mirror of
https://github.com/Lissy93/dotfiles.git
synced 2024-11-22 07:23:10 +01:00
307 lines
12 KiB
Bash
Executable File
307 lines
12 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
##############################################################################
|
|
# Security improvements for Mac OS systems #
|
|
# Covers Siri, firewall, account security, connections and network protocols #
|
|
# #
|
|
# CAUTION: This script will apply changes to your OS X system configuration #
|
|
# Be sure to read it through carefully, and remove anything you don't want. #
|
|
# #
|
|
# Options: #
|
|
# --silent - Don't log any status outputs #
|
|
# --skip-intro - Skip the warning and intro section #
|
|
# --yes-to-all - Don't prompt user to agree to changes #
|
|
# #
|
|
# Licensed under MIT - (C) Alicia Sykes 2022 <https://aliciasykes.com> #
|
|
##############################################################################
|
|
|
|
############################################################
|
|
# Initialize variables, check requirements, and print info #
|
|
############################################################
|
|
|
|
# Record start time
|
|
start_time=`date +%s`
|
|
|
|
# Get params
|
|
params="$params $*"
|
|
|
|
# Color variables
|
|
PRIMARY_COLOR='\033[1;33m'
|
|
ACCENT_COLOR='\033[0;34m'
|
|
INFO_COLOR='\033[0;30m'
|
|
INFO_COLOR_U='\033[4;30m'
|
|
SUCCESS_COLOR='\033[0;32m'
|
|
WARN_1='\033[1;31m'
|
|
WARN_2='\033[0;31m'
|
|
RESET_COLOR='\033[0m'
|
|
|
|
# Current and total taslks, used for progress updates
|
|
current_event=0
|
|
total_events=34
|
|
|
|
if [ ! "$(uname -s)" = "Darwin" ]; then
|
|
echo -e "${PRIMARY_COLOR}Incompatible System${RESET_COLOR}"
|
|
echo -e "${ACCENT_COLOR}This script is specific to Mac OS,\
|
|
and only intended to be run on Darwin-based systems${RESET_COLOR}"
|
|
echo -e "${ACCENT_COLOR}Exiting...${RESET_COLOR}"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ ! $params == *"--skip-intro"* ]]; then
|
|
# Prints intro message
|
|
echo -e "${PRIMARY_COLOR} MacOS Security Settings${RESET_COLOR}"
|
|
echo -e "${ACCENT_COLOR}The following options will be applied:"
|
|
echo -e " - Disabling Siri and voice feedback"
|
|
echo -e " - Configures firewall for security"
|
|
echo -e " - Apply login + screen security settings"
|
|
echo -e " - Prevent unauthorised connections"
|
|
echo -e " - Disable printer and sharing protocols"
|
|
|
|
# Informs user what they're running, and cautions them to read first
|
|
echo -e "\n${INFO_COLOR}You are running ${0} on\
|
|
$(hostname -f | sed -e 's/^[^.]*\.//') as $(id -un)${RESET_COLOR}"
|
|
echo -e "${WARN_1}IMPORTANT:${WARN_2} This script will make changes to your system."
|
|
echo -e "${WARN_2}Ensure that you've read it through before continuing.${RESET_COLOR}"
|
|
|
|
# Ask for user confirmation before proceeding (if skip flag isn't passed)
|
|
if [[ ! $params == *"--yes-to-all"* ]]; then
|
|
echo -e "\n${PRIMARY_COLOR}Would you like to proceed? (y/N)${RESET_COLOR}"
|
|
read -t 15 -n 1 -r
|
|
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
|
|
echo -e "${ACCENT_COLOR}\nNo worries, nothing will be applied - feel free to come back another time."
|
|
echo -e "${PRIMARY_COLOR}Exiting...${RESET_COLOR}"
|
|
exit 0
|
|
fi
|
|
fi
|
|
|
|
fi
|
|
|
|
# Check have got admin privilages
|
|
if [ "$EUID" -ne 0 ]; then
|
|
echo -e "${ACCENT_COLOR}\nElevated permissions are required to adjust system settings."
