This guidebook is a collection of techniques for improving the security and privacy of a modern Apple Macintosh calculator ( “ MacBook ” ) running a holocene version of macOS ( once known as “ OS X ” ) .
This guide is targeted to ability users who wish to adopt enterprise-standard security, but is besides suitable for novice users with an interest in improving their privacy and security on a Mac .
A system is only deoxyadenosine monophosphate dependable as its administrator is able of making it. There is no one single technology, software, nor technique to undertake perfect computer security system ; a mod operate system and computer is very complex, and requires numerous incremental changes to meaningfully improve one ‘s security and privacy position .
This lead is provided on an ‘as is ‘ basis without any warranties of any kind. only you are responsible if you break anything or get in any sort of trouble by following this template.

To suggest an improvement, please send a wrench request or open an consequence .
This guide is besides available in 简体中文 .

Basics

Standard security best practices apply :

  • Create a threat model

    • What are you trying to protect and from whom? Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead); a nosy eavesdropper on the network; or a determined apt orchestrating a campaign against you?
    • Recognize threats and how to reduce attack surface against them.
  • Keep the system up to date

    • Patch the base operating system and all third party software.
    • macOS system updates can be completed using the App Store application, or the softwareupdate command-line utility – neither requires registering an Apple account. Updates can also be downloaded directly from Apple’s support site.
    • Subscribe to announcement mailing lists like Apple security-announce.
  • Encrypt sensible data at rest

    • In addition to full disk encryption, consider creating one or several encrypted partitions or volumes to store passwords, cryptographic keys, personal documents, etc. at rest.
    • This will mitigate damage in case of compromise and data theft.
  • Assure data handiness

    • Create regular backups of your data and be ready to format and re-install the operating system in case of compromise.
    • Always encrypt locally before copying backups to external media or the “cloud”.
    • Verify backups work by testing them regularly, for example by accessing certain files or performing a hash based comparison.
  • Click carefully

    • Ultimately, the security of a system can be reduced to its administrator.
    • Care should be taken when installing new software. Always prefer free and open source software (which macOS is not).

Preparing and installing macOS

There are several ways to install macOS .
The simplest way is to boot into Recovery Mode by holding Command and R keys at boot. A system visualize can be downloaded and applied directly from Apple. however, this way exposes the serial total and other identifying information over the net in homely text, which may not be desired for privacy reasons .
PII is transmitted to Apple in plain text when using macOS Recovery
Packet get of an unencrypted HTTP conversation during macOS recovery
An option direction to install macOS is to first download the latest interpretation of macOS ( Latest: macOS Monterey ) from Apple via the App Store and create a custom installable system double .

Getting macOS

Apple ‘s documentation provides details for getting older versions of macOS .

Verifying installation integrity

The macOS initiation application is code signed, which should be verified to make certain you received a lawful copy, using the pkgutil --check-signature or codesign -dvv commands .
To verify the code key signature and integrity of macOS application bundles :

$  pkgutil -- check-signature /Applications/Install 

\

macOS

\

Monterey.app package `` Install macOS Monterey '' : status : signed by a certificate trusted by macOS certificate chain : 1. software Signing Expires : 2026-10-24 17:39:41 +0000 SHA256 fingerprint : D8 4D B9 6A F8 C2 E6 0A C4 C8 51 A2 1E C4 60 F6 F8 4E 02 35 BE B1 7D 24 A7 87 12 B9 B0 21 ED 57 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 2. Apple Code Signing Certification Authority Expires : 2026-10-24 17:39:41 +0000 SHA256 fingerprint : 5B DA B1 28 8F C1 68 92 FE F5 0C 65 8D B5 4F 1E 2E 19 CF 8F 71 two hundred 55 F7 7D E2 B9 5E 05 1E 25 62 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 3. Apple Root CA Expires : 2035-02-09 21:40:36 +0000 SHA256 fingerprint : B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24

Use the codesign command to examine an application ‘s code touch :

$  codesign -dvv /Applications/Install 

\

macOS

\

Monterey.app Executable=/Applications/Install macOS Monterey.app/Contents/MacOS/InstallAssistant_springboard Identifier=com.apple.InstallAssistant.macOSMonterey Format=app bundle with Mach-O universal ( x86_64 arm64 ) CodeDirectory v=20400 size=641 flags=0x2000 ( library-validation ) hashes=13+3 location=embedded Platform identifier=13 key signature size=4523 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA Signed Time=Dec 1, 2021 at 1:10:31 AM Info.plist entries=32 TeamIdentifier=not set seal Resources version=2 rules=2 files=0 home requirements count=1 size=88

Creating a bootable USB installer

rather of booting from the network or using target harrow mode, a bootable macOS installer can be made with the createinstallmedia utility included in Contents/Resources folder of the installer application bunch. See Create a bootable installer for macOS, or run the utility without arguments to see how it works .
To create a bootable USB installer, mount a USB drive, and erase and partition it, then use the createinstallmedia utility :

$  diskutil number
 [ Find disk matching adjust size, normally the stopping point disk, e.g. /dev/disk2 ]

$  diskutil unmountDisk /dev/disk2

$  diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100 %

$  

cd

/Applications/Install

\

macOS

\

Monterey.app $ sudo ./Contents/Resources/createinstallmedia -- volume /Volumes/Installer -- nointeraction Erasing harrow : 0 % ... 10 % ... 20 % ... 30 % ... 100 % Copying to disk : 0 % ... 10 % ... 20 % ... 30 % ... 40 % ... 50 % ... 60 % ... 70 % ... 80 % ... 90 % ... 100 % Making disk bootable ... Copying boot files ... install media now available at `` /Volumes/Install macOS Catalina ''

Apple besides has guide on doing this via the GUI Disk Utility

Creating an install image

Note Apple ‘s AutoDMG installer does not appear to work across OS versions. If you want to build a 10.14 visualize, for example, the follow steps must be performed on macOS 10.14 !
To create a custom install image which can be restored to a Mac ( using a USB-C cable and aim magnetic disk modality, for exercise ), use MagerValp/AutoDMG .

Manual way

Note The be instructions appear to work only on macOS versions before 10.13 .
Find InstallESD.dmg which is inside the installation application. Locate it in Terminal or with Finder, right cluck on the application bunch, blue-ribbon Show Package Contents and navigate to Contents > SharedSupport to find the file InstallESD.dmg
Verify file integrity by comparing its SHA-256 hash with others found in InstallESD_Hashes.csv or notpeter/apple-installer-checksums .
To determine which macOS versions and builds originally shipped with or are available for a Mac, see HT204319 .

$  shasum -a 256 InstallESD.dmg

Mount and install the manoeuver system to a temp trope :

$  hdiutil attach -mountpoint /tmp/InstallESD ./InstallESD.dmg

$  hdiutil create -size 32g -type SPARSE -fs HFS+J -volname 

"

macOS

"

-uid 0 -gid 80 -mode 1775 /tmp/macos.sparseimage $ hdiutil attach -mountpoint /tmp/macos -owners on /tmp/macos.sparseimage $ sudo installer -pkg /tmp/InstallESD/Packages/OSInstall.mpkg -tgt /tmp/macos -verbose installer : OS Install started . # # # # # # # # # # # # # [ ... ]

The initiation will take a while, indeed be affected role. Use tail -F /var/log/install.log in another terminal to monitor progress and check for errors .
once the installation is arrant, detach, convert and verify the prototype :

$  hdiutil detach /tmp/macos
 `` disk4 '' unmounted .
 `` disk4 '' ejected .

$  hdiutil detach /tmp/InstallESD
 `` disk3 '' unmounted .
 `` disk3 '' ejected .

$  hdiutil convert -format UDZO /tmp/macos.sparseimage -o 

~

/sierra.dmg Preparing imaging engine ... [ ... ] $ asr imagescan -- source

~

/sierra.dmg

The file sierra.dmg is immediately ready to be applied over Target Disk Mode, from a bootable USB installer, booting from the network or recovery mood. The trope could be further customized to include provision users, installed applications, preferences, for model .

Target disk mode

To use Target Disk Mode, boot up the Mac you wish to image while holding the T key and connect it to another Mac using a USB-C, Thunderbolt or Firewire cable television .
If you do n’t have another Mac, boot to a USB installer, with sierra.dmg and other ask files copied to it, by holding the Option key at kick .
Use the command diskutil list to identify the phonograph record of the connect Mac, normally /dev/disk2
optionally, securely erase the magnetic disk with a one passing ( if previously FileVault-encrypted, the phonograph record must first be unlock and mounted as /dev/disk3s2 ) :

$ sudo diskutil secureErase freespace 1 /dev/disk3s2

partition the phonograph record to Journaled HFS+ :

$  sudo diskutil unmountDisk /dev/disk2

$  sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100 %

Restore the picture to the modern book, making certain /dev/disk2 is the disk being erased :

$  sudo asr restore -- source 

~

/sierra.dmg -- aim /Volumes/macOS -- erase -- buffersize 4m [ ... ] Erase contents of /dev/disk2s2 ( /Volumes/macOS ) ? [ new york ] : y [ ... ]

The Disk Utility application may besides be used to erase the connect disk and restore sierra.dmg to the newly created partition .
To transfer any files, copy them to a shared booklet like /Users/Shared on the mount magnetic disk image, e.g. cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared
Finished restore install from USB recovery boot
Finished regenerate install from USB recovery boot

Creating a recovery partition

Unless you have built the trope with AutoDMG, or installed macOS to a second partition on the like Mac, you will need to create a convalescence partition in holy order to use fully harrow encoding. You can do so using MagerValp/Create-Recovery-Partition-Installer or manually by following these steps :
Download RecoveryHDUpdate.dmg and verify its integrity :

$  shasum -a 256 RecoveryHDUpdate.dmg
 f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c RecoveryHDUpdate.dmg

Attach and expand the installer, then run it – again ensuring /Volumes/macOS path is the newly created division on the connect phonograph record :

$  hdiutil impound RecoveryHDUpdate.dmg

$  pkgutil -- expand /Volumes/Mac 

\

OS

\

X

\

Lion

\

Recovery

\

HD

\

Update/RecoveryHDUpdate.pkg /tmp/recovery $ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg $ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery

\

HD

\

Update/BaseSystem.dmg 0 0 /Volumes/Recovery

\

HD

\

Update/BaseSystem.chunklist [ ... ] Creating recovery partition : finished

Run diskutil list again to make sure Recovery HD nowadays exists on /dev/disk2. Eject the phonograph record with hdiutil unmount /Volumes/macOS and office down the target harrow mode-booted Mac .

Virtualization

To install macOS as a virtual machine ( VM ) using VMware Fusion, follow the instructions above to create an trope. You will not need to download and create a convalescence partition manually .
For the Installation Method, select Install macOS from the recovery partition. Customize any memory or CPU requirements and accomplished frame-up. The guest VM should boot into Recovery Mode by nonpayment .
Note If the virtual machine does not boot due to a kernel panic, adjust the memory and procedure resource settings .
In Recovery Mode, select a terminology, then blue-ribbon Utilities > Terminal from the menu bar .
In the node VM, type ifconfig | grep inet – you should see a private address like 172.16.34.129
On the host Mac, character ifconfig | grep inet – you should see a private gateway address like 172.16.34.1. From the host Mac, you should be able to ping 172.16.34.129 or the equivalent guest VM address .
From the horde Mac, serve the installable trope to the guest VM by editing /etc/apache2/httpd.conf and adding the play along line to the top ( using the gateway address assigned to the host Mac and port 80 ) :

Listen 172.16.34.1:80

On the host Mac, link the image to the default Apache Web server directory :

$ sudo ln ~/sierra.dmg /Library/WebServer/Documents

From the horde Mac, start Apache in the foreground :

$ sudo httpd -X

From the guest VM, install the disk image to the book over the local net using asr :

 -bash-3.2 # asr restore -- reference hypertext transfer protocol : //172.16.34.1/sierra.dmg -- prey /Volumes/Macintosh\ HD/ -- erase -- buffersize 4m
 Validating target ... done
 Validating beginning ... done
 Erase contents of /dev/disk0s2 ( /Volumes/Macintosh HD ) ? [ new york ] : y
 Retrieving scan data ... done
 Validating sizes ... done
 Restoring ... .10 ... .20 ... .30 ... .40 ... .50 ... .60 ... .70 ... .80 ... .90 ... .100
 Verifying ... .10 ... .20 ... .30 ... .40 ... .50 ... .60 ... .70 ... .80 ... .90 ... .100
 Remounting target book ... done

When it ‘s finished, stop the Apache Web server on the host Mac by pressing Control C at the sudo httpd -X window and remove the trope copy with sudo rm /Library/WebServer/Documents/sierra.dmg
In the guest VM, choice Startup Disk from the menubar top-left, select the hard tug and resume. You may wish to disable the Network Adapter in VMware to configure the guest VM initially .
Take and Restore from saved guest VM snapshots before and after attempting bad browse, for exemplar, or use a guest VM to install and operate questionable software .

