apple.FileStatsAgent, -com.apple.FileSyncAgent.PHD, -com.apple.FileSyncAgent.sshd, -com.apple.FilesystemUI, -com.apple.Finder,Finder -com.apple.findmymacd,Find My mac daemon -com.apple.findmymacmessenger,iCloud Find My Mac feature daemon -com.apple.fingerd, -com.apple.firmwaresyncd, -com.apple.FolderActionsDispatcher, -com.apple.followupd, -com.apple.FollowUpUI, -com.apple.fontd, -com.apple.fontmover, -com.apple.FontRegistryUIAgent, -com.apple.FontWorker, -com.apple.fseventsd, -com.apple.FTCleanup, -com.apple.ftpd,FTP -com.apple.ftp-proxy, -com.apple.GameController.gamecontrollerd, -com.apple.gamed,Game Center -com.apple.getty, -com.apple.gkreport, -com.apple.GSSCred, -com.apple.gssd, -com.apple.hdiejectd, -com.apple.helpd, -com.apple.hidd, -com.apple.icdd, -com.apple.icloud.findmydeviced, -com.apple.icloud.findmydeviced.findmydevice-user-agent, -com.apple.icloud.fmfd, 
-com.apple.iCloudUserNotificationsd, -com.apple.iconservices.iconservicesagent, -com.apple.iconservices.iconservicesd, -com.apple.identityservicesd,iCloud authentication -com.apple.idsfoundation.IDSRemoteURLConnectionAgent, -com.apple.IFCStart, -com.apple.ifdreader, -com.apple.imagent,Facetime and Messages -com.apple.imavagent, -com.apple.imcore.imtransferagent, -com.apple.imklaunchagent, -com.apple.IMLoggingAgent, -com.apple.installandsetup.migrationhelper.user, -com.apple.installandsetup.systemmigrationd, -com.apple.installd, -com.apple.installd.user, -com.apple.IOAccelMemoryInfoCollector, -com.apple.IOBluetoothUSBDFU, -com.apple.isst, -com.apple.java.InstallOnDemand, -com.apple.java.updateSharing, -com.apple.kcproxy, -com.apple.kdumpd, -com.apple.Kerberos.digest-service, -com.apple.Kerberos.kadmind, -com.apple.Kerberos.kcm, -com.apple.Kerberos.kdc, -com.apple.Kerberos.kpasswdd, -com.apple.KernelEventAgent,Responsible for displaying disk full and unresponsive file server messages -com.apple.kextd, -com.apple.kuncd, -com.apple.lateragent, -com.apple.locate, -com.apple.locationd,Location daemon -com.apple.locationmenu, -com.apple.lockd, -com.apple.logd, -com.apple.logind, -com.apple.loginwindow, -com.apple.loginwindow.LFVTracer, -com.apple.logkextloadsd, -com.apple.lsd, -com.apple.ManagedClient,User management daemon -com.apple.ManagedClientAgent.agent, -com.apple.ManagedClientAgent.enrollagent, -com.apple.ManagedClient.cloudconfigurationd, -com.apple.ManagedClient.enroll, -com.apple.ManagedClient.startup, -com.apple.Maps.mapspushd, -com.apple.maspushagent, -com.apple.mbbackgrounduseragent, -com.apple.mbfloagent, -com.apple.mbsystemadministration, -com.apple.mbuseragent, -com.apple.mbusertrampoline, -com.apple.mdmclient.agent, -com.apple.mdmclient.daemon, -com.apple.mdmclient.daemon.runatboot, -com.apple.mDNSResponderHelper.reloaded, -com.apple.mDNSResponder.reloaded, -com.apple.mdworker.32bit, -com.apple.mdworker.bundles, -com.apple.mdworker.isolation, 
-com.apple.mdworker.lsb, -com.apple.mdworker.mail, -com.apple.mdworker.shared, -com.apple.mdworker.single, -com.apple.mdworker.sizing, -com.apple.metadata.mdbulkimport, -com.apple.metadata.mdflagwriter, -com.apple.metadata.mds, -com.apple.metadata.mds.index, -com.apple.metadata.mds.scan, -com.apple.metadata.mds.spindump, -com.apple.metadata.mdwrite, -com.apple.metadata.SpotlightNetHelper, -com.apple.midiserver, -com.apple.MobileFileIntegrity, -com.apple.MRTa, -com.apple.MRTd, -com.apple.msrpc.echosvc, -com.apple.msrpc.lsarpc, -com.apple.msrpc.mdssvc, -com.apple.msrpc.netlogon, -com.apple.msrpc.srvsvc, -com.apple.msrpc.wkssvc, -com.apple.mtmd, -com.apple.mtmfs, -com.apple.navd, -com.apple.neagent, -com.apple.nehelper, -com.apple.nesessionmanager, -com.apple.netauth.sys.auth, -com.apple.netauth.sys.gui, -com.apple.netauth.user.auth, -com.apple.netauth.user.gui, -com.apple.netbiosd,Used to share files with Windows hosts -com.apple.NetBootClientStatus, -com.apple.NetworkDiagnostics, -com.apple.networkd,network daemon -com.apple.networkd_privileged, -com.apple.NetworkSharing, -com.apple.newsyslog, -com.apple.nfsconf, -com.apple.nfsd, -com.apple.nis.ypbind, -com.apple.nlcd, -com.apple.noticeboard.agent, -com.apple.noticeboard.state, -com.apple.notificationcenterui.agent, -com.apple.notifyd, -com.apple.nsurlsessiond, -com.apple.nsurlsessiond_privileged, -com.apple.nsurlstoraged, -com.apple.ntalkd, -com.apple.ocspd,"Performs caching and network fetching of CRLs and OCSP responses, used by Security.framework during certificate verification" -com.apple.odproxyd, -com.apple.ODSAgent, -com.apple.opendirectoryd, -com.apple.PackageKit.InstallStatus, -com.apple.parentalcontrols.check, -com.apple.PasswordService, -com.apple.pboard, -com.apple.pbs,Services menu daemon -com.apple.PCIELaneConfigTool, -com.apple.PCIESlotCheck, -com.apple.periodic-daily, -com.apple.periodic-monthly, -com.apple.periodic-weekly, -com.apple.pfctl, -com.apple.pfd, -com.apple.photolibraryd, 
-com.apple.PhotoLibraryMigrationUtility.XPC, -com.apple.pictd, -com.apple.platform.ptmd, -com.apple.pluginkit.pkd, -com.apple.pluginkit.pkreporter, -com.apple.postgres,Legacy or server app -com.apple.powerchime, -com.apple.powerd, -com.apple.powerd.swd, -com.apple.preferences.timezone.admintool, -com.apple.preferences.timezone.auto, -com.apple.printtool.agent, -com.apple.printtool.daemon, -com.apple.printuitool.agent, -com.apple.PubSub.Agent, -com.apple.quicklook, -com.apple.quicklook.32bit, -com.apple.quicklook.config, -com.apple.quicklook.ui.helper, -com.apple.racoon,Built-in VPN key management daemon -com.apple.rcd, -com.apple.recentsd, -com.apple.RemoteDesktop.agent,ARD -com.apple.RemoteDesktop.PrivilegeProxy,ARD -com.apple.RemotePairTool,Remote device pairing -com.apple.RemoteUI,Remote control -com.apple.ReportCrash,Analyzes crashing processes and saves a crash report to disk -com.apple.ReportCrash.Root, -com.apple.ReportCrash.Self, -com.apple.ReportGPURestart, -com.apple.ReportPanic, -com.apple.ReportPanicService, -com.apple.reversetemplated, -com.apple.revisiond, -com.apple.rexecd, -com.apple.RFBEventHelper, -com.apple.rlogind, -com.apple.rootless.init, -com.apple.rpcbind, -com.apple.rshd,Remote shell server -com.apple.rtcreportingd,Home Sharing -com.apple.SafariCloudHistoryPushAgent, -com.apple.safaridavclient, -com.apple.SafariNotificationAgent,Safari notifications -com.apple.SafariPlugInUpdateNotifier, -com.apple.Safari.SafeBrowsing.Service, -com.apple.sandboxd, -com.apple.SCHelper, -com.apple.scopedbookmarksagent.xpc, -com.apple.ScreenReaderUIServer, -com.apple.screensharing,Screen Sharing daemon -com.apple.screensharing.agent, -com.apple.screensharing.MessagesAgent, -com.apple.scrod, -com.apple.scsid, -com.apple.secd, -com.apple.secinitd, -com.apple.security.agent, -com.apple.security.agent.login, -com.apple.security.authhost, -com.apple.security.cloudkeychainproxy3, -com.apple.securityd, -com.apple.security.DiskUnmountWatcher, 
-com.apple.securityd_service, -com.apple.security.FDERecoveryAgent, -com.apple.security.idskeychainsyncingproxy, -com.apple.security.keychain-circle-notification, -com.apple.security.syspolicy, -com.apple.sessionlogoutd, -com.apple.sharingd,"Sharing Daemon that enables AirDrop, Handoff, Instant Hotspot, Shared Computers, and Remote Disc in the Finder" -com.apple.smbd, -com.apple.smb.preferences, -com.apple.soagent, -com.apple.SocialPushAgent, -com.apple.softwareupdatecheck.initial, -com.apple.softwareupdated, -com.apple.softwareupdate_download_service, -com.apple.softwareupdate_notify_agent, -com.apple.speech.speechdatainstallerd, -com.apple.speech.speechsynthesisd, -com.apple.speech.synthesisserver, -com.apple.spindump, -com.apple.spindump_agent, -com.apple.Spotlight, -com.apple.spotlight.IndexAgent, -com.apple.ssinvitationagent, -com.apple.statd.notify, -com.apple.storagekitd, -com.apple.storeaccountd, -com.apple.storeaccountd.daemon, -com.apple.storeagent.daemon, -com.apple.storeassetd, -com.apple.storeassetd.daemon, -com.apple.storedownloadd, -com.apple.storedownloadd.daemon, -com.apple.storeinappd, -com.apple.storelegacy, -com.apple.storereceiptinstaller, -com.apple.storeuid, -com.apple.SubmitDiagInfo,Sends diagnostic information to Apple -com.apple.suggestd, -com.apple.suhelperd, -com.apple.swcd, -com.apple.symptomsd, -com.apple.syncdefaultsd, -com.apple.syncservices.SyncServer, -com.apple.syncservices.uihandler, -com.apple.sysdiagnose, -com.apple.syslogd, -com.apple.sysmond, -com.apple.system_installd, -com.apple.systemkeychain, -com.apple.systempreferences.install, -com.apple.systemprofiler, -com.apple.systemstats.analysis, -com.apple.systemstatsd, -com.apple.systemstats.daily, -com.apple.SystemUIServer.agent, -com.apple.talagent, -com.apple.taskgated, -com.apple.taskgated-helper, -com.apple.tccd, -com.apple.tccd.system, -com.apple.telephonyutilities.callservicesd, -com.apple.telnetd, -com.apple.tftpd,TFTP server daemon -com.apple.thermald,Thermal 
management daemon -com.apple.thermaltrap, -com.apple.tiswitcher, -com.apple.TMCacheDelete, -com.apple.TMHelperAgent, -com.apple.TMHelperAgent.SetupOffer, -com.apple.trustd,Certificate validation -com.apple.trustd.agent, -com.apple.TrustEvaluationAgent, -com.apple.TrustEvaluationAgent.system, -com.apple.ucupdate.plist, -com.apple.uninstalld, -com.apple.universalaccessAuthWarn, -com.apple.universalaccesscontrol, -com.apple.universalaccessd, -com.apple.unmountassistant.sysagent, -com.apple.unmountassistant.useragent, -com.apple.updateEFIDesktopPicture, -com.apple.USBAgent, -com.apple.usbd, -com.apple.usbmuxd, -com.apple.UserEventAgent-Aqua, -com.apple.UserEventAgent-LoginWindow, -com.apple.UserEventAgent-System, -com.apple.usernoted, -com.apple.UserNotificationCenterAgent, -com.apple.UserNotificationCenterAgent-LoginWindow, -com.apple.UserNotificationCenter,Notification Center -com.apple.uucp, -com.apple.var-db-dslocal-backup, -com.apple.VoiceOver, -com.apple.vsdbutil, -com.apple.warmd, -com.apple.warmd_agent, -com.apple.watchdogd, -com.apple.wdhelper, -com.apple.webinspectord, -com.apple.WebKit.PluginAgent, -com.apple.wifid, -com.apple.wifi.WiFiAgent, -com.apple.WindowServer, -com.apple.wirelessproxd, -com.apple.WirelessRadioManagerd-osx, -com.apple.wwand, -com.apple.xpc.loginitemregisterd, -com.apple.xpc.otherbsd, -com.apple.xpc.smd, -com.apple.xpc.uscwoap, -com.apple.xsan, -com.apple.xsandaily, -com.apple.xscertadmin, -com.apple.xscertd, -com.apple.xscertd-helper, -com.apple.ZoomWindow, -com.openssh.sshd,Wrapper for OpenSSH SSH daemon called by launchd -com.vix.cron, -org.apache.httpd,Apache HTTP server -org.cups.cupsd,CUPS print server -org.cups.cups-lpd, -org.net-snmp.snmpd,SNMP diagnostics -org.ntp.ntpd,Wrapper for ntpdate/ntpd called by launchd -org.openbsd.ssh-agent, -org.openldap.slapd,Slapd is the stand-alone LDAP daemon. -org.postfix.master, -org.postfix.newaliases, 
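Review bot: Deleting launchd/comments.csv drops the only place the guide annotates what services such as com.apple.netbiosd, com.apple.ocspd, com.apple.sharingd and com.openssh.sshd do; if this table is being retired, the sections of the README that pointed readers at the launchd/ directory need to be updated in the same change so no dangling links remain. If the intent is only to stop shipping the stale generated CSV, keep the annotated rows (the ones with a second column) as a short reference list rather than removing them outright.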
diff --git a/launchd/read_launch_plists.py b/launchd/read_launch_plists.py deleted file mode 100644 index 1d04ecfe..00000000 --- a/launchd/read_launch_plists.py +++ /dev/null 
@@ -1,104 +0,0 @@ -""" -https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/launchd/read_launch_plists.py - -Reads macOS system launch daemon and agent property lists. -""" - -import glob -import hashlib -import os -import plistlib -import subprocess -import csv - -HEADER = "filename,label,program,sha256,runatload,comment" -PLIST_LOCATION = "/System/Library/Launch%s/*.plist" -PLIST_TYPES = ["Daemons", "Agents"] - - -def LoadPlist(filename): - """Returns plists read with plistlib.""" - try: - proc = subprocess.Popen( - ["/usr/bin/plutil", "-convert", "xml1", "-o", "-", filename], - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - out_data, err_data = proc.communicate() - except IOError as io_error: - print(io_error, err_data) - - if proc.returncode == 0: - return plistlib.readPlistFromString(out_data) - - return None - - -def GetPlistValue(plist, value): - """Returns the value of a plist dictionary, or False.""" - try: - return plist[value] - except KeyError: - return False - - -def GetProgram(plist): - """Returns a plist's Program or ProgramArguments key and hash.""" - try: - return "['%s']" % plist["Program"], HashFile(plist["Program"]) - except KeyError: - try: - return plist["ProgramArguments"], HashFile(plist["ProgramArguments"]) - except KeyError: - return ("NO PROGRAM DEFINED", "UNKNOWN FILE HASH") - return None - - -def HashFile(filename): - """Returns SHA-256 hash of a given file.""" - if isinstance(filename, list): - filename = filename[0] - try: - return hashlib.sha256( - open(filename, "rb").read()).hexdigest() - except IOError: - return "UNKNOWN FILE HASH" - - -def GetComment(plist, comments): - """Get comment for a given property list.""" - try: - label = plist["Label"] - except KeyError: - return None - - if label in comments: - return comments[label] - return None - - -def main(): - """Main function.""" - print(HEADER) - - comments_file = os.path.join( - os.path.dirname(os.path.realpath(__file__)), "comments.csv") - - with 
open(comments_file, "rb") as c_file: - reader = csv.reader(c_file) - comments = {rows[0]:rows[1] for rows in reader} - - for ptype in PLIST_TYPES: - for filename in glob.glob(PLIST_LOCATION % ptype): - prop = LoadPlist(filename) - if prop: - print("%s,%s,%s,%s,%s" % ( - filename, - GetPlistValue(prop, "Label"), - '"%s",%s' % GetProgram(prop), - GetPlistValue(prop, "RunAtLoad"), - '"%s"' % GetComment(prop, comments))) - else: - print("Could not load %s" % filename) - - -if __name__ == "__main__": - main() From dc40fcf3ec109d967b300f28ad084358536d51b7 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Fri, 24 May 2024 23:47:30 -0500 Subject: [PATCH 423/476] Fix broken links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 148ebe93..443052c0 100755 --- a/README.md +++ b/README.md @@ -1387,7 +1387,7 @@ macOS remembers access points it has connected to. Like all wireless devices, th This is a privacy risk, so remove networks from the list in **System Preferences** > **Network** > **Advanced** when they are no longer needed. -Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) and [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf). +Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf). Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` 
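Review bot: Removing launchd/read_launch_plists.py is reasonable given the state of the deleted code, which would not run on a current Python: `plistlib.readPlistFromString` was dropped in Python 3.9 (`plistlib.loads` replaced it), the `except IOError` branch prints `err_data` before it is ever assigned, `open(comments_file, "rb")` feeds bytes to `csv.reader`, and the trailing `return None` in `GetProgram` is unreachable. Either delete it, as this hunk does, or port it; keeping it half-working is the worst option.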
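Review bot: In the @@ -1387 hunk the "Wi-Fi told me everything about you" citation is dropped rather than repaired, although the commit message says "Fix broken links". Prefer pointing the link at an archived copy of the slides (web.archive.org) so the reference survives; removing the citation silently weakens the paragraph's support for the probe-request tracking claim.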
@@ -1815,7 +1815,7 @@ Don't default to saving documents to iCloud: defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false ``` -Enable [Secure Keyboard Entry](https://support.apple.com/guide/terminal/use-secure-keyboard-entry-trml109) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secureinput)). +Enable [Secure Keyboard Entry](https://support.apple.com/guide/terminal/use-secure-keyboard-entry-trml109) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secure-input)). Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple): From 56d899370cbc98dd36c298f67bc65cfe7f894cb6 Mon Sep 17 00:00:00 2001 From: cspence001 <69818722+cspence001@users.noreply.github.com> Date: Tue, 11 Jun 2024 16:57:21 -0400 Subject: [PATCH 424/476] update saved app state directories --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 1d3b184b..785f0fdc 100755 --- a/README.md +++ b/README.md 
@@ -1262,12 +1262,12 @@ sudo chflags -R uchg /.DocumentRevisions-V100 Saved application state metadata may be cleared and locked with the following commands: ```console -rm -rfv "~/Library/Saved Application State/*" -rm -rfv "~/Library/Containers//Saved Application State" -chmod -R 000 "~/Library/Saved Application State/" -chmod -R 000 "~/Library/Containers//Saved Application State" -chflags -R uchg "~/Library/Saved Application State/" -chflags -R uchg "~/Library/Containers//Saved Application State" +rm -rfv ~/Library/Saved\ Application\ State/* +rm -rfv ~/Library/Containers//Data/Library/Saved\ Application\ State +chmod -R 000 ~/Library/Saved\ Application\ State/ +chmod -R 000 ~/Library/Containers//Data/Library/Saved\ Application\ State +chflags -R uchg ~/Library/Saved\ Application\ State/ +chflags -R uchg ~/Library/Containers//Data/Library/Saved\ Application\ State ``` Autosave metadata can be cleared and locked with the following commands: From e9a40bccc5508ac7b64e32d7641c931065b6edbf Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 21 Jul 2024 03:24:22 -0500 Subject: [PATCH 425/476] Remove Outdated Link --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 785f0fdc..44c4b74c 100755 --- a/README.md +++ b/README.md 
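Review bot: Two problems with the replacement commands in the @@ -1262 hunk. First, the second `rm -rfv` removes the Containers "Saved Application State" directory itself, so the following `chmod -R 000` and `chflags -R uchg` on that same path fail with "No such file or directory"; either clear only its contents (`.../Saved\ Application\ State/*`, as the first line does) or `mkdir -p` it before locking. Second, the path still contains an empty component (`Containers//Data`), which the shell collapses to `~/Library/Containers/Data/...`, a path that does not exist; if a bundle-identifier placeholder was meant there, it is missing, and a glob such as `~/Library/Containers/*/Data/Library/Saved\ Application\ State` would cover every sandboxed app. The switch from `"~/..."` (tilde is not expanded inside double quotes) to `~/Library/Saved\ Application\ State` is a correct fix of the old lines.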
@@ -197,9 +197,9 @@ sudo scutil --set LocalHostName MacBook The first user account is always an admin account. Admin accounts are members of the admin group and have access to `sudo`, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. -Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs and many panes in System Preferences are [unlocked by default](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 61–62) for admin accounts. +Utilities like `sudo` have [weaknesses that can be exploited](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/) by concurrently running programs. -It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) and [others](https://csrc.nist.gov/publications/drafts/800-179/sp800_179_draft.pdf) (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. +It is considered a best practice by [Apple](https://help.apple.com/machelp/mac/10.12/index.html#/mh11389) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration. It is not strictly required to ever log into the admin account via the macOS login screen. When a Terminal command requires administrator privileges, the system will prompt for authentication and Terminal then continues using those privileges. To that end, Apple provides some [recommendations](https://support.apple.com/HT203998) for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. From cfac5d9d47476ce75f40ca2e5c5a27e925bc96ac Mon Sep 17 00:00:00 2001 
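Review bot: The @@ -197 hunk removes both NIST SP 800-179 draft citations, but it also drops the substantive claim that many System Preferences panes are unlocked by default for admin accounts instead of re-sourcing it; if the point is still true it deserves a current reference rather than deletion. Since the commit is about outdated links, the retained Apple help link pinned to macOS 10.12 (help.apple.com/machelp/mac/10.12/...) and the 2014 sudo bypass post should get the same scrutiny.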
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 21 Jul 2024 04:07:49 -0500 Subject: [PATCH 426/476] Clean up Browser Section --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 785f0fdc..7cea6ec1 100755 --- a/README.md +++ b/README.md 
@@ -724,19 +724,19 @@ Many browser exploits are based on social engineering as a means of gaining pers Another important consideration about browser security is extensions. This is an issue affecting Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. The use of browser extensions should be limited to only critically necessary ones published by trustworthy developers. -[Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/), [Google Chrome](https://www.google.com/chrome/), [Safari](https://www.apple.com/safari/), and [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) are all recommended browsers for their own unique and individual purposes. +[Mozilla Firefox](https://www.mozilla.org/firefox/new), [Google Chrome](https://www.google.com/chrome), [Safari](https://www.apple.com/safari), and [Tor Browser](https://www.torproject.org/download) are all recommended browsers for their own unique and individual purposes. ## Firefox -[Mozilla Firefox](https://www.mozilla.org/firefox/new/) is a popular open source browser. Firefox replaced major parts of its infrastructure and code base under the projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org). Rust is a systems programming language with a focus on security and thread safety. It is expected that Rust adoption will greatly improve the overall security posture of Firefox. +[Mozilla Firefox](https://www.mozilla.org/firefox/new) is a popular open source browser. Firefox replaced major parts of its infrastructure and code base under the projects [Quantum](https://wiki.mozilla.org/Quantum) and [Photon](https://wiki.mozilla.org/Firefox/Photon/Updates). Part of the Quantum project is to replace C++ code with [Rust](https://www.rust-lang.org). Rust is a systems programming language with a focus on security and thread safety. 
It is expected that Rust adoption will greatly improve the overall security posture of Firefox. -Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/security/bug-bounty), although it is not as lucrative. Firefox follows a four-week release cycle similar to Chrome. +Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/security/bug-bounty), although it is not as lucrative. Firefox follows a four-week release cycle. -Firefox supports user-supplied configuration files. See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net/), an extension which allows selective script blocking. +Firefox supports user-supplied configuration files. See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net), an extension which allows selective script blocking. -Firefox [focuses on user privacy](https://www.mozilla.org/en-US/firefox/privacy/). It supports [tracking protection](https://developer.mozilla.org/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Firefox in Strict tracking protection mode will [randomize your fingerprint](https://support.mozilla.org/kb/firefox-protection-against-fingerprinting) to foil basic tracking scripts. Firefox offers separate user [profiles](https://support.mozilla.org/kb/profile-manager-create-remove-switch-firefox-profiles). 
You can separate your browsing inside a profile with [Multi-Account Containers](https://support.mozilla.org/kb/containers). +Firefox [focuses on user privacy](https://www.mozilla.org/firefox/privacy). It supports [tracking protection](https://developer.mozilla.org/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Firefox in Strict tracking protection mode will [randomize your fingerprint](https://support.mozilla.org/kb/firefox-protection-against-fingerprinting) to foil basic tracking scripts. Firefox offers separate user [profiles](https://support.mozilla.org/kb/profile-manager-create-remove-switch-firefox-profiles). You can separate your browsing inside a profile with [Multi-Account Containers](https://support.mozilla.org/kb/containers). -Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions), which is very similar to Chrome. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. +Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions), which is very similar to Chrome. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. ## Chrome 
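Review bot: The @@ -724 hunk normalizes URLs but leaves two wording issues in lines it already rewrites: "Web Extension Api" should read "WebExtensions API" (the added line still says "Api"), and "Web Extensions in Firefox most of the time are open source" reads better as "Most Firefox extensions are open source, although some are proprietary". Since the lines are being touched anyway, fix them here rather than in a follow-up.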
@@ -787,7 +787,7 @@ See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable ## Other browsers -Many Chromium-derived browsers are not recommended. They are usually [closed source](https://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. See [The Private Life of Chromium Browsers](https://web.archive.org/web/20180517132144/http://thesimplecomputer.info/the-private-life-of-chromium-browsers). +Many Chromium-derived browsers are not recommended. They are usually [closed source](https://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. Other miscellaneous browsers, such as [Brave](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use. From 87452a0962067dacea4200c3bf9551ff893cbf34 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 22 Jul 2024 03:04:28 -0500 Subject: [PATCH 427/476] Remove Abandoned Software --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index a138755a..0450824c 100755 --- a/README.md +++ b/README.md @@ -1543,8 +1543,6 @@ tshark -Y "ssl.handshake.certificate" -Tfields \ -Eseparator=/s -Equote=d ``` -Also see the simple networking monitoring application [BonzaiThePenguin/Loading](https://github.com/BonzaiThePenguin/Loading). - # Binary authorization [google/santa](https://github.com/google/santa/) is a security software developed for Google's corporate Macintosh fleet and open sourced. 
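Review bot: In the @@ -787 hunk the removed link was a web.archive.org snapshot, which is the durable form of a citation, while the retained "poorly maintained" link points at plus.google.com, a service that no longer exists. The cleanup therefore drops a working archived reference and keeps a dead one; replace the Google+ link with an archived copy or remove it, and consider restoring the archived "Private Life of Chromium Browsers" article.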
From 3ac9e00b70a30f1b529a238b40ec65f3f8b61387 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 24 Jul 2024 15:57:52 -0500 Subject: [PATCH 428/476] Remove Espionage --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index a138755a..0156e476 100755 --- a/README.md +++ b/README.md @@ -1374,7 +1374,6 @@ Additional applications and services which offer backups include: * [Tresorit](https://www.tresorit.com) * [Arq](https://www.arqbackup.com) -* [Espionage](https://www.espionageapp.com/) * [restic](https://restic.github.io) # Wi-Fi From 4e22ecf4590cd50f54e26ad521201644ff82ce6c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 29 Jul 2024 20:45:34 -0500 Subject: [PATCH 429/476] Remove Arq --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index be770a9e..4e8e34f0 100755 --- a/README.md +++ b/README.md @@ -1373,7 +1373,6 @@ hdiutil eject /Volumes/secretStuff Additional applications and services which offer backups include: * [Tresorit](https://www.tresorit.com) -* [Arq](https://www.arqbackup.com) * [restic](https://restic.github.io) # Wi-Fi From c9056302201f00a6d8fd141abaf7d837b658b439 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 29 Jul 2024 23:54:00 -0500 Subject: [PATCH 430/476] Remove Voodoo Privacy --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index be770a9e..42d6b1b4 100755 --- a/README.md +++ b/README.md 
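Review bot: Patches 428 and 429 each remove one backup product from the list without the commit message saying why (abandonment, a licence change, a security concern). Record the reason in the commit message or the PR, as was done for "Remove Abandoned Software"; a reader of the history otherwise cannot tell whether the tool was dropped because it is unsafe or merely because it is paid.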
@@ -946,7 +946,7 @@ When choosing a VPN service or setting up your own, be sure to research the prot Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See [scy/8122924](https://gist.github.com/scy/8122924) for an example on how to allow traffic only over VPN. -Another set of scripts to lock down your system so it will only access the internet via a VPN can be found as part of the Voodoo Privacy project - [sarfata/voodooprivacy](https://github.com/sarfata/voodooprivacy) and there is an updated guide to setting up an IPSec VPN on a virtual machine ([hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)) or a docker container ([hwdsl2/docker-ipsec-vpn-server](https://github.com/hwdsl2/docker-ipsec-vpn-server)). +There is an updated guide to setting up an IPSec VPN on a virtual machine ([hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)) or a docker container ([hwdsl2/docker-ipsec-vpn-server](https://github.com/hwdsl2/docker-ipsec-vpn-server)). It may be worthwhile to consider the geographical location of the VPN provider. See further discussion in [issue 114](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/114). From ca88da6b7f675da3a15f65f36c192674a86fd8e7 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Wed, 4 Sep 2024 14:53:57 -0500 Subject: [PATCH 431/476] Update VMWare Fusion --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 298f218f..98d75dcc 100755 --- a/README.md +++ b/README.md 
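Review bot: After the @@ -946 hunk the sentence "There is an updated guide to setting up an IPSec VPN ..." is left dangling: "updated" referred to the Voodoo Privacy scripts that the hunk removes, so the comparison no longer makes sense. Reword to "See [hwdsl2/setup-ipsec-vpn] for setting up an IPsec VPN on a virtual machine, or [hwdsl2/docker-ipsec-vpn-server] for a Docker container." Note also the protocol is spelled "IPsec".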
@@ -176,7 +176,7 @@ You can easily run macOS natively in a virtual machine using [UTM](https://mac.g Follow their [documentation](https://docs.getutm.app/guest-support/macos) to install a macOS VM with just a few clicks. -Another option is [VMware Fusion](https://www.vmware.com/products/fusion.html), although it costs money. You can read their [documentation](https://docs.vmware.com/en/VMware-Fusion/13/com.vmware.fusion.using.doc/GUID-474FC78E-4E77-42B7-A1C6-12C2F378C5B9.html) to see how to install a macOS VM. +Another option is [VMware Fusion](https://www.vmware.com/products/fusion.html). You can read their [documentation](https://docs.vmware.com/en/VMware-Fusion/13/com.vmware.fusion.using.doc/GUID-474FC78E-4E77-42B7-A1C6-12C2F378C5B9.html) to see how to install a macOS VM. # First boot From 99f0e5e131742363caf518a89d8990dad3eec8e8 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Tue, 17 Sep 2024 21:31:50 -0500 Subject: [PATCH 432/476] add mac address randomization --- README.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 298f218f..b6e6baa1 100755 --- a/README.md +++ b/README.md 
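Review bot: The @@ -176 hunk removes "although it costs money" but the commit message ("Update VMWare Fusion") does not say why; a one-line note that Fusion became free for personal use in 2024 would let readers judge whether the change still applies. The documentation link is also pinned to Fusion 13 (docs.vmware.com/en/VMware-Fusion/13/...); a version-independent URL would age better.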
@@ -1385,17 +1385,13 @@ Also see [Signals from the Crowd: Uncovering Social Relationships through Smartp Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` -You may want to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of the network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: - -```console -sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') -``` +You can have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time. macOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all. **Note** MAC addresses will reset to hardware defaults on each boot. -Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should only connect to **WPA2** protected networks when possible. +Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should only connect to **WPA3** protected networks when possible. # SSH From 70c7c2e1cc501b13f643f8d23375e0c434fcb4df Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Thu, 19 Sep 2024 16:41:34 -0500 Subject: [PATCH 433/476] update gatekeeper --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
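Review bot: The @@ -1385 hunk replaces the manual `ifconfig en0 ether` spoof with Apple's per-network random address, but leaves the context line "**Note** MAC addresses will reset to hardware defaults on each boot." in place; that note described the manual spoof and contradicts the new text about an address that rotates per network, so it should be removed or reworded in the same change. Also state the minimum macOS version the random-address feature requires, since older releases lack it and those readers lose the only method the guide offered. Separately, the WPA2 to WPA3 change is fine, but the linked article only covers WEP/WPA/WPA2, so the citation no longer supports the recommendation as written.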
diff --git a/README.md b/README.md index 298f218f..62a27b54 100755 --- a/README.md +++ b/README.md @@ -1072,7 +1072,7 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/soph **Gatekeeper** tries to prevent non-notarized apps from running. -If you try to run an app that isn't notarized, Gatekeeper will give you a warning. This can be easily bypassed if you open Finder to where the program is and right click/control click on it and select Open. Then Gatekeeper will allow you to run it. +If you try to run an app that isn't notarized, Gatekeeper will give you a warning. This can be easily bypassed if you go to **Privacy & Security**, scroll down to the bottom and click **Open** on your app. Then Gatekeeper will allow you to run it. Gatekeeper doesn't cover all binaries, only apps so be careful when running other file types. From 371b7652c91d23fd06e6fcdb98cc428ccd60c259 Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 29 Sep 2024 16:39:41 -0500 Subject: [PATCH 434/476] Replace Apple ID with Apple Account --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 9a0fc945..a92513bc 100755 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github - [Hardware](#hardware) - [Installing macOS](#installing-macos) * [System activation](#system-activation) - * [Apple ID](#apple-id) + * [Apple Account](#apple-account) * [App Store](#app-store) * [Virtualization](#virtualization) - [First boot](#first-boot) 
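Review bot: The @@ -1072 hunk swaps the Control-click "Open" route for the System Settings "Privacy & Security" route, but both are version-dependent: the Control-click override was removed in macOS Sequoia, while the settings button is what Sequoia offers. Say which versions each applies to instead of presenting one as the only way. The wording "This can be easily bypassed" also misdescribes what happens; this is the user's explicit override, so "The warning can be overridden by ..." is more accurate and avoids reading as an evasion recipe.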
@@ -156,19 +156,19 @@ As part of Apple's [theft prevention system](https://support.apple.com/102541), You can read about exactly how this process works [here](https://support.apple.com/guide/security/localpolicy-signing-key-creation-management-sec1f90fbad1). -## Apple ID +## Apple Account -Creating an Apple ID is not required to use macOS. Making an Apple ID requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to iCloud, Apple's cloud storage service. You can [disable](https://support.apple.com/102651) the syncing later if you want or enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) for your iCloud data. +Creating an Apple Account is not required to use macOS. Making an Apple Account requires a phone number and it will by default sync a [lot of data](https://www.apple.com/legal/privacy/data/en/apple-id/) to iCloud, Apple's cloud storage service. You can [disable](https://support.apple.com/102651) the syncing later if you want or enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web) for your iCloud data. -You can [control the data](https://support.apple.com/102283) associated with your Apple ID or completely delete it. +You can [control the data](https://support.apple.com/102283) associated with your Apple Account or completely delete it. -An Apple ID is required in order to access the App Store and use most Apple services like iCloud, Apple Music, etc. +An Apple Account is required in order to access the App Store and use most Apple services like iCloud, Apple Music, etc. 
## App Store The Mac App Store is a [curated](https://developer.apple.com/app-store/review/guidelines) repository of software that is required to utilize the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) and [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), as well as offering automatic updates that integrate with your system. -The App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple ID and Apple will be able to link your Apple ID to your downloaded apps. +The App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple Account and Apple will be able to link your Apple Account to your downloaded apps. ## Virtualization @@ -992,7 +992,7 @@ Signal requires a phone number to sign up and you'll need to install it on your ## iMessage -iMessage is Apple's first party messenger. It requires an [Apple ID](#apple-id) in order to use it. +iMessage is Apple's first party messenger. It requires an [Apple Account](#apple-account) in order to use it. Make sure to enable [Contact Key Verification](https://support.apple.com/118246) and verify with anyone you message to ensure that you're messaging the right person. @@ -1295,7 +1295,7 @@ chflags -R uchg ~/Library/Assistant/SiriAnalytics.db defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches ``` -If you do not use Apple ID-linked services, the following keys may be cleared, too, using the following commands: +If you do not use Apple Account-linked services, the following keys may be cleared, too, using the following commands: ```console defaults delete ~/Library/Preferences/com.apple.iTunes.plist StoreUserInfo From 73699d058735b84c1d646267407bb914eac04b80 Mon Sep 17 00:00:00 2001 
From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Sun, 29 Sep 2024 18:15:51 -0500 Subject: [PATCH 435/476] Replace Broken Privoxy Link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9a0fc945..16515a78 100755 --- a/README.md +++ b/README.md @@ -622,7 +622,7 @@ brew install privoxy brew services start privoxy ``` -Alternatively, a signed installation package for Privoxy is available from [silvester.org.uk](https://silvester.org.uk/privoxy/Macintosh%20%28OS%20X%29/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version and receives support from the Privoxy project. +Alternatively, a signed installation package for Privoxy is available from [their website](https://www.privoxy.org/sf-download-mirror/Macintosh%20%28OS%20X%29/) or [Sourceforge](https://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/). The signed package is [more secure](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/65) than the Homebrew version and receives support from the Privoxy project. By default, Privoxy listens on local TCP port 8118. From e40f6fff746cfae9e1ea50a5727ba254ca1d061d Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 30 Sep 2024 01:41:55 -0500 Subject: [PATCH 436/476] Remove incorrect MAC address info --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 9a0fc945..977f1693 100755 --- a/README.md +++ b/README.md 
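Review bot: In the @@ -622 hunk the new "their website" link (privoxy.org/sf-download-mirror/...) is a mirror of the same SourceForge files area as the second link, so "or Sourceforge" now offers the same artifact twice. Either drop one of the two or describe them as primary and mirror, and say that the signed package should be verified against the Privoxy project's published signature rather than relying on the download location alone.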
@@ -1389,8 +1389,6 @@ You can have a different, [random MAC address](https://support.apple.com/en-gb/g macOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all. -**Note** MAC addresses will reset to hardware defaults on each boot. - Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should only connect to **WPA3** protected networks when possible. # SSH From c237c72cbc5107aa022f74ecbc6732abca0d445c Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 30 Sep 2024 02:24:09 -0500 Subject: [PATCH 437/476] Remove KnockKnock --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9a0fc945..303f262e 100755 --- a/README.md +++ b/README.md 
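Review bot: the removed line is the only statement in this section about MAC address behaviour across reboots, and the commit message says only that it was "incorrect" without saying what the correct behaviour is; suggest either replacing the note with the accurate statement or explaining in the commit message why no replacement is needed, so readers are not left guessing how the "random MAC address" feature named in the hunk header behaves on reboot. Minor: the WEP link in the context line is plain `http://`; upgrading it to `https://` could ride along.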
@@ -1062,7 +1062,7 @@ To scan an application with multiple AV products and examine its behavior, uploa macOS comes with a built-in AV program called [XProtect](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8). XProtect automatically runs in the background and updates its signatures that it uses to detect malware without you having to do anything. If it detects malware already running, it will work to remove and mitigate it just like any other AV program. -You could periodically run a tool like [KnockKnock](https://objective-see.org/products/knockknock.html) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) or [maclaunch.sh](https://github.com/hazcod/maclaunch) might help. +Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) or [maclaunch.sh](https://github.com/hazcod/maclaunch) might help prevent persistent malware. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern. From bb75e1bc5fba083e3f6f88af462d0b09359b90cc Mon Sep 17 00:00:00 2001 From: kimg45 <138676274+kimg45@users.noreply.github.com> Date: Mon, 30 Sep 2024 21:32:38 -0500 Subject: [PATCH 438/476] Remove the Safe Mac --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9a0fc945..2189f2b3 100755 --- a/README.md +++ b/README.md 
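Review bot: the rewritten sentence drops the advice to periodically examine persistent items (the part of the old line that was not about KnockKnock) and now offers BlockBlock and maclaunch.sh with no statement of what they do; suggest keeping one sentence on what persistence auditing is and on what these tools watch for, and give the reason for dropping KnockKnock in the commit message, since "Remove KnockKnock" on its own reads as unexplained.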
@@ -1008,7 +1008,7 @@ Some malware comes bundled with both legitimate software, such as the [Java bund See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. -Subscribe to updates at [The Safe Mac](http://www.thesafemac.com/) and [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. +Subscribe to updates at the [Malwarebytes Blog](https://blog.malwarebytes.com/) for current Mac security news. Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for macOS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from userland (e.g., `ps`, `ls`). For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) From a9c5539694e301e4332a35d5344a21bde51942c5 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Thu, 31 Oct 2024 14:57:03 -0500 Subject: [PATCH 439/476] Update Link for macOS Sequoia --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ee23500..123f93b2 100755 --- a/README.md +++ b/README.md 
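Review bot: the commit message should say why The Safe Mac was dropped (site gone, or no longer updated) so the history is useful when someone later asks whether to restore it. The context line starting "Also check out Hacking Team" ends without a period; worth fixing in passing.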
@@ -238,7 +238,7 @@ You should check that firmware security settings are set to [Full Security](http All Mac models with Apple silicon are encrypted by default. Enabling [FileVault](https://support.apple.com/guide/mac-help/mh11785/mac) makes it so that you need to enter a password in order to access the data on your drive. The EFF has a guide on generating [strong but memorable passwords](https://www.eff.org/dice). -Your FileVault password also acts as a [firmware password](https://support.apple.com/en-us/102384) that will prevent people that don't know it from booting from anything other than the designated startup disk, accessing [Recovery](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/14.0/mac/14.0#mchl5abfbb29), and [reviving](https://support.apple.com/en-us/108900) it with DFU mode. +Your FileVault password also acts as a [firmware password](https://support.apple.com/en-us/102384) that will prevent people that don't know it from booting from anything other than the designated startup disk, accessing [Recovery](https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/15.0/mac/15.0#mchl5abfbb29), and [reviving](https://support.apple.com/en-us/108900) it with DFU mode. FileVault will ask you to set a recovery key in case you forget your password. Keep this key stored somewhere safe. You'll have the option use your iCloud account to unlock your disk; however, anyone with access to your iCloud account will be able to unlock it as well. From 092f7edb15b406581f9b81a934081b345f8841ff Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Thu, 31 Oct 2024 15:00:35 -0500 Subject: [PATCH 440/476] Fix Typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ee23500..80f2708d 100755 --- a/README.md +++ b/README.md 
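Review bot: the Recovery link is updated only by bumping the version path segment from `14.0` to `15.0`, which will go stale again on the next macOS release; if the Apple support guide resolves the unversioned URL (without the `/15.0/mac/15.0` segment) to the current version, linking that form would avoid repeating this commit yearly. The FileVault context line also has a missing word: "You'll have the option use your iCloud account" should read "the option to use".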
@@ -426,7 +426,7 @@ Apple is moving to on-device processing for a lot of Siri functions, but some in # Homebrew -If your program isn't available through Apple AppStore you can consider using [Homebrew](https://brew.sh/). +If your program isn't available through Apple App Store you can consider using [Homebrew](https://brew.sh/). **Important!** Note that Homebrew asks you to grant “App Management” (or “Full Disk Access”) permission to your terminal. This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of your terminal by adding a malicious command to (e.g.) ~/.zshrc. Granting “App Management” or “Full Disk Access” to your terminal should be considered the same as disabling TCC completely. From 3f9d2c30370f0ea7aedd75cb1f1f3c155d4be512 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Thu, 31 Oct 2024 15:01:44 -0500 Subject: [PATCH 441/476] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 80f2708d..2e5d8196 100755 --- a/README.md +++ b/README.md @@ -426,7 +426,7 @@ Apple is moving to on-device processing for a lot of Siri functions, but some in # Homebrew -If your program isn't available through Apple App Store you can consider using [Homebrew](https://brew.sh/). +If your program isn't available through the Apple App Store you can consider using [Homebrew](https://brew.sh/). **Important!** Note that Homebrew asks you to grant “App Management” (or “Full Disk Access”) permission to your terminal. This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of your terminal by adding a malicious command to (e.g.) ~/.zshrc. Granting “App Management” or “Full Disk Access” to your terminal should be considered the same as disabling TCC completely. 
From d05f91f50a0a5d55800849a0af102cddf2edefde Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Thu, 31 Oct 2024 15:02:45 -0500 Subject: [PATCH 442/476] remove redundant phrase --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e5d8196..97653800 100755 --- a/README.md +++ b/README.md @@ -428,7 +428,7 @@ Apple is moving to on-device processing for a lot of Siri functions, but some in If your program isn't available through the Apple App Store you can consider using [Homebrew](https://brew.sh/). -**Important!** Note that Homebrew asks you to grant “App Management” (or “Full Disk Access”) permission to your terminal. This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of your terminal by adding a malicious command to (e.g.) ~/.zshrc. Granting “App Management” or “Full Disk Access” to your terminal should be considered the same as disabling TCC completely. +**Important!** Homebrew asks you to grant “App Management” (or “Full Disk Access”) permission to your terminal. This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of your terminal by adding a malicious command to (e.g.) ~/.zshrc. Granting “App Management” or “Full Disk Access” to your terminal should be considered the same as disabling TCC completely. Remember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its formula online. You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` From 1095b57f60bc075887accfef7b65dcdf92a9cecf Mon Sep 17 00:00:00 2001 
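Review bot: the `+` line drops "Note that" but keeps "vulnerable to these attacks again", where "these attacks" has no antecedent inside this paragraph; suggest naming the attack once (the TCC-bypass through your shell's startup files that the next sentence describes) so the warning stands alone. In the context line below, `brew info ` is missing its package placeholder (e.g. `brew info <package>`), which looks like a lost angle-bracket token and is worth restoring while touching this section.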
From: fria <138676274+friadev@users.noreply.github.com> Date: Thu, 31 Oct 2024 15:08:00 -0500 Subject: [PATCH 443/476] remove unnecessary word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 97653800..b2eab2eb 100755 --- a/README.md +++ b/README.md @@ -426,7 +426,7 @@ Apple is moving to on-device processing for a lot of Siri functions, but some in # Homebrew -If your program isn't available through the Apple App Store you can consider using [Homebrew](https://brew.sh/). +If your program isn't available through the App Store you can consider using [Homebrew](https://brew.sh/). **Important!** Homebrew asks you to grant “App Management” (or “Full Disk Access”) permission to your terminal. This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of your terminal by adding a malicious command to (e.g.) ~/.zshrc. Granting “App Management” or “Full Disk Access” to your terminal should be considered the same as disabling TCC completely. From a70e214f530194c51484b20dc6adb4f84e13fac6 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Thu, 31 Oct 2024 15:19:26 -0500 Subject: [PATCH 444/476] fix tor browser link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ee23500..ca7f383a 100755 --- a/README.md +++ b/README.md 
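Review bot: patches 440 through 443 each change the same sentence by one or two words ("Apple AppStore", "Apple App Store", "the Apple App Store", "the App Store"); these should be squashed into one commit, as four revisions of one line add noise to `git blame` and the intermediate wordings never need to exist. The final `+` line is the right one.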
@@ -841,7 +841,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 Make sure `Good signature from "Tor Browser Developers (signing key) "` appears in the output. The warning about the key not being certified is benign, as it has not yet been assigned trust. -See [How can I verify Tor Browser's signature?](https://support.torproject.org/) for more information. +See [How can I verify Tor Browser's signature?](https://support.torproject.org/tbb/how-to-verify-signature/) for more information. To finish installing Tor Browser, open the disk image and drag the it into the Applications folder, or with: From bb03e1bfa0e7e608e557cf0a5e95943f68b59104 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Thu, 31 Oct 2024 20:18:49 -0500 Subject: [PATCH 445/476] remove broken links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ca7f383a..29122dcd 100755 --- a/README.md +++ b/README.md @@ -787,7 +787,7 @@ See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable ## Other browsers -Many Chromium-derived browsers are not recommended. They are usually [closed source](https://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), [have bugs](https://code.google.com/p/google-security-research/issues/detail?id=679), and make dubious claims to protect privacy. +Many Chromium-derived browsers are not recommended. They are usually [closed source](https://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), and make dubious claims to protect privacy. Other miscellaneous browsers, such as [Brave](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use. 
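Review bot: the link fix is correct; the surrounding context in this hunk has two defects worth fixing in the same touch: the expected output line `Good signature from "Tor Browser Developers (signing key) "` has lost the e-mail address in angle brackets inside the quotes, so readers comparing against `gpg --verify` output will see a mismatch, and "drag the it into the Applications folder" has a stray "the".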
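Review bot: the Other browsers hunk removes the `have bugs` link but keeps the `poorly maintained` link to `plus.google.com`, which has been dead since Google+ shut down, so this "remove broken links" commit leaves one broken link on the same line; either drop it too or point it at an archived copy. The claim "have bugs" is dropped entirely rather than kept unlinked; that is fine if no replacement source exists, but say so in the commit message.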
@@ -1066,7 +1066,7 @@ Applications such as [BlockBlock](https://objective-see.com/products/blockblock. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern. -See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). +See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](https://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), and [How Israel Caught Russian Hackers Scouring the World for U.S. Secrets](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html). ## Gatekeeper From 91261db91b094b3b7606f34e85946030cee2f502 Mon Sep 17 00:00:00 2001 
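Review bot: the AV-references hunk keeps the Project Zero link under the `googleprojectzero.blogspot.ro` hostname, a country-specific Blogger domain, while the `.com` form is the canonical one; since this commit is about link hygiene, normalise it at the same time. The removed Avast and AVG items were the two `code.google.com` issue links, consistent with the first hunk.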
From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 8 Nov 2024 23:39:25 -0600 Subject: [PATCH 446/476] Update Google Santa --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1916ccbe..1255cbcf 100755 --- a/README.md +++ b/README.md @@ -1541,7 +1541,7 @@ tshark -Y "ssl.handshake.certificate" -Tfields \ > Santa is a binary and file access authorization system for macOS. It consists of a system extension that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server. -Santa uses the [Kernel Authorization API](https://developer.apple.com/library/content/technotes/tn2127/_index.html) to monitor and allow/disallow binaries from executing in the kernel. Binaries can be white- or black-listed by unique hash or signing developer certificate. Santa can be used to only allow trusted code execution, or to blacklist known malware from executing on a Mac, similar to Bit9 software for Windows. +Santa uses the [Endpoint Security API](https://developer.apple.com/documentation/endpointsecurity) to monitor and allow/disallow binaries from executing. Binaries can be white- or black-listed by unique hash or signing developer certificate. Santa can be used to only allow trusted code execution, or to blacklist known malware from executing on a Mac, similar to Bit9 software for Windows. **Note** Santa does not currently have a graphical user interface for managing rules. The following instructions are for advanced users only! From e643b049f4507a9033444bb89621a8ecdef1a321 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 8 Nov 2024 23:49:47 -0600 Subject: [PATCH 447/476] update name of the pkg --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
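Review bot: the API update in the `+` line is correct, but the rest of the section still documents the old kernel-extension model: the "Verify Santa is running and its kernel module is loaded" steps further down use `kextstat | grep santa` and show `santa-driver.kext`, which an Endpoint Security system extension does not load, and the quoted description above the hunk already says "system extension". Suggest updating the verification steps (e.g. `systemextensionsctl list`) or dropping them, so the section does not contradict itself.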
diff --git a/README.md b/README.md index 1255cbcf..97e6e7eb 100755 --- a/README.md +++ b/README.md @@ -1548,9 +1548,9 @@ Santa uses the [Endpoint Security API](https://developer.apple.com/documentation To install Santa, visit the [Releases](https://github.com/google/santa/releases) page and download the latest disk image, the mount it and install the contained package: ```console -hdiutil mount ~/Downloads/santa-0.9.20.dmg +hdiutil mount ~/Downloads/santa-2024.9.dmg -sudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt / +sudo installer -pkg /Volumes/santa-2024.9/santa-2024.9.pkg -tgt / ``` By default, Santa installs in "Monitor" mode (meaning, nothing gets blocked, only logged) and comes with two rules: one for Apple binaries and another for Santa software itself. From b73b8a36b43ac0bf9ddfa212982e88cc4d883507 Mon Sep 17 00:00:00 2001 From: Neyts Zupan Date: Fri, 28 Mar 2025 17:12:57 +0000 Subject: [PATCH 448/476] Re-add Pareto Security It seems to have been removed by mistake in a cleanup commit last March: https://github.com/drduh/macOS-Security-and-Privacy-Guide/commit/a07d13a95d1bd79e67808cf689d2478f673688e8 Yes, it's part of a commercial monitoring suite, but the app itself is opensource and free. Exactly like CISOfy/lynis a few lines above, just aimed more at regular users, with a UI app to make security approachable to everyone. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1916ccbe..e847a78d 100755 --- a/README.md +++ b/README.md 
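Review bot: hard-coding `santa-2024.9` in both commands makes the instructions go stale at every release, exactly the problem this commit is fixing for `0.9.20`; since the lead-in already says "download the latest disk image", suggest a placeholder such as `santa-<version>` or a shell variable set once and reused in both commands, and fix the lead-in typo "the mount it" (should be "then mount it") in the same commit.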
@@ -1854,6 +1854,7 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. * [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). * [osquery](https://github.com/osquery/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. +* [Pareto Security](https://github.com/paretoSecurity/pareto-mac/) - A MenuBar app to automatically audit your Mac for basic security hygiene. # Additional resources From 8181413cd151452cc0517ea1fbce65ba35eb5039 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Tue, 1 Apr 2025 05:50:40 -0500 Subject: [PATCH 449/476] remove google santa --- README.md | 227 ------------------------------------------------------ 1 file changed, 227 deletions(-) diff --git a/README.md b/README.md index 97e6e7eb..23457554 100755 --- a/README.md +++ b/README.md @@ -74,7 +74,6 @@ To suggest an improvement, send a pull request or [open an issue](https://github * [DTrace](#dtrace) * [Execution](#execution) * [Network](#network) -- [Binary authorization](#binary-authorization) - [Miscellaneous](#miscellaneous) - [Related software](#related-software) - [Additional resources](#additional-resources) 
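Review bot: the new list entry omits the point the commit message itself makes, that Pareto Security is the open-source client of a commercial monitoring suite; readers of the README do not see commit messages, so add that qualifier to the entry (e.g. "free, open-source client of a commercial service") so it is evaluated on the same footing as the lynis entry above it. Style: "MenuBar" should be "menu bar".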
@@ -1535,232 +1534,6 @@ tshark -Y "ssl.handshake.certificate" -Tfields \ -Eseparator=/s -Equote=d ``` -# Binary authorization - -[google/santa](https://github.com/google/santa/) is a security software developed for Google's corporate Macintosh fleet and open sourced. - -> Santa is a binary and file access authorization system for macOS. It consists of a system extension that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server. - -Santa uses the [Endpoint Security API](https://developer.apple.com/documentation/endpointsecurity) to monitor and allow/disallow binaries from executing. Binaries can be white- or black-listed by unique hash or signing developer certificate. Santa can be used to only allow trusted code execution, or to blacklist known malware from executing on a Mac, similar to Bit9 software for Windows. - -**Note** Santa does not currently have a graphical user interface for managing rules. The following instructions are for advanced users only! - -To install Santa, visit the [Releases](https://github.com/google/santa/releases) page and download the latest disk image, the mount it and install the contained package: - -```console -hdiutil mount ~/Downloads/santa-2024.9.dmg - -sudo installer -pkg /Volumes/santa-2024.9/santa-2024.9.pkg -tgt / -``` - -By default, Santa installs in "Monitor" mode (meaning, nothing gets blocked, only logged) and comes with two rules: one for Apple binaries and another for Santa software itself. 
- -Verify Santa is running and its kernel module is loaded: - -```console -$ santactl status ->>> Daemon Info - Mode | Monitor - File Logging | No - Watchdog CPU Events | 0 (Peak: 0.00%) - Watchdog RAM Events | 0 (Peak: 0.00MB) ->>> Kernel Info - Kernel cache count | 0 ->>> Database Info - Binary Rules | 0 - Certificate Rules | 2 - Events Pending Upload | 0 - -$ ps -ef | grep "[s]anta" - 0 786 1 0 10:01AM ?? 0:00.39 /Library/Extensions/santa-driver.kext/Contents/MacOS/santad --syslog - -$ kextstat | grep santa - 119 0 0xffffff7f822ff000 0x6000 0x6000 com.google.santa-driver (0.9.14) 693D8E4D-3161-30E0-B83D-66A273CAE026 <5 4 3 1> -``` - -Create a blacklist rule to prevent iTunes from executing: - -```console -$ sudo santactl rule --blacklist --path /Applications/iTunes.app/ -Added rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3. -``` - -Try to launch iTunes - it will be blocked. - -```console -$ open /Applications/iTunes.app/ -LSOpenURLsWithRole() failed with error -10810 for the file /Applications/iTunes.app. -``` - -Santa block dialog when attempting to run a blacklisted program - -To remove the rule: - -```console -$ sudo santactl rule --remove --path /Applications/iTunes.app/ -Removed rule for SHA-256: e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3. 
-``` - -Open iTunes: - -```console -$ open /Applications/iTunes.app/ -[iTunes will open successfully] -``` - -Create a new, example C program: - -```console -$ cat < foo.c -> #include -> main() { printf("Hello World\n”); } -> EOF -``` - -Compile the program with GCC (requires installation of Xcode or command-line tools): - -```console -$ gcc -o foo foo.c - -$ file foo -foo: Mach-O 64-bit executable x86_64 - -$ codesign -d foo -foo: code object is not signed at all -``` - -Run it: - -```console -$ ./foo -Hello World -``` - -Toggle Santa into "Lockdown" mode, which only allows authorized binaries to run: - -```console -$ sudo defaults write /var/db/santa/config.plist ClientMode -int 2 -``` - -Try to run the unsigned binary: - -```console -$ ./foo -bash: ./foo: Operation not permitted - -Santa - -The following application has been blocked from executing -because its trustworthiness cannot be determined. - -Path: /Users/demouser/foo -Identifier: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed -Parent: bash (701) -``` - -To authorize a binary, determine its SHA-256 sum: - -```console -$ santactl fileinfo /Users/demouser/foo -Path : /Users/demouser/foo -SHA-256 : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed -SHA-1 : 4506f3a8c0a5abe4cacb98e6267549a4d8734d82 -Type : Executable (x86-64) -Code-signed : No -Rule : Blacklisted (Unknown) -``` - -Add a new rule: - -```console -$ sudo santactl rule --whitelist --sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed -Added rule for SHA-256: 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed. -``` - -Run it: - -```console -$ ./foo -Hello World -``` - -It's allowed and works! - -Applications can also be allowed by developer certificate. 
For example, download and run Google Chrome - it will be blocked by Santa in "Lockdown" mode: - -```console -$ curl -sO https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg - -$ hdiutil mount googlechrome.dmg - -$ cp -r /Volumes/Google\ Chrome/Google\ Chrome.app /Applications/ - -$ open /Applications/Google\ Chrome.app/ -LSOpenURLsWithRole() failed with error -10810 for the file /Applications/Google Chrome.app. -``` - -Authorize the application by the developer certificate (first item in the Signing Chain): - -```console -$ santactl fileinfo /Applications/Google\ Chrome.app/ -Path : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -SHA-256 : 0eb08224d427fb1d87d2276d911bbb6c4326ec9f74448a4d9a3cfce0c3413810 -SHA-1 : 9213cbc7dfaaf7580f3936a915faa56d40479f6a -Bundle Name : Google Chrome -Bundle Version : 2883.87 -Bundle Version Str : 55.0.2883.87 -Type : Executable (x86-64) -Code-signed : Yes -Rule : Blacklisted (Unknown) -Signing Chain: - 1. SHA-256 : 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 - SHA-1 : 85cee8254216185620ddc8851c7a9fc4dfe120ef - Common Name : Developer ID Application: Google Inc. - Organization : Google Inc. - Organizational Unit : EQHXZ8M8AV - Valid From : 2012/04/26 07:10:10 -0700 - Valid Until : 2017/04/27 07:10:10 -0700 - - 2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f - SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186 - Common Name : Developer ID Certification Authority - Organization : Apple Inc. - Organizational Unit : Apple Certification Authority - Valid From : 2012/02/01 14:12:15 -0800 - Valid Until : 2027/02/01 14:12:15 -0800 - - 3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024 - SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60 - Common Name : Apple Root CA - Organization : Apple Inc. 
- Organizational Unit : Apple Certification Authority - Valid From : 2006/04/25 14:40:36 -0700 - Valid Until : 2035/02/09 13:40:36 -0800 -``` - -In this case, `15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153` is the SHA-256 of Google’s Apple developer certificate (team ID EQHXZ8M8AV) - authorize it: - -```console -$ sudo santactl rule --whitelist --certificate --sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 -Added rule for SHA-256: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153. -``` - -Google Chrome should now launch, and subsequent updates to the application will continue to work as long as the code signing certificate doesn’t change or expire. - -To disable "Lockdown" mode: - -```console -sudo defaults delete /var/db/santa/config.plist ClientMode -``` - -See `/var/log/santa.log` to monitor ALLOW and DENY execution decisions. - -A log and configuration server for Santa is available in [Zentral](https://github.com/zentralopensource/zentral), an open source event monitoring solution and TLS server for osquery and Santa. - -Zentral will support Santa in both MONITORING and LOCKDOWN operation mode. Clients need to be enrolled with a TLS connection to sync Santa Rules, all Santa events from endpoints are aggregated and logged back in Zentral. Santa events can trigger actions and notifications from within the Zentral Framework. - -**Note** Python, Bash and other interpreters are authorized (since they are signed by Apple's developer certificate), so Santa will not be able to block such scripts from executing. Thus, a potential non-binary program which disables Santa is a weakness (not vulnerability, since it is so by design) to take note of. - # Miscellaneous Disable [Diagnostics & Usage Data](https://support.apple.com/guide/mac-help/share-analytics-information-mac-apple-mh27990). From 45c33eab09d35507807ea2ea8fbb90c17925cfd4 Mon Sep 17 00:00:00 2001 
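Review bot: this hunk deletes the whole Binary authorization section, the guide's only coverage of application allow-listing by hash or signing certificate, with a one-line commit message and no pointer to a replacement; if the reason is that `google/santa` is no longer the maintained home of the project, say so in the commit message and leave a short stub naming the current upstream, since allow-listing is a control readers will look for. The deletion also orphans the "log and configuration server for santa" wording in the Related software list, which patch 450 then fixes; the two commits should be squashed so no intermediate revision has a dangling reference.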
From: fria <138676274+friadev@users.noreply.github.com> Date: Tue, 1 Apr 2025 05:51:31 -0500 Subject: [PATCH 450/476] remove mention of santa --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 23457554..42c9d7bb 100755 --- a/README.md +++ b/README.md @@ -1625,7 +1625,7 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir # Related software * [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. -* [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). +* [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). * [osquery](https://github.com/osquery/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. # Additional resources From ec146aee80079280a2138f3fcd92d83358bbae9b Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Tue, 1 Apr 2025 12:28:57 -0500 Subject: [PATCH 451/476] remove --setloggingmode on --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 1916ccbe..a1274b1c 100755 --- a/README.md +++ b/README.md 
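Review bot: the `+` line carries over two grammar defects from the original entry that could be fixed in the same edit: "A full Framework and Django web server build on top of the elastic stack" should read "built on top of", and "Framework" need not be capitalised. As noted for the previous commit, this change belongs in the same commit as the Santa removal.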
@@ -258,13 +258,11 @@ Built-in, basic firewall which blocks **incoming** connections only. This firewa It can be controlled by the **Firewall** tab of **Network** in **System Settings**, or with the following commands. -Enable the firewall with logging and stealth mode: +Enable the firewall and stealth mode: ```console sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on -sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on - sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on ``` From 0128c89ad5c044970328ee5e332be13ab5067702 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Tue, 1 Apr 2025 13:16:55 -0500 Subject: [PATCH 452/476] Replace Little Snitch rules with raw blocklist link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1916ccbe..82b15bb1 100755 --- a/README.md +++ b/README.md @@ -474,7 +474,7 @@ Append a list of hosts with `tee`: curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | sudo tee -a /etc/hosts ``` -If you're using a firewall like [Little Snitch](#third-party-firewalls), you could use the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) importing the rules from [leohidalgo/little-snitch---rule-groups](https://github.com/leohidalgo/little-snitch---rule-groups) repository, these rules are updated every 12 hours from the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) repository. +If you're using a firewall like [Little Snitch](#third-party-firewalls), you could add the [StevenBlack/hosts](https://github.com/StevenBlack/hosts) [blocklist](https://help.obdev.at/littlesnitch6/lsc-blocklists). Make sure to use this URL: [https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts](https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts) ## DNSCrypt From bf82a09fd07227216b9e6fd40cfd1ebddc28870a Mon Sep 17 00:00:00 2001 
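Review bot: removing `--setloggingmode on` also removes the only place the guide turns on application firewall logging, which is what gives a user a record of blocked connections, and the commit message gives no reason. If the flag is no longer accepted on current macOS, say so in the commit message; if it still works, consider keeping it, since logging is the detection half of enabling a firewall. The heading change ("Enable the firewall and stealth mode") is consistent with the remaining commands.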
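Review bot: the Little Snitch `+` line says "Make sure to use this URL" without saying why; the reason is that a blocklist must point at the raw file (`raw.githubusercontent.com/.../hosts`), not the GitHub repository page, which returns HTML. One clause explaining that would make the instruction self-justifying. The sentence also drops the old line's point that the upstream list is updated regularly, which is the reason to subscribe by URL rather than paste the list once; worth keeping.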
From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:35:05 -0500 Subject: [PATCH 453/476] Update passwords section --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1605ddd0..9a9e0994 100755 --- a/README.md +++ b/README.md @@ -1321,7 +1321,9 @@ Generate strong passwords using [`urandom`](https://en.wikipedia.org/wiki//dev/r tr -dc '[:graph:]' < /dev/urandom | fold -w 20 | head -1 ``` -The password assistant in **Keychain Access** can also generate secure credentials. +The built-in **[Passwords](https://support.apple.com/guide/passwords/the-passwords-app-mchl901b1b95/mac)** app can also generate [secure credentials](https://support.apple.com/guide/security/automatic-strong-passwords-secc84c811c4/web). + +The **Passwords** app also supports [passkeys](https://fidoalliance.org/passkeys/), FIDO credentials that can replace passwords and are much more secure against phishing and human error. Make sure to use them instead of passwords whenever you can. Consider using [Diceware](https://secure.research.vt.edu/diceware/) for memorable passwords. From 8de2d43f7c4a986bbb0dc6382cb14090373ad3a4 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:38:00 -0500 Subject: [PATCH 454/476] fix WebAuthn capitalization --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9a9e0994..9353eee0 100755 --- a/README.md +++ b/README.md 
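Review bot: "much more secure against phishing and human error" in the passkeys hunk would carry more weight with the reason: a passkey is bound to the site's origin, so it cannot be entered on a look-alike site, which is what makes it phishing-resistant; one clause to that effect makes the claim checkable by the reader.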
@@ -1329,9 +1329,9 @@ Consider using [Diceware](https://secure.research.vt.edu/diceware/) for memorabl GnuPG can also be used to manage passwords and other encrypted files (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh)). -Ensure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. The strongest form of multi-factor authentication is [WebAuthN](https://en.wikipedia.org/wiki/WebAuthn), followed by app-based authenticators, and SMS-based codes are weakest. +Ensure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. The strongest form of multi-factor authentication is [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), followed by app-based authenticators, and SMS-based codes are weakest. -[YubiKey](https://www.yubico.com/products/) is an affordable hardware token with WebAuthN support. It can also be used to store cryptographic keys for GnuPG encryption and SSH authentication - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide). +[YubiKey](https://www.yubico.com/products/) is an affordable hardware token with WebAuthn support. It can also be used to store cryptographic keys for GnuPG encryption and SSH authentication - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide). # Backup From de4191d431468fdd3e13a93602a770b7d765d863 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:39:19 -0500 Subject: [PATCH 455/476] change app-based authenticators to TOTP --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9353eee0..5db50fcc 100755 --- a/README.md +++ b/README.md 
@@ -1329,7 +1329,7 @@ Consider using [Diceware](https://secure.research.vt.edu/diceware/) for memorabl GnuPG can also be used to manage passwords and other encrypted files (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh)). -Ensure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. The strongest form of multi-factor authentication is [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), followed by app-based authenticators, and SMS-based codes are weakest. +Ensure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. The strongest form of multi-factor authentication is [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), followed by TOTP, and SMS-based codes are weakest. [YubiKey](https://www.yubico.com/products/) is an affordable hardware token with WebAuthn support. It can also be used to store cryptographic keys for GnuPG encryption and SSH authentication - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide). From fa949b12d704d153e327163fdaa16352282472ca Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:40:59 -0500 Subject: [PATCH 456/476] add HOTP and links --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5db50fcc..b43f7d50 100755 --- a/README.md +++ b/README.md 
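Review bot: "TOTP" in the MFA hunk appears without expansion or link while WebAuthn keeps its link; add a reference to RFC 6238 (the following commit does this). It is also worth a clause that TOTP codes can be relayed by a phishing page, which is why it ranks below WebAuthn.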
@@ -1329,7 +1329,7 @@ Consider using [Diceware](https://secure.research.vt.edu/diceware/) for memorabl GnuPG can also be used to manage passwords and other encrypted files (see [drduh/Purse](https://github.com/drduh/Purse) and [drduh/pwd.sh](https://github.com/drduh/pwd.sh)). -Ensure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. The strongest form of multi-factor authentication is [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), followed by TOTP, and SMS-based codes are weakest. +Ensure all eligible online accounts have [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) enabled. The strongest form of multi-factor authentication is [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), followed by [TOTP](https://datatracker.ietf.org/doc/html/rfc6238), then [HOTP](https://datatracker.ietf.org/doc/html/rfc4226), and SMS-based codes are weakest. [YubiKey](https://www.yubico.com/products/) is an affordable hardware token with WebAuthn support. It can also be used to store cryptographic keys for GnuPG encryption and SSH authentication - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide). From ba346427902280d3604bb3596963ecf2b19715eb Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:50:50 -0500 Subject: [PATCH 457/476] add more passkey info --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b43f7d50..cc86a6dd 100755 --- a/README.md +++ b/README.md 
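Review bot: the TOTP-above-HOTP ordering in the MFA hunk is stated without a reason; both are shared-secret OTPs with the same phishing exposure, the practical difference being that a TOTP code expires with its time step while an HOTP code stays valid until it is used, so give that reason or group them as one tier.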
@@ -1323,7 +1323,7 @@ tr -dc '[:graph:]' < /dev/urandom | fold -w 20 | head -1 The built-in **[Passwords](https://support.apple.com/guide/passwords/the-passwords-app-mchl901b1b95/mac)** app can also generate [secure credentials](https://support.apple.com/guide/security/automatic-strong-passwords-secc84c811c4/web). -The **Passwords** app also supports [passkeys](https://fidoalliance.org/passkeys/), FIDO credentials that can replace passwords and are much more secure against phishing and human error. Make sure to use them instead of passwords whenever you can. +The **Passwords** app also supports [passkeys](https://fidoalliance.org/passkeys/), FIDO credentials that can replace passwords and are much more secure against phishing, human error, and data breaches. Make sure to use them instead of passwords whenever you can. Consider using [Diceware](https://secure.research.vt.edu/diceware/) for memorable passwords. From 65feb9bcab3abd99f5cf82bb76e1e7532412d154 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:56:32 -0500 Subject: [PATCH 458/476] remove password generating command --- README.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/README.md b/README.md index cc86a6dd..75d5c16b 100755 --- a/README.md +++ b/README.md 
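Review bot: "data breaches" is added to the passkey sentence without the reason; a short parenthetical that the site stores only the public key, so a server-side breach yields nothing usable to log in, would make the claim verifiable rather than assertive.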
@@ -1315,12 +1315,6 @@ Additional metadata may exist in the following files: # Passwords -Generate strong passwords using [`urandom`](https://en.wikipedia.org/wiki//dev/random) and [`tr`](https://linux.die.net/man/1/tr): - -```console -tr -dc '[:graph:]' < /dev/urandom | fold -w 20 | head -1 -``` - The built-in **[Passwords](https://support.apple.com/guide/passwords/the-passwords-app-mchl901b1b95/mac)** app can also generate [secure credentials](https://support.apple.com/guide/security/automatic-strong-passwords-secc84c811c4/web). The **Passwords** app also supports [passkeys](https://fidoalliance.org/passkeys/), FIDO credentials that can replace passwords and are much more secure against phishing, human error, and data breaches. Make sure to use them instead of passwords whenever you can. From 5b680cd335b74752fed699688c821dcf9f4636ea Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:56:43 -0500 Subject: [PATCH 459/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 75d5c16b..020055e0 100755 --- a/README.md +++ b/README.md @@ -1315,7 +1315,7 @@ Additional metadata may exist in the following files: # Passwords -The built-in **[Passwords](https://support.apple.com/guide/passwords/the-passwords-app-mchl901b1b95/mac)** app can also generate [secure credentials](https://support.apple.com/guide/security/automatic-strong-passwords-secc84c811c4/web). +The built-in **[Passwords](https://support.apple.com/guide/passwords/the-passwords-app-mchl901b1b95/mac)** app can generate [secure credentials](https://support.apple.com/guide/security/automatic-strong-passwords-secc84c811c4/web). The **Passwords** app also supports [passkeys](https://fidoalliance.org/passkeys/), FIDO credentials that can replace passwords and are much more secure against phishing, human error, and data breaches. Make sure to use them instead of passwords whenever you can. 
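Review bot: removing the `urandom` command in the `# Passwords` hunk leaves the unchanged context line "The built-in **Passwords** app can also generate ..." with nothing for "also" to refer to; drop "also" in the same commit rather than in the separate "wording" commit that follows.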
From 14fadd89fe816ff1f3de35252c8fe8dacd750469 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 00:37:21 -0500 Subject: [PATCH 460/476] Update WiFi section --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index 020055e0..4fe33bb9 100755 --- a/README.md +++ b/README.md @@ -1370,10 +1370,6 @@ Additional applications and services which offer backups include: # Wi-Fi -macOS remembers access points it has connected to. Like all wireless devices, the Mac will broadcast all access point names it remembers (e.g., *MyHomeNetwork*) each time it looks for a network, such as when waking from sleep. - -This is a privacy risk, so remove networks from the list in **System Preferences** > **Network** > **Advanced** when they are no longer needed. - Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf). Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` From e868380ce80ce4b2631ba5f98c56b46d29010c2c Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 00:59:28 -0500 Subject: [PATCH 461/476] replace wifi scanning with hidden network info --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4fe33bb9..dbaf405d 100755 --- a/README.md +++ b/README.md 
@@ -1370,7 +1370,9 @@ Additional applications and services which offer backups include: # Wi-Fi -Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](https://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf). +Most Wi-Fi networks continuously broadcast their network name, called the **service set identifier (SSID)**, allowing devices to passively scan for networks they have already connected to before. However, **hidden** networks don't transmit their SSID, meaning your device has to send a probe with the SSID to connect to it. This can reveal your previously connected networks to an attacker. As such, avoid connecting to [hidden networks](https://support.apple.com/guide/security/wi-fi-privacy-with-apple-devices-sec31e483abf/web#sec059998a98). + +Make sure to avoid setting your home network to hidden. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` From 9f61ac2783ff62dfc7f0c626abc10da756e5af6d Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 01:05:20 -0500 Subject: [PATCH 462/476] add wifi info --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dbaf405d..7802c82b 100755 --- a/README.md +++ b/README.md 
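Review bot: "your device has to send a probe with the SSID" in the hidden-network hunk reads as if every saved SSID is probed; qualify it as the behaviour for networks the device already knows to be hidden (the next commit adds Apple's description of exactly this), so the risk is scoped to hidden networks the reader has joined.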
@@ -1370,7 +1370,11 @@ Additional applications and services which offer backups include: # Wi-Fi -Most Wi-Fi networks continuously broadcast their network name, called the **service set identifier (SSID)**, allowing devices to passively scan for networks they have already connected to before. However, **hidden** networks don't transmit their SSID, meaning your device has to send a probe with the SSID to connect to it. This can reveal your previously connected networks to an attacker. As such, avoid connecting to [hidden networks](https://support.apple.com/guide/security/wi-fi-privacy-with-apple-devices-sec31e483abf/web#sec059998a98). +Most Wi-Fi networks continuously broadcast their network name, called the **service set identifier (SSID)**, allowing devices to [passively](https://www.wi-fi.org/knowledge-center/faq/what-are-passive-and-active-scanning) scan for networks they have already connected to before. However, **hidden** networks don't transmit their SSID, meaning your device has to send a probe with the SSID to connect to it. This can reveal your previously connected networks to an attacker. + +>Apple devices automatically detect when a network is hidden. If a network is hidden, the device sends a probe with the SSID included in the request—not otherwise. This helps prevent the device from broadcasting the name of previously hidden networks a user was connected to, thereby further ensuring privacy. + +As such, avoid connecting to [hidden networks](https://support.apple.com/guide/security/wi-fi-privacy-with-apple-devices-sec31e483abf/web#sec059998a98). Make sure to avoid setting your home network to hidden. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. From c9b0ade3dcf5e3495bc4a6be5513bdde97807cd6 Mon Sep 17 00:00:00 2001 
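Review bot: the blockquote added in the hidden-network hunk is pasted without attribution; cite the Apple Platform Security guide on the quote itself rather than only in the paragraph after it, and add a space after `>` so the blockquote matches the markdown style used elsewhere in README.md.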
From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 01:10:57 -0500 Subject: [PATCH 463/476] remove irrelevant data --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 7802c82b..355e816b 100755 --- a/README.md +++ b/README.md @@ -1378,8 +1378,6 @@ As such, avoid connecting to [hidden networks](https://support.apple.com/guide/s Make sure to avoid setting your home network to hidden. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. -Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` - You can have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time. macOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all. From 11ef5016332cd97bf80bc1e3afc65d38cb3728ae Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 01:28:59 -0500 Subject: [PATCH 464/476] remove clearing nvram --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 355e816b..3f58aecd 100755 --- a/README.md +++ b/README.md 
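Review bot: the commit message calls the `com.apple.airport.preferences.plist` line "irrelevant" but does not say why; for a reader doing privacy clean-up or forensics, where saved SSIDs live on disk is relevant, so if the path is outdated on current macOS state that in the message, otherwise keep the line.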
@@ -1380,8 +1380,6 @@ Make sure to avoid setting your home network to hidden. Follow Apple's [guidance You can have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time. -macOS stores Wi-Fi SSIDs and passwords in NVRAM in order for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all. - Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should only connect to **WPA3** protected networks when possible. # SSH From db473efbe286f0aa7be98a0ef6127e6205547198 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 01:37:57 -0500 Subject: [PATCH 465/476] remove wifi security recommendation --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 3f58aecd..ccc3084d 100755 --- a/README.md +++ b/README.md 
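Review bot: the NVRAM deletion hunk removes the section's only "before passing a Mac along" guidance; if the claim that Wi-Fi credentials persist in NVRAM is outdated, say so in the commit message, and consider keeping a one-line reminder to wipe the Mac and sign out of the Apple account before handing it over.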
@@ -1380,8 +1380,6 @@ Make sure to avoid setting your home network to hidden. Follow Apple's [guidance You can have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time. -Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should only connect to **WPA3** protected networks when possible. - # SSH For outgoing SSH connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. See [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config) for recommended client options. From c0325a78238975affe92bfda049f9b56dfcbcf11 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 01:40:17 -0500 Subject: [PATCH 466/476] add more info --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ccc3084d..3ee4b59b 100755 --- a/README.md +++ b/README.md 
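Review bot: deleting the WEP/WPA3 line removes the guide's only client-side advice on which networks to join; the later commits re-add WPA3 only for the reader's own router, so keep a sentence about avoiding WEP and open networks and preferring WPA3 when connecting to networks the reader does not control.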
@@ -1376,7 +1376,7 @@ Most Wi-Fi networks continuously broadcast their network name, called the **serv As such, avoid connecting to [hidden networks](https://support.apple.com/guide/security/wi-fi-privacy-with-apple-devices-sec31e483abf/web#sec059998a98). -Make sure to avoid setting your home network to hidden. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. +Make sure to avoid setting your home network to hidden and set your security to the maximum your router supports. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. You can have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time. From e27f82702903e53f1e1af85dbab4a11c8fc50196 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 01:40:35 -0500 Subject: [PATCH 467/476] wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ee4b59b..1b4cf42e 100755 --- a/README.md +++ b/README.md 
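Review bot: "set your security to the maximum your router supports" in the home-network hunk is ambiguous (maximum of which setting?); name it, WPA3, as the following "specify security setting" commit does.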
@@ -1378,7 +1378,7 @@ As such, avoid connecting to [hidden networks](https://support.apple.com/guide/s Make sure to avoid setting your home network to hidden and set your security to the maximum your router supports. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. -You can have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time. +You can set your Mac to have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time. # SSH From a4d6d10a46ceb4d0bb0af124cb143b8d77326a99 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 16:22:20 -0500 Subject: [PATCH 468/476] change "prevent" to "reduce" --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1b4cf42e..ed91ae05 100755 --- a/README.md +++ b/README.md 
@@ -1378,7 +1378,7 @@ As such, avoid connecting to [hidden networks](https://support.apple.com/guide/s Make sure to avoid setting your home network to hidden and set your security to the maximum your router supports. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. -You can set your Mac to have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This will help prevent you from being tracked across networks and on the same network over time. +You can set your Mac to have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This is indended to reduce tracking across networks and on the same network over time. # SSH From f500e31f8c743e8fe0bc7c943439d65cf8539a51 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sat, 5 Apr 2025 16:23:13 -0500 Subject: [PATCH 469/476] specificy security setting --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ed91ae05..40b00dd6 100755 --- a/README.md +++ b/README.md 
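Review bot: the replacement line in the MAC-address hunk introduces a typo, "indended" for "intended"; fix it here, since the next commit carries the misspelled line forward as context.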
@@ -1376,7 +1376,7 @@ Most Wi-Fi networks continuously broadcast their network name, called the **serv As such, avoid connecting to [hidden networks](https://support.apple.com/guide/security/wi-fi-privacy-with-apple-devices-sec31e483abf/web#sec059998a98). -Make sure to avoid setting your home network to hidden and set your security to the maximum your router supports. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. +Make sure to avoid setting your home network to hidden and set your security to WPA3 or the highest your router supports. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. You can set your Mac to have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This is indended to reduce tracking across networks and on the same network over time. From 3d44ae24c56b69b1b66a2e636f6b845d9abbb925 Mon Sep 17 00:00:00 2001 From: drduh Date: Sat, 5 Apr 2025 21:41:46 +0000 Subject: [PATCH 470/476] publish github pages workflow --- .github/workflows/static.yml | 43 ++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/static.yml diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml new file mode 100644 index 00000000..0ba82305 --- /dev/null +++ b/.github/workflows/static.yml 
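Review bot: the context line below the WPA3 change still reads "This is indended to reduce tracking"; since the line is already in the hunk, fix the typo in this commit. "WPA3 or the highest your router supports" would also benefit from naming WPA2 as the acceptable fallback so readers do not settle for WPA or WEP.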
@@ -0,0 +1,43 @@ +# Simple workflow for deploying static content to GitHub Pages +name: Deploy static content to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: ["master"] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + # Single deploy job since we're just deploying + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Setup Pages + uses: actions/configure-pages@v5 + - name: Upload artifact + uses: actions/upload-pages-artifact@v3 + with: + # Upload entire repository + path: '.' + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4 From b66e11c88273380eb6a55d6f31487a0d89ec68a7 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sun, 6 Apr 2025 12:44:28 -0500 Subject: [PATCH 471/476] Add more backup info --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3909bfe3..d2b4094b 100755 --- a/README.md +++ b/README.md 
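Review bot: the third-party actions in the `deploy` job (`actions/checkout@v4`, `actions/configure-pages@v5`, `actions/upload-pages-artifact@v3`, `actions/deploy-pages@v4`) are pinned to mutable major-version tags; for a security-guide repository, pin each `uses:` to a full-length commit SHA with the version in a trailing comment so a moved tag cannot change what runs with `id-token: write`. The `permissions` block is correctly minimal, and `path: '.'` publishes the whole checkout, which is fine for a public repository but deserves a comment saying so.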
@@ -1329,7 +1329,11 @@ Ensure all eligible online accounts have [multi-factor authentication](https://e # Backup -Encrypt files locally before backing them up to external media or online services. +Encrypt files locally before backing them up to external media or online services. You can create an [encrypted disk image](https://support.apple.com/is-is/guide/disk-utility/dskutl11888/mac#dsku7bb3d28c) to backup and store files securely. It'll act as a secure, encrypted folder that you can put your sensitive files inside. + +You can add a [checksum](https://support.apple.com/is-is/guide/disk-utility/dskutl1019/22.6/mac/15.0) to the disk image to [verify integrity](https://support.apple.com/is-is/guide/disk-utility/dskutl15186/22.6/mac/15.0). + +You can also encypt and password-protect [external storage devices](https://support.apple.com/en-asia/guide/disk-utility/dskutl35612/mac). If your threat model allows it, you should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. Keep 3 copies: the original and two backups. Keep backups on 2 different media types, e.g. on a local drive and cloud storage. Store 1 copy offsite. From f3dfa2a3011068b6ac5c508d5e0fc2a52707813d Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Sun, 6 Apr 2025 12:56:45 -0500 Subject: [PATCH 472/476] add more backup info --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d2b4094b..ab9d1d33 100755 --- a/README.md +++ b/README.md 
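Review bot: the checksum sentence in the `# Backup` hunk implies integrity protection, but a Disk Utility checksum only detects accidental corruption; anyone who can modify the image can recompute it, so say "detect corruption" rather than suggesting tamper-evidence. In the same hunk, "encypt" should be "encrypt" and "to backup and store files" should be "to back up and store files".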
@@ -1329,7 +1329,7 @@ Ensure all eligible online accounts have [multi-factor authentication](https://e # Backup -Encrypt files locally before backing them up to external media or online services. You can create an [encrypted disk image](https://support.apple.com/is-is/guide/disk-utility/dskutl11888/mac#dsku7bb3d28c) to backup and store files securely. It'll act as a secure, encrypted folder that you can put your sensitive files inside. +Encrypt files locally before backing them up to external media or online services. You can create an [encrypted disk image](https://support.apple.com/is-is/guide/disk-utility/dskutl11888/mac#dsku7bb3d28c) to backup and store files securely. It'll act as a secure, encrypted virtual drive that you can put your sensitive files inside. When you mount the disk image, you can check a box to save the password in your keychain for convenience. Remember to [unmount](https://support.apple.com/is-is/guide/disk-utility/dskud709f49b/mac) the drive when you're done with it. You can add a [checksum](https://support.apple.com/is-is/guide/disk-utility/dskutl1019/22.6/mac/15.0) to the disk image to [verify integrity](https://support.apple.com/is-is/guide/disk-utility/dskutl15186/22.6/mac/15.0). From bff149ffc104c0f7f1fccdc555bef12fe4bb90b0 Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Mon, 7 Apr 2025 22:57:32 -0500 Subject: [PATCH 473/476] remove locale from URL --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ab9d1d33..28c6e00a 100755 --- a/README.md +++ b/README.md 
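Review bot: the new sentence "you can check a box to save the password in your keychain for convenience" gives away much of the point of a separately encrypted image: anyone with the unlocked login session, including malware running as the user, can then mount it without a prompt. State that tradeoff, or advise against saving the password for the sensitive images this paragraph is about.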
@@ -1329,11 +1329,11 @@ Ensure all eligible online accounts have [multi-factor authentication](https://e # Backup -Encrypt files locally before backing them up to external media or online services. You can create an [encrypted disk image](https://support.apple.com/is-is/guide/disk-utility/dskutl11888/mac#dsku7bb3d28c) to backup and store files securely. It'll act as a secure, encrypted virtual drive that you can put your sensitive files inside. When you mount the disk image, you can check a box to save the password in your keychain for convenience. Remember to [unmount](https://support.apple.com/is-is/guide/disk-utility/dskud709f49b/mac) the drive when you're done with it. +Encrypt files locally before backing them up to external media or online services. You can create an [encrypted disk image](https://support.apple.com/guide/disk-utility/dskutl11888/mac#dsku7bb3d28c) to backup and store files securely. It'll act as a secure, encrypted virtual drive that you can put your sensitive files inside. When you mount the disk image, you can check a box to save the password in your keychain for convenience. Remember to [unmount](https://support.apple.com/guide/disk-utility/dskud709f49b/mac) the drive when you're done with it. -You can add a [checksum](https://support.apple.com/is-is/guide/disk-utility/dskutl1019/22.6/mac/15.0) to the disk image to [verify integrity](https://support.apple.com/is-is/guide/disk-utility/dskutl15186/22.6/mac/15.0). +You can add a [checksum](https://support.apple.com/is-is/guide/disk-utility/dskutl1019/22.6/mac/15.0) to the disk image to [verify integrity](https://support.apple.com/guide/disk-utility/dskutl15186/22.6/mac/15.0). -You can also encypt and password-protect [external storage devices](https://support.apple.com/en-asia/guide/disk-utility/dskutl35612/mac). +You can also encypt and password-protect [external storage devices](https://support.apple.com/guide/disk-utility/dskutl35612/mac). 
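Review bot: one locale-bearing URL survives the "remove locale from URL" change: the `[checksum](https://support.apple.com/is-is/guide/disk-utility/dskutl1019/22.6/mac/15.0)` link on the second rewritten line still has `is-is`. The "encypt" typo is also on a line this hunk rewrites, so fix it here.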
If your threat model allows it, you should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. Keep 3 copies: the original and two backups. Keep backups on 2 different media types, e.g. on a local drive and cloud storage. Store 1 copy offsite. From 4e8a9a5a9472e693522f201d0fca49f6e3618927 Mon Sep 17 00:00:00 2001 From: drduh Date: Tue, 8 Apr 2025 18:56:24 -0700 Subject: [PATCH 474/476] use markdown alerts; tidy grammar, style and links --- README.md | 136 +++++++++++++++++++++++++++--------------------------- 1 file changed, 69 insertions(+), 67 deletions(-) mode change 100755 => 100644 README.md diff --git a/README.md b/README.md old mode 100755 new mode 100644 index 28c6e00a..21eece66 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ To suggest an improvement, send a pull request or [open an issue](https://github General security best practices apply: - Create a [threat model](#threat-modeling) - * What are you trying to protect and from whom? Is your adversary a three letter agency, a nosy eavesdropper on the network, or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? + * What are you trying to protect and from whom? Is the adversary a three letter agency, a nosy eavesdropper on the network, or a determined [APT](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? * Recognize threats and how to reduce attack surface against them. - Keep the system and software up to date 
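Review bot: the `mode change 100755 => 100644 README.md` is a good fix (a markdown file should not be executable) but is not mentioned in the commit message; add it to the subject or body so it is not mistaken for a stray chmod. The "your adversary" to "the adversary" wording change in the threat-model bullet is fine.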
@@ -95,8 +95,8 @@ General security best practices apply: * In addition to [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785) volume encryption, consider using the [built-in password manager](https://support.apple.com/105115) to protect passwords and other sensitive data. - Assure data availability - * Create [regular backups](https://support.apple.com/104984) of your data and be ready to [restore from a backup](https://support.apple.com/102551) in case of compromise. - * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) if your cloud provider supports it. + * Create [regular backups](https://support.apple.com/104984) of critical data and be ready to [restore from a backup](https://support.apple.com/102551) in case of compromise. + * [Encrypt locally](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) before copying backups to unencrypted external media or the "cloud"; alternatively, enable [end-to-end encryption](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f). * Verify backups by accessing them regularly. - Click carefully 
@@ -105,19 +105,19 @@ General security best practices apply: # Threat modeling -The first and most important step for security and privacy is to create a [threat model](https://www.owasp.org/index.php/Application_Threat_Modeling). You need to understand your adversaries in order to defend against them. Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. +The first and most important step for security and privacy is to create a [threat model](https://owasp.org/www-community/Threat_Modeling). You need to understand your adversaries in order to defend against them. Each person will have their own needs so everyone's threat model will be different. Threat models tend to evolve over time as our situation changes, so be sure to periodically reassess your threat model. ## Identify assets -This is probably a lot of things: your phone, your laptop, passwords stored on your devices, internet browsing history, etc. Make a list starting with the most important assets to protect. You can put them in categories based on how important they are: public, sensitive, or secret. +This is probably a lot of things: phone, laptop, passwords stored on various devices, internet browsing history, etc. Make a list starting with the most important assets to protect. You can put them in categories based on how important they are: public, sensitive, or secret. ## Identify adversaries -Define whom you are defending against. Start by defining the motivation they might have to attack your assets. [Financial gain](https://www.verizon.com/business/resources/reports/dbir/) is a big motivator for many attackers, for example. +Define whom you are defending against. Start by defining the motivation they might have to attack assets. 
[Financial gain](https://www.verizon.com/business/resources/reports/dbir/) is a big motivator for many attackers, for example. ## Identify capabilities -In order to counter your adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally unsophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on your device. A very advanced adversary like a state actor might require fully turning off your device when not in use to clear the keys from RAM and a long diceware password. +In order to counter adversaries, you'll need to understand what they're capable of and what they're not capable of. Rank adversaries from totally unsophisticated to very advanced. For example, a common thief is not very sophisticated; they will likely be stopped by basic things like simply having a password and drive encryption on devices. A very advanced adversary like a state actor might require fully turning off devices when not in use to clear the keys from RAM and a long diceware password. ## Identify mitigations 
@@ -167,7 +167,7 @@ An Apple Account is required in order to access the App Store and use most Apple The Mac App Store is a [curated](https://developer.apple.com/app-store/review/guidelines) repository of software that is required to utilize the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) and [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime), as well as offering automatic updates that integrate with your system. -The App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple Account and Apple will be able to link your Apple Account to your downloaded apps. +The App Store offers the greatest security guarantees for software on macOS, but it requires you to log in with an Apple Account and Apple will be able to link your Apple Account to your downloaded applications. ## Virtualization @@ -333,7 +333,7 @@ Then use the following commands to manipulate the firewall: * `sudo ifconfig pflog0 create` to create an interface for logging * `sudo tcpdump -ni pflog0` to view filtered packets -Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a [NAT](https://www.grc.com/nat/nat.htm) on a private home network. +Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if the system is behind a [NAT](https://www.grc.com/nat/nat.htm) on a private home network. It is possible to use the pf firewall to block network access to entire ranges of network addresses, for example to a whole organization: 
@@ -383,7 +383,7 @@ IP 192.168.1.1.162771 > 157.240.2.35.80: tcp 0 Outgoing TCP SYN packets are blocked, so a TCP connection is not established and thus a Web site is effectively blocked at the IP layer. -See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/master/scripts/pf-blocklist.sh) for more inspiration. +See [drduh/config/scripts/pf-blocklist.sh](https://github.com/drduh/config/blob/main/scripts/pf-blocklist.sh) for more inspiration. # Services @@ -405,7 +405,8 @@ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist Look at the `Program` or `ProgramArguments` section to see which binary is run, in this case `apsd`. To find more information about that, look at the man page with `man apsd` -**Note** System services are protected by SIP, don't disable SIP just to tinker with system services as SIP is an integral part of security on macOS. Disabling system services could cause breakage and unstable behavior! +> [!IMPORTANT] +> System services are protected by SIP; don't disable SIP just to tinker with system services as SIP is an integral part of macOS security. Disabling system services may cause system instability. To view the status of services: 
@@ -423,14 +424,18 @@ Apple is moving to on-device processing for a lot of Siri functions, but some in # Homebrew -If your program isn't available through the App Store you can consider using [Homebrew](https://brew.sh/). +If a program isn't available through the App Store, consider using [Homebrew](https://brew.sh/). -**Important!** Homebrew asks you to grant “App Management” (or “Full Disk Access”) permission to your terminal. This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of your terminal by adding a malicious command to (e.g.) ~/.zshrc. Granting “App Management” or “Full Disk Access” to your terminal should be considered the same as disabling TCC completely. +> [!WARNING] +> Homebrew requiests "App Management" (or "Full Disk Access") permission to the terminal. +> This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of the terminal by adding a malicious command to zshrc, for example. +> Granting "App Management" or "Full Disk Access" entitlements should be considered the same as disabling TCC entirely. Remember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its formula online. You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` According to [Homebrew's Anonymous Analytics](https://docs.brew.sh/Analytics), Homebrew gathers anonymous analytics and reports these to a self-hosted InfluxDB instance. 
-To opt out of Homebrew's analytics, you can set `export HOMEBREW_NO_ANALYTICS=1` in your environment or shell rc file, or use `brew analytics off` + +To opt out of Homebrew's analytics, set `export HOMEBREW_NO_ANALYTICS=1` in the environment or shell rc file, or use `brew analytics off` # DNS @@ -455,7 +460,8 @@ To block a domain by `A` record, append any one of the following lines to `/etc/ 127.0.0.1 example.com ``` -**Note** IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](https://someonewhocares.org/hosts/ipv6/). +> [!NOTE] +> IPv6 uses the `AAAA` DNS record type, rather than `A` record type, so you may also want to block those connections by *also* including `::1 example.com` entries, like shown [here](https://someonewhocares.org/hosts/ipv6/). There are many lists of domains available online which you can paste in, just make sure each line starts with `0`, `0.0.0.0`, `127.0.0.1`, and the line `127.0.0.1 localhost` is included. @@ -516,7 +522,8 @@ dnscrypt-proxy 15244 nobody 14u IPv6 0x1337f85ff9f8beef 0t0 UDP [::1]:5 > By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, balancing traffic across a set of resolvers. If you would like to change these settings, you will have to edit the configuration file: $HOMEBREW_PREFIX/etc/dnscrypt-proxy.toml -**Note** Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules: +> [!NOTE] +> Applications may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules: ```shell block drop quick on !lo0 proto udp from any to any port = 53 
@@ -541,9 +548,9 @@ Install Dnsmasq: brew install dnsmasq --with-dnssec ``` -Download and edit [drduh/config/dnsmasq.conf](https://github.com/drduh/config/blob/master/dnsmasq.conf) or the default configuration file. +Download and edit [drduh/config/dnsmasq.conf](https://github.com/drduh/config/blob/main/dnsmasq.conf) or the default configuration file. -See [drduh/config/domains](https://github.com/drduh/config/tree/master/domains) for appendable examples on blocking services by domains. +See [drduh/config/domains](https://github.com/drduh/config/tree/main/domains) for appendable examples on blocking services by domains. Install and start the program (sudo is required to bind to [privileged port](https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only) 53): @@ -573,7 +580,8 @@ $ networksetup -getdnsservers "Wi-Fi" 127.0.0.1 ``` -**Note** Some VPN software overrides DNS settings on connect. See [issue 24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) and [drduh/config/scripts/macos-dns.sh](https://github.com/drduh/config/blob/master/scripts/macos-dns.sh). +> [!NOTE] +> Some VPN applications override DNS settings on connect. See [issue 24](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/24) and [drduh/config/scripts/macos-dns.sh](https://github.com/drduh/config/blob/main/scripts/macos-dns.sh). **Optional** Test DNSSEC validation for signed zones - the reply should have `NOERROR` status and contain `ad` flag: 
@@ -601,11 +609,9 @@ Inspect system root certificates in **Keychain Access**, under the **System Root You can manually disable certificate authorities through Keychain Access by marking them as **Never Trust** and closing the window: -A certificate authority certificate - -**Warning:** This will cause your browser to give a warning when you visit a site using certificates signed by these CAs and may cause breakage in other software. Don't distrust Apple root certificates or it will cause lots of breakage in macOS! +A certificate authority certificate -The risk of a [man in the middle](https://wikipedia.org/wiki/Man-in-the-middle_attack) attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue TLS certificate is quite low, but still [possible](https://wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). +The risk of a [man in the middle](https://wikipedia.org/wiki/Man-in-the-middle_attack) attack, in which a coerced or compromised certificate authority trusted by a system root store issues a fake/rogue TLS certificate, is relatively low, but [possible](https://wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates). # Privoxy 
@@ -685,7 +691,7 @@ fb*.akamaihd.net Wildcards are also supported. -See [drduh/config/privoxy/config](https://github.com/drduh/config/blob/master/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/master/privoxy/user.action) for additional Privoxy examples. Privoxy does **not** need to be restarted after editing `user.action` filter rules. +See [drduh/config/privoxy/config](https://github.com/drduh/config/blob/main/privoxy/config) and [drduh/config/privoxy/user.action](https://github.com/drduh/config/blob/main/privoxy/user.action) for additional Privoxy examples. Privoxy does **not** need to be restarted after editing `user.action` filter rules. To verify traffic is blocked or redirected, use curl or the Privoxy interface available at in the browser: @@ -709,7 +715,8 @@ HTTP/2 200 server: GitHub.com ``` -**Note** macOS proxy settings are not universal; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and verify connections don't leak. Additionally, *pf* can be configured to transparently proxy traffic on certain ports. +> [!NOTE] +> Proxy settings are not universal; applications and services may bypass system proxy settings. Ensure the application to proxy is correctly configured and verify connections don't leak. Additionally, *pf* can be configured to transparently proxy traffic on certain ports. # Browser 
@@ -729,7 +736,7 @@ Another important consideration about browser security is extensions. This is an Firefox offers a similar security model to Chrome: it has a [bug bounty program](https://www.mozilla.org/security/bug-bounty), although it is not as lucrative. Firefox follows a four-week release cycle. -Firefox supports user-supplied configuration files. See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/master/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net), an extension which allows selective script blocking. +Firefox supports user-supplied configuration files. See [drduh/config/firefox.user.js](https://github.com/drduh/config/blob/main/firefox.user.js) and [arkenfox/user.js](https://github.com/arkenfox/user.js) for recommended preferences and hardening measures. Also see [NoScript](https://noscript.net), an extension which allows selective script blocking. Firefox [focuses on user privacy](https://www.mozilla.org/firefox/privacy). It supports [tracking protection](https://developer.mozilla.org/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Firefox in Strict tracking protection mode will [randomize your fingerprint](https://support.mozilla.org/kb/firefox-protection-against-fingerprinting) to foil basic tracking scripts. Firefox offers separate user [profiles](https://support.mozilla.org/kb/profile-manager-create-remove-switch-firefox-profiles). You can separate your browsing inside a profile with [Multi-Account Containers](https://support.mozilla.org/kb/containers). 
@@ -770,7 +777,7 @@ Read [Chromium Security](https://www.chromium.org/Home/chromium-security) and [C [Safari](https://www.apple.com/safari) is the default browser on macOS. It is also the most optimized browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the open source Web Engine [WebKit](https://webkit.org), which is ubiquitous among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome's [Blink](https://www.chromium.org/blink) engine is a fork of WebKit and both engines share a number of similarities. -Safari supports certain unique features that benefit user security and privacy. [Content blockers](https://webkit.org/blog/3476/content-blockers-first-look) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Safari can randomize your fingerprint to reduce tracking. Safari doesn't support certain features like WebUSB or the Battery API intentionally for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that is destroyed when you close the tab. Safari also support Profiles which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Safari can be made significantly more secure with [lockdown mode](#lockdown-mode), which can be disabled per-site. Read more about [tracking prevention](https://webkit.org/tracking-prevention) in Safari. +Safari supports certain unique features that benefit user security and privacy. 
[Content blockers](https://webkit.org/blog/3476/content-blockers-first-look) enables the creation of content blocking rules without using Javascript. This rule based approach greatly improves memory use, security, and privacy. Safari 11 introduced [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), which removes tracking data stored in Safari after a period of non-interaction by the user from the tracker's website. Safari can randomize the browser fingerprint to reduce tracking. Safari doesn't support certain features like WebUSB or the Battery API intentionally for security and privacy reasons. Private tabs in Safari have isolated cookies and cache that is destroyed when you close the tab. Safari also support Profiles which are equivalent to Firefox's Multi-Account Containers for separating cookies and browsing. Safari can be made significantly more secure with [lockdown mode](#lockdown-mode), which can be disabled per-site. Read more about [tracking prevention](https://webkit.org/tracking-prevention) in Safari. Safari offers an invite-only [bounty program](https://developer.apple.com/bug-reporting) for bug reporting to a select number of security researchers. The bounty program was announced during Apple's [presentation](https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf) at [BlackHat](https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security) 2016. 
@@ -792,11 +799,11 @@ Other miscellaneous browsers, such as [Brave](https://github.com/drduh/macOS-Sec Web browsers reveal information in several ways, for example through the [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface, which may include information such as the browser version, operating system, site permissions, and the device's battery level. Many websites also use [canvas fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) to uniquely identify users across sessions. -For more information about security conscious browsing and what data is sent by your browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://browserleaks.com/), [Am I Unique?](https://amiunique.org/fingerprint) and [EFF Cover Your Tracks](https://coveryourtracks.eff.org/) resources. +For more information about security conscious browsing and what data is sent by the browser, see [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932), [browserleaks.com](https://browserleaks.com/), [Am I Unique?](https://amiunique.org/fingerprint) and [EFF Cover Your Tracks](https://coveryourtracks.eff.org/) resources. To hinder third party trackers, it is recommended to **disable third-party cookies** altogether. Safari, Firefox, and Chrome all block third party cookies by default. A third party cookie is a cookie associated with a file requested by a different domain than the one the user is currently viewing. Most of the time third-party cookies are used to create browsing profiles by tracking a user's movement on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. Moreover, cookies are removed from requests to domains that are not the document origin domain, so cookies are only sent to the current site that is being viewed. 
-Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal your local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address). [Lockdown mode](#lockdown-mode) [disables WebRTC](https://www.sevarg.net/2022/07/20/ios16-lockdown-mode-browser-analysis) in Safari. +Also be aware of [WebRTC](https://en.wikipedia.org/wiki/WebRTC#Concerns), which may reveal local or public (if connected to VPN) IP address(es). In Firefox and Chrome/Chromium this can be disabled with extensions such as [uBlock Origin](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address). [Lockdown mode](#lockdown-mode) [disables WebRTC](https://www.sevarg.net/2022/07/20/ios16-lockdown-mode-browser-analysis) in Safari. # Tor @@ -929,7 +936,7 @@ See [Tor Protocol Specification](https://spec.torproject.org/tor-spec/) and [Tor You may wish to additionally obfuscate Tor traffic using a [pluggable transport](https://tb-manual.torproject.org/circumvention/). -This can be done by setting up your own [Tor relay](https://support.torproject.org/relay-operators/) or finding an existing private or [public bridge](https://bridges.torproject.org/) to serve as an obfuscating entry node. +This can be done by setting up a [Tor relay](https://support.torproject.org/relay-operators/) or finding an existing private or [public bridge](https://bridges.torproject.org/) to serve as an obfuscating entry node. For extra security, use Tor inside a [VirtualBox](https://www.virtualbox.org/wiki/Downloads) or [VMware](https://www.vmware.com/products/fusion.html) virtualized [GNU/Linux](https://www.brianlinkletter.com/2012/10/installing-debian-linux-in-a-virtualbox-virtual-machine/) or [OpenBSD](https://www.openbsd.org/faq/faq4.html) instance. 
@@ -939,7 +946,7 @@ Also see [Invisible Internet Project (I2P)](https://geti2p.net/en/about/intro) a # VPN -When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) or Linux-based [Wireguard](https://www.wireguard.com/) [on a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). +When choosing a VPN service or self-hosting, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security), should be avoided in favor of [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) or Linux-based [Wireguard](https://www.wireguard.com/) [on a Linux VM](https://github.com/mrash/Wireguard-macOS-LinuxVM) or via a set of [cross platform tools](https://www.wireguard.com/xplatform/). Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See [scy/8122924](https://gist.github.com/scy/8122924) for an example on how to allow traffic only over VPN. 
@@ -961,10 +968,10 @@ Install from Homebrew with `brew install gnupg`. If you prefer a graphical application, download and install [GPG Suite](https://gpgtools.org/). -Download [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) to use recommended settings: +Download [drduh/config/gpg.conf](https://github.com/drduh/config/blob/main/gpg.conf) to use recommended settings: ```console -curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf +curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/main/gpg.conf ``` See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to securely generate and store GPG keys. 
@@ -975,17 +982,17 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( ## XMPP -XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). Consider using one of the browser-based clients to take advantage of your browser's sandbox. +XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. There are many options for [clients](https://xmpp.org/getting-started). Consider using one of the browser-based clients to take advantage of the browser's sandbox. -Depending on the provider, you might not need anything other than a username and password to set up your account. +Depending on the provider, you might not need anything other than a username and password to set up an account. -XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure your client supports it. +XMPP isn't E2EE by default, you'll need to use [OMEMO](https://omemo.top) encryption, so make sure the client supports it. ## Signal [Signal](https://www.signal.org) is an advanced E2EE messenger whose [double-ratchet](https://signal.org/docs/specifications/doubleratchet/) protocol is used by countless other messengers including WhatsApp, Google Messages, and Facebook Messenger. -Signal requires a phone number to sign up and you'll need to install it on your phone first before you can use it on desktop. +Signal requires a phone number to sign up and you'll need to install it on a phone first before you can use it on desktop. ## iMessage 
@@ -993,9 +1000,10 @@ iMessage is Apple's first party messenger. It requires an [Apple Account](#apple Make sure to enable [Contact Key Verification](https://support.apple.com/118246) and verify with anyone you message to ensure that you're messaging the right person. -You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#help), so pick one that you're comfortable with your contacts seeing. +You can use iMessage with either a [phone number or an email](https://support.apple.com/108758#help), so pick one that you're comfortable with contacts seeing. -**Note:** By default, iCloud backup is enabled which stores copies of your message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Also remember to tell your messaging partner/s to do the same! +> [!WARNING] +> By default, iCloud backup is enabled, which stores copies of message encryption keys on [Apple's servers](https://support.apple.com/102651) without E2EE. Either [disable iCloud backup](https://support.apple.com/guide/icloud/view-and-manage-backups-mm122d3ef202/1.0/icloud/1.0) or enable [Advanced Data Protection](https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f) to prevent this. Remind messaging recipients to do the same. # Viruses and malware 
@@ -1013,7 +1021,7 @@ Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hac Only running programs from the App Store or that are [Notarized](https://support.apple.com/guide/security/app-code-signing-process-sec3ad8e6e53/web) by Apple will help mitigate malware. Apple performs an automated scan on notarized apps for malware. App Store apps undergo a [review](https://developer.apple.com/app-store/review/guidelines/) process to catch malware. -Otherwise, get programs from trusted sources like directly from the developer's website or GitHub. Always make sure that your browser/terminal is using HTTPS when downloading any program. +Otherwise, get programs from trusted sources like directly from the developer's website or GitHub. Always make sure that the browser/terminal is using HTTPS when downloading any program. You should also avoid programs that ask for lots of permissions and third party closed source programs. Open source code allows anyone to audit and examine the code for security/privacy issues. 
@@ -1022,22 +1030,22 @@ You should also avoid programs that ask for lots of permissions and third party Check if a program uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox) before running it by running the following command: ```console -codesign -dvvv --entitlements - +codesign -dvvv --entitlements - ``` -If the App Sandbox is enabled, you will see +With the App Sandbox enabled: ```console - [Key] com.apple.security.app-sandbox - [Value] - [Bool] true +[Key] com.apple.security.app-sandbox +[Value] + [Bool] true ``` Alternatively, you can check while the app is running by opening Activity Monitor and adding the "Sandbox" column. -All App Store apps are required to use the App Sandbox. +All App Store software is required to use the App Sandbox. -**Note:** Browsers like Google Chrome use their own [sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md) so they don't use the App Sandbox. +Browsers like Google Chrome use their own [sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md) so they don't use the App Sandbox. ## Hardened Runtime @@ -1051,7 +1059,7 @@ If Hardened Runtime is enabled, you will see `flags=0x10000(runtime)`. The "runt You can enable a column in Activity Monitor called "Restricted" which is a flag that prevents programs from injecting code via macOS's [dynamic linker](https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html). Ideally, this should say "Yes". -Notarized apps are required to use the Hardened Runtime. +Notarized applications are required to use the Hardened Runtime. ## Antivirus 
@@ -1067,11 +1075,11 @@ See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/soph ## Gatekeeper -**Gatekeeper** tries to prevent non-notarized apps from running. +**Gatekeeper** tries to prevent non-notarized applications from running. If you try to run an app that isn't notarized, Gatekeeper will give you a warning. This can be easily bypassed if you go to **Privacy & Security**, scroll down to the bottom and click **Open** on your app. Then Gatekeeper will allow you to run it. -Gatekeeper doesn't cover all binaries, only apps so be careful when running other file types. +Gatekeeper does not cover all binaries - only applications - so exercise caution when running other file types. # System Integrity Protection 
@@ -1329,15 +1337,11 @@ Ensure all eligible online accounts have [multi-factor authentication](https://e # Backup -Encrypt files locally before backing them up to external media or online services. You can create an [encrypted disk image](https://support.apple.com/guide/disk-utility/dskutl11888/mac#dsku7bb3d28c) to backup and store files securely. It'll act as a secure, encrypted virtual drive that you can put your sensitive files inside. When you mount the disk image, you can check a box to save the password in your keychain for convenience. Remember to [unmount](https://support.apple.com/guide/disk-utility/dskud709f49b/mac) the drive when you're done with it. - -You can add a [checksum](https://support.apple.com/is-is/guide/disk-utility/dskutl1019/22.6/mac/15.0) to the disk image to [verify integrity](https://support.apple.com/guide/disk-utility/dskutl15186/22.6/mac/15.0). +Encrypt files locally before backing them up to external media or online services. -You can also encypt and password-protect [external storage devices](https://support.apple.com/guide/disk-utility/dskutl35612/mac). +If the threat model allows it, you should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. Keep 3 copies: the original and two backups. Keep backups on 2 different media types, e.g. on a local drive and cloud storage. Store 1 copy offsite. -If your threat model allows it, you should follow the [3-2-1 backup model](https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf) as outlined by CISA. Keep 3 copies: the original and two backups. Keep backups on 2 different media types, e.g. on a local drive and cloud storage. Store 1 copy offsite. - -[Time Machine](https://support.apple.com/104984) is the built-in tool for handling backups on macOS. 
Get an external drive or network drive to back up to and [encrypt](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) your backups. +[Time Machine](https://support.apple.com/104984) is the built-in tool for handling backups on macOS. Get an external drive or network drive to back up to and [encrypt](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241) backups. GnuPG can be used with a static password or public key (with the private key stored on [YubiKey](https://github.com/drduh/YubiKey-Guide)). 
@@ -1374,19 +1378,19 @@ Additional applications and services which offer backups include: # Wi-Fi -Most Wi-Fi networks continuously broadcast their network name, called the **service set identifier (SSID)**, allowing devices to [passively](https://www.wi-fi.org/knowledge-center/faq/what-are-passive-and-active-scanning) scan for networks they have already connected to before. However, **hidden** networks don't transmit their SSID, meaning your device has to send a probe with the SSID to connect to it. This can reveal your previously connected networks to an attacker. +Most Wi-Fi networks continuously broadcast their network name, called the **service set identifier (SSID)**, allowing devices to [passively](https://www.wi-fi.org/knowledge-center/faq/what-are-passive-and-active-scanning) scan for networks they have already connected to before. However, **hidden** networks don't transmit their SSID, meaning the device has to send a probe with the SSID to connect to it. This can reveal previously connected networks to an attacker. >Apple devices automatically detect when a network is hidden. If a network is hidden, the device sends a probe with the SSID included in the request—not otherwise. This helps prevent the device from broadcasting the name of previously hidden networks a user was connected to, thereby further ensuring privacy. As such, avoid connecting to [hidden networks](https://support.apple.com/guide/security/wi-fi-privacy-with-apple-devices-sec31e483abf/web#sec059998a98). -Make sure to avoid setting your home network to hidden and set your security to WPA3 or the highest your router supports. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. +Make sure to avoid setting personal networks to hidden and set the security mode to WPA3 or the highest your router supports. 
Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. You can set your Mac to have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This is indended to reduce tracking across networks and on the same network over time. # SSH -For outgoing SSH connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. See [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config) for recommended client options. +For outgoing SSH connections, use hardware or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. See [drduh/config/ssh_config](https://github.com/drduh/config/blob/main/ssh_config) for recommended client options. You can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html) to send traffic through, similar to a VPN. 
@@ -1416,7 +1420,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist Or use the **System Preferences** > **Sharing** menu. -If enabling sshd, be sure to disable password authentication and consider further [hardening](https://stribika.github.io/2015/01/04/secure-secure-shell.html) your configuration. See [drduh/config/sshd_config](https://github.com/drduh/config/blob/master/sshd_config) for recommended options. +If enabling sshd, be sure to disable password authentication and consider further [hardening](https://stribika.github.io/2015/01/04/secure-secure-shell.html) the configuration. See [drduh/config/sshd_config](https://github.com/drduh/config/blob/main/sshd_config) for recommended options. Confirm whether sshd is running: 
@@ -1453,13 +1457,13 @@ header,111,11,OpenSSH login,0,Thu Sep 1 12:00:00 2015, + 16 msec,subject_ex,drd See the manual pages for `audit`, `praudit`, `audit_control` and other files in `/etc/security` -**Note** although `man audit` says the `-s` flag will synchronize the audit configuration, it appears necessary to reboot for changes to take effect. +Although `man audit` says the `-s` flag will synchronize the audit configuration, it appears necessary to reboot for changes to take effect. See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information. ## DTrace -**Note** [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) interferes with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. +[System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) interferes with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. * `iosnoop` monitors disk I/O * `opensnoop` monitors file opens @@ -1576,9 +1580,7 @@ Disable crash reporter (the dialog which appears after an application crashes an defaults write com.apple.CrashReporter DialogType none ``` -Disable Bonjour multicast advertisements: - -**Warning:** This will cause problems with AirPlay and AirPrint! +Disable Bonjour multicast advertisements (also disabling AirPlay and AirPrint features): ```console sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES 
@@ -1586,7 +1588,7 @@ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMultica [Disable Handoff](https://support.apple.com/guide/mac-help/change-airdrop-handoff-settings-mchl6a407f99) and [Bluetooth](https://support.apple.com/guide/mac-help/turn-bluetooth-on-or-off-blth1008) features, if they aren't necessary. -Check that your apps are sandboxed in [Activity Monitor](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox#4098972). +Validate applications are sandboxed in [Activity Monitor](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox#4098972). macOS comes with this line in `/etc/sudoers`: From 1be4bd5eb4d2270da22fd9ff2b1b52a1328d4c43 Mon Sep 17 00:00:00 2001 From: drduh Date: Wed, 16 Apr 2025 18:07:28 -0700 Subject: [PATCH 475/476] remove workflow; using classic pages --- .github/workflows/static.yml | 43 ------------------------------------ 1 file changed, 43 deletions(-) delete mode 100644 .github/workflows/static.yml diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml deleted file mode 100644 index 0ba82305..00000000 --- a/.github/workflows/static.yml +++ /dev/null 
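Review bot: in the `@@ -1022` hunk, the `codesign -dvvv --entitlements -` command on the `+` line has no path operand, so as printed it cannot be run; `codesign` needs the bundle or binary to inspect, e.g. `codesign -dvvv --entitlements - /Applications/Example.app`. Trimming the trailing whitespace is fine, but since the sentence says "by running the following command", a placeholder path belongs on the line. The re-indented output sample is consistent with itself (`[Bool] true` nested under `[Value]`), so no objection there.

Review bot: in the `@@ -1067` hunk, "does not cover all binaries - only applications -" narrows the statement in a way that is not quite right, and the spaced hyphens should be commas or real dashes. Gatekeeper assessment is keyed to the quarantine attribute that browsers and mail clients set on downloads, so quarantined installer packages, disk images and scripts opened from Finder are checked as well; what is not checked is anything that never received the attribute (for example a file fetched with a tool that does not set it). Suggest "Gatekeeper only assesses files that carry the quarantine attribute, so exercise caution with anything that arrived by another route." Also, "This can be easily bypassed if you go to ..." on the context line keeps the second person that the `+` line just removed from the neighbouring sentence.

Review bot: in the `@@ -1329` hunk, the new first line "Encrypt files locally before backing them up to external media or online services." now gives no pointer to how, because the three removed paragraphs (encrypted disk image, checksum / verify-integrity, encrypting external storage devices) were the only concrete instructions in the section. If they are going because they are too Disk Utility-specific, keep at least the encrypted disk image link in that sentence. "If the threat model allows it" also reads oddly as an opener for 3-2-1 guidance, since a threat model rarely forbids keeping an extra copy; "Where practical" would fit better. The Time Machine merge is fine.

Review bot: in the `@@ -1374` hunk the pronoun sweep is incomplete on the changed lines themselves: "the highest your router supports" and "set up your home Wi-Fi network" keep the second person on the same `+` lines that replaced "your device" and "your home network", and the untouched context line "You can set your Mac ..." (still carrying the "indended" typo) follows immediately. Either finish the sweep ("the highest the router supports", "a home Wi-Fi network") or leave this section in the second person; mixing both within one paragraph reads worse than either. Note also that "personal networks" is slightly broader than the "your home network" it replaces. The ssh_config link change from `master` to `main` is fine; the same rename should be applied to every other drduh/config link in the README.

Review bot: in the `@@ -1416` hunk, "be sure to disable password authentication" is worth making concrete while the line is being edited, because it is the one sshd hardening step the section calls out. With OpenSSH's `UsePAM yes` (the macOS default), `PasswordAuthentication no` alone still leaves keyboard-interactive password prompts enabled, so the linked sshd_config should also set `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication no` on older OpenSSH); a short clause saying so here avoids a false sense of security. The `master` to `main` change matches the previous hunk.

Review bot: in the `@@ -1453` hunk, dropping the bold Note labels is fine, but the DTrace sentence is imprecise now that it is being touched: SIP does not have to be disabled entirely to use DTrace. `csrutil enable --without dtrace` (from Recovery) relaxes only the DTrace restriction and keeps the rest of SIP. Suggest "... without disabling SIP, or at least its DTrace restriction via `csrutil enable --without dtrace`."

Review bot: in the `@@ -1576` hunk, folding the standalone "**Warning:** This will cause problems with AirPlay and AirPrint!" into a parenthetical also strengthens "cause problems with" into "also disabling", which is a different claim. `NoMulticastAdvertisements` stops this Mac advertising its own services over mDNS; it does not stop the Mac browsing for services other devices advertise, so the expected effect is that other devices can no longer discover this Mac, not that AirPlay and AirPrint stop working in every direction. Keep the original wording, and keep it as its own sentence so the side effect stays visible, unless the stronger claim was verified.

Review bot: in the `@@ -1586` hunk, "Validate applications are sandboxed" drops the conjunction; "Validate that applications are sandboxed", or simply keeping "Check that", reads better, and "Check" is the more natural word for a visual inspection of a column in Activity Monitor.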
@@ -1,43 +0,0 @@ -# Simple workflow for deploying static content to GitHub Pages -name: Deploy static content to Pages - -on: - # Runs on pushes targeting the default branch - push: - branches: ["master"] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages -permissions: - contents: read - pages: write - id-token: write - -# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. -# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. -concurrency: - group: "pages" - cancel-in-progress: false - -jobs: - # Single deploy job since we're just deploying - deploy: - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Pages - uses: actions/configure-pages@v5 - - name: Upload artifact - uses: actions/upload-pages-artifact@v3 - with: - # Upload entire repository - path: '.' - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@v4 From bc5e3934984454f416f3d9353a29658e7b4bdeb1 Mon Sep 17 00:00:00 2001 From: Elliot Jordan Date: Sat, 2 Aug 2025 21:50:51 -0700 Subject: [PATCH 476/476] Typo fixes --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 21eece66..754334f5 100644 --- a/README.md +++ b/README.md 
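Review bot: the deletion is complete (all 43 lines, `delete mode 100644`) and the commit message explains the replacement, but nothing in the repository now records where the site is published from: the removed workflow triggered on `push: branches: ["master"]` and deployed the whole checkout (`path: '.'`), so the classic Pages source branch and folder must be set in the repository settings, and it would help to note that in the commit message or README so the next person does not look for a workflow. Removing the job is also a small reduction in exposure, since it drops a `pages: write` / `id-token: write` token and four third-party actions from the supply chain.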
@@ -427,7 +427,7 @@ Apple is moving to on-device processing for a lot of Siri functions, but some in If a program isn't available through the App Store, consider using [Homebrew](https://brew.sh/). > [!WARNING] -> Homebrew requiests "App Management" (or "Full Disk Access") permission to the terminal. +> Homebrew requests "App Management" (or "Full Disk Access") permission to the terminal. > This is a bad idea, as it would make you vulnerable to these attacks again: any non-sandboxed application can execute code with the TCC permissions of the terminal by adding a malicious command to zshrc, for example. > Granting "App Management" or "Full Disk Access" entitlements should be considered the same as disabling TCC entirely. @@ -1386,7 +1386,7 @@ As such, avoid connecting to [hidden networks](https://support.apple.com/guide/s Make sure to avoid setting personal networks to hidden and set the security mode to WPA3 or the highest your router supports. Follow Apple's [guidance](https://support.apple.com/en-us/102766) on how to set up your home Wi-Fi network to be as secure as possible. -You can set your Mac to have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This is indended to reduce tracking across networks and on the same network over time. +You can set your Mac to have a different, [random MAC address](https://support.apple.com/en-gb/guide/mac-help/mchlb1cb3eb4/mac) for each network that rotates over time. This is intended to reduce tracking across networks and on the same network over time. # SSH
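Review bot: both hunks are correct typo fixes ("requiests" to "requests", "indended" to "intended"). In the second hunk, since the line is being edited anyway, "a different, random MAC address for each network that rotates over time" is ambiguous about what rotates; "a different random MAC address for each network, rotated over time" says it unambiguously.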