|
|
echo -e "${PRIMARY_COLOR}Please enter your password...${RESET_COLOR}"
|
|
script_path=$([[ "$0" = /* ]] && echo "$0" || echo "$PWD/${0#./}")
|
|
params="--skip-intro ${params}"
|
|
sudo "$script_path" $params || (
|
|
echo -e "${ACCENT_COLOR}Unable to continue without sudo permissions"
|
|
echo -e "${PRIMARY_COLOR}Exiting...${RESET_COLOR}"
|
|
exit 1
|
|
)
|
|
exit 0
|
|
fi
|
|
|
|
# Helper function to log progress to console
|
|
function log_msg () {
|
|
current_event=$(($current_event + 1))
|
|
if [[ ! $params == *"--silent"* ]]; then
|
|
if (("$current_event" < 10 )); then sp='0'; else sp=''; fi
|
|
echo -e "${PRIMARY_COLOR}[${sp}${current_event}/${total_events}] ${ACCENT_COLOR}${1}${INFO_COLOR}"
|
|
fi
|
|
}
|
|
|
|
# Helper function to log section to console
|
|
function log_section () {
|
|
if [[ ! $params == *"--silent"* ]]; then
|
|
echo -e "${PRIMARY_COLOR}[INFO ] ${1}${INFO_COLOR}"
|
|
fi
|
|
}
|
|
|
|
echo -e "\n${PRIMARY_COLOR}Starting...${RESET_COLOR}"
|
|
|
|
# Quit System Preferences before starting
|
|
osascript -e 'tell application "System Preferences" to quit'
|
|
|
|
# ######################################
|
|
# Disabling Siri and related features #
|
|
# ######################################
|
|
log_section "Disable Telemetry and Assistant Features"
|
|
|
|
# Disable Ask Siri
|
|
log_msg "Disable 'Ask Siri'"
|
|
defaults write com.apple.assistant.support 'Assistant Enabled' -bool false
|
|
|
|
# Disable Siri voice feedback
|
|
log_msg "Disable Siri voice feedback"
|
|
defaults write com.apple.assistant.backedup 'Use device speaker for TTS' -int 3
|
|
|
|
# Disable Siri services (Siri and assistantd)
|
|
log_msg "Disable Siri services (Siri and assistantd)"
|
|
launchctl disable "user/$UID/com.apple.assistantd"
|
|
launchctl disable "gui/$UID/com.apple.assistantd"
|
|
sudo launchctl disable 'system/com.apple.assistantd'
|
|
launchctl disable "user/$UID/com.apple.Siri.agent"
|
|
launchctl disable "gui/$UID/com.apple.Siri.agent"
|
|
sudo launchctl disable 'system/com.apple.Siri.agent'
|
|
if [ $(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//') = "enabled" ]; then
|
|
>&2 echo 'This script requires SIP to be disabled. Read more: \
|
|
https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection'
|
|
fi
|
|
|
|
# Disable "Do you want to enable Siri?" pop-up
|
|
log_msg "Disable 'Do you want to enable Siri?' pop-up"
|
|
defaults write com.apple.SetupAssistant 'DidSeeSiriSetup' -bool True
|
|
|
|
# Hide Siri from menu bar
|
|
log_msg "Hide Siri from menu bar"
|
|
defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 0
|
|
|
|
# Hide Siri from status menu
|
|
log_msg "Hide Siri from status menu"
|
|
defaults write com.apple.Siri 'StatusMenuVisible' -bool false
|
|
defaults write com.apple.Siri 'UserHasDeclinedEnable' -bool true
|
|
|
|
# Opt-out from Siri data collection
|
|
log_msg "Opt-out from Siri data collection"
|
|
defaults write com.apple.assistant.support 'Siri Data Sharing Opt-In Status' -int 2
|
|
|
|
# Don't prompt user to report crashes, may leak sensitive info
|
|
log_msg "Disable crash reporter"
|
|
defaults write com.apple.CrashReporter DialogType none
|
|
|
|
############################
|
|
# MacOS Firefwall Security #
|
|
############################
|
|
log_section "Firewall Config"
|
|
|
|
# Prevent automatically allowing incoming connections to signed apps
|
|
log_msg "Prevent automatically allowing incoming connections to signed apps"
|
|
sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
|
|
|
|
# Prevent automatically allowing incoming connections to downloaded signed apps
|
|
log_msg "Prevent automatically allowing incoming connections to downloaded signed apps"
|
|
sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool false
|
|
|
|
# Enable application firewall
|
|
log_msg "Enable application firewall"
|
|
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
|
|
sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool true
|
|
defaults write com.apple.security.firewall EnableFirewall -bool true
|
|
|
|
# Turn on firewall logging
|
|
log_msg "Turn on firewall logging"
|
|
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
|
|
sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true
|
|
|
|
# Turn on stealth mode
|
|
log_msg "Turn on stealth mode"
|
|
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
|
|
sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true
|
|
defaults write com.apple.security.firewall EnableStealthMode -bool true
|
|
|
|
# Will prompt user to allow network access even for signed apps
|
|
log_msg "Prevent signed apps from being automatically whitelisted"
|
|