First boot

Note Before setting up macOS, consider disconnecting network and configuring a firewall ( south ) first. however, recently 2016 MacBooks with Touch Bar hardware necessitate on-line OS energizing ( besides see future section ) .
On first boot, hold Command Option P R keys to acquit NVRAM .
When macOS first starts, you ‘ll be greeted by Setup Assistant .
When creating the first history, use a impregnable password without a touch .
If you enter your very name at the account setup process, be mindful that your calculator ‘s list and local anesthetic hostname will comprise that list ( for example, John Appleseed ‘s MacBook ) and therefore will appear on local networks and in respective preference files .
Both should be verified and updated as needed in System Preferences > Sharing or with the following commands after initiation :

$ sudo scutil --set ComputerName MacBook
$ sudo scutil --set LocalHostName MacBook

System activation

A few words on the privacy implications of activating “ touch Bar ” MacBook devices from your friendly anonymous security research worker :

Apple increasingly seems ( despite undefined claims to the contrary ) increasingly concern in merging or “ centripetal ” the two OSes, and there are constantly rumors of cardinal changes to macOS that make it far more like io than the macOS of honest-to-god. Apple ‘s introduction of ARM-based coprocessors running iOS/sepOS, first with the T1 processor on the TouchBar MacBook Pros ( run the TouchBar, implement NFC/ApplePay, add biometric login using september, and verify firmware integrity ) and the iMac Pro ‘s T2 ( implements/verifies embedded device firmware, implements secure boot, etc ) seems to cement this refer and basically renders using macOS devices without sending metadata to Apple unmanageable to impossible .
io devices have always required “ activation ” on first boot and when the battery has gone dead which initializes sepOS to proceed with verified bang. First boot activation not only initializes sepOS as discussed below, but sends metadata to Apple ( and carriers via Apple with cellular devices ) to activate the baseband and SIM. In energizing processes after first boot, barely as with first boot, a retentive list of highly medium metadata are sent hash ( note hash does not give you any privacy from Apple here since they link this demand metadata to payment data at purchase ) to Apple so it can return the personalize response required for plug kick to complete. What is peculiarly worrying about this action is that it is a network-linked secure boot process where centralized external servers have the power to dictate what the device should boot. equally there are meaning privacy concerns with devices constantly sending metadata ( both during activation and other Apple-linked/-hosted activities ) and linking IP addresses very strongly with very identities based on purchase payment information and if a cellular device, metadata collected about SIM, etc unless such connections are blocked at the network flush ( which is merely possible on self-managed infrastructure, i.e. not cellular ) and doing this basically renders using the device impossible since simply installing an application requires sending device metadata to Apple .
That the energizing confirmation mechanism is designed specifically to rely on unique device identifiers that are associated with payment data at purchase and actively associated on a continuing basis by Apple for every Apple-hosted avail that the device interacts with ( Apple ID-based services, softwareupdate, iMessage, FaceTime, etc. ) the ability ( and invitation ) for Apple to mutely send target malicious updates to devices matching specific unique ID criterion is a valid concern, and something that should not be dismissed as improbable, specially given Apple ‘s full complaisance with recently implemented Chinese ( and early authoritarian and “ non-authoritarian ” countries ‘ ) national security laws .
io has from the begin been designed with very little end-user master with no manner for end-users to configure devices according to their wishes while maintaining security and relies heavily on raw, closed generator code. While macOS has for most of its history been designed on the surface in a similar fashion, office and enterprise users can ( for the consequence ) calm configure their devices relatively securely while maintaining basically zero network interaction with Apple and with the facility of third base party software/kernel extensions, completely control the network stack and intercept filesystem events on a per-process footing. macOS, despite having a good bargain of closed source code, was designed at a very different period in Apple ‘s history and was designed more in argumentation with open informant standards, and designed to be configurable and controllable by enterprise/power users .
The initiation of these coprocessors to Mac devices, while increasing security system in many ways, brings with it all the issues with io discussed above, and means that running macintosh devices securely with dispatch user control, and without forced network interaction with the Apple mothership in highly sensitive corporate and other environments baffling and hazardous. Given this writer is unaware of the accurate hardware configuration of the coprocessors, the pursuit may be inaccurate. however, given the low-level nature of these coprocessors, it would not surprise the writer if these coprocessors, if not already, will finally have separate network entree of their own, freelancer of the Intel CPU ( indications suggest not presently the case for T1 ; indecipherable on T2 ), which leads to concerns similar to those that many have raised around Intel ME/AMT ( and of course macintosh devices besides have ME in the Intel CPU … ). One could argue that these coprocessors increase security, and in many ways that is the event, but not the drug user ‘s security against a malicious Apple .
The lack of configurability is the key emergence. Apple could have introduced secure boot and firmware protection without making it ask net entree, without making verification linked to device-unique IDs and without introducing an enormous measure of potentially exploitable code to protect against a much smaller, but highly exploitable codebase, while running on a coprocessor with a highly privileged stead on the dining table which gives huge power to an adversary with manufacturer complaisance for target attacks .
This is an ongoing concern and in the worst case scenario could potentially represent the conclusion of macintosh as independent, end-user controllable and relatively impregnable systems appropriate for medium environments with rigid network and security policies .

From io, The future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment .

Admin and standard user accounts

The first drug user account is always an admin report. Admin accounts are members of the admin group and have access to sudo, which allows them to usurp other accounts, in particular etymon, and gives them effective control over the system. Any program that the admin executes can potentially obtain the lapp access, making this a security hazard .
Utilities like sudo have weaknesses that can be exploited by concurrently running programs and many panes in System Preferences are unlocked by nonpayment ( pdf ) ( p. 61–62 ) for admin accounts .
It is considered a best practice by Apple and others ( pdf ) ( p. 41–42 ) to use a distinguish standard account for daily knead and use the admin account for installations and system shape .
It is not strictly required to ever log into the admin history via the macOS login screen door. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some recommendations for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible ‘ghost ‘ history. The admin report can besides be removed from FileVault for extra harden .

Caveats

  • Only administrators can install applications in /Applications (local directory). Finder and Installer will prompt a standard user with an authentication dialog. Many applications can be installed in ~/Applications instead (the directory can be created manually). As a rule of thumb: applications that do not require admin access – or do not complain about not being installed in /Applications – should be installed in the user directory, the rest in the local directory. Mac App Store applications are still installed in /Applications and require no additional authentication.
  • sudo is not available in shells of the standard user, which requires using su or login to enter a shell of the admin account. This can make some maneuvers trickier and requires some basic experience with command-line interfaces.
  • System Preferences and several system utilities (e.g. Wi-Fi Diagnostics) will require root privileges for full functionality. Many panels in System Preferences are locked and need to be unlocked separately by clicking on the lock icon. Some applications will simply prompt for authentication upon opening, others must be opened by an admin account directly to get access to all functions (e.g. Console).
  • There are third-party applications that will not work correctly because they assume that the user account is an admin. These programs may have to be executed by logging into the admin account, or by using the open utility.
  • See additional discussion in issue #167.

Setup

Accounts can be created and managed in System Preferences. On settled systems, it is by and large easier to create a second admin account and then demote the first account. This avoids datum migration. newly installed systems can besides just add a standard account .
Demoting an account can be done either from the the new admin report in System Preferences – the early report must be logged out – or by executing these commands ( it may not be necessary to execute both, see issue # 179 ) :

$  sudo dscl 

.

-delete /Groups/admin GroupMembership

<

username

>

$ sudo dscl

.

-delete /Groups/admin GroupMembers

<

GeneratedUID

>

To find the “ GeneratedUID ” of an account :

$  dscl 

.

-read /Users/

<

username

>

GeneratedUID

See besides this post for more information about how macOS determines group membership .

Full disk encryption

FileVault provides wax magnetic disk ( technically, full volume ) encoding on macOS .
FileVault encoding protects data at rest and hardens ( but not always prevents ) person with physical access from stealing data or tampering with your Mac .
With much of the cryptanalytic operations happening efficiently in hardware, the operation penalty for FileVault is not noticeable .
Like all cryptosystems, the security of FileVault greatly depends on the quality of the imposter random number generator ( PRNG ) .

The random device implements the Yarrow imposter random number generator algorithm and maintains its information consortium. extra randomness is fed to the generator regularly by the SecurityServer devil from random jitter measurements of the kernel .

See man 4 random for more information .
Turning on FileVault in System Preferences after installing macOS, preferably than creating an code partition for the initiation first, is more procure, because more PRNG information is available then .
additionally, the PRNG can be manually seeded with information by writing to /dev/random before enabling FileVault. This can be done by plainly using the Mac for a fiddling while before activating FileVault .
It may besides be potential to increase randomness with an external reservoir, like OneRNG. See Entropy and Random Number Generators and Fun with encoding and randomness for more information .
enable FileVault with sudo fdesetup enable or through System Preferences > Security & Privacy and boot .
If you can remember the password, there ‘s no cause to save the recovery key. however, all encrypted data will be lost everlastingly if without either the password or recovery key .
To learn about how FileVault works, see the newspaper Infiltrate the Vault : security psychoanalysis and Decryption of Lion Full Disk Encryption ( pdf ) and related presentation ( pdf ). besides see IEEE Std 1619-2007 : The XTS-AES Tweakable Block Cipher ( pdf ) .
Optional Enforce system hibernation and evict FileVault keys from memory rather of traditional sleep to memory :

$  sudo pmset -a destroyfvkeyonstandby 1
$  sudo pmset -a hibernatemode 25

All computers have firmware of some type – EFI, BIOS – to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS case. In the case of Apple hardware and the manipulation of EFI, Apple stores relevant information within EFI to aid in the functionality of macOS. For exemplar, the FileVault key is stored in EFI to transparently come out of standby mode .

Organizations particularly sensitive to a high-attack environment, or potentially exposed to full device access when the device is in understudy mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so does n’t destroy the function of FileVault, but simply requires the drug user to enter the password in order for the system to come out of understudy mood .

If you choose to evict FileVault keys in standby mode, you should besides modify your understudy and office pile settings. differently, your machine may wake while in standby mode and then baron off due to the absence of the FileVault cardinal. See topic # 124 for more information. These settings can be changed with :

$  sudo pmset -a powernap 0
$  sudo pmset -a standby 0
$  sudo pmset -a standbydelay 0
$  sudo pmset -a autopoweroff 0

For more data, see Best Practices for Deploying FileVault 2 ( pdf ) and newspaper Lest We Remember : coldness Boot Attacks on Encryption Keys ( pdf )
Note APFS may make evicting FileVault keys redundant – see discussion and links in return # 283 .

Firmware

Setting a firmware password prevents a Mac from starting up from any device other than the startup phonograph record. It may besides be set to be required on each boot. This may be utilitarian for mitigating some attacks which require physical entree to hardware. See How to set a firmware password on your Mac for official software documentation .
This feature can be helpful if your laptop is lost or stolen, protects against Direct Memory Access ( DMA ) attacks which can read your FileVault passwords and inject kernel modules such as pcileech, as the only way to reset the firmware password is through an Apple Store, or by using an SPI programmer, such as Bus Pirate or other flash IC programmer .

  1. Start up pressing Command and R keys to boot to Recovery Mode mode.
  2. When the Recovery window appears, choose Firmware Password Utility from the Utilities menu.
  3. In the Firmware Utility window that appears, select Turn On Firmware Password.
  4. Enter a new password, then enter the same password in the Verify field.
  5. Select Set Password.
  6. Select Quit Firmware Utility to close the Firmware Password Utility.
  7. Select Restart or Shutdown from the Apple menu in the top-left corner.

The firmware password will activate at adjacent boot. To validate the password, hold Alt during boot – you should be prompted to enter the password .
The firmware password can besides be managed with the firmwarepasswd utility while booted into the OS. For exemplar, to prompt for the firmware password when attempting to boot from a different book :

$  sudo firmwarepasswd -setpasswd -setmode 

command

To verify the firmware password :

$  sudo firmwarepasswd -verify
 Verifying Firmware Password
 enter password :
 right

A firmware password may be bypassed by a decide attacker or Apple, with forcible access to the calculator .
Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash chip to remove a firmware password, sans Apple
Using a Dediprog SF600 to dump and flash a 2013 MacBook SPI Flash nick to remove a firmware password, sans Apple
As of macOS 10.15 Catalina, the firmwarepasswd plan has a new choice -disable-reset-capability. According to Apple ‘s new Platform Security page, this efficaciously prevents any firmware password resets, even by Apple themselves :

For users who want no one but themselves to remove their Firmware Password by software means, the -disable-reset-capability choice has been added to the firmwarepasswd command-line tool in macOS 10.15. Before setting this option, users must to acknowledge that if the password is forgotten and needs removal, the user must bear the monetary value of the motherboard successor necessary to achieve this .

Newer Mac models ( Mac Pro, iMac Pro, Macbook with TouchBar ) with Apple T2 chips, which provide a procure enclave for code keys, lessen the hazard of EFI firmware attacks. See this web log post for more information .
See LongSoft/UEFITool, chipsec/chipsec and discussion in emergence # 213 for more information .

Firewall

There are respective types of firewalls available for macOS .

Application layer firewall

Built-in, basic firewall which blocks incoming connections only. This firewall does not have the ability to monitor, nor block outgoing connections .
It can be controlled by the Firewall yellow journalism of Security & Privacy in System Preferences, or with the follow commands .
Enable the firewall with log and stealth manner :

$  sudo /usr/libexec/ApplicationFirewall/socketfilterfw -- setglobalstate on
 firewall is enabled. ( State = 1 )

$  sudo /usr/libexec/ApplicationFirewall/socketfilterfw -- setloggingmode on
 Turning on log mood

$  sudo /usr/libexec/ApplicationFirewall/socketfilterfw -- setstealthmode on
 Stealth mode enabled

Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your calculator from responding to some of these scans by using stealth mode. When stealth mode is enabled, your computer does not respond to ICMP pink requests, and does not answer to connection attempts from a close transmission control protocol or UDP port. This makes it more unmanageable for attackers to find your calculator .

To prevent built-in software a well as code-signed, downloaded software from being whitelisted mechanically :

$  sudo /usr/libexec/ApplicationFirewall/socketfilterfw -- setallowsigned off
 disabled permit signed built-in applications automatically

$  sudo /usr/libexec/ApplicationFirewall/socketfilterfw -- setallowsignedapp off
 disable permit signed download applications mechanically

Applications that are signed by a valid certificate authority are mechanically added to the list of allowed apps, rather than prompting the exploiter to authorize them. Apps included in macOS are signed by Apple and are allowed to receive entrance connections when this mise en scene is enabled. For exercise, since iTunes is already signed by Apple, it is mechanically allowed to receive entrance connections through the firewall .

