Apple OS X El Capitan (10.11) Secure Configuration Guide

securemac
This configuration guide is based on the DISA Apple OS 10.11 STIG version 1 release 1 (http://iase.disa.mil/stigs/os/mac/Pages/index.aspx, DoD PKI required), and a little bit of common sense information security. This guide is set up with the relevant DISA STIG configuration item, the commands to check for compliance, and the commands to fix non-compliant machines.
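As an added example (not part of the original guide), a small shell runner for the check/fix pairs that follow: each item takes a name, a check command (exit 0 = compliant) and a fix command, and reports with the guide's own [PASSED]/[FIXED ] tags. The function names are my own; the two sample commands are taken from the guide and only run on a Mac.

```shell
#!/bin/sh
# Runner for the guide's check/fix pairs. CHECK exits 0 when compliant; FIX is
# only run in "remediate" mode, after which CHECK is run again. Counters let a
# wrapper exit non-zero if anything is still non-compliant after the run.
PASS=0; FAIL=0; FIXED=0

# stig_item NAME CHECK FIX [audit|remediate] -> returns 0 if compliant at end
stig_item() {
    item_name=$1; item_check=$2; item_fix=$3; item_mode=${4:-audit}
    if sh -c "$item_check" >/dev/null 2>&1; then
        PASS=$((PASS + 1)); printf '[PASSED] %s\n' "$item_name"; return 0
    fi
    if [ "$item_mode" != "remediate" ]; then
        FAIL=$((FAIL + 1)); printf '[FAILED] %s\n' "$item_name"; return 1
    fi
    sh -c "$item_fix" >/dev/null 2>&1
    if sh -c "$item_check" >/dev/null 2>&1; then
        FIXED=$((FIXED + 1)); printf '[FIXED ] %s\n' "$item_name"; return 0
    fi
    FAIL=$((FAIL + 1)); printf '[FAILED] %s (fix did not take)\n' "$item_name"; return 1
}

# stig_summary -> prints the tally; returns 1 if any item is still failing
stig_summary() {
    printf 'passed=%d fixed=%d failed=%d\n' "$PASS" "$FIXED" "$FAIL"
    [ "$FAIL" -eq 0 ]
}

# Sample audit over two of the guide's items. The commands are macOS-only,
# so the sample is skipped on other platforms (the functions still load).
if [ "$(uname)" = Darwin ]; then
    stig_item "Disable Bluetooth" \
        "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState | grep -qx 0" \
        "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0" \
        audit || true
    stig_item "Enable Firewall Stealth Mode" \
        "/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -q 'Stealth mode enabled'" \
        "sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on" \
        audit || true
    stig_summary || true
fi
```

Run it in audit mode first and review the [FAILED] lines before switching any item to remediate, since most fixes need sudo.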

  • Check for FIPS 140 compliant Apple OS X CoreCrypto Module. Apple CryptoCore v6.0 is FIPS 140-2 compliant on Intel i5, Xeon, and Core M processors only (note: does not include older Apple products circa 2009 running Core 2 Duo)

Minimum specs for CryptoCore 6.0: 2267 MHz clock, 1066 MHz bus, clock multiplier 8.5, L1 cache 64 kb code/ 64 kb data (8-way associative, direct-mapped, 64 byte line size, 2 x 32 kb), L2 3072 kb (direct-mapped, 12-way associative), no L3, 2 cores, 2 threads, -AES, +AMD64/EM64T, +MMX, +SSE, +SSE2, +SSE3, +SSE4.1, -SSE4.2, +SSSE3, -HT, +PowerNow!, -TrustedExecution, -TurboCore, -Virtualization, +VirusProtection, -GPU

  • Verify all application software is current
  • LASTUPDATE=$(sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* "\([0-9-]*\) .*$@\1@'); if [ "$LASTUPDATE" = "$(date +%Y-%m-%d)" ]; then exit 0; fi; exit 1
  • sudo softwareupdate -i -a
  • Enable Auto Update
  • sudo softwareupdate --schedule | grep 'Automatic check is on'
  • sudo softwareupdate --schedule on
  • Disable Bluetooth
  • defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState | grep 0
  • sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0; sudo killall -HUP blued
  • FIPS 140: check for the FIPS 140 daemon (n/a for older hardware); these files should be present:
    • /System/Library/LaunchDaemons/com.apple.fipspost.plist
    • /usr/libexec/cc_fips_test
    • /usr/sbin/fips
  • [PASSED] Disable infrared receiver
  • defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled | grep 0
  • sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -int 0
  • Disable AirDrop
  • defaults read com.apple.NetworkBrowser DisableAirDrop | grep 1
  • defaults write com.apple.NetworkBrowser DisableAirDrop -bool YES
  • Set time and date automatically
  • sudo systemsetup -getusingnetworktime | grep 'Network Time: On'
  • sudo systemsetup -setusingnetworktime on
  • Set an inactivity interval of 10 minutes (600 seconds) or less for the screen saver
  • UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID | sed -e 's/^.*"\(.*\)"$/\1/'); for i in $(find /Users -maxdepth 1 -type d); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e "$PREF.plist" ]; then TIMEOUT=$(defaults read "$PREF.plist" idleTime) && if [ "$TIMEOUT" -eq 0 ] || [ "$TIMEOUT" -gt 600 ]; then exit 1; fi; fi; done; exit 0
  • UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID | sed -e 's/^.*"\(.*\)"$/\1/'); for i in $(find /Users -maxdepth 1 -type d); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e "$PREF.plist" ]; then defaults -currentHost write "$PREF.plist" idleTime -int 600; fi; done
  • [PASSED] Enable secure screen saver corners
  • for i in $(find /Users -maxdepth 1 -type d); do PREF=$i/Library/Preferences/com.apple.dock.plist; if [ -e "$PREF" ]; then CORNER=$(defaults read "$PREF" | grep corner | grep ' 6;') && if [ -n "$CORNER" ]; then exit 1; fi; fi; done; exit 0
  • for i in $(find /Users -maxdepth 1 -type d); do PREF=$i/Library/Preferences/com.apple.dock.plist; if [ -e "$PREF" ]; then for C in tl tr bl br; do if [ "$(defaults read "$PREF" wvous-$C-corner 2>/dev/null)" = 6 ]; then defaults write "$PREF" wvous-$C-corner -int 5; fi; done; fi; done; killall Dock
  • Require a password to wake the computer from sleep or screen saver
  • defaults read com.apple.screensaver askForPassword | grep 1
  • defaults write com.apple.screensaver askForPassword -int 1
  • Ensure screen locks immediately when requested
  • defaults read com.apple.screensaver askForPasswordDelay | grep -x 0
  • defaults write com.apple.screensaver askForPasswordDelay -int 0
  • Disable Remote Apple Events
  • sudo systemsetup -getremoteappleevents | grep "Remote Apple Events: Off"
  • sudo systemsetup -setremoteappleevents off
  • Disable Internet Sharing
  • if [ -e /Library/Preferences/SystemConfiguration/com.apple.nat.plist ]; then NAT=$(defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -i "Enabled = 1") && if [ -n "$NAT" ]; then exit 1; fi; fi; exit 0
  • sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -int 0
  • Disable Screen Sharing
  • if [ -n "$(sudo launchctl list | grep com.apple.screensharing)" ]; then exit 1; fi; exit 0
  • sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
  • Disable Printer Sharing
  • if [ -n "$(system_profiler SPPrintersDataType | grep Shared | grep Yes)" ]; then exit 1; fi; exit 0
  • sudo cupsctl --no-share-printers
  • [FIXED ] Disable Wake on Network Access
  • sudo systemsetup -getwakeonnetworkaccess | grep "Wake On Network Access: Off"
  • sudo systemsetup -setwakeonnetworkaccess off
  • Disable File Sharing
  • if [ -n "$(sudo launchctl list | grep AppleFileServer)" ]; then exit 1; fi; if [ -n "$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist 2>/dev/null)" ]; then exit 1; fi; exit 0
  • sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
  • Disable Remote Management
  • if [ -n "$(ps -ef | grep '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent')" ]; then exit 1; fi; exit 0
  • sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
  • Enable FileVault
  • diskutil cs list | grep -i "Encryption Status: Unlocked"
  • sudo fdesetup enable
    • enter user name and password
    • save the recovery key in a secure location (outside the encrypted filespace, e.g. external USB drive, printed and locked away, or encrypted and e-mailed)
  • fdesetup can also be automated for distribution:
    • <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
      <key>Username</key>
      <string>username</string>
      <key>Password</key>
      <string>password</string>
      <key>AdditionalUsers</key>
      <array>
          <dict>
              <key>Username</key>
              <string>username</string>
              <key>Password</key>
              <string>password</string>
          </dict>
          <dict>
              <key>Username</key>
              <string>username</string>
              <key>Password</key>
              <string>password</string>
          </dict>
      </array>
      </dict>
      </plist>
    • sudo fdesetup enable -inputplist < /path/to/filename.plist (the plist holds the account passwords in clear text; delete it securely once enrollment completes)
  • Destroy FileVault key when going to standby
    • The FileVault key is kept in memory across standby for rapid recovery when coming out of standby. Most users will not care about this setting. Skip this step at your own risk.
  • pmset -g | grep DestroyFVKeyOnStandby | grep 1
  • sudo pmset -a destroyfvkeyonstandby 1
  • Enable hibernation mode (no memory power on sleep)
    • Other sites (e.g. MacWorld) have recommended setting the hibernate mode flag to 0, 3, or 5. The hibernatemode value is a bit mask; each bit means:
      • x xxxx xxx1 (bit 0, value 1): enable hibernate, suspend to disk, write the sleep image file. By contrast, hibernatemode 0 (0000 0000) means RAM stays powered with safe sleep disabled, for faster wake.
      • x xxxx xx1x (bit 1, value 2): safe sleep, suspend to RAM first and hibernate when the battery level is critical. hibernatemode 2 (0000 0010) means RAM contents are written to disk and RAM is shut down.
      • x xxxx x1xx (bit 2, value 4): sleepimage file encryption.
      • x xxxx 1xxx (bit 3, value 8): the dynamic pager pages out inactive pages prior to hibernation, for a smaller memory footprint. hibernatemode 8 (0000 1000) is the default: RAM stays powered, but its contents are written to disk before sleeping.
      • x xxx1 xxxx (bit 4, value 16): "encourages the dynamic pager to page out more aggressively prior to hibernation, for a smaller memory footprint." hibernatemode 16 (0001 0000).
      • x xx1x xxxx (bit 5, value 32): set "boot-switch-vars", useful for CloverEFI on some Hackintosh builds. hibernatemode 32 (0010 0000). Same as mode 1 for users with secure virtual memory (System Preferences > Security).
      • x x1xx xxxx (bit 6, value 64): restart the machine after writing the sleepimage.
      • x 1xxx xxxx (bit 7, value 128): SSD mode invert. hibernatemode 128 (1000 0000) is the same as mode 8 for users with secure virtual memory (System Preferences > Security).
      • 1 xxxx xxxx (bit 8, value 256): dynamic sleepimage size.
    • 0 0001 1001: hibernatemode 25 (bits 0, 3 and 4, i.e. 1 + 8 + 16) is only settable via pmset. The system will store a copy of memory to persistent storage (the disk) and will remove power to memory; on wake it restores from the disk image. If you want "hibernation" (slower sleeps, slower wakes, and better battery life), use this setting.
  • pmset -g | grep hibernatemode | grep 25
  • sudo pmset -a hibernatemode 25
  • Enable Gatekeeper
  • spctl --status | grep "assessments enabled"
  • sudo spctl --master-enable
  • Enable Firewall
  • test "$(defaults read /Library/Preferences/com.apple.alf globalstate)" -ge 1
  • sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
  • Enable Firewall Stealth Mode
  • /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep "Stealth mode enabled"
  • sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
  • [MANUAL VERIFICATION] Disable signed apps from being auto-permitted to listen through firewall: System Preferences > Security & Privacy > Firewall > Firewall Options, uncheck "Automatically allow signed software to receive incoming connections"
  • Disable iCloud drive
  • if [ -n "$(defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud | grep -x 0)" ]; then exit 0; fi; exit 1
  • defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
  • Require an administrator password to access system-wide preferences
  • if [ -n "$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep false)" ]; then exit 0; fi; exit 1
  • security authorizationdb read system.preferences > /tmp/system.preferences.plist && /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist && sudo security authorizationdb write system.preferences < /tmp/system.preferences.plist
  • Disable IPv6
    • IPv6 (RFC 2460) can be secured on a network built from the ground up to support IPv6. For networks with a mix of IPv6 and IPv4 implementations, the security measures inherent to IPv6 will essentially be ignored and likely exploited by intruders who have sniffed out the mixed network. RFC 7123 walks through potential security mitigation techniques for a hybrid network. Example concerns:
      • NIDS configured for IPv4 will likely miss attacks in IPv6.
      • Firewalls may lack the ability to enforce policies in IPv6 and IPv4 at the same Grade of Protection (GoP) with the same Level of Confidence (LoC).
      • Known transition/coexistence vulnerabilities between the two protocols could result in protected IPv4 connections becoming globally reachable via IPv6.
      • VPN policy is difficult to enforce over IPv6 when the VPN is deployed on a dual-stacked host.
      • Summary: disable IPv6 or build IPv6 from the ground up with temporary tunneling of IPv4 through IPv6 until the network is entirely single-stack hosted IPv6.
  • networksetup -listallnetworkservices | tail -n +2 | while read i; do SUPPORT=$(networksetup -getinfo "$i" | grep "IPv6: Automatic") && if [ -n "$SUPPORT" ]; then exit 1; fi; done && exit 0; exit 1
  • networksetup -listallnetworkservices | tail -n +2 | while read i; do SUPPORT=$(networksetup -getinfo "$i" | grep "IPv6: Automatic") && if [ -n "$SUPPORT" ]; then sudo networksetup -setv6off "$i"; fi; done
  • Disable Previews
  • defaults read /Library/Preferences/com.apple.finder.plist | grep ShowIconThumbnails | grep 0
  • for KEY in StandardViewOptions:ColumnViewOptions:ShowIconThumbnails StandardViewSettings:ListViewSettings:showIconPreview StandardViewSettings:IconViewSettings:showIconPreview StandardViewSettings:ExtendedListViewSettings:showIconPreview StandardViewOptions:ColumnViewOptions:ShowPreview StandardViewSettings:ListViewSