Top Related Projects
Guide to securing and improving privacy on macOS
Use your macOS terminal shell to do awesome things.
:wrench: .files, including ~/.macos — sensible hacker defaults for macOS
macOS Security Compliance Project
Easily configure macOS security settings from the terminal.
Quick Overview
osx-config-check is a shell script designed to check and analyze the security configuration of macOS systems. It performs various checks on system settings, security features, and installed software to identify potential vulnerabilities and provide recommendations for improving the overall security posture of the Mac.
Pros
- Comprehensive security checks covering a wide range of macOS settings and features
- Provides detailed explanations and recommendations for each identified issue
- Regularly updated to include checks for the latest macOS versions and security concerns
- Open-source project with community contributions and support
Cons
- Limited to macOS systems, not applicable for other operating systems
- Requires some technical knowledge to interpret and implement the recommendations
- May produce false positives or outdated recommendations if not regularly maintained
- Does not automatically fix issues, requiring manual intervention for remediation
Getting Started
To use osx-config-check:
- Clone the repository:
  git clone https://github.com/kristovatlas/osx-config-check.git
- Navigate to the project directory:
  cd osx-config-check
- Run the script with sudo privileges:
  sudo ./osx-config-check
- Review the output and follow the recommendations to improve your Mac's security configuration.
Competitor Comparisons
Guide to securing and improving privacy on macOS
Pros of macOS-Security-and-Privacy-Guide
- Comprehensive guide covering a wide range of security and privacy topics
- Regularly updated with community contributions
- Includes detailed explanations and rationale for each recommendation
Cons of macOS-Security-and-Privacy-Guide
- Requires manual implementation of security measures
- May be overwhelming for beginners due to its extensive content
- Lacks automated checks or scripts for easy implementation
Code Comparison
macOS-Security-and-Privacy-Guide doesn't provide specific code snippets, as it's primarily a text-based guide. In contrast, osx-config-check offers automated checks using shell scripts. For example:
osx-config-check:
    function check_ntp_enabled {
        if [ "$ENABLE_NTP" = true ]; then
            if /usr/sbin/systemsetup -getusingnetworktime | grep -q "Network Time: On"; then
                pass "$CHECK_NAME"
            else
                fail "$CHECK_NAME"
            fi
        fi
    }
macOS-Security-and-Privacy-Guide provides instructions like:
To enable NTP:
    sudo systemsetup -setnetworktimeserver time.apple.com
    sudo systemsetup -setusingnetworktime on
The main difference is that osx-config-check automates the checking process, while macOS-Security-and-Privacy-Guide provides manual instructions for users to implement security measures themselves.
Use your macOS terminal shell to do awesome things.
Pros of awesome-macos-command-line
- Comprehensive collection of macOS command-line tools and tips
- Well-organized into categories for easy navigation
- Regularly updated with new commands and features
Cons of awesome-macos-command-line
- Lacks automated security checks and configuration
- No built-in scripting for applying recommended settings
- Requires manual implementation of commands
Code Comparison
osx-config-check:
    import os

    def check_ssh_config():
        # Look for the per-user OpenSSH client configuration
        ssh_config = os.path.join(os.path.expanduser('~'), '.ssh', 'config')
        if os.path.isfile(ssh_config):
            with open(ssh_config, 'r') as f:
                content = f.read()
            # Roaming must be explicitly disabled when a config file exists
            if 'UseRoaming no' not in content:
                return False
        return True
awesome-macos-command-line:
    # Disable SSH key roaming
    echo "UseRoaming no" >> ~/.ssh/config
The osx-config-check repository provides a Python script to check and enforce security configurations on macOS systems. It offers automated checks and recommendations for improving system security.
In contrast, awesome-macos-command-line is a curated list of useful command-line tools and commands for macOS. It serves as a reference guide for users to manually implement various system configurations and optimizations.
While osx-config-check focuses on security and automation, awesome-macos-command-line offers a broader range of commands and utilities for general system management and productivity. Users may find value in combining both resources for a comprehensive approach to macOS configuration and management.
:wrench: .files, including ~/.macos — sensible hacker defaults for macOS
Pros of dotfiles
- Comprehensive configuration for multiple tools and environments
- Active community with frequent updates and contributions
- Highly customizable with modular structure
Cons of dotfiles
- Potentially overwhelming for beginners due to extensive options
- May require more manual intervention to tailor to specific needs
Code Comparison
osx-config-check:
    function check_ssh_config {
        config_file="$HOME/.ssh/config"
        if [ ! -f "$config_file" ]; then
            warn "SSH config file not found."
            return
        fi
    }
dotfiles:
    # SSH config
    Host *
        AddKeysToAgent yes
        UseKeychain yes
        IdentityFile ~/.ssh/id_rsa
The osx-config-check repository focuses on checking existing configurations, while dotfiles provides ready-to-use configurations. osx-config-check's code snippet checks for the existence of an SSH config file, whereas dotfiles directly provides a sample SSH configuration.
osx-config-check is specifically tailored for macOS security checks, while dotfiles offers a broader range of configurations for various tools and platforms. dotfiles is more suitable for users looking to set up a comprehensive development environment, while osx-config-check is ideal for those focusing on macOS security audits.
macOS Security Compliance Project
Pros of macos_security
- Comprehensive coverage of macOS security configurations
- Regularly updated to align with the latest NIST guidelines
- Includes detailed explanations and rationale for each security setting
Cons of macos_security
- More complex implementation, requiring deeper technical knowledge
- Less user-friendly interface compared to osx-config-check
- Focuses primarily on enterprise environments, which may be overkill for individual users
Code Comparison
osx-config-check:
    #!/bin/bash
    function check_ssh_config {
        if [ ! -e "$HOME/.ssh/config" ]; then
            echo "OK: SSH config file not found."
            return
        fi
    }
macos_security:
    import os

    def check_ssh_config():
        ssh_config = os.path.expanduser('~/.ssh/config')
        if not os.path.exists(ssh_config):
            print("SSH config file not found.")
            return
Both projects aim to enhance macOS security, but macos_security offers a more comprehensive and up-to-date approach, aligning with NIST guidelines. However, it may be more suitable for enterprise environments, while osx-config-check provides a simpler solution for individual users. The code comparison shows that macos_security uses Python, potentially offering more flexibility, while osx-config-check uses Bash scripting for its checks.
Easily configure macOS security settings from the terminal.
Pros of Stronghold
- More actively maintained with recent updates
- Offers a user-friendly command-line interface for easier configuration
- Provides more comprehensive security features, including FileVault encryption and firmware password setup
Cons of Stronghold
- May be overwhelming for less experienced users due to its extensive options
- Lacks some of the granular checks present in osx-config-check
Code Comparison
Stronghold:
    def prompt_with_default(message, default="y"):
        if default.lower() in ("y", "yes"):
            prompt = f"{message} [Y/n]: "
        elif default.lower() in ("n", "no"):
            prompt = f"{message} [y/N]: "
        else:
            prompt = f"{message} [y/n]: "
        user_input = input(prompt).strip().lower()
        if user_input == "":
            return default.lower()
        else:
            return user_input
osx-config-check:
    import getpass
    import subprocess
    import sys

    def prompt_sudo():
        sudo_pass = getpass.getpass("This script requires sudo privileges. Please enter your sudo password: ")
        # -S makes sudo read the password from stdin instead of the terminal
        cmd = "sudo -S echo 'sudo authenticated'"
        p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
        stdout, stderr = p.communicate(sudo_pass.encode('utf-8'))
        if p.returncode != 0:
            print("Failed to authenticate sudo")
            sys.exit(1)
Both repositories aim to enhance macOS security, but Stronghold offers a more user-friendly approach with broader features, while osx-config-check provides more detailed checks for specific configurations.
README
osx-config-check
Checks your OSX machine against various hardened configuration settings.
You can specify your own preferred configuration baseline by supplying your own Hjson file instead of the provided one.
Disclaimer
The authors of this tool are not responsible if running it breaks stuff; disabling features of your operating system and applications may disrupt normal functionality.
Once applied, the security configurations do not guarantee security. You will still need to make good decisions in order to stay secure. The configurations will generally not help you if your computer has been previously compromised.
Configurations come from sites like:
Usage
You should download and run this application once for each OS X user account you have on your machine. Each user may be configured differently, and so each should be audited.
Download this app using Git, GitHub Desktop, or the "download as zip" option offered by GitHub. If you choose the zip option, unarchive the zip file after.
In the Terminal application, navigate to the directory that contains this app. You can use the cd command (see example below) to change directories. If you've downloaded the file to your "Downloads" directory, you might find the app here:
cd ~/Downloads/osx-config-check
If that directory doesn't exist because the folder you retrieved is named slightly differently (such as 'osx-config-check-master' or 'osx-config-check-1.0.0'), you can always type in a portion of the directory name and hit the [TAB] key in Terminal to auto-complete the rest.
Next run the app as follows:
python app.py
This will take you through a series of interactive steps that check your machine's configuration and offer to fix misconfigurations for you.
Intermediate users and advanced users can also invoke various command-line arguments:
    Usage: python app.py [OPTIONS]

    OPTIONS:
      --debug-print       Enables verbose output for debugging the tool.
      --report-only       Only reports on compliance and does not offer to fix broken configurations.
      --disable-logs      Refrain from creating a log file with the results.
      --disable-prompt    Refrain from prompting user before applying fixes.
      --skip-sudo-checks  Do not perform checks that require sudo privileges.
      --help -h           Print this usage information.
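To make the flow concrete, here is an added example (not osx-config-check's own code) of a small baseline-driven checker that mirrors the --report-only and --skip-sudo-checks behaviour described above and reproduces the "CHECK #n ... PASSED!" lines and the percentage summary shown in the sample output that follows. It assumes plain JSON as a stand-in for the tool's Hjson baseline, and the three baseline entries, their commands and expected output patterns are constructed for illustration.

```python
# Added example, not osx-config-check's code: a baseline-driven checker
# that mirrors the tool's --report-only flow. Plain JSON stands in for the
# tool's Hjson baseline; the entries below are constructed for illustration.
import json
import re
import subprocess
from dataclasses import dataclass

# "expect" is a regex the command's output must match for the check to pass.
BASELINE = json.loads("""[
  {"description": "Remote login is disabled.", "sudo": true,
   "command": "/usr/sbin/systemsetup -getremotelogin", "expect": "Remote Login: Off"},
  {"description": "Automatic setting of time and date is disabled.", "sudo": true,
   "command": "/usr/sbin/systemsetup -getusingnetworktime", "expect": "Network Time: Off"},
  {"description": "Hidden files are displayed in Finder.", "sudo": false,
   "command": "defaults read com.apple.finder AppleShowAllFiles", "expect": "^(1|YES|true)$"}
]""")

@dataclass
class Result:
    description: str
    status: str  # PASSED, FAILED or SKIPPED, as in the sample output

def evaluate(check, output):
    """Decide PASSED/FAILED from captured command output alone."""
    return "PASSED" if re.search(check["expect"], output.strip(), re.M) else "FAILED"

def _run_command(command):
    # Commands come from the trusted baseline file (as in the real tool),
    # so they are handed to the shell unchanged.
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr

def run_check(check, skip_sudo=False, runner=_run_command):
    """Run one check, honouring --skip-sudo-checks; 'runner' is injectable."""
    if skip_sudo and check.get("sudo"):
        return Result(check["description"], "SKIPPED")
    try:
        output = runner(check["command"])
    except (OSError, KeyError):  # binary missing, or no canned output
        return Result(check["description"], "FAILED")
    return Result(check["description"], evaluate(check, output))

def format_lines(results):
    """Render results like the README's 'CHECK #n: ... PASSED!' lines."""
    return [f"CHECK #{i}: {r.description}... {r.status}!"
            for i, r in enumerate(results, start=1)]

def summarize(results):
    """Tally the summary block; in --report-only mode every failure is
    'failed and fix skipped'. Returns the 'count (percent%)' strings."""
    total = len(results)
    passed = sum(r.status == "PASSED" for r in results)
    skipped = sum(r.status == "SKIPPED" for r in results)
    failed = total - passed - skipped

    def pct(n):
        share = 100.0 * n / total if total else 0.0
        return f"{n} ({share:.2f}%)"

    return {"passed": pct(passed),
            "failed_or_skipped": pct(failed + skipped),
            "failed_fix_skipped": pct(failed),
            "skipped": pct(skipped)}

if __name__ == "__main__":
    results = [run_check(c) for c in BASELINE]
    print("\n".join(format_lines(results)))
    for label, value in summarize(results).items():
        print(f"{label}: {value}")
```

Run on a Mac it executes the baseline commands; elsewhere, pass a `runner` that returns canned output to exercise the evaluation and tally logic offline.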
Sample Output
osx-config-check v1.1.0 (ivysaur)
Download the latest copy of this tool at: https://github.com/kristovatlas/osx-config-check
Report bugs/issues:
* GitHub: https://github.com/kristovatlas/osx-config-check/issues
* Twitter: https://twitter.com/kristovatlas
------------------------------------------------------------------------------------------
CHECK #1: Homebrew is installed.... PASSED!
CHECK #2: Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)... PASSED!
CHECK #3: Java Runtime Environment is up to date.... PASSED!
CHECK #4: The System Preferences application is currently closed.... PASSED!
CHECK #5: Current user is a non-admin account.... FAILED!
CHECK #6: The OSX application firewall is enabled (system-wide).... PASSED!
CHECK #7: The OSX application firewall is enabled (current user only).... PASSED!
CHECK #8: A password is required to wake the computer from sleep or screen saver (system-wide).... PASSED!
CHECK #9: A password is required to wake the computer from sleep or screen saver (current user only).... PASSED!
CHECK #10: There is no delay between starting the screen saver and locking the machine (system-wide).... PASSED!
CHECK #11: There is no delay between starting the screen saver and locking the machine (current user only).... PASSED!
CHECK #12: Logging is enabled for the operating system.... PASSED!
CHECK #13: Homebrew analytics are disabled.... PASSED!
CHECK #14: Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)... PASSED!
CHECK #15: Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)... PASSED!
CHECK #16: Automatic whitelisting of Apple-signed applications through the firewall is disabled (system-wide).... PASSED!
CHECK #17: Automatic whitelisting of Apple-signed applications through the firewall is disabled (current user only).... PASSED!
CHECK #18: Captive portal for connecting to new networks is disabled to prevent MITM attacks.... PASSED!
CHECK #19: OpenSSL is up to date.... PASSED!
CHECK #20: Hidden files are displayed in Finder.... PASSED!
CHECK #21: All application software is currently up to date.... PASSED!
CHECK #22: Automatic check for software updates is enabled.... SKIPPED!
CHECK #23: GateKeeper protection against untrusted applications is enabled.... PASSED!
CHECK #24: Bluetooth is disabled.... FAILED!
CHECK #25: The infrared receiver is disabled.... PASSED!
CHECK #26: AirDrop file sharing is disabled.... PASSED!
CHECK #27: File sharing is disabled.... PASSED!
CHECK #28: Printer sharing is disabled.... PASSED!
CHECK #29: Remote login is disabled.... FAILED!
CHECK #30: Remote Management is disabled.... PASSED!
CHECK #31: Remote Apple events are disabled.... FAILED!
CHECK #32: Internet Sharing is disabled on all network interfaces.... PASSED!
CHECK #33: Wake on Network Access feature is disabled.... FAILED!
CHECK #34: Automatic setting of time and date is disabled.... FAILED!
CHECK #35: IPv6 is disabled on all network interfaces.... PASSED!
CHECK #36: An administrator password is required to change system-wide preferences.... PASSED!
CHECK #37: Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)... PASSED!
CHECK #38: The File Vault key is protected when going to standby mode.... PASSED!
CHECK #39: The system will store a copy of memory to persistent storage, and will remove power to memory.... PASSED!
CHECK #40: git is up to date or is not installed... PASSED!
CHECK #41: Apple Push Notifications are disabled.... PASSED!
CHECK #42: Google DNS servers are used by default on all network interfaces.... PASSED!
CHECK #43: The curl utility is up to date or absent from the system.... PASSED!
CHECK #44: FileVault file system encryption is enabled.... PASSED!
CHECK #45: FileVault file system encryption is enabled at the root directory.... PASSED!
CHECK #46: The idle timer for screen saver activation is set to 10 minutes or less.... PASSED!
CHECK #47: System Integrity Protection (SIP) is enabled.... PASSED!
CHECK #48: The Safari application is currently closed.... PASSED!
CHECK #49: Safari will not auto-fill credit card data.... PASSED!
CHECK #50: Safari will not auto-fill your contact data.... PASSED!
CHECK #51: Safari will not auto-fill miscellaneous forms.... PASSED!
CHECK #52: Safari will not auto-fill usernames or passwords.... PASSED!
CHECK #53: Files downloaded in Safari are not automatically opened.... PASSED!
CHECK #54: Cookies and local storage are always blocked in Safari.... PASSED!
CHECK #55: Safari extensions are disabled.... PASSED!
CHECK #56: The Safari web browser will warn when visiting known fraudulent websites.... PASSED!
CHECK #57: JavaScript is disabled in the Safari web browser.... PASSED!
CHECK #58: JavaScript is disabled in the Safari web browser (Legacy version).... PASSED!
CHECK #59: Pop-up windows are blocked in the Safari web browser.... PASSED!
CHECK #60: Pop-up windows are blocked in the Safari web browser (Legacy version).... PASSED!
CHECK #61: The WebGL plug-in is disabled in the Safari web browser.... PASSED!
CHECK #62: Plug-ins are disabled in the Safari web browser.... PASSED!
CHECK #63: Plug-ins are disabled in the Safari web browser (Legacy version).... PASSED!
CHECK #64: Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.... PASSED!
CHECK #65: The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.... PASSED!
CHECK #66: The Java plug-in is disabled in the Safari web browser.... PASSED!
CHECK #67: The Java plug-in is disabled in the Safari web browser (Legacy version).... PASSED!
CHECK #68: The Safari web browser is configured to treat SHA-1 certificates as insecure.... PASSED!
CHECK #69: The Safari web browser will not pre-load webpages that rank highly as search matches.... PASSED!
CHECK #70: The Safari web browser will not include search engine suggestions for text typed in the location bar.... PASSED!
CHECK #71: The Safari web browser's search suggestions are disabled.... PASSED!
CHECK #72: The Safari web browser uses the Do-Not-Track HTTP header.... PASSED!
CHECK #73: PDF viewing is disabled in the Safari web browser.... PASSED!
CHECK #74: Full website addresses are displayed in the location bar of the Safari web browser.... PASSED!
CHECK #75: The Mail application is currently closed.... PASSED!
CHECK #76: Apple Mail does not automatically load remote content in e-mails.... PASSED!
CHECK #77: Mail identified by Apple Mail as junk is sent to the Junk mailbox.... PASSED!
CHECK #78: GPGMail is in use.... PASSED!
CHECK #79: New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.... PASSED!
CHECK #80: New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.... PASSED!
CHECK #81: New e-mails composed in Apple Mail are signed by GPGMail.... PASSED!
CHECK #82: Apple Mail automatically checks for updates to GPGMail.... PASSED!
CHECK #83: The Google Chrome browser is currently closed.... FAILED!
CHECK #84: All Google Chrome web browser profiles prevent information leakage through navigation errors.... PASSED!
CHECK #85: All Google Chrome web browser profiles prevent information leakage through URL suggestions.... PASSED!
CHECK #86: All Google Chrome web browser profiles prevent information leakage through network prediction.... PASSED!
CHECK #87: All Google Chrome web browser profiles prevent information leakage by blocking security incidents reports to Google.... FAILED!
CHECK #88: All Google Chrome web browser profiles have Google Safe Browsing enabled.... FAILED!
CHECK #89: All Google Chrome web browser profiles prevent information leakage through spell-checking network services.... FAILED!
CHECK #90: All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.... PASSED!
CHECK #91: All Google Chrome web browser profiles use the Do-Not-Track HTTP header.... PASSED!
CHECK #92: All Google Chrome web browser profiles prevent pop-ups.... PASSED!
CHECK #93: All Google Chrome web browser profiles prevent geolocation by websites.... PASSED!
CHECK #94: All Google Chrome web browser profiles block unsandboxed plug-in software.... PASSED!
CHECK #95: All Google Chrome web browser profiles prevent filling personal information into forms automatically.... PASSED!
CHECK #96: All Google Chrome web browser profiles have disabled Password Manager.... FAILED!
CHECK #97: All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.... FAILED!
CHECK #98: All Google Chrome web browser profiles have disabled Google CloudPrint.... PASSED!
CHECK #99: All Google Chrome web browser profiles block Flash cookies.... PASSED!
CHECK #100: All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.... PASSED!
CHECK #101: All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.... FAILED!
CHECK #102: All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.... PASSED!
CHECK #103: All Google Chrome web browser profiles have disabled the Native Client plug-in.... FAILED!
CHECK #104: All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.... PASSED!
CHECK #105: All Google Chrome web browser profiles have enabled the uBlock Origin extension.... FAILED!
CHECK #106: All Google Chrome web browser profiles have enabled the Ghostery extension.... FAILED!
CHECK #107: All Google Chrome web browser profiles have enabled the ScriptSafe extension.... FAILED!
CHECK #108: Google Chrome is the default web browser.... PASSED!
CHECK #109: OSX/Keydnap malware is not present.... PASSED!
Configurations passed total: 91 (83.49%)
Configurations failed or skipped total: 18 (16.51%)
Configurations passed without applying fix: 91 (83.49%)
Configurations passed after applying fix: 0 (0.00%)
Configurations failed and fix failed: 0 (0.00%)
Configurations failed and fix skipped: 17 (15.60%)
Configurations failed and fix declined: 0 (0.00%)
Configuration checks skipped: 1 (0.92%)
Wrote results to '~/Documents/osx-config-check_2016-09-15_17-44-48.log'. Please review the contents before submitting them to third parties, as they may contain sensitive information about your system.
==========================
Troubleshooting
Errors related to "sudo" or "sudoers"
If you receive an error message referencing these terms, the user you are currently logged in as may not be permitted to temporarily assume elevated privileges, preventing this tool from fully auditing and/or fixing your user's configuration. If you have added a non-Administrator user to your machine to help secure it, you will find that your non-Administrator user is not part of the "sudoers" list by default. To learn about how to add your user to the "sudoers" list, please refer to this link.
Trouble Connecting to Wi-Fi
This tool encourages users to use DNS servers run by the Google corporation. This can break some wi-fi networks that use "active portals" to login, like those found at cafes, airports, etc. If you're having trouble connecting to a wi-fi network after using this tool, please use the "dns_helper" tool included. From the terminal application, run:
bash dns_helper.sh
And follow the instructions on the screen carefully.
Something in OS X broke!
A few users have observed that features like screen saver activation with hot corners stopped working after applying configuration fixes. These problems have so far been remedied simply by restarting the system.
Contributing
Please read CONTRIBUTING.md before submitting pull requests to the repository.
Similar Projects
Contributors
- Kristov Atlas (maintainer)