If you run an unsigned app that is not listed in the firewall list, a dialogue appears with options to Allow or Deny connections for the app. If you choose “ Allow ”, macOS signs the application and mechanically adds it to the firewall list. If you choose “ Deny ”, macOS adds it to the number but denies incoming connections intended for this app .

After interacting with socketfilterfw, restart the process by sending a line hangup sign :

$  sudo pkill -HUP socketfilterfw

Third party firewalls

Programs such as Little Snitch, Hands Off, Radio Silence, LuLu and Security Growler provide a dear libra of serviceability and security .
These programs are capable of monitor and blocking incoming and outgoing network connections. however, they may require the use of a close reference kernel extension .
If the total of choices of allowing/blocking network connections is overpower, manipulation Silent Mode with connections allowed, then sporadically check the configuration to gain understand of applications and what they are doing .
It is deserving noting that these firewalls can be bypassed by programs running as root or through OS vulnerabilities ( pdf ), but they are still worth having – barely do n’t expect absolute protection. however, some malware actually deletes itself and does n’t execute if Little Snitch, or other security software, is installed .
For more on how little Snitch works, see the Network Kernel Extensions Programming Guide and Shut up hook ! – inverse mastermind and exploiting a critical Little Snitch vulnerability .

Kernel level packet filtering

A highly customizable, mighty, but besides most complicated firewall exists in the kernel. It can be controlled with pfctl and versatile shape files .
pf can besides be controlled with a GUI application such as IceFloor or Murus .
There are many books and articles on the subject of pf firewall. here ‘s is just one example of blocking traffic by IP savoir-faire .
Add the following into a file called pf.rules :

wifi = "en0"
ether = "en7"
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0
scrub in all no-df
table  persist
block in log
block in log quick from no-route to any
block log on $wifi from {  } to any
block log on $wifi from any to {  }
antispoof quick for { $wifi $ether }
pass out proto tcp from { $wifi $ether } to any keep state
pass out proto udp from { $wifi $ether } to any keep state
pass out proto icmp from $wifi to any keep state

then use the follow commands to manipulate the firewall :

  • sudo pfctl -e -f pf.rules to enable the firewall and load the configuration
  • sudo pfctl -d to disable the firewall
  • sudo pfctl -t blocklist -T add 1.2.3.4 to add an IP address to the blocklist
  • sudo pfctl -t blocklist -T show to view the blocklist
  • sudo ifconfig pflog0 create to create an interface for logging
  • sudo tcpdump -ni pflog0 to view filtered packets

Unless you ‘re already familiar with packet percolate, spending excessively much clock configuring pf is not recommended. It is besides credibly unnecessary if your Mac is behind a NAT on a fasten home network .
It is possible to use the pf firewall to block network access to entire ranges of network addresses, for case to a solid arrangement :
Query Merit RADb for the list of networks in practice by an autonomous system, like Facebook :

$  whois -h whois.radb.net 

'

!gAS32934

'

copy and paste the number of networks returned into the blocklist command :

$  sudo pfctl -t blocklist -T add 31.13.24.0/21 31.13.64.0/24 157.240.0.0/16

Confirm the addresses were added :

$  sudo pfctl -t blocklist -T show
 No ALTQ documentation in kernel
 ALTQ associate functions disabled
 31.13.24.0/21
 31.13.64.0/24
 157.240.0.0/16

Confirm network traffic is blocked to those addresses ( note that DNS requests will calm work ) :

$  dig a +short facebook.com
 157.240.2.35

$  lock -- connect-timeout 5 -I hypertext transfer protocol : //facebook.com/
 * Trying 157.240.2.35 ...
 * TCP_NODELAY jell
 * Connection timed out after 5002 milliseconds
 * Closing connection 0
 curl : ( 28 ) association timed out after 5002 milliseconds

$  sudo tcpdump -tqni pflog0 

'

host 157.240.2.35

'

IP 192.168.1.1.62771 > 157.240.2.35.80 : transmission control protocol 0 IP 192.168.1.1.62771 > 157.240.2.35.80 : transmission control protocol 0 IP 192.168.1.1.62771 > 157.240.2.35.80 : transmission control protocol 0 IP 192.168.1.1.62771 > 157.240.2.35.80 : transmission control protocol 0 IP 192.168.1.1.162771 > 157.240.2.35.80 : transmission control protocol 0

Outgoing TCP SYN packets are blocked, so a TCP connection is not established and thus a Web site is efficaciously blocked at the IP level .
To use pf to audit “ earphone home ” behavior of user and system-level processes, see fix-macosx/net-monitor. See drduh/config/scripts/pf-blocklist.sh for more inspiration .

Services

Note System Integrity Protection does not allow disabling system services on recent macOS versions. Either temporarily disable SIP or disable services from Recovery Mode. See Issue 334 for more data .
See fix-macosx/yosemite-phone-home, l1k/osxparanoia and karek314/macOS-home-call-drop for foster recommendations .
Services on macOS are managed by launchd. See launchd.info, equally well as Apple ‘s Daemons and Services Programming Guide and Technical Note TN2083
You can besides run KnockKnock that shows more information about startup items .

  • Use launchctl list to view running user agents
  • Use sudo launchctl list to view running system daemons
  • Specify the service name to examine it, e.g. launchctl list com.apple.Maps.mapspushd
  • Use defaults read to examine job plists in /System/Library/LaunchDaemons and /System/Library/LaunchAgents
  • Use man and strings to find out more about what an agent/daemon does

For model, to learn what a arrangement plunge daemon or agentive role does, start with :

$  defaults 

read

/System/Library/LaunchDaemons/com.apple.apsd.plist

search at the Program or ProgramArguments section to see which binary is run, in this encase apsd. To find more information about that, look at the valet page with man apsd
For model, if you ‘re not concerned in Apple Push Notifications, disable the service :

$  sudo launchctl drop -w /System/Library/LaunchDaemons/com.apple.apsd.plist

Note Unloading services may break serviceability of some applications. Read the manual pages and use Google to make sure you understand what you ‘re doing beginning .
Be careful about disabling any system daemons you do n’t understand, as it may render your system unbootable. If you break your Mac, use one user modality to fix it .
Use Console and Activity Monitor applications if you notice your Mac heat up, feeling sluggish, or broadly misbehave, as it may have resulted from your putter .
To view the status of services :

$  find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults 

read

{ }

\;

2>

/dev/null

annotate lists of launch daemons and agents, the respective program executed, and the programs ‘ hashish sums are included in this repository .
(Optional) Run the read_launch_plists.py script and diff output signal to check for any discrepancies on your system, e.g. :

$  diff 

<(

python read_launch_plists.py

|

sort

)

<(

cat 16A323_launchd.csv

|

sort

)

See besides cirrusj.github.io/Yosemite-Stop-Launch for descriptions of services and Provisioning OS X and Disabling Unnecessary Services for another explanation .
Persistent login items may besides exist in these directories :

  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Library/ScriptingAdditions
  • /Library/StartupItems
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /System/Library/ScriptingAdditions
  • /System/Library/StartupItems
  • ~/Library/LaunchAgents
  • ~/Library/Preferences/com.apple.loginitems.plist

See Mac OSX Startup ( pdf ) for more information .

Spotlight Suggestions

disable Spotlight Suggestions in both the Spotlight preferences and Safari ‘s Search preferences to avoid your search queries being sent to Apple .
besides disable Bing Web Searches in the Spotlight preferences to avoid your search queries being sent to Microsoft .
See fix-macosx.com for detailed instructions .

If you ‘ve upgraded to OS X 10.10 “ Yosemite ” and you ‘re using the default settings, each time you start typing in Spotlight ( to open an application or search for a file on your calculator ), your local search terms and location are sent to Apple and third parties ( including Microsoft ) .

Note This Web site and instructions may no longer work on macOS Sierra – see exit 164 .
For comparison to Windows 10, see hypertext transfer protocol : //fix10.isleaked.com/

Homebrew

Consider using Homebrew to make software installations easier and to update userland tools ( see Apple ‘s bang-up GPL purge ) .
Note If you have not already install Xcode or Command Line Tools, function xcode-select --install to download and install them, or check Apple ‘s developer locate .
install Homebrew :

$  mkdir homebrew 

&&

curl -L hypertext transfer protocol : //themedipia.com/Homebrew/brew/tarball/master

|

tar xz -- strip 1 -C home brew

Edit PATH in your shell or shell rc file to use ~/homebrew/bin and ~/homebrew/sbin. For exemplar, echo 'PATH=$PATH:~/homebrew/sbin:~/homebrew/bin' >> .zshrc, then change your login blast to Z carapace with chsh -s /bin/zsh, open a new Terminal window and run brew update .
Homebrew uses SSL/TLS to talk with GitHub and verifies integrity of download packages, so it ‘s fairly secure .
Remember to sporadically run brew update and brew upgrade on trust and secure networks to download and install software updates. To get information on a software before initiation, run brew info and check its recipe on-line .
According to Homebrew ‘s anonymous Aggregate User Behaviour Analytics, Homebrew gathers anonymous aggregate drug user demeanor analytics and reporting these to Google Analytics .
To opt out of Homebrew ‘s analytics, you can set export HOMEBREW_NO_ANALYTICS=1 in your environment or shell rc file, or use brew analytics off .
You may besides wish to enable extra security options, such as HOMEBREW_NO_INSECURE_REDIRECT=1 and HOMEBREW_CASK_OPTS=--require-sha .

DNS

Hosts file

Use the hosts file to block known malware, advertise or differently unwanted domains .
Edit the hosts file as root, for example with sudo vi /etc/hosts. The hosts file can besides be managed with the GUI app 2ndalpha/gasmask .
To block a domain by A record, append any one of the keep up lines to /etc/hosts :

0 example.com
0.0.0.0 example.com
127.0.0.1 example.com

Note IPv6 uses the AAAA DNS record type, rather than A record type, so you may besides want to block those connections by besides including ::1 example.com entries, like shown here .
There are many lists of domains available on-line which you can paste in, just make surely each agate line starts with 0, 0.0.0.0, 127.0.0.1, and the trace 127.0.0.1 localhost is included .
here are some democratic and utilitarian hosts lists :
Append a number of hosts with the tee command and confirm only non-routable addresses or comments were added :

$  curl hypertext transfer protocol : //raw.githubusercontent.com/StevenBlack/hosts/master/hosts 

|

sudo tee -a /etc/hosts $ wc -l /etc/hosts 65580 $ egrep -ve

"

^#|^255.255.255.255|^127.|^0.|^::1|^ff..::|^fe80::

"

/etc/hosts

|

classify

|

uniq

|

egrep -e

"

[1,2]|::

"

[ No output signal ]

See man hosts and FreeBSD Configuration Files for more data .
See the dnsmasq segment of this guide for more hosts blocking options .

dnscrypt

To encrypt outgoing DNS traffic, consider using jedisct1/dnscrypt-proxy. In combination with dnsmasq and DNSSEC, the integrity and authenticity of DNS traffic is greatly improved .
JayBrown/DNSCrypt-Menu and jedisct1/bitbar-dnscrypt-proxy-switcher leave a graphic exploiter interface to dnscrypt .
Install dnscrypt from Homebrew and follow the instructions to configure and start dnscrypt-proxy :

$  brew install dnscrypt-proxy

If using in combination with Dnsmasq, find the file homebrew.mxcl.dnscrypt-proxy.plist by running

$  brew info dnscrypt-proxy

which will show a localization like /usr/local/etc/dnscrypt-proxy.toml
Open it in a text editor program, find the line starting with listen_addresses = and edit that argumentation to use DNScrypt on a port early than 53, like 5355 :

listen_addresses = ['127.0.0.1:5355', '[::1]:5355']

Start DNSCrypt :

$  sudo brew services restart dnscrypt-proxy

Make sure DNSCrypt is running :

$  sudo lsof +c 15 -Pni UDP:5355
 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
 dnscrypt-proxy 15244 cipher 7u IPv4 0x1337f85ff9f8beef 0t0 UDP 127.0.0.1:5355
 dnscrypt-proxy 15244 cipher 10u IPv6 0x1337f85ff9f8beef 0t0 UDP [ : :1 ] :5355
 dnscrypt-proxy 15244 cipher 12u IPv4 0x1337f85ff9f8beef 0t0 UDP 127.0.0.1:5355
 dnscrypt-proxy 15244 cipher 14u IPv6 0x1337f85ff9f8beef 0t0 UDP [ : :1 ] :5355

By default, dnscrypt-proxy runs on localhost ( 127.0.0.1 ), larboard 53, and under the “ cipher ” user using the resolvers specified in hypertext transfer protocol : //raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md. If you would like to change these settings, you will have to edit the shape file ( e.g. listen_addresses, user_name, url, etc. )

This can be accomplished by editing /usr/local/etc/dnscrypt-proxy.toml as described above .
You can run your own dnscrypt waiter ( see besides drduh/Debian-Privacy-Server-Guide # dnscrypt ) from a believe placement or use one of many public servers alternatively .
Confirm outgoing DNS traffic is encrypted :

$  sudo tcpdump -qtni en0
 IP 10.8.8.8.59636 > 107.181.168.52 : UDP, length 512
 IP 107.181.168.52 > 10.8.8.8.59636 : UDP, length 368

$  labor +short -x 128.180.155.106.49321
 d0wn-us-ns4

dnscrypt-proxy besides has the capability to blacklist domains, including the use of wild-cards. See the Sample configuration file for dnscrypt-proxy for the options .
Note Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to disable all other, non-dnscrypt DNS traffic with the following pf rules :

block drop quick on  !lo0 proto udp from any to any port = 53
block drop quick on  !lo0 proto tcp from any to any port = 53

See besides What is a DNS leak, the mDNSResponder manual page and ipv6-test.com .

