diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..45350ad9 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +PR_Fox.md diff --git a/README.md b/README.md index cdf8e267..aad86aeb 100644 --- a/README.md +++ b/README.md @@ -229,6 +229,8 @@ It is not strictly required to ever log into the admin account via the macOS log * There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the `open` utility. * See additional discussion in [issue 167](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/167). + + ## Setup Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account. @@ -248,6 +250,20 @@ dscl . -read /Users/ GeneratedUID See also [this post](https://superuser.com/a/395738) for more information about how macOS determines group membership. +For single-user laptops and workstations, consider disabling the root +account's login shell to reduce the risk of an attacker obtaining a +persistent interactive root session via local or remote login: + +```console +sudo dsenableroot -d +sudo dscl . -create /Users/root UserShell /usr/bin/false +``` + +The first command disables the root account via Directory Services. +The second ensures that even if the account is re-enabled, it cannot +spawn an interactive shell. Privilege escalation via `sudo` remains +unaffected. + # Firmware You should check that firmware security settings are set to [Full Security](https://support.apple.com/guide/mac-help/mchl768f7291/mac) to prevent tampering with your OS. This is the default setting. 
@@ -452,6 +468,35 @@ If a program isn't available through the App Store, consider using [Homebrew](ht Remember to periodically run `brew upgrade` on trusted and secure networks to download and install software updates. To get information on a package before installation, run `brew info ` and check its formula online. You may also wish to enable [additional security options](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/138), such as `HOMEBREW_NO_INSECURE_REDIRECT=1` +To check installed Homebrew packages for known CVEs, consider using +[brew-vulns](https://github.com/nicowillis/brew-vulns): + +```console +brew tap nicowillis/brew-vulns +brew install brew-vulns +brew vulns +``` + +If the `brew-vulns` binary is not found after installation, add +Homebrew's bin directory to your `PATH`: + +```console +export PATH="$(brew --prefix)/bin:$PATH" +``` + +For Python environments, consider auditing dependencies with +[pip-audit](https://github.com/pypa/pip-audit) via +[pipx](https://github.com/pypa/pipx): + +```console +brew install pipx +pipx install pip-audit +pip-audit +``` + +Run `pipx upgrade pip-audit` periodically to ensure the vulnerability +database is current. + According to [Homebrew's Anonymous Analytics](https://docs.brew.sh/Analytics), Homebrew gathers anonymous analytics and reports these to a self-hosted InfluxDB instance. To opt out of Homebrew's analytics, set `export HOMEBREW_NO_ANALYTICS=1` in the environment or shell rc file, or use `brew analytics off` 
@@ -739,12 +784,18 @@ server: GitHub.com # Browser + The Web browser likely poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet. An important property of modern browsers is the Same Origin Policy ([SOP](https://en.wikipedia.org/wiki/Same-origin_policy)) which prevents a malicious script on one page from obtaining access to sensitive data on another web page through the Document Object Model (DOM). If SOP is compromised, the security of the entire browser is compromised. Many browser exploits are based on social engineering as a means of gaining persistence. Always be mindful of opening untrusted sites and especially careful when downloading new software. +Regardless of browser choice, consider replacing the default search +engine. Google search queries are linked to your account and +browsing profile. See [Search engines](#search-engines) below for +alternatives suited to daily use. + Another important consideration about browser security is extensions. This is an issue affecting Firefox and [Chrome](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) alike. The use of browser extensions should be limited to only critically necessary ones published by trustworthy developers. [Mozilla Firefox](https://www.mozilla.org/firefox/new), [Google Chrome](https://www.google.com/chrome), [Safari](https://www.apple.com/safari), and [Tor Browser](https://www.torproject.org/download) are all recommended browsers for their own unique and individual purposes. 
@@ -759,8 +810,17 @@ Firefox supports user-supplied configuration files. See [drduh/config/firefox.us Firefox [focuses on user privacy](https://www.mozilla.org/firefox/privacy). It supports [tracking protection](https://developer.mozilla.org/docs/Web/Privacy/Firefox_tracking_protection) in Private Browsing mode. The tracking protection can be enabled for the default account, although it may break the browsing experience on some websites. Firefox in Strict tracking protection mode will [randomize your fingerprint](https://support.mozilla.org/kb/firefox-protection-against-fingerprinting) to foil basic tracking scripts. Firefox offers separate user [profiles](https://support.mozilla.org/kb/profile-manager-create-remove-switch-firefox-profiles). You can separate your browsing inside a profile with [Multi-Account Containers](https://support.mozilla.org/kb/containers). + Firefox only supports Web Extensions through the [Web Extension Api](https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions), which is very similar to Chrome. Submission of Web Extensions in Firefox is free. Web Extensions in Firefox most of the time are open source, although certain Web Extensions are proprietary. +To change the default search engine: +*Settings → Search → Default Search Engine → choose from the list +or add a custom engine.* + +[DuckDuckGo](https://duckduckgo.com) is available by default. +[Brave Search](https://search.brave.com) can be added manually +via the search engine manager. + ## Chrome [Google Chrome](https://www.google.com/chrome) is based on the open source [Chromium project](https://www.chromium.org) with certain [proprietary components](https://fossbytes.com/difference-google-chrome-vs-chromium-browser): 
@@ -786,7 +846,16 @@ Read more about the benefits of disabling this [here](https://microsoftedge.gith You can block trackers with [uBlock Origin Lite](https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh). -Change the default search engine from Google to reduce additional tracking. +Change the default search engine from Google to reduce additional +tracking. Google search queries are linked to your Google Account +if signed in, and contribute to an advertising profile even in +Incognito mode. + +To change: *Settings → Search engine → Manage search engines → +Set as default.* + +See [Search engines](#search-engines) below for recommended +alternatives. Disable [DNS prefetching](https://www.chromium.org/developers/design-documents/dns-prefetching) (see also [DNS Prefetching and Its Privacy Implications](https://www.usenix.org/legacy/event/leet10/tech/full_papers/Krishnan.pdf) (pdf)). Note that Chrome [may attempt](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/350) to resolve DNS using Google's `8.8.8.8` and `8.8.4.4` public nameservers. 
@@ -808,12 +877,83 @@ Safari follows a slower release cycle than Chrome and Firefox (3-4 minor release See also [el1t/uBlock-Safari](https://github.com/el1t/uBlock-Safari/wiki/Disable-hyperlink-auditing-beacon) to disable hyperlink auditing beacons. +To change the default search engine: +*Settings → Safari → Search → Search engine.* + +DuckDuckGo is available natively. Note that Safari still sends +search suggestions to Apple as you type — disable this in +*Settings → Safari → Search → Include Safari Suggestions* +if this is a concern. + ## Other browsers Many Chromium-derived browsers are not recommended. They are usually [closed source](https://yro.slashdot.org/comments.pl?sid=4176879&cid=44774943), [poorly maintained](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z), and make dubious claims to protect privacy. +[Mullvad Browser](https://mullvad.net/en/browser) is developed in +collaboration between Mullvad VPN and the Tor Project. It applies +Tor Browser's anti-fingerprinting architecture without routing +traffic through the Tor network, making it suitable for use with +a VPN. + +The key design principle is crowd anonymity: all Mullvad Browser +users share an identical fingerprint. Rather than randomizing +parameters per-session (which itself becomes detectable), the +browser standardizes them across the entire user base — +`privacy.resistFingerprinting` is enabled by default, canvas +prompts are auto-declined, and hardware APIs that expose CPU +cores, memory, and keyboard layout are masked. + +JavaScript can be disabled or restricted per-site via the built-in +[uBlock Origin](https://github.com/gorhill/uBlock) extension in +advanced mode. This provides per-domain script control without +requiring additional configuration — enable it from the uBlock +Origin dashboard under *Filter lists*. 
+ +Additional defaults include: +- Private browsing mode on by default — cookies, history, and cache + are deleted on exit +- First-party isolation (FPI) — trackers cannot correlate activity + across sites +- HTTPS-only mode enforced +- No telemetry collected + +!NOTE Mullvad Browser's fingerprint protection is strongest when +settings are left at their defaults. Modifying the configuration +can make your browser distinguishable from the crowd, reducing the +anonymity benefit. + +Mullvad Browser requires no Mullvad VPN subscription and is +[available for macOS](https://mullvad.net/en/download/browser). +When paired with any VPN, it provides a strong combination of +network-level and browser-level privacy. + Other miscellaneous browsers, such as [Brave](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/94), are not evaluated in this guide, so are neither recommended nor actively discouraged from use. +## Search engines + +The default search engine in most browsers is Google, which +links queries to your account, IP address, and browsing history +to build an advertising profile. Changing the search engine is +one of the lowest-friction privacy improvements available. + +Recommended alternatives for daily use: + +- [DuckDuckGo](https://duckduckgo.com) — no search history stored, + no user profiling. Results sourced from Bing and its own crawler. + Supports `!bang` shortcuts (e.g., `!g query` to fall back to + Google for a single query without switching engines permanently). +- [Startpage](https://www.startpage.com) — proxies Google results + anonymously. Google index quality without Google seeing your IP + or identity. Useful when DuckDuckGo results are insufficient. +- [Brave Search](https://search.brave.com) — independent index, + no Google or Bing dependency, no tracking. 
+ +!NOTE Changing the search engine reduces query-level tracking but +does not prevent browsers from sending data to their vendors through +other channels such as Safe Browsing, crash reports, or DNS +prefetching. Review each browser's section above for additional +mitigations. + ## Web browser privacy Web browsers reveal information in several ways, for example through the [Navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) interface, which may include information such as the browser version, operating system, site permissions, and the device's battery level. Many websites also use [canvas fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) to uniquely identify users across sessions. @@ -975,6 +1115,19 @@ It may be worthwhile to consider the geographical location of the VPN provider. Also see this [technical overview](https://blog.timac.org/2018/0717-macos-vpn-architecture/) of the macOS built-in VPN L2TP/IPSec and IKEv2 client. +For checking your VPN on leaks u can use resources such: + #check for VPN DNS leaks + - https://ipleak.net/ + #check for DNS leaks + - https://www.dnsleaktest.com/ + #check for DNS leaks + - https://www.comparitech.com/privacy-security-tools/dns-leak-test/ + #VPN Test: IP, DNS & WebRTC + - https://vpntesting.com +Make sure: + - IP and geolocation → match the VPN, not your ISP + - DNS servers → belong to the VPN (or a neutral provider), but not your local ISP + # PGP/GPG PGP is a standard for signing and encrypting data (especially email) end-to-end, so only the sender and recipient can access it. 
@@ -999,6 +1152,54 @@ Read [online](https://alexcabal.com/creating-the-perfect-gpg-keypair/) [guides]( # Messengers +## Notification Center privacy + +macOS stores all received notifications in a persistent SQLite +database at `/private/var/folders/`. This database retains +notification content — including message previews from Signal, +iMessage, and other messengers — in a recoverable form until +manually cleared, regardless of the encryption used by the +messenger itself. + +An attacker with physical or local access to the machine can +extract plaintext message content from this database without +breaking any cryptographic primitives. This was [demonstrated +by Patrick Wardle](https://objective-see.org/blog/blog_0x2E.html) +against Signal notifications on macOS. + +To reduce this exposure: + +**Disable message previews system-wide:** +*System Settings → Notifications → Show Previews → +set to "When Unlocked" or "Never"* + +**Per-app, disable notification persistence in each messenger:** + +- *Signal:* Settings → Notifications → Show → + set to "No Name or Message" +- *Telegram:* Settings → Notifications → Message Preview → + disable +- *iMessage:* System Settings → Notifications → Messages → + disable "Show Previews" +- *WhatsApp:* Settings → Notifications → disable + "Show Message Preview" + +**Clear the existing notification database manually:** + +```console +# View current notification database location +sudo find /private/var/folders -name "*.db" \ + -path "*notificationcenter*" 2>/dev/null + +# Restart Notification Center to flush in-memory state +killall NotificationCenter +``` + +> NOTE: macOS Sequoia moved the database location and added +> additional access restrictions. However, content is still +> stored until cleared. The mitigations above apply to all +> supported macOS versions. + ## XMPP XMPP is an [open standard](https://xmpp.org/extensions) developed by the [IETF](https://www.ietf.org) that allows for cross-platform federated messaging. 
There are many options for [clients](https://xmpp.org/getting-started). Consider using one of the browser-based clients to take advantage of the browser's sandbox. @@ -1086,7 +1287,8 @@ To scan an application with multiple AV products and examine its behavior, uploa macOS comes with a built-in AV program called [XProtect](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8). XProtect automatically runs in the background and updates its signatures that it uses to detect malware without you having to do anything. If it detects malware already running, it will work to remove and mitigate it just like any other AV program. -Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html) or [maclaunch.sh](https://github.com/hazcod/maclaunch) might help prevent persistent malware. +Applications such as [BlockBlock](https://objective-see.com/products/blockblock.html), [KnockKnock](https://objective-see.com/products/knockknock.html), [OverSight](https://objective-see.com/products/oversight.html), and [maclaunch.sh](https://github.com/hazcod/maclaunch) can help detect and prevent persistent malware, unauthorized launch items, +and unexpected use of the camera or microphone. Locally installed **Anti-virus** programs are generally a double-edged sword: they may catch "garden variety" malware, but also may increase the attack surface for sophisticated adversaries due to their privileged operating mode. They also typically phone home to send samples in order to catch the newest malware. This can be a privacy concern. 
@@ -1453,7 +1655,7 @@ Keep your Mac physically secure at all times and do not leave it unattended in p A skilled attacker with unsupervised physical access could install a [hardware keylogger](https://trmm.net/Thunderstrike_31c3) to record all of your keystrokes. Using a Mac with a built-in keyboard or a bluetooth keyboard makes this more difficult as many off-the-shelf versions of this attack are designed to be plugged in between a USB keyboard and your computer. -To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface). All respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. +To protect against physical theft during use, you can use an anti-forensic tool like [BusKill](https://github.com/buskill/buskill-app) or [swiftGuard](https://github.com/Lennolium/swiftGuard) (updated usbkill, with graphical user interface) (on 18.4.26 swiftguard doesnt lunch on m series macbook on macos 26 and higher). [DoNotDisturb](https://objective-see.com/products/donotdisturb.html) can alert when the lid of an unattended Mac is opened, providing an additional layer of physical access detection. All of these tools respond to USB events and can immediately shutdown your computer if your device is physically separated from you or an unauthorized device is connected. Consider purchasing a privacy screen/filter for use in public. 
@@ -1461,6 +1663,9 @@ Consider purchasing a privacy screen/filter for use in public. # System monitoring +For a higher-level view of the system's security posture, several +auditing tools can complement the low-level visibility of OpenBSM. + ## OpenBSM audit macOS has a powerful OpenBSM (Basic Security Module) auditing capability. You can use it to monitor process execution, network activity, and much more. 
@@ -1480,6 +1685,35 @@ Although `man audit` says the `-s` flag will synchronize the audit configuration See articles on [ilostmynotes.blogspot.com](https://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information. +[Lynis](https://github.com/CISOfy/lynis) is an open source security +auditing tool that performs over 300 checks against the system and +produces a hardening index score with actionable findings: + +```console +brew install lynis +sudo lynis audit system +``` +Results are saved to `/var/log/lynis.log` and +`/var/log/lynis-report.dat`. The hardening index provides a +reproducible baseline — run periodically and compare scores over +time to track improvement. + +For users who find raw Lynis output difficult to interpret, +[Pareto Security](https://paretosecurity.com) provides a MenuBar +application that continuously audits the most impactful security +settings and surfaces failures in plain language — no terminal +required. + +[Mergen](https://github.com/sametsazak/mergen) is a GUI-based +auditing tool with CIS Benchmark checks, similar in scope to Lynis. +Verify the project is actively maintained before use in production +environments. (note - after Mergen audit resultats, dont blind click "fix all one button", look up what issue Mergen found, look up discribtion. If u feel profesional and accept resposobility and risks, u can open terminal and wrote command, unless u not sure - dont do anything, or ask for profesional guidness) + +To compare findings across tools, note that Lynis and Mergen surface +configuration weaknesses, while OpenBSM records runtime behavior. +They are complementary: auditors catch what is misconfigured, +OpenBSM catches what is happening. 
+ ## DTrace [System Integrity Protection](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection) interferes with DTrace, so it is not possible to use it in recent macOS versions without disabling SIP. 
@@ -1555,6 +1789,30 @@ tshark -Y "ssl.handshake.certificate" -Tfields \ Disable [Diagnostics & Usage Data](https://support.apple.com/guide/mac-help/share-analytics-information-mac-apple-mh27990). +To improve auditability of privilege escalation without modifying +`/etc/sudoers` directly, create a dedicated drop-in file: + +`log_allowed` writes a timestamped entry for every successful `sudo` +invocation, improving forensic visibility. `timestamp_type=tty` ties +credential caching to the terminal session rather than the user +process, preventing credential reuse across concurrent sessions. +`timestamp_timeout=0` disables the 15-minute cache entirely — +every `sudo` call requires re-authentication. Adjust to taste +based on your threat model. + +```console +sudo visudo -f /etc/sudoers.d/audit_sudo +``` + +Add the following lines: + +# Log each successful sudo invocation with a timestamp +Defaults log_allowed +# Require password re-entry per TTY session, not per process +Defaults timestamp_type=tty +# Remove the default 15-minute credential cache +Defaults timestamp_timeout=0 + If you want to play **music** or watch **videos**, use QuickTime Player, the built-in media player in macOS. It uses the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox), [Hardened Runtime](https://developer.apple.com/documentation/xcode/configuring-the-hardened-runtime), and benefits from the [Signed System Volume](https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web) as part of the base system. If you want to use **torrents**, use [Transmission](https://transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). 
You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). @@ -1637,9 +1895,28 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir -rw-------@ 1 kevin staff 2026566 Dec 4 12:28 umask_testing_file ``` +For laptops and desktops, consider applying a CIS-style power +management baseline to reduce the window of an unattended unlocked +session: + +```console +sudo pmset -a sleep 15 +sudo pmset -a displaysleep 10 +sudo pmset -a womp 0 +``` + +`sleep` sets system idle sleep to 15 minutes, `displaysleep` dims +the display after 10 minutes, and `womp 0` disables Wake on LAN. +On server or lab setups this baseline may be undesirable — verify +with `pmset -g` before and after applying changes. + # Related software * [CISOfy/lynis](https://github.com/CISOfy/lynis) - Cross-platform security auditing tool and assists with compliance testing and system hardening. +* [sametsazak/mergen](https://github.com/sametsazak/mergen) - + A GUI-based system auditing tool with CIS Benchmark checks, + similar to Lynis. Verify the project is actively maintained + before use in production environments. * [Zentral](https://github.com/zentralopensource/zentral) - A log and configuration server for osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack). * [osquery](https://github.com/osquery/osquery) - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. * [Pareto Security](https://github.com/paretoSecurity/pareto-mac/) - A MenuBar app to automatically audit your Mac for basic security hygiene. 
@@ -1653,4 +1930,4 @@ drwx------ 2 kevin staff 64 Dec 4 12:27 umask_testing_dir * [Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html) * [Reverse Engineering macOS blog](https://reverse.put.as/) * [Reverse Engineering Resources](http://samdmarshall.com/re.html) -* [iCloud security and privacy overview](https://support.apple.com/102651) +* [iCloud security and privacy overview](https://support.apple.com/102651) \ No newline at end of file
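Review bot: `PR_Fox.md` in the `.gitignore` hunk looks like a contributor's personal notes file, not an artifact of this project, and should not be added to the repository's ignore list; keep it out of the tree with a per-clone `.git/info/exclude` entry or a global excludes file and drop this hunk.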
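Review bot: The two blank lines inserted before `## Setup` in the `@@ -229,6 +229,8 @@` hunk are whitespace-only noise; the rest of the README separates sections with a single blank line, so drop this hunk.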
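Review bot: In the `@@ -248,6 +250,20 @@` hunk, "Privilege escalation via `sudo` remains unaffected" is not accurate: `sudo -i` and `sudo su -` start root's login shell from its directory-services `UserShell` entry, so after `dscl . -create /Users/root UserShell /usr/bin/false` they exit immediately, while plain `sudo command` and `sudo -s` (which use the caller's shell) keep working. Say that explicitly. Also note that the root account is disabled by default on macOS, so `sudo dsenableroot -d` is a confirmation step for most readers, and that it prompts for an administrator password.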
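Review bot: In the `@@ -452,6 +468,35 @@` hunk, "Run `pipx upgrade pip-audit` periodically to ensure the vulnerability database is current" is misleading: pip-audit queries the PyPI and OSV advisory services at run time, so upgrading the tool does not refresh the data it matches against. Two more points: pipx installs pip-audit into its own isolated virtual environment, so a bare `pip-audit` audits that environment rather than the reader's project (suggest `pip-audit -r requirements.txt` or running it from the project's own virtualenv), and `nicowillis/brew-vulns` is a third-party tap whose code runs with the user's privileges, so give it the same "verify the project is actively maintained" caveat this PR adds for Mergen. The `export PATH="$(brew --prefix)/bin:$PATH"` block is generic Homebrew setup already covered by `brew shellenv`, not specific to brew-vulns, and can go.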
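Review bot: The paragraph added in the `@@ -739,12 +784,18 @@` hunk repeats the rationale ("Google search queries are linked to your account and browsing profile") that the Chrome hunk and the new `## Search engines` section also state; keep only the one-sentence pointer to `#search-engines` here and make the argument once, in that section. The blank line inserted directly after `# Browser` is whitespace-only noise.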
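Review bot: In the `@@ -759,8 +810,17 @@` hunk, the per-browser "To change the default search engine" steps (here and in the Chrome and Safari hunks) would be easier to keep current as one list of menu paths under `## Search engines`, leaving each browser section with a pointer; menu paths change between releases and are easier to fix in one place. The blank line inserted before "Firefox only supports Web Extensions" is whitespace-only noise.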
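Review bot: In the `@@ -786,7 +846,16 @@` hunk, "contribute to an advertising profile even in Incognito mode" needs a source or a qualifier: an Incognito window starts without the account's cookies, so queries are linked to the account only if the user signs in to Google within that session. The rationale sentence is now stated three times in the file; keep it in `## Search engines` and leave only the menu path here.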
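Review bot: In the `@@ -808,12 +877,83 @@` hunk, the Safari path *Settings → Safari → Search → Search engine* is the iOS Settings app layout; on macOS the search engine and "Include Safari Suggestions" options live under Safari → Settings → Search, which is what this guide covers. Three further points: `!NOTE` is not GitHub alert syntax and renders as literal text (the form is `> [!NOTE]` on its own blockquote line), and the Notification Center hunk uses a different `> NOTE:` style, so pick one convention. uBlock Origin's advanced mode is turned on with the "I am an advanced user" checkbox on the dashboard's *Settings* tab, not under *Filter lists*. The Mullvad paragraphs assert several defaults (canvas prompts auto-declined, hardware APIs masked, FPI, no telemetry) without a link; cite Mullvad's or the Tor Project's documentation so readers can verify them as releases change.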
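Review bot: In the `@@ -975,6 +1115,19 @@` hunk, the `#check for VPN DNS leaks` lines start with `#` in a Markdown file, so each renders as an H1 heading rather than a comment, and the indentation is mixed. Rewrite the block as a plain bulleted list with a short description per link (for example `- [ipleak.net](https://ipleak.net/) - checks for DNS and WebRTC leaks`), change "u can use resources such:" to "you can use resources such as:", and put the "Make sure:" items in a second list preceded by a blank line so Markdown renders them as a list.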
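Review bot: In the `@@ -999,6 +1152,54 @@` hunk, the block headed "Clear the existing notification database manually" does not clear anything: `find` only lists files and `killall NotificationCenter` only restarts the process. The `find` is also unlikely to match, because the database file is named `db` (with `db-wal` and `db-shm` siblings) under `com.apple.notificationcenter/db2/`, not `*.db`, and `getconf DARWIN_USER_DIR` resolves the per-user folder without needing `sudo find` over all of `/private/var/folders`. Either give a procedure that actually locates and removes the database or rename the heading to "Locate the notification database". Smaller points: "a persistent SQLite database at `/private/var/folders/`" names the parent of every per-user temp directory, not the database path; the per-app heading says "disable notification persistence" but the steps disable previews; and the claim that Sequoia relocated the database and added access restrictions needs a source.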
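Review bot: In the `@@ -1086,7 +1287,8 @@` hunk, the replacement sentence is split across two lines mid-sentence ("...unauthorized launch items," / "and unexpected use of the camera or microphone.") while every other paragraph in this README is a single line; join it into one line for consistency. The content itself is accurate and worth keeping: BlockBlock and maclaunch.sh block or list persistence, KnockKnock enumerates existing persistence, and OverSight monitors camera and microphone use, so "detect and prevent" is the right verb pair.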
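Review bot: In the `@@ -1453,7 +1655,7 @@` hunk, "All of these tools respond to USB events" is no longer true once DoNotDisturb is in the list, since it watches for lid-open events rather than USB; scope the USB sentence to BusKill and swiftGuard. The parenthetical "(on 18.4.26 swiftguard doesnt lunch on m series macbook on macos 26 and higher)" needs rewriting: replace the bare date with an unambiguous one or a link to the upstream issue, and fix "doesnt lunch" to "does not launch" and "m series macbook" to "Apple silicon Macs".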
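Review bot: The sentence added in the `@@ -1461,6 +1663,9 @@` hunk promises "several auditing tools" that "complement the low-level visibility of OpenBSM", but the tools themselves are placed inside `## OpenBSM audit` in the next hunk; give them their own `## Auditing tools` subsection so this lead-in introduces a heading rather than the OpenBSM material.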
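Review bot: In the `@@ -1480,6 +1685,35 @@` hunk, the Mergen parenthetical ("dont blind click "fix all one button" ... ask for profesional guidness") needs a full rewrite in the README's register, for example: "Review each Mergen finding and its description before applying fixes; do not use the one-click fix-all option unless you understand and accept the changes it makes." Also: the Lynis, Pareto Security and Mergen paragraphs sit under `## OpenBSM audit` after the "See articles" pointer, which is the wrong heading for them; move them to their own subsection. "over 300 checks" needs a source or should be softened to "hundreds of checks". Add a blank line between the closing fence and "Results are saved", and note that the Mergen maintenance caveat is duplicated verbatim in `# Related software`.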
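Review bot: In the `@@ -1555,6 +1789,30 @@` hunk, the three `Defaults` lines and their comments are not inside a code fence, so Markdown renders `# Log each successful sudo invocation with a timestamp` as an H1 heading and the `Defaults ...` lines as running text; wrap them in a fenced block. The explanatory paragraph also appears before the `visudo` command and the lines it explains; move it after "Add the following lines:" and the fence. Two accuracy points: per sudoers(5), `log_allowed` is on by default and `tty` is the documented default for `timestamp_type`, so those two lines document default behaviour rather than harden anything unless the macOS build differs (check `sudo -V` as root, which prints the compiled-in defaults), and the same output gives the real credential cache length, so "the 15-minute cache" should be verified rather than asserted.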
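Review bot: In the `@@ -1637,9 +1895,28 @@` hunk, the `pmset` sleep timers only shorten the unattended window if the session locks when the display sleeps; state that dependency and pair the block with requiring a password on wake (System Settings → Lock Screen), otherwise the reader gets a dimmed but still-unlocked session. The block also lands at the end of the umask discussion; a "Power management" subheading or a move next to the lock-screen material would fit better. In `# Related software`, the Mergen entry is wrapped over four indented lines while the sibling entries are single lines, and its maintenance caveat repeats the one added in the System monitoring hunk.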
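Review bot: The final hunk (`@@ -1653,4 +1930,4 @@`) changes nothing but the file's trailing newline (`\ No newline at end of file`), which will produce a spurious diff on every future edit of the last line; restore the trailing newline and drop this hunk.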