Hardening additions: admin accounts, audit tools, browser privacy, messenger security #526
Open
Gr3y-foX wants to merge 4 commits into drduh:master from
drduh (Owner) reviewed on Apr 25, 2026 and left a comment:
Nice suggestions!
@beerisgood @friadev any comments?
| persistent interactive root session via local or remote login: | ||
|
|
||
| ```console | ||
| sudo dsenableroot -d |
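Review bot: the `sudo dsenableroot -d` step gives the reader no way to confirm the root account's state before or after running it. Suggest adding a read-only check next to the command and one sentence saying when the step is a no-op, so the section documents a verifiable outcome rather than a bare command.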
Owner
Is the root account enabled by default; can it be accessed without following these instructions to disable it?
| Remember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info <package>` and check its formula online. You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` | ||
|
|
||
| To check installed Homebrew packages for known CVEs, consider using | ||
| [brew-vulns](https://github.com/nicowillis/brew-vulns): |
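Review bot: the added sentence recommends brew-vulns through a bare repository link, with nothing on who maintains it or how it is installed. In a guide that readers follow verbatim, suggest confirming the link resolves and naming the install source next to it, since a scanner run against installed packages is itself third-party code the reader is asked to trust.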
Owner
This looks unavailable - can you check the URL?
| @@ -0,0 +1 @@ | |||
| PR_Fox.md | |||
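Review bot: the new one-line file containing only `PR_Fox.md` reads as an ignore entry for a contributor's local notes file and is unrelated to the hardening content. Suggest dropping it from this PR and keeping the entry in the contributor's local `.git/info/exclude` instead.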
Owner
What is this; do we need a gitignore?
|
|
||
| Add the following lines: | ||
|
|
||
| # Log each successful sudo invocation with a timestamp |
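Review bot: "Add the following lines:" does not say how the file is to be edited, and a syntax error in a sudoers drop-in can leave `sudo` unusable. Suggest telling readers to edit the drop-in through `visudo -f` and to confirm it parses with `visudo -c` before closing their existing privileged session.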
|
|
||
| The default search engine in most browsers is Google, which | ||
| links queries to your account, IP address, and browsing history | ||
| to build an advertising profile. Changing the search engine is |
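Review bot: the clause "links queries to your account, IP address, and browsing history to build an advertising profile" asserts one provider's behaviour with no source. Suggest stating the neutral point (queries go to whichever provider is set as default) and linking to a primary source for any provider-specific claim.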
Owner
Can we make this more neutral in tone or cite a concrete source?
What this PR adds

Admin accounts
- `dsenableroot` and `dscl UserShell /usr/bin/false`

Homebrew
- `brew-vulns`
- `pip-audit` via `pipx`

Miscellaneous
- `pmset` power management baseline (sleep/displaysleep/womp)
- `sudo` audit logging via `/etc/sudoers.d/audit_sudo` drop-in file (`log_allowed`, `timestamp_type=tty`, `timestamp_timeout=0`)

Browser
- `## Search engines` subsection: DuckDuckGo, Startpage, Brave Search

Messengers
- `## Notification Center privacy` subsection: plaintext extraction risk from macOS SQLite notification database (ref: Patrick Wardle / Objective-See), per-app preview disable instructions, database flush command

System monitoring
- `## System auditing` subsection: Lynis, Pareto Security, Mergen

Viruses and malware
- `## Antivirus`

Physical access

Related software

Notes