Dnsmasq

Among other features, dnsmasq is able to cache replies, prevent upstream queries for unqualified names, and block entire top-level world names .
Use in combination with DNSCrypt to additionally encrypt outgoing DNS traffic .
If you do n’t wish to use DNSCrypt, you should at least use DNS not provided by your ISP. Two popular alternatives are Google DNS and OpenDNS .
(Optional) DNSSEC is a set of extensions to DNS which provide to DNS clients ( resolvers ) origin authentication of DNS data, authenticated abnegation of universe, and data integrity. All answers from DNSSEC protected zones are digitally signed. The gestural records are authenticated via a range of trust, starting with a arrange of verify public keys for the DNS root-zone. The current root-zone confidence anchors may be downloaded from IANA web site. There are a numeral of resources on DNSSEC, but credibly the best one is dnssec.net web site .
Install Dnsmasq ( DNSSEC is optional ) :

$  brew install dnsmasq -- with-dnssec

Download drduh/config/dnsmasq.conf :

$ curl -o homebrew/etc/dnsmasq.conf https://raw.githubusercontent.com/drduh/config/master/dnsmasq.conf

Edit the file and examine all the options. To block entire levels of domains, append drduh/config/domains or your own rules .
Install and start the platform ( sudo is required to bind to privileged port 53 ) :

$  sudo brew services start dnsmasq

To set Dnsmasq as your local anesthetic DNS waiter, open System Preferences > Network and select the active interface, then the DNS check, blue-ribbon + and add 127.0.0.1, or use :

$  sudo networksetup -setdnsservers 

"

Wi-Fi

"

127.0.0.1

Make certain Dnsmasq is correctly configured :

$  scutil -- dns 

|

drumhead DNS shape resolver # 1 search knowledge domain [ 0 ] : whatever nameserver [ 0 ] : 127.0.0.1 flags : Request A records, Request AAAA records reach : 0x00030002 ( Reachable, Local Address, Directly Reachable Address ) $ networksetup -getdnsservers

"

Wi-Fi

"

127.0.0.1

Note Some VPN software overrides DNS settings on connect. See issue # 24 and drduh/config/scripts/macos-dns.sh .

Test DNSSEC validation

Test DNSSEC validation succeeds for signed zones – the answer should have NOERROR status and incorporate ad ease up :

$  dig +dnssec icann.org
 ; ; - > > HEADER < < - opcode : QUERY, status : NOERROR, id : 47039
 ; ; flags : qr rd radium ad ; QUERY : 1, ANSWER : 2, AUTHORITY : 0, ADDITIONAL : 1

Test DNSSEC establishment fails for zones that are signed improperly - the answer should have SERVFAIL status :

$  jab www.dnssec-failed.org
 ; ; - > > HEADER < < - opcode : QUERY, status : SERVFAIL, id : 15190
 ; ; flags : qr rd right ascension ; QUERY : 1, ANSWER : 0, AUTHORITY : 0, ADDITIONAL : 1

Captive portal

When macOS connects to new networks, it checks for Internet connectivity and may launch a Captive Portal assistant utility application .
An attacker could trigger the utility and direct a Mac to a locate with malware without user interaction, so it 's best to disable this sport and log in to prisoner portals using your even Web browser by navigating to a non-secure HTTP page and accepting a redirect to the captive portal site login interface ( after disabling any custom-made proxy or DNS settings ) .

$  sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool 

false

besides see Apple 's secret `` wispr '' request, How to disable the captive portal vein window in Mac OS Lion and An undocumented change to Captive Network Assistant settings in OS X 10.10 Yosemite .

Certificate authorities

macOS comes with over 200 settle authority certificates installed from for-profit corporations like Apple, Verisign, Thawte, Digicert and politics agencies from China, Japan, Netherlands, U.S., and more ! These Certificate Authorities ( CAs ) are able of issuing SSL/TLS certificates for any domain, code sign certificates, etc .
For more information, see Certification Authority Trust Tracker, Analysis of the HTTPS security ecosystem ( pdf ), and You Won ’ thymine Be Needing These Any More : On Removing Unused Certificates From Trust Stores ( pdf ) .
Inspect system root certificates in Keychain Access, under the System Roots check or by using the security command line cock and /System/Library/Keychains/SystemRootCertificates.keychain file .
disable security authorities through Keychain Access by marking them as Never Trust and closing the window :
A certificate authority certificate
The hazard of a serviceman in the center attack in which a coerce or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite depleted, but still possible .

OpenSSL

Note This segment may be out of date .
The adaptation of OpenSSL in Sierra is 0.9.8zh which is not current. It does n't support TLS 1.1 or newer, egg-shaped crook ciphers, and more .
Since Apple 's official supported TLS library on macOS is Secure Transport, OpenSSL deprecated is considered deprecate ( according to the Cryptographic Services Guide. Apple 's translation of OpenSSL may besides have patches which may surprise you .
If you 're going to use OpenSSL on your Mac, download and install a recent interpretation of OpenSSL with brew install openssl. Note, linking brew to be used in favor of /usr/bin/openssl may interfere with built-in software. See topic # 39 .
Compare the TLS protocol and nothing between the home brew adaptation and the system adaptation of OpenSSL :

$  

~

/homebrew/bin/openssl version

;

echo

|

~

/homebrew/bin/openssl s_client -connect github.com:443

2>&1

|

grep -A2 SSL-Session OpenSSL 1.0.2j 26 september 2016 SSL-Session : protocol : TLSv1.2 zero : ECDHE-RSA-AES128-GCM-SHA256 $ /usr/bin/openssl version

;

echo

|

/usr/bin/openssl s_client -connect github.com:443

2>&1

|

grep -A2 SSL-Session OpenSSL 0.9.8zh 14 january 2016 SSL-Session : protocol : TLSv1 code : AES128-SHA

See besides Comparison of TLS implementations, How 's My SSL and Qualys SSL Labs Tools .

Curl

The version of Curl which comes with macOS uses Secure Transport for SSL/TLS validation .
If you prefer to use OpenSSL, install with brew install curl --with-openssl and ensure it 's the nonpayment with brew link --force curl
Download drduh/config/curlrc or see the man page :

$  curl -o 

~

/.curlrc hypertext transfer protocol : //raw.githubusercontent.com/drduh/config/master/curlrc

Web

Privoxy

Consider using Privoxy as a local proxy to filter Web browsing dealings .
Note macOS proxy settings are not universal ; apps and services may not honor system proxy settings. Ensure the application you wish to proxy is correctly configured and manually verify connections do n't leak. additionally, it may be potential to configure the pf firewall to transparently proxy all traffic .
A gestural installation package for privoxy can be downloaded from silvester.org.uk or Sourceforge. The sign software is more secure than the Homebrew version, and attracts full back from the Privoxy visualize .
alternatively, install and start privoxy using Homebrew :

$  brew install privoxy

$  brew services start privoxy

By default, privoxy listens on localhost, TCP port 8118 .
Set the arrangement HTTP proxy for your active network interface 127.0.0.1 and 8118 ( This can be done through System Preferences > Network > Advanced > Proxies ) :

$  sudo networksetup -setwebproxy 

"

Wi-Fi

"

127.0.0.1 8118

(Optional) Set the arrangement HTTPS proxy, which distillery allows for knowledge domain identify trickle, with :

$  sudo networksetup -setsecurewebproxy 

"

Wi-Fi

"

127.0.0.1 8118

Confirm the proxy is set :

$  scutil -- proxy
  {
 ExceptionsList :  {
 0 : *.local
 1 : 169.254/16
 }
 FTPPassive : 1
 HTTPEnable : 1
 HTTPPort : 8118
 HTTPProxy : 127.0.0.1
 }

Visit hypertext transfer protocol : //p.p/ in a browser, or with Curl :

$  ALL_PROXY=127.0.0.1:8118 lock -I hypertext transfer protocol : //p.p/
 HTTP/1.1 200 OK
 Content-Length : 2401
 Content-Type : text/html
 Cache-Control : no-cache

Privoxy already comes with many good rules, however you can besides write your own .
Download drduh/config/privoxy/config and drduh/config/privoxy/user.action to get started :

$  curl up -o homebrew/etc/privoxy/config hypertext transfer protocol : //raw.githubusercontent.com/drduh/config/master/privoxy/config

$  curl -o homebrew/etc/privoxy/user.action hypertext transfer protocol : //raw.githubusercontent.com/drduh/config/master/privoxy/user.action

Restart Privoxy and verify traffic is blocked or redirected :

$  sudo brew services restart privoxy

$  ALL_PROXY=127.0.0.1:8118 lock ads.foo.com/ -IL
 HTTP/1.1 403 Request blocked by Privoxy
 Content-Type : image/gif
 Content-Length : 64
 Cache-Control : no-cache

$  ALL_PROXY=127.0.0.1:8118 curl imgur.com/ -IL
 HTTP/1.1 302 Local Redirect from Privoxy
 location : hypertext transfer protocol : //imgur.com/
 Content-Length : 0

 HTTP/1.1 200 OK
 Content-Type : text/html ; charset=utf-8

You can replace ad images with pictures of kittens, for example, by starting a local anesthetic Web server and redirect blocked requests to localhost .

Browser

The Web browser poses the largest security and privacy risk, as its fundamental caper is to download and execute untrusted code from the Internet. This is an authoritative statement. The singular practice case of Web Browsers of operation in hostile environments, has forced them to adopt certain impressive security features. The cornerstone of Web Browser security is the Same Origin Policy ( SOP ). In a few words, SOP prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page 's Document Object Model ( DOM ). If SOP is compromised, the security of the whole Web Browser is compromised .
The best topple to ensure secure browsing careless your option of Web Browser is proper security hygiene. The majority of Web Browser exploits require social technology attacks to achieve native code performance. Always be mindful of the links you click and be extra careful when websites ask you to download and install software. 99 % percentage of the fourth dimension that software is malware .
Another crucial circumstance about Web Browser security is Web Extensions. Web Extensions greatly increase the attack surface of the Web Browser. This is an return that plagues Firefox and Chrome alike. fortunately, Web Extensions can only access specific browser APIs that are being governed by their manifest. That means we can quickly audit their demeanor and remove them if they request access to information they should n't ( why would an Ad blocker necessitate television camera access ? ). In the interest of security, it is best to limit your use of Web Extensions .
Mozilla Firefox, Google Chrome, Safari, and Tor Browser are covered in this guide. Each Web Browser offers sealed benefits and drawbacks regarding their security system and privacy. It is best to make an informed choice and not necessarily commit to entirely one .

Firefox

Mozilla Firefox is an excellent browser angstrom well as being wholly open informant. Currently, Firefox is in a rebirth period. It replaces major parts of its infrastructure and code base under projects Quantum and Photon. separate of the Quantum project is to replace C++ code with Rust. Rust is a systems programming lyric with a stress on security and train of thought safety. It is expected that Rust adoption will greatly improve the overall security system model of Firefox .
Firefox offers a like security model to Chrome : it has a bug bounty program, although it is not a lucrative as Chrome 's. Firefox follows a six-week release bicycle similar to Chrome. See discussion in issues # 2 and # 90 for more information about certain differences in Firefox and Chrome .
Firefox supports user-supplied configuration files. See drduh/config/user.js, pyllyukko/user.js and ghacksuserjs/ghacks-user.js for recommend preferences and hardening measures. besides see NoScript, an annex which allows whitelist-based, preemptive script block .
Firefox is focused on exploiter privacy. It supports tracking protection in Private Browsing mode. The tracking protection can be enabled for the default option report, although it may break the shop experience on some websites. Another feature of speech for add privacy singular to Firefox is Containers, similar to Chrome profiles .
previous versions of Firefox used a Web Extension SDK that was quite encroaching and offered huge freedom to developers. deplorably, that exemption besides introduced a number of vulnerabilities in Firefox that greatly affected its users. You can find more information about vulnerabilities introduced by Firefox 's bequest extensions in this newspaper ( pdf ). presently, Firefox alone supports Web Extensions through the Web Extension Api, which is identical exchangeable to Chrome 's .
submission of Web Extensions in Firefox is free. vane Extensions in Firefox most of the prison term are clear source, although certain Web Extensions are proprietary .
Note Similar to Chrome and Safari, Firefox allows report synchronize across multiple devices. While store login passwords are encrypted, Firefox does not require a password to reveal their apparent text format. Firefox lone displays as yes/no prompt. This is an crucial security consequence. Keep that in heed if you sign in to your Firefox account from devices that do not belong to you and leave them neglected. The issue has been raised among the Firefox community and hopefully will be resolved in the come versions .
See drduh/config/firefox.user.js for extra Firefox shape options to improve security and privacy .

Chrome

Google Chrome is based on the overt source Chromium visualize with certain proprietary components :

  • Automatic updates with GoogleSoftwareUpdateDaemon.
  • Usage tracking and crash reporting, which can be disabled through Chrome's settings.
  • Chrome Web Store.
  • Adobe Flash Plugin - supports a Pepper API version of Adobe Flash which gets updated automatically with Chrome.
  • Media Codec support - adds support for proprietary codecs.
  • Chrome PDF viewer.
  • Non-optional tracking. Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate. The RLZ identifier stores information – in the form of encoded strings – like the source of chrome download and installation week. It doesn’t include any personal information and it’s used to measure the effectiveness of a promotional campaign. Chrome downloaded from Google’s website doesn’t have the RLZ identifier. The source code to decode the strings is made open by Google.