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
|
|
|
|
# Will prompt user to allow network access for downloaded apps
|
|
log_msg "Prevent downloaded apps from being automatically whitelisted"
|
|
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off
|
|
|
|
# Sending hangup command to socketfilterfw is required for changes to take effect
|
|
log_msg "Restarting socket filter firewall"
|
|
sudo pkill -HUP socketfilterfw
|
|
|
|
# Prevents quarantine from storing info about downloaded files as privacy risk
|
|
log_msg "Disabling GateKeeper"
|
|
sudo spctl --master-disable
|
|
|
|
####################################
|
|
# Log In and User Account Security #
|
|
####################################
|
|
log_section "Account Security"
|
|
|
|
# Enforce system hibernation
|
|
log_msg "Enforce hibernation instead of sleep"
|
|
sudo pmset -a destroyfvkeyonstandby 1
|
|
|
|
# Evict FileVault keys from memory
|
|
log_msg "Evict FileVault keys from memory on hibernate"
|
|
sudo pmset -a hibernatemode 25
|
|
|
|
# Set power settings (required when evicting FV keys)
|
|
log_msg "Disable power nap and other auto-power settings"
|
|
sudo pmset -a powernap 0
|
|
sudo pmset -a standby 0
|
|
sudo pmset -a standbydelay 0
|
|
sudo pmset -a autopoweroff 0
|
|
|
|
# Require a password to wake the computer from sleep or screen saver
|
|
log_msg "Require a password to wake the computer from sleep or screen saver"
|
|
sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true
|
|
|
|
# Initiate session lock five seconds after screen saver is started
|
|
log_msg "Initiate session lock five seconds after screen saver is started"
|
|
sudo defaults write /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' -int 5
|
|
|
|
# Disables signing in as Guest from the login screen
|
|
log_msg "Disables signing in as Guest from the login screen"
|
|
sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
|
|
|
|
# Disables Guest access to file shares over AF
|
|
log_msg "Disables Guest access to file shares over AF"
|
|
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO
|
|
|
|
|
|
####################################
|
|
# Prevent Unauthorized Connections #
|
|
####################################
|
|
log_section "Prevent Unauthorized Connections"
|
|
|
|
# Disables Guest access to file shares over SMB
|
|
log_msg "Disables Guest access to file shares over SMB"
|
|
sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO
|
|
|
|
# Disable remote login (incoming SSH and SFTP connections)
|
|
log_msg "Disable remote login (incoming SSH and SFTP connections)"
|
|
echo 'yes' | sudo systemsetup -setremotelogin off
|
|
|
|
# Disable insecure TFTP service
|
|
log_msg "Disable insecure TFTP service"
|
|
sudo launchctl disable 'system/com.apple.tftpd'
|
|
|
|
# Disable Bonjour multicast advertising
|
|
log_msg "Disable Bonjour multicast advertising"
|
|
sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
|
|
|
|
# Disable insecure telnet protocol
|
|
log_msg "Disable insecure telnet protocol"
|
|
sudo launchctl disable system/com.apple.telnetd
|
|
|
|
log_msg "Prevent auto-launching captive portal webpages"
|
|
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false
|
|
|
|
#########################################
|
|
# Disable Printers and Sharing Protocols #
|
|
#########################################
|
|
log_section "Printers and Sharing Protocols"
|
|
|
|
# Disable sharing of local printers with other computers
|
|
log_msg "Disable sharing of local printers with other computers"
|
|
cupsctl --no-share-printers
|
|
|
|
# Disable printing from any address including the Internet
|
|
log_msg "Disable printing from any address including the Internet"
|
|
cupsctl --no-remote-any
|
|
|
|
# Disable remote printer administration
|
|
log_msg "Disable remote printer administration"
|
|
cupsctl --no-remote-admin
|
|
|
|
# Disable Captive portal
|
|
log_msg "Disable Captive portal"
|
|
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false
|
|
|
|
#####################################
|
|
# Print finishing message, and exit #
|
|
#####################################
|
|
echo -e "${PRIMARY_COLOR}\nFinishing...${RESET_COLOR}"
|
|
echo -e "${SUCCESS_COLOR}✔ ${current_event}/${total_events} tasks were completed \
|
|
succesfully in $((`date +%s`-start_time)) seconds${RESET_COLOR}"
|
|
echo -e "\n${PRIMARY_COLOR} .:'\n __ :'__\n .'\`__\`-'__\`\`.\n \
|
|
:__________.-'\n :_________:\n :_________\`-;\n \`.__.-.__.'\n${RESET_COLOR}"
|
|
|
|
if [[ ! $params == *"--quick-exit"* ]]; then
|
|
echo -e "${ACCENT_COLOR}Press any key to continue.${RESET_COLOR}"
|
|
read -t 5 -n 1 -s
|
|
fi
|
|
exit 0
|