Chrome offers account synchronize between multiple devices. contribution of the synchronize data are stored web site credentials. The login passwords are encrypted and in order to entree them, a exploiter 's Google report password is required. You can use your Google history to sign to your Chrome customized settings from other devices while retaining your the security of your passwords .
Chrome 's Web shop for extensions requires a 5 dollar life tip in order to submit extensions. The low cost allows the exploitation of many quality Open Source Web Extensions that do not aim to monetize through custom .
Chrome has the largest contribution of global use and is the prefer target chopine for the majority of developers. major technologies are based on Chrome 's Open Source components, such as node.js which uses Chrome 's V8 Engine and the Electron model, which is based on Chromium and node.js. Chrome 's huge user floor makes it the most attractive aim for threat actors and security researchers. Despite under constants attacks, Chrome has retained an impressive security track record over the years. This is not a modest feat .
Chrome offers separate profiles, sandboxing, patronize updates ( including Flash, although you should disable it - see below ), and carries impressive credentials. In addition, Google offers a identical lucrative amplitude program for reporting vulnerabilities along with its own stick out Zero. This means that a large issue of highly talented and motivated people are constantly auditing Chrome 's code infrastructure .
Create separate Chrome profiles to reduce XSS hazard and compartmentalize cookies/identities. In each visibility, either disable Javascript in Chrome settings and manually whitelist allowed origins - or use uBlock Origin to manage Javascript and/or disable third-party scripts/frames. besides install HTTPSEverywhere to upgrade insecure connections .
Change the nonpayment search engine from Google to reduce extra trailing .
disable DNS prefetching ( see besides DNS Prefetching and Its Privacy Implications ( pdf ) ). eminence that Chrome may attempt to resolve DNS using Google 's 8.8.8.8 and 8.8.4.4 public nameservers .
read Chromium Security and Chromium Privacy for more detail, technical information .
Read Google 's privacy policy and teach which Google services collect personal data. Users can opt-out of services and see what character of information Google has stored in account settings .

Safari

Safari is the default Web browser of macOS. It is besides the most optimize browser for reducing battery use. Safari, like Chrome, has both Open Source and proprietary components. Safari is based on the capable source Web Engine WebKit, which is omnipresent among the macOS ecosystem. WebKit is used by Apple apps such as Mail, iTunes, iBooks, and the App Store. Chrome 's Blink engine is a branching of WebKit and both engines share a number of similarities .
Safari supports certain singular features that benefit exploiter security and privacy. content blockers enables the creation of capacity block rules without using Javascript. This govern based approach greatly improves memory practice, security, and privacy. Safari 11 introduced an healthy Tracking Prevention system. This feature mechanically removes tracking data stored in Safari after a period of non-interaction by the exploiter from the tracker 's web site .
like to Chrome and Firefox, Safari offers an receive only bounty program for bug report to a blue-ribbon number of security system researchers. The amplitude platform was announced during Apple 's presentation at BlackHat 2016 .
world wide web Extensions in Safari have an extra option to use native code in the Safari 's sandbox environment, in addition to Web Extension APIs. Web Extensions in Safari are besides distributed through Apple 's App store. App shop submission comes with the lend benefit of Web Extension code being audited by Apple. On the other hand App store meekness comes at a steep cost. annual developer subscription fee costs 100 USD ( in contrast to Chrome 's 5 dollar life fee and Firefox 's complimentary meekness ). The high gear cost is prohibitive for the majority of Open Source developers. As a resultant role, Safari has very few extensions to choose from. however, you should keep the high cost in thinker when installing extensions. It is expected that most Web Extensions will have some means of monetizing usage in order to cover developer costs. Be wary of Web Extensions whose source code is not assailable .
Safari syncs drug user preferences and saved passwords with iCloud Keychain. In orderliness to be viewed in plain text, a drug user must input the score password of the stream device. This means that users can sync data across devices with lend security .
Safari follows a slower liberation bicycle than Chrome and Firefox ( 3-4 minor releases, 1 major free, per year ). Newer features are slower to be adopted to the stable impart. Although security updates in Safari are handled independent of the static secrete schedule and issued mechanically through the App store. The Safari groove that follows a six-week handout hertz ( like to as Chrome and Firefox ) is called Safari Technology Preview and it is the recommend option rather of the stable distribution channel of Safari .
An excellent open reservoir ad blocker for Safari that in full leverages capacity blockers is dgraham/Ka-Block. See besides el1t/uBlock-Safari to disable hyperlink auditing beacons .

Other Web browsers

many Chromium-derived browsers are not recommended. They are normally closed generator, ailing maintained, have bugs, and make dubious claims to protect privacy. See The Private Life of Chromium Browsers .
early assorted browsers, such as Brave, are not evaluated in this guide, therefore are neither recommended nor actively discouraged from use .

Web browsers and privacy

All Web Browsers retain certain data about our crop habits. That information is used for a number of reasons. One of them is to improve the overall performance of the Web Browser. Most web Browsers offer prediction services to resolve misprint or URL redirections, storehouse analytics data of browse patterns, crash reports and total darkness number of known malicious servers. Those options can be turned on and off from each Web browser 's settings empanel .
Since Web browsers execute untrusted code from the server, it is important to understand what character of information can be accessed. The Navigator interface gives access to information about the Web Browser 's exploiter agent. Those include information such as the operate on organization, Web sites ' permissions, and the device 's battery level. For more information about security conscious browse and what type of information is being `` leaked '' by your browser, see HowTo : Privacy & Security Conscious Browsing, browserleaks.com and EFF Panopticlick .
To hinder third party trackers, it is recommended to disable third-party cookies in Web browser settings. A one-third party cookie is a cookie associated with a file requested by a different knowledge domain than the one the user is presently viewing. Most of the time third-party cookies are used to create browse profiles by tracking a drug user 's motion on the web. Disabling third-party cookies prevents HTTP responses and scripts from other domains from setting cookies. furthermore, cookies are removed from requests to domains that are not the document origin sphere, so cookies are merely sent to the current site that is being viewed .
besides be aware of WebRTC, which may reveal your local or public ( if connected to VPN ) IP address ( east ). In Firefox and Chrome/Chromium this can be disabled with extensions such as uBlock Origin and rentamob/WebRTC-Leak-Prevent. Disabling WebRTC in Safari is only potential with a organization chop .

Plugins

Adobe Flash, Oracle Java, Adobe Reader, Microsoft Silverlight ( Netflix now works with HTML5 ) and other plugins are security system risks and should not be installed .
If they are necessity, only use them in a disposable virtual machine and subscribe to security announcements to make indisputable you 're always patched .
See Hacking Team Flash Zero-Day, Java Trojan BackDoor.Flashback, Acrobat Reader : security Vulnerabilities, and Angling for Silverlight Exploits for examples .

Tor

Tor is an anonymizing proxy which can be used for browsing the Web .
Download Tor Browser from Tor Project .
Do not attempt to configure early browsers or applications to use Tor as you may make a err which will compromise anonymity .
Download both the dmg and asc signature files, then verify the disk trope has been signed by Tor developers :

$  

cd

~

/Downloads $ charge Tor

*

TorBrowser-8.0.4-osx64_en-US.dmg : bzip2 compressed data, obstruct size = 900k TorBrowser-8.0.4-osx64_en-US.dmg.asc : PGP signature Signature ( old ) $ gpg Tor

*

asc [ ... ] gpg : Ca n't check key signature : No populace identify $ gpg -- recv 0x4E2C6E8793298290 gpg : identify 0x4E2C6E8793298290 : populace key `` Tor Browser Developers ( signing key ) " imported gpg : no ultimately trusted keys found gpg : total number processed : 1 gpg : imported : 1 $ gpg -- control Tor

*

asc gpg : assume signed data in 'TorBrowser-8.0.4-osx64_en-US.dmg ' gpg : touch made Mon Dec 10 07:16:22 2018 pacific time gpg : using RSA key 0xEB774491D9FF06E2 gpg : good key signature from `` Tor Browser Developers ( signing key ) " [unknown] gpg : warn : This key is not certified with a believe signature ! gpg : There is no reading that the signature belongs to the owner . primary key fingerprint : EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 Subkey fingerprint : 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2

Make indisputable Good signature from "Tor Browser Developers (signing key) " appears in the output. The admonitory about the cardinal not being certified is benign, as it has not even been manually assigned faith .
See How to verify signatures for packages for more information .
To finish installing Tor Browser, open the harrow effigy and drag the it into the Applications booklet, or with :

$  hdiutil mount TorBrowser-8.0.4-osx64_en-US.dmg

$  cp -r /Volumes/Tor 

\

Browser/Tor

\

Browser.app/

~

/Applications/

Verify the Tor application 's code signature was made by with The Tor Project 's Apple developer ID MADPSAYN6T, using the spctl -a -v and/or pkgutil --check-signature commands :

$  spctl -a -vv 

~

/Applications/Tor

\

Browser.app /Users/drduh/Applications/Tor Browser.app : accepted source=Developer ID origin=Developer ID Application : The Tor Project, Inc ( MADPSAYN6T ) $ pkgutil -- check-signature

~

/Applications/Tor

\

Browser.app package `` Tor Browser.app '' : status : signed by a certificate trusted by Mac OS X certificate chain : 1. Developer ID Application : The Tor Project, Inc ( MADPSAYN6T ) SHA1 fingermark : 95 80 54 F1 54 66 F3 9C C2 D8 27 7A 29 21 D9 61 11 93 B3 E8 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - 2. Developer ID Certification Authority SHA1 fingerprint : 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - 3. Apple Root CA SHA1 fingerprint : 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

You can besides use the codesign command to examine an application 's code key signature :

$  codesign -dvv 

~

/Applications/Tor

\

Browser.app Executable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox Identifier=org.torproject.torbrowser Format=app pile with Mach-O reduce ( x86_64 ) CodeDirectory v=20200 size=229 flags=0x0 ( none ) hashes=4+3 location=embedded library validation warning=OS X SDK adaptation before 10.9 does not support Library Validation touch size=4247 Authority=Developer ID Application : The Tor Project, Inc ( MADPSAYN6T ) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=Dec 10, 2018 at 12:18:45 AM Info.plist entries=24 TeamIdentifier=MADPSAYN6T seal Resources version=2 rules=12 files=128 internal requirements count=1 size=188

To view fully certificate details for a gestural application, extract them with codesign and decode it with openssl :

$  codesign -d -- extract-certificates 

~

/Applications/Tor

\

Browser.app Executable=/Users/drduh/Applications/Tor Browser.app/Contents/MacOS/firefox $ file codesign

*

codesign0 : data codesign1 : data codesign2 : data $ openssl x509 -inform five hundred -in codesign0 -subject -issuer -startdate -enddate -noout subject= /UID=MADPSAYN6T/CN=Developer ID Application : The Tor Project, Inc ( MADPSAYN6T ) /OU=MADPSAYN6T/O=The Tor Project, Inc/C=US issuer= /CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US notBefore=Apr 12 22:40:13 2016 GMT notAfter=Apr 13 22:40:13 2021 GMT $ openssl x509 -inform five hundred -in codesign0 -fingerprint -noout SHA1 Fingerprint=95:80:54 : F1:54:66 : F3:9C : C2 : D8:27:7A:29:21 : D9:61:11:93 : B3 : E8 $ openssl x509 -inform five hundred -in codesign0 -fingerprint -sha256 -noout SHA256 Fingerprint=B5:0D:47 : F0:3E : CB:42 : B6:68:1C:6F:38:06:2B : C2:9F:41 : fa : D6:54 : F1:29 : D3 : E4 : DD:9C : C7:49:35 : FF : F5 : D9

Tor traffic is encrypted to the exit node ( i.e., can not be read by a passive voice network eavesdropper ), but Tor use can be identified - for case, TLS handshake `` hostnames '' will show up in plaintext :

$  sudo tcpdump -An 

"

tcp

"

|

grep

"

www

"

listening on pktap, link-type PKTAP ( Apple DLT_PKTAP ), capture size 262144 bytes ... ... ... .... ''. ... www.odezz26nvv7jeqz1xghzs.com ... ... ... ... ... ... .... #. ! ... www.bxbko3qi7vacgwyk4ggulh.com ... ... ... .6 ... .m ... .. > ... : ... ... ... |../* Z ... .W ... .X=..6 ... C../ ... ... ... ... ... ... ... ... ... ... ... ... 0 ... 0..0 ... .... ' ... .F./0.. *.H ... ... ..0 % 1 # 0 ! ..U ... .www.b6zazzahl3h3faf4x2.com0 ... 160402000000Z..170317000000Z0'1 % 0 # ..U ... .www.tm3ddrghe22wgqna5u8g.net0..0..

See Tor Protocol Specification and Tor/TLSHistory for more information .
You may wish to additionally obfuscate Tor traffic using a pluggable transmit, such as Yawning/obfs4proxy or SRI-CSL/stegotorus .
This can be done by setting up your own Tor relay or finding an existing secret or public bridge to serve as an obfuscating entry node .
For supernumerary security system, use Tor inside a VirtualBox or VMware virtualized GNU/Linux or BSD machine .
finally, remember the Tor network provides anonymity, which is not necessarily synonymous with privacy. The Tor network does not guarantee protection against a ball-shaped perceiver able of traffic analysis and correlation. See besides Seeking Anonymity in an Internet Panopticon ( pdf ) and Traffic Correlation on Tor by Realistic Adversaries ( pdf ) .
besides see invisible Internet Project ( I2P ) and its Tor comparison .

VPN

Unencrypted network traffic is being actively monitored and possibly tampered with. Encrypted dealings even exposes connection metadata and could be used to infer behavior or specific actions .
It is a good idea to use a VPN with outgoing network traffic ( not split tunnel ) together with a trustworthy supplier. drduh/Debian-Privacy-Server-Guide is one of many available guides for setting up a personal VPN server .
Do n't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you do n't understand how the VPN works or are not familiar with the software used, you are credibly better off without it .
When choosing a VPN service or setting up your own, be surely to inquiry the protocols, samara substitution algorithm, authentication mechanisms, and character of encoding being used. Some protocols, such as PPTP, should be avoided in party favor of OpenVPN or Linux-based Wireguard on a Linux VM or via a set of cross platform tools .
Some clients may send dealings over the following available interface when VPN is interrupted or disconnected. See scy/8122924 for an model on how to allow traffic only over VPN .
Another set of scripts to lock down your system so it will only entree the internet via a VPN can be found as part of the Voodoo Privacy project - sarfata/voodooprivacy and there is an update guide to setting up an IPSec VPN on a virtual car ( hwdsl2/setup-ipsec-vpn ) or a stevedore container ( hwdsl2/docker-ipsec-vpn-server ) .
It may be worthwhile to consider the geographic location of the VPN supplier. See further discussion in issue # 114 .
besides see this technical overview of the macOS built-in VPN L2TP/IPSec and IKEv2 customer .
other open generator OpenVPN clients/GUI : Eddie, Pritunl are not evaluated in this guide, so are neither recommended nor actively discouraged from habit .
PGP is a standard for encrypting electronic mail end to end. That means only the choose recipients can decrypt a message, unlike regular e-mail which is understand and everlastingly archived by providers .
GPG, or GNU Privacy Guard, is a GPL-licensed open source broadcast compliant with the PGP standard .
GPG is used to verify signatures of software you download and install, vitamin a well as symmetrically or asymmetrically code files and text .
install from Homebrew with brew install gnupg .
If you prefer a graphic application, download and install GPG Suite .
Download drduh/config/gpg.conf to use recommend settings :

$  lock -o 

~

/.gnupg/gpg.conf hypertext transfer protocol : //raw.githubusercontent.com/drduh/config/master/gpg.conf

See drduh/YubiKey-Guide to securely generate and store GPG keys .
Read online guides and rehearse code and decrypting e-mail to yourself and your friends. Get them interest in this stuff !

OTR

OTR stands for off-the-record and is a cryptanalytic protocol for encrypting and authenticating conversations over instantaneous messaging .
You can use OTR on top of any existing XMPP old world chat overhaul, even Google Hangouts ( which entirely encrypts conversations between users and the server using TLS ).

The first time you start a conversation with person new, you 'll be asked to verify their public cardinal fingerprint. Make sure to do this in person or by some other dependable means ( e.g. GPG encrypted mail ) .
A popular macOS GUI customer for XMPP and early new world chat protocols is Adium .
other XMPP clients include profanity and agl/xmpp-client. Another relatively new XMPP chat customer is CoyIM, it 's focus and security and has built-in support for OTR and Tor .
If you want to know how OTR works, read the paper Off-the-Record Communication, or, Why not To Use PGP ( pdf )

Viruses and malware

There is an ever-increasing amount of Mac malware in the wild. Macs are n't immune from viruses and malicious software !
Some malware comes bundled with both lawful software, such as the Java bundling Ask Toolbar, and some with bastard software, such as Mac.BackDoor.iWorm bundled with commandeer programs. Malwarebytes Anti-Malware for Mac is an excellent broadcast for ridding oneself of `` garden-variety '' malware and early `` crapware '' .
See Methods of malware continuity on Mac OS X ( pdf ) and Malware Persistence on OS X Yosemite to learn about how garden-variety malware functions .
You could sporadically run a tool like Knock Knock to examine persistent applications ( e.g. scripts, binaries ). But by then, it is probably besides late. possibly applications such as Block Block and Ostiarius will help. See warnings and caveats in issue # 90 first, however. An open-source alternate could be maclaunch.sh .
Anti-virus programs are a double-edged sword -- not then useful for advanced users and will likely increase attack come on against sophisticate threats ; however possibly utilitarian for catching `` garden variety '' malware on novice users ' Macs. There is besides the extra action overhead to consider when using `` active '' scan features .
see Sophail : give attacks against Antivirus ( pdf ), Analysis and Exploitation of an ESET Vulnerability, a fiddling Avast RCE, Popular Security Software Came Under Relentless NSA and GCHQ Attacks, How Israel Caught Russian Hackers Scouring the World for U.S. Secrets and AVG : `` Web TuneUP '' extension multiple critical vulnerabilities .
therefore, the best anti-virus is Common Sense 2020. See discussion in return # 44 .
local privilege escalation bugs are enough on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ( exemplar ) .
Subscribe to updates at The Safe Mac and Malwarebytes Blog for current Mac security news .
To scan an application with multiple AV products and examine its behavior, upload it to VirusTotal .
besides check out Hacking Team malware for macOS : solution initiation for MacOS, Support driver for Mac Agent and RCS Agent for Mac, which is a good example of advanced malware with capabilities to hide from userland ( for example, ps, ls ). For more, see A brief psychoanalysis of an RCS Implant Installer and reverse.put.as

System Integrity Protection

System Integrity Protection ( SIP ) is a security feature since OS X 10.11 `` El Capitan ''. It is enabled by default, but can be disabled, which may be necessary to change some system settings, such as deleting beginning certificate authorities or unloading certain launch daemons. Keep this feature on, as it is by default option .
From What 's New in OS X 10.11 :

A modern security policy that applies to every run process, including privileged code and code that runs out of the sandbox. The policy extends extra protections to components on harrow and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no long permitted .

besides see What is the “ rootless ” feature in El Capitan, actually ?
Some MacBook hardware has shipped with SIP disabled. To verify SIP is enabled, use the command csrutil status, which should return : System Integrity Protection status: enabled. Otherwise, enable SIP through Recovery Mode .

Gatekeeper and XProtect

Gatekeeper and the quarantine system sample to prevent unsigned or `` badly '' programs and files from running and opening .
XProtect prevents the murder of known bad files and outdated plugin versions, but does nothing to cleanup or stop existing malware .
Both offer trivial protective covering against park risks and are finely at default settings .
See besides Mac Malware Guide : How does Mac OS X protect me ? and Gatekeeper, XProtect and the Quarantine attribute .
Note Quarantine stores information about download files in ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2, which may pose a privacy gamble. To examine the file, merely use strings or the stick to command :

$  

echo

'

SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp,

'

\ 'LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent ; ' | \ sqlite3 /Users/ $ USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

See hera for more information .
To permanently disable this feature of speech, clear the file and make it immutable :

$  : 

>

~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 $ sudo chflags schg

~

/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

alternatively, you can besides disable Gatekeeper using the succeed command :
sudo spctl --master-disable
( See hypertext transfer protocol : //disable-gatekeeper.github.io/ and hypertext transfer protocol : //objective-see.com/blog/blog_0x64.html for reference )

Metadata and artifacts

macOS attaches metadata ( HFS+ extended attributes ) to downloaded files, which can be viewed with the mdls and xattr commands :

$  fifty -l @ 

~

/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg -rw-r -- gas constant -- @ 1 drduh staff 63M Jan 1 12:00 TorBrowser-8.0.4-osx64_en-US.dmg com.apple.metadata : kMDItemWhereFroms 46B com.apple.quarantine 57B $ mdls

~

/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg kMDItemContentCreationDate = 2019-01-01 00:00:00 +0000 kMDItemContentCreationDate_Ranking = 2019-01-01 00:00:00 +0000 kMDItemContentModificationDate = 2019-01-01 00:00:00 +0000 kMDItemContentType = `` com.apple.disk-image-udif '' kMDItemContentTypeTree = ( `` public.archive '' , `` public.item '' , `` public.data '' , `` public.disk-image '' , `` com.apple.disk-image '' , `` com.apple.disk-image-udif '' ) kMDItemDateAdded = 2019-01-01 00:00:00 +0000 kMDItemDateAdded_Ranking = 2019-01-01 00:00:00 +0000 kMDItemDisplayName = `` TorBrowser-8.0.4-osx64_en-US.dmg '' kMDItemFSContentChangeDate = 2019-01-01 00:00:00 +0000 kMDItemFSCreationDate = 2019-01-01 00:00:00 +0000 kMDItemFSCreatorCode = `` '' kMDItemFSFinderFlags = 0 kMDItemFSHasCustomIcon = ( nothing ) kMDItemFSInvisible = 0 kMDItemFSIsExtensionHidden = 0 kMDItemFSIsStationery = ( null ) kMDItemFSLabel = 0 kMDItemFSName = `` TorBrowser-8.0.4-osx64_en-US.dmg '' kMDItemFSNodeCount = ( null ) kMDItemFSOwnerGroupID = 5000 kMDItemFSOwnerUserID = 501 kMDItemFSSize = 65840402 kMDItemFSTypeCode = `` '' kMDItemInterestingDate_Ranking = 2019-01-01 00:00:00 +0000 kMDItemKind = `` Disk Image '' kMDItemWhereFroms = ( `` hypertext transfer protocol : //dist.torproject.org/torbrowser/8.0.4/TorBrowser-8.0.4-osx64_en-US.dmg '' , `` hypertext transfer protocol : //www.torproject.org/projects/torbrowser.html.en '' ) $ xattr -l

~

/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg com.apple.metadata : kMDItemWhereFroms : 00000000 62 70 6C 69 73 74 30 30 A2 01 02 5F 10 4D 68 74 |bplist00 ... _.Mht| 00000010 74 70 73 3A 2F 2F 64 69 73 74 2E 74 6F 72 70 72 |tps : //dist.torpr| 00000020 6F 6A 65 63 74 2E 6F 72 67 2F 74 6F 72 62 72 6F |oject.org/torbro| [ ... ] com.apple.quarantine : 0081 ; 58519ffa ; Google Chrome.app ; 1F032CAB-F5A1-4D92-84EB-CBECA971B7BC

Metadata attributes can besides be removed with the -d flag :

$  xattr -d com.apple.metadata : kMDItemWhereFroms 

~

/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg $ xattr -d com.apple.quarantine

~

/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg $ xattr -l

~

/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg [ No output expected ]

early metadata and artifacts may be found in the directories including, but not limited to, ~/Library/Preferences/, ~/Library/Containers//Data/Library/Preferences, /Library/Preferences, some of which is detailed below .
~/Library/Preferences/com.apple.sidebarlists.plist contains historic list of volumes attached. To clear it, use the command /usr/libexec/PlistBuddy -c "delete :systemitems:VolumesList" ~/Library/Preferences/com.apple.sidebarlists.plist
/Library/Preferences/com.apple.Bluetooth.plist contains Bluetooth metadata, including device history. If Bluetooth is not used, the metadata can be cleared with :

$  sudo defaults erase /Library/Preferences/com.apple.Bluetooth.plist DeviceCache
$  sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist IDSPairedDevices
$  sudo defaults delete /Library/Preferences/com.apple.Bluetooth.plist PANDevices
$  sudo defaults erase /Library/Preferences/com.apple.Bluetooth.plist PANInterfaces
$  sudo defaults erase /Library/Preferences/com.apple.Bluetooth.plist SCOAudioDevices

/var/spool/cups contains the CUPS printer occupation cache. To clear it, use the commands :

$  sudo rm -rfv /var/spool/cups/c0 

*

$ sudo rm -rfv /var/spool/cups/tmp/

*

$ sudo rm -rfv /var/spool/cups/cache/job.cache

*

To clear the list of io devices connected, use :

$  sudo defaults erase /Users/ 

$USER

/Library/Preferences/com.apple.iPod.plist

"

conn:128:Last Connect

"

$ sudo defaults delete /Users/

$USER

/Library/Preferences/com.apple.iPod.plist Devices $ sudo defaults delete /Library/Preferences/com.apple.iPod.plist

"

conn:128:Last Connect

"

$ sudo defaults erase /Library/Preferences/com.apple.iPod.plist Devices $ sudo rm -rfv /var/db/lockdown/

*

Quicklook thumbnail data can be cleared using the qlmanage -r cache command, but this writes to the file resetreason in the Quicklook directories, and states that the Quicklook cache was manually cleared. Disable the thumbnail cache with qlmanage -r disablecache
It can besides be manually cleared by getting the directory names with getconf DARWIN_USER_CACHE_DIR and sudo getconf DARWIN_USER_CACHE_DIR, then removing them :

$  rm -rfv 

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/exclusive $ rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/index.sqlite $ rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/index.sqlite-shm $ rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/index.sqlite-wal $ rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/resetreason $ rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/thumbnails.data

similarly, for the root user :

$  sudo rm -rfv 

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler $ sudo rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/exclusive $ sudo rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/index.sqlite $ sudo rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/index.sqlite-shm $ sudo rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/index.sqlite-wal $ sudo rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/resetreason $ sudo rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/thumbnails.data $ sudo rm -rfv

$(

getconf DARWIN_USER_CACHE_DIR

)

/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler

besides see 'quicklook ' hoard may leak encrypted data .
To unclutter Finder preferences :

$  defaults delete 

~

/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions $ defaults edit

~

/Library/Preferences/com.apple.finder.plist FXRecentFolders $ defaults delete

~

/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations $ defaults edit

~

/Library/Preferences/com.apple.finder.plist RecentSearches $ defaults delete

~

/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches

Additional diagnostic files may be found in the following directories - but caution should be taken before removing any, as it may break logging or cause other issues :

/var/db/CoreDuet/
/var/db/diagnostics/
/var/db/systemstats/
/var/db/uuidtext/
/var/log/DiagnosticMessages/

macOS stored prefer Wi-Fi data ( including credentials ) in NVRAM. To clear it, use the trace commands :

$  sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843 : current-network
$  sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843 : preferred-networks
$  sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843 : preferred-count

macOS may collect sensible information about what you type, flush if drug user dictionary and suggestions are off. To remove them, and prevent them from being created again, use the follow commands :

$  rm -rfv 

"

~/Library/LanguageModeling/*

"

"

~/Library/Spelling/*

"

"

~/Library/Suggestions/*

"

$ chmod -R 000

~

/Library/LanguageModeling

~

/Library/Spelling

~

/Library/Suggestions $ chflags -R uchg

~

/Library/LanguageModeling

~

/Library/Spelling

~

/Library/Suggestions

QuickLook application support metadata can be cleared and locked with the succeed commands :

$  rm -rfv 

"

~/Library/Application Support/Quick Look/*

"

$ chmod -R 000

"

~/Library/Application Support/Quick Look

"

$ chflags -R uchg

"

~/Library/Application Support/Quick Look

"

Document rewrite metadata is stored in /.DocumentRevisions-V100 and can be cleared and locked with the following commands - caution should be taken as this may break some core Apple applications :

$  sudo rm -rfv /.DocumentRevisions-V100/ 

*

$ sudo chmod -R 000 /.DocumentRevisions-V100 $ sudo chflags -R uchg /.DocumentRevisions-V100

Saved application state metadata may be cleared and locked with the following commands :

$  rm -rfv 

"

~/Library/Saved Application State/*

"

$ rm -rfv

"

~/Library/Containers//Saved Application State

"

$ chmod -R 000

"

~/Library/Saved Application State/

"

$ chmod -R 000

"

~/Library/Containers//Saved Application State

"

$ chflags -R uchg

"

~/Library/Saved Application State/

"

$ chflags -R uchg

"

~/Library/Containers//Saved Application State

"

Autosave metadata can be cleared and locked with the keep up commands :

$  rm -rfv 

"

~/Library/Containers//Data/Library/Autosave Information

"

$ rm -rfv

"

~/Library/Autosave Information

"

$ chmod -R 000

"

~/Library/Containers//Data/Library/Autosave Information

"

$ chmod -R 000

"

~/Library/Autosave Information

"

$ chflags -R uchg

"

~/Library/Containers//Data/Library/Autosave Information

"

$ chflags -R uchg

"

~/Library/Autosave Information

"

The Siri analytics database, which is created even if the Siri launch agent disabled, can be cleared and locked with the follow commands :

$  rm -rfv 

~

/Library/Assistant/SiriAnalytics.db $ chmod -R 000

~

/Library/Assistant/SiriAnalytics.db $ chflags -R uchg

~

/Library/Assistant/SiriAnalytics.db

~/Library/Preferences/com.apple.iTunes.plist contains iTunes metadata. holocene iTunes search data may be cleared with the following instruction :

$  defaults delete 

~

/Library/Preferences/com.apple.iTunes.plist recentSearches

If you do not use Apple ID-linked services, the follow key may be cleared, excessively, using the follow commands :

$  defaults edit 

~

/Library/Preferences/com.apple.iTunes.plist StoreUserInfo $ defaults erase

~

/Library/Preferences/com.apple.iTunes.plist WirelessBuddyID

All media played in QuickTime Player can be found in :

~/Library/Containers/com.apple.QuickTimePlayerX/Data/Library/Preferences/com.apple.QuickTimePlayerX.plist

Additional metadata may exist in the following files :

~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist
~/Library/Preferences/com.apple.commerce.plist
~/Library/Preferences/com.apple.QuickTimePlayerX.plist

Passwords

Generate potent passwords with respective programs or directly from /dev/urandom :

$  openssl rand -base64 30
 qb8ZWbUU2Ri3FOAPY/1wKSFAJwMXmpQM4mZU4YbO

$  gpg -- gen-random -a 0 90 

|

fold -w 40 3e+kfHOvovHVXxZYPgu+OOWQ1g1ttbljr+kNGv7f loD//RsjUXYGIjfPM/bT0itsoEstyGLVUsFns8wP zYM8VRBga+TsnxWrS7lWKfH1uvVPowzkq9kXCdvJ $ LANG=C tr -dc

'

A-F0-9

'

<

/dev/urandom

|

fold -w 40

|

head -n 5 45D0371481EE5E5A5C1F68EA59E69F9CA52CB321 A30B37A00302643921F205621B145E7EAF520164 B6EF38A2DA1D0586D20105502AFFF0468EA5F16A 029D6EA9F76CD64D3356E342EA154BEFEBE23387 07F468F0569579A0A06471247CABC4F4C1386E24 $ tr -dc

'

[:alnum:]

'

<

/dev/urandom

|

fold -w 40

|

head -n5 zmj8S0iuxud8y8YHjzdg7Hefu6U1KAYBiLl3aE8v nCNpuMkWohTjQHntTzbiLQJG5zLzEHWSWaYSwjtm R2L6M909S3ih852IkJqQFMDawCiHcpPBxlllAPrt aZOXKVUmxhzQwVSYb6nqAbGTVMFSJOLf094bFZAb HfgwSNlkVBXwIPQST6E6x6vDNCCasMLSSOoTUfSK $ tr -dc

'

[:lower:]

'

<

/dev/urandom

|

fold -w 40

|

forefront -n5 gfvkanntxutzwxficgvavbwdvttexdezdftvvtmn lgrsuiugwkqbtbkyggcbpbqlynwbiyxzlabstqcf ufctdlsbyonkowzpmotxiksnsbwdzkjrjsupoqvr hjwibdjxtmuvqricljayzkgdfztcmapsgwsubggr bjstlmvwjczakgeetkbmwbjnidbeaerhaonpkacg $ tr -dc

'

[:upper:]

'

<

/dev/urandom

|

fold -w 40

|

promontory -n5 EUHZMAOBOLNFXUNNDSTLJTPDCPVQBPUEQOLRZUQZ HVNVKBEPAAYMXRCGVCNEZLFHNUYMRYPTWPWOOZVM TAHEUPQJTSYQVJVYSKLURESMKWEZONXLUDHWQODB PRDITWMAXXZLTRXEEOGOSGAWUXYDGDRJYRHUWICM VHERIQBLBPHSIUZSGYZRDHTNAPUGJMRODIKBWZRJ $ tr -dc

'

[:graph:]

'

<

/dev/urandom

|

fold -w 40

|

lead -n5 n\T2|zUz : \C, @ z9 ! # p3 ! B/ [ t6m : B94 } q & metric ton ( ^ ) Ol~ J % MMDbAgGdP } zrSQO ! 3mrP3 $ w !. [ Ng_xx-_ [ C < 3g ^ ) 6V & * < 2 '' ZOgU.mBd ] iInvFKiT

+RE]UYPIf3:StX`y#w,.iG~g"urD)'FnDIFI_q^)

6?HRillpgvvFDBAr4[:H{^oAL<`Em7$roF=2w;1~

You can besides generate passwords, evening memorable ones, using Keychain Access password adjunct, or a instruction trace equivalent like anders/pwgen .
Keychains are encrypted with a PBKDF2 derived key and are a reasonably safe place to storehouse credentials. See besides Breaking into the OS X keychain. besides be aware that Keychain does not encrypt the names corresponding to password entries .
alternatively, you can manage an code passwords file yourself with GnuPG ( see drduh/Purse and drduh/pwd.sh for case ) .
In addition to passwords, ensure eligible on-line accounts, such as GitHub, Google accounts, trust, have two factor authentication enabled .
Yubikey offers low-cost hardware tokens. See drduh/YubiKey-Guide and trmm.net/Yubikey. One of two Yubikey 's slots can besides be programmed to emit a long, static password ( which can be used in combination with a unretentive, memorize password, for exemplar ) .
In Addition to Login and other PAMs, you can use Yubikey to secure your login and sudo, here is a pdf guide from Yubico. Yubikey are a bit costly, there is cheaper alternative, but not as adequate to, U2F Zero. hera is a great lead to set it up

Backup

Always encrypt files locally before backing them up to external media or on-line services .
One manner is to use a symmetrical nothing with GPG and a password of your choose. Files can besides be encrypted to a public key with GPG, with the private key stored on YubiKey .
To compress and encrypt a directory :

$  tar zcvf - 

~

/Downloads

|

gpg -c

>

~

/Desktop/backup-

$(

date +%F-%H%M

)

.tar.gz.gpg mariner : Removing leading '/ ' from penis names a Users/drduh/Downloads a Users/drduh/Downloads/.DS_Store a Users/drduh/Downloads/.localized a Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg.asc a Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg

To decrypt and decompress the directory :

$  gpg -o 

~

/Desktop/decrypted-backup.tar.gz -d

~

/Desktop/backup-2015-01-01-0000.tar.gz.gpg gpg : AES256 encrypted data gpg : encrypted with 1 passphrase $ mariner zxvf

~

/Desktop/decrypted-backup.tar.gz tar : Removing leading '/ ' from penis names ten Users/drduh/._Downloads adam Users/drduh/Downloads/ x Users/drduh/Downloads/._.DS_Store ten Users/drduh/Downloads/.DS_Store x Users/drduh/Downloads/.localized x Users/drduh/Downloads/._TorBrowser-8.0.4-osx64_en-US.dmg.asc x Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg.asc x Users/drduh/Downloads/._TorBrowser-8.0.4-osx64_en-US.dmg x Users/drduh/Downloads/TorBrowser-8.0.4-osx64_en-US.dmg

You can besides create and use encrypted volumes using Disk Utility or hdiutil :

$  hdiutil create 

~

/Desktop/encrypted.dmg -encryption -size 50M -volname

"

secretStuff

"

-fs JHFS+ Enter a new password to secure `` encrypted.dmg '' : re-enter new password : ... ... ... ... ... ... ... ... ... ... ... ... Created : /Users/drduh/Desktop/encrypted.img $ hdiutil mount

~

/Desktop/encrypted.dmg Enter password to access `` encrypted.dmg '' : [ ... ] /Volumes/secretStuff $ cp -v

~

/Documents/passwords.txt /Volumes/secretStuff [ ... ] $ hdiutil eject /Volumes/secretStuff `` disk4 '' unmounted . `` disk4 '' ejected .

With hdiutil you are besides able to add the choice -type SPARSE-BUNDLE. With these sparse bundles you may achieve faster backups because after the first gear run, the updated data and some pad needs to be transferred .
A bare way to synchronize this code booklet to another server is using rsync :

 rsync -- recursive -- times -- build up -- erase -- long-winded -- stats MyEncryptedDrive.sparsebundle exploiter @ server : /path/to/backup

See besides the pursuit applications and services : Tresorit, SpiderOak, Arq, Espionage, and restic .
macOS remembers access points it has connected to. Like all radio devices, the Mac will broadcast all access steer names it remembers ( for example, MyHomeNetwork ) each time it looks for a network, such as when waking from sleep .
This is a privacy risk, therefore remove networks from the list in System Preferences > Network > Advanced when they are no farseeing needed .
besides see Signals from the Crowd : Uncovering Social Relationships through Smartphone Probes ( pdf ) and Wi-Fi told me everything about you ( pdf ) .
Saved Wi-Fi information ( SSID, last connection, etc. ) can be found in :

/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

You may want to spoof the MAC address of the network batting order before connecting to new and untrusted wireless networks to mitigate passive fingerprinting :

$  sudo ifconfig en0 ether 

$(

openssl rand -hex 6

|

sed

'

s%\(..\)%\1:%g; s%.$%%

'

)

macOS stores Wi-Fi SSIDs and passwords in NVRAM in regulate for Recovery Mode to access the Internet. Be sure to either clear NVRAM or de-authenticate your Mac from your Apple account, which will clear the NVRAM, before passing a Mac along. Resetting the SMC will clear some of the NVRAM, but not all .
Note MAC addresses will reset to hardware defaults on each boot .
finally, WEP protective covering on wireless networks is not secure and you should only connect to WPA2 protected networks when possible .

SSH

For outgoing SSH connections, use hardware or password-protected keys, set up distant hosts and consider hashing them for added privacy. See drduh/config/ssh_config for recommend node options .
You can besides use ssh to create an code tunnel to send traffic through, exchangeable to a VPN .
For model, to use Privoxy running on a remote control host interface 8118 :

$  ssh -C -L 5555:127.0.0.1:8118 you @ remote-host.tld

$  sudo networksetup -setwebproxy 

"

Wi-Fi

"

127.0.0.1 5555 $ sudo networksetup -setsecurewebproxy

"

Wi-Fi

"

127.0.0.1 5555

Or to use an ssh association as a SOCKS proxy :

$  ssh -NCD 3000 you @ remote-host.tld

By default, macOS does not have sshd or Remote Login enabled .
To enable sshd and allow incoming ssh connections :

$  sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

Or use the System Preferences > Sharing menu .
If enabling sshd, be indisputable to disable password authentication and consider far hardening your configuration. See drduh/config/sshd_config for recommend options .
Confirm whether sshd is running :

$  sudo lsof -Pni TCP:22

Physical access

Keep your Mac physically secure at all times. Do n't leave it unattended in public spaces, such as hotels .
A skilled attacker with unsupervised physical access to your calculator can infect the boot ROM to install a keylogger and steal your password, for exercise - watch Thunderstrike .
A helpful tool is usbkill, which is an anti-forensic kill-switch that waits for a exchange on your USB ports and then immediately shuts down your calculator .
Consider purchasing a privacy filter for your screen to thwart shoulder surfers .
Superglues or epoxy resins can besides be used to disable physical access to computer ports. Nail polish and tamper-evidence seals can be applied to components to detect tamper .

System monitoring

OpenBSM audit

macOS has a herculean OpenBSM ( Basic Security Module ) auditing capability. You can use it to monitor work execution, network action, and a lot more .
To tail audited account logs, use the praudit utility :

$  sudo praudit -l /dev/auditpipe
 header,201,11, execve ( 2 ) ,0, Thu Sep 1 12:00:00 2015, + 195 millisecond, white house arg, /Applications/.evilapp/rootkit, way, /Applications/.evilapp/rootkit, path, /Applications/.evilapp/rootkit, attribute,100755, rout, wheel,16777220,986535,0, subject, drduh, etymon, wheel, root, wheel,412,100005,50511731,0.0.0.0, revert, success,0, trailer,201 ,
 header,88,11, connect ( 2 ) ,0, Thu Sep 1 12:00:00 2015, + 238 millisecond, argument,1,0x5, fd, socket-inet,2,443,173.194.74.104, discipline, drduh, beginning, wheel, root, wheel,326,100005,50331650,0.0.0.0, return, failure : operation now in progress,4354967105, trailer,88
 header,111,11, OpenSSH login,0, Thu Sep 1 12:00:00 2015, + 16 millisecond, subject_ex, drduh, drduh, staff, drduh, staff,404,404,49271, ::1, text, successful login drduh, reelect, success,0, trailer,111 ,

See the manual pages for audit, praudit, audit_control and early files in /etc/security
Note although man audit says the -s pin will synchronize the audit configuration, it appears necessary to reboot for changes to take effect .
See articles on ilostmynotes.blogspot.com and derflounder.wordpress.com for more information .

DTrace

Note System Integrity Protection interferes with DTrace, so it is not potential to use it in holocene macOS versions without disabling SIP .

  • iosnoop monitors disk I/O
  • opensnoop monitors file opens
  • execsnoop monitors execution of processes
  • errinfo monitors failed system calls
  • dtruss monitors all system calls

See man -k dtrace for more information .

Execution

ps -ef lists data about all running processes .
You can besides view processes with Activity Monitor .
launchctl list and sudo launchctl list number loaded and running exploiter and arrangement launch daemons and agents .

Network

number open network files :

$  sudo lsof -Pni

list contents of respective network-related data structures :

$  sudo netstat -atln

Wireshark can be used from the command line with tshark .
Monitor DNS queries and replies :

$  tshark -Y 

"

dns.flags.response == 1

"

-Tfields \ -e frame.time_delta \ -e dns.qry.name \ -e dns.a \ -Eseparator= ,

Monitor HTTP requests and responses :

$  tshark -Y 

"

http.request or http.response

"

-Tfields \ -e ip.dst \ -e http.request.full_uri \ -e http.request.method \ -e http.response.code \ -e http.response.phrase \ -Eseparator=/s

Monitor x509 ( SSL/TLS ) certificates :

$  tshark -Y 

"

ssl.handshake.certificate

"

-Tfields \ -e ip.src \ -e x509sat.uTF8String \ -e x509sat.printableString \ -e x509sat.universalString \ -e x509sat.IA5String \ -e x509sat.teletexString \ -Eseparator=/s -Equote=d

besides see the childlike network monitor application BonzaiThePenguin/Loading .

Binary Whitelisting

google/santa is a security software developed for Google 's corporate Macintosh fleet and loose sourced .

Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland devil that makes execution decisions based on the contents of a SQLite database, a GUI agentive role that notifies the user in encase of a barricade decision and a command-line utility for managing the system and synchronizing the database with a server .

Santa uses the Kernel Authorization API to monitor and allow/disallow binaries from executing in the kernel. Binaries can be white- or black-listed by unique hash or signing developer certificate. Santa can be used to only allow trusted code execution, or to blacklist known malware from executing on a Mac, exchangeable to Bit9 software for Windows .
Note Santa does not presently have a graphic exploiter interface for managing rules. The take after instructions are for advanced users only !
To install Santa, visit the Releases page and download the latest phonograph record trope, the hop on it and install the control software :

$  hdiutil mount 

~

/Downloads/santa-0.9.20.dmg $ sudo installer -pkg /Volumes/santa-0.9.20/santa-0.9.20.pkg -tgt /

By default, Santa installs in `` Monitor '' mode ( intend, nothing gets blocked, only logged ) and comes with two rules : one for Apple binaries and another for Santa software itself .
Verify Santa is running and its kernel faculty is loaded :

$  santactl status
 > > > Daemon Info
 Mode | Monitor
 File Logging | no
 Watchdog CPU Events | 0 ( Peak : 0.00 % )
 Watchdog RAM Events | 0 ( Peak : 0.00MB )
 > > > Kernel Info
 Kernel cache count | 0
 > > > Database Info
 binary Rules | 0
 Certificate Rules | 2
 Events Pending Upload | 0

$  phosphorus -ef 

|

grep

"

[s]anta

"

0 786 1 0 10:01AM ? ? 0:00.39 /Library/Extensions/santa-driver.kext/Contents/MacOS/santad -- syslog $ kextstat

|

grep santa claus 119 0 0xffffff7f822ff000 0x6000 0x6000 com.google.santa-driver ( 0.9.14 ) 693D8E4D-3161-30E0-B83D-66A273CAE026 < 5 4 3 1 >

Create a blacklist rule to prevent iTunes from executing :

$  sudo santactl rule -- blacklist -- path /Applications/iTunes.app/
 Added rule for SHA-256 : e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3 .

Try to launch iTunes - it will be blocked .

$  clear /Applications/iTunes.app/
 LSOpenURLsWithRole ( ) failed with error -10810 for the file /Applications/iTunes.app .

Santa block dialog when attempting to run a blacklisted program
To remove the convention :

$  sudo santactl dominion -- remove -- path /Applications/iTunes.app/
 Removed principle for SHA-256 : e1365b51d2cb2c8562e7f1de36bfb3d5248de586f40b23a2ed641af2072225b3 .

open iTunes :

$  open /Applications/iTunes.app/
 [ iTunes will open successfully ]

Create a new, example C plan :

$  big cat 

<<

EOF

> foo.c

>

#

include

>

main

( ) { printf (

"

Hello World\n”); }

> EOF

Compile the program with GCC ( requires installation of Xcode or command-line tools ) :

$  gcc -o foo foo.c

$  file foo
 foo : Mach-O 64-bit feasible x86_64

$  codesign -d foo
 foo : code object is not signed at all

Run it :

$  ./foo
 Hello World

Toggle Santa into `` Lockdown '' modality, which only allows whitelisted binaries to run :

$ sudo defaults write /var/db/santa/config.plist ClientMode -int 2

Try to run the unsigned binary :

$  ./foo
 knock : ./foo : operation not permitted

 Santa

 The follow application has been blocked from executing
 because its trustworthiness can not be determined .

 way : /Users/demouser/foo
 identifier : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
 rear : bash ( 701 )

To whitelist a specific binary star, determine its SHA-256 union :

$  santactl fileinfo /Users/demouser/foo
 way : /Users/demouser/foo
 SHA-256 : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
 SHA-1 : 4506f3a8c0a5abe4cacb98e6267549a4d8734d82
 type : feasible ( x86-64 )
 Code-signed : nobelium
 rule : Blacklisted ( Unknown )

Add a whitelist rule :

$  sudo santactl predominate -- whitelist -- sha256 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed
 Added rule for SHA-256 : 4e11da26feb48231d6e90b10c169b0f8ae1080f36c168ffe53b1616f7505baed .

Run it :

$  ./foo
 Hello World

It 's allowed and works !
Applications can besides be whitelisted by developer certificate ( so that newfangled binary versions will not need to be manually whitelisted on each update ). For exercise, download and run Google Chrome - it will be blocked by Santa in `` Lockdown '' mode :

$  curl -sO hypertext transfer protocol : //dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg

$  hdiutil climb googlechrome.dmg

$  cp -r /Volumes/Google 

\

Chrome/Google

\

Chrome.app /Applications/ $ capable /Applications/Google

\

Chrome.app/ LSOpenURLsWithRole ( ) failed with error -10810 for the file /Applications/Google Chrome.app .

Whitelist the application by its developer certificate ( first token in the Signing Chain ) :

$  santactl fileinfo /Applications/Google 

\

Chrome.app/ path : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome SHA-256 : 0eb08224d427fb1d87d2276d911bbb6c4326ec9f74448a4d9a3cfce0c3413810 SHA-1 : 9213cbc7dfaaf7580f3936a915faa56d40479f6a Bundle list : Google Chrome bunch version : 2883.87 Bundle Version Str : 55.0.2883.87 character : feasible ( x86-64 ) Code-signed : yes rule : Blacklisted ( Unknown ) Signing chain : 1. SHA-256 : 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 SHA-1 : 85cee8254216185620ddc8851c7a9fc4dfe120ef common name : Developer ID Application : Google Inc . constitution : Google Inc . organizational unit : EQHXZ8M8AV valid From : 2012/04/26 07:10:10 -0700 valid Until : 2017/04/27 07:10:10 -0700 2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186 common name : Developer ID Certification Authority administration : Apple Inc . organizational unit of measurement : Apple Certification Authority valid From : 2012/02/01 14:12:15 -0800 valid Until : 2027/02/01 14:12:15 -0800 3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024 SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60 common name : Apple Root CA organization : Apple Inc . organizational unit : Apple Certification Authority valid From : 2006/04/25 14:40:36 -0700 valid Until : 2035/02/09 13:40:36 -0800

In this case, 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 is the SHA-256 of Google ’ south Apple developer certificate ( team ID EQHXZ8M8AV ). To whitelist it :

$  sudo santactl rule -- whitelist -- certificate -- sha256 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153
 Added convention for SHA-256 : 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153 .

Google Chrome should now launch, and subsequent updates to the application will continue to work a long as the code signing security doesn ’ deoxythymidine monophosphate change or die .
To disable `` Lockdown '' mode :

$  sudo defaults edit /var/db/santa/config.plist ClientMode

See /var/log/santa.log to monitor ALLOW and DENY performance decisions .
A log and shape server for Santa is available in Zentral, an open source event monitor solution and TLS server for osquery and Santa .
Zentral will support Santa in both MONITORING and LOCKDOWN process manner. Clients need to be enrolled with a TLS connection to sync Santa Rules, all Santa events from endpoints are aggregated and logged back in Zentral. Santa events can trigger actions and notifications from within the Zentral Framework .
Note Python, Bash and other interpreters are whitelisted ( since they are signed by Apple 's developer certificate ), so Santa will not be able to block such scripts from executing. frankincense, a potential non-binary program which disables Santa is a weakness ( not vulnerability, since it is so by design ) to take notice of .

Miscellaneous

disable Diagnostics & Usage Data .
If you want to play music or watch videos, use VLC media player which is release and receptive source .
If you want to use torrents, use Transmission which is release and open source ( note : like all software, flush open reservoir projects, malware may calm find its way in ). You may besides wish to use a pulley tilt to avoid peering with known bad hosts - watch Which is the best blocklist for Transmission and johntyree/3331662 .
oversee default file handlers with duti, which can be installed with brew install duti. One reason to manage extensions is to prevent auto-mounting of outback file systems in Finder ( see Protecting Yourself From Sparklegate ). here are several commend file handlers to manage :

$  duti -s com.apple.Safari alpha fetoprotein

$  duti -s com.apple.Safari file transfer protocol

$  duti -s com.apple.Safari nfs

$  duti -s com.apple.Safari smb

$  duti -s com.apple.TextEdit public.unix-executable

Monitor system logs with the Console application or syslog -w or /usr/bin/log stream commands .
In systems prior to macOS Sierra ( 10.12 ), enable the tty_tickets flag in /etc/sudoers to restrict the sudo seance to the Terminal window/tab that started it. To do so, use sudo visudo and add the credit line Defaults tty_tickets .
Set your screen to lock vitamin a soon as the screensaver starts :

$  defaults write com.apple.screensaver askForPassword -int 1

$  defaults write com.apple.screensaver askForPasswordDelay -int 0

Expose obscure files and Library booklet in finder :

$  defaults write com.apple.finder AppleShowAllFiles -bool 

true

$ chflags nohidden

~

/Library

Show all filename extensions ( so that `` Evil.jpg.app '' can not masquerade easily ) .

$  defaults write NSGlobalDomain AppleShowAllExtensions -bool 

true

Do n't default to saving documents to iCloud :

$  defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool 

false

enable Secure Keyboard Entry in Terminal ( unless you use YubiKey or applications such as TextExpander ) .
disable crash reporter ( the dialogue which appears after an application crashes and prompts to report the problem to Apple ) :

$  defaults write com.apple.CrashReporter DialogType none

disable Bonjour multicast advertisements :

$  sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

disable Handoff and Bluetooth features, if they are n't necessary .
Consider sandboxing your applications. See fG ! Sandbox Guide ( pdf ) and s7ephen/OSX-Sandbox -- Seatbelt -- Profiles .
Did you know Apple has not shipped a calculator with TPM since 2006 ?
macOS comes with this credit line in /etc/sudoers :

Defaults env_keep += "HOME MAIL"

Which stops sudo from changing the HOME variable star when you elevate privileges. This means it will execute as beginning the bash dotfiles in the non-root drug user 's home directory when you run `` sudo knock ''. It is advisable to comment this channel out to avoid a potentially easy room for malware or a local attacker to escalate privileges to root .
If you want to retain the appliance of the root user having a non-root user 's family directory, you can append an export line to /var/root/.bashrc, e.g. :

 export HOME=/Users/blah

Set a custom umask :

$  sudo launchctl config user 

umask

077

Reboot, create a file in Finder and verify its permissions ( macOS default allows 'group/other ' read access ) :

$  lambert -ld umask 

*

drwx -- -- -- 2 kevin staff 64 Dec 4 12:27 umask_testing_dir -rw -- -- -- - @ 1 kevin staff 2026566 Dec 4 12:28 umask_testing_file

Related software

  • CISOfy/lynis - Cross-platform security auditing tool and assists with compliance testing and system hardening.
  • Dylib Hijack Scanner - Scan for applications that are either susceptible to dylib hijacking or have been hijacked.
  • F-Secure XFENCE (formerly Little Flocker) - "Little Snitch for files"; prevents applications from accessing files.
  • Lockdown - Audits and remediates security configuration settings.
  • Zentral - A log and configuration server for santa and osquery. Run audit and probes on inventory, events, logfiles, combine with point-in-time alerting. A full Framework and Django web server build on top of the elastic stack (formerly known as ELK stack).
  • facebook/osquery - Can be used to retrieve low level system information. Users can write SQL queries to retrieve system information.
  • google/grr - Incident response framework focused on remote live forensics.
  • jipegit/OSXAuditor - Analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names.
  • kristovatlas/osx-config-check - Checks your OSX machine against various hardened configuration settings.
  • libyal/libfvde - Library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
  • stronghold - Securely and easily configure your Mac from the terminal. Inspired by this guide.
  • yelp/osxcollector - Forensic evidence collection & analysis toolkit for OS X.
  • The Eclectic Light Company - Downloads - A collection of useful diagnostics and control applications and utilities for macOS.
  • Pareto Security - A MenuBar app to automatically audit your Mac for basic security hygiene.

Additional resources

informant : https://themedipia.com
Category : Website hosting

Leave a Reply

Your email address will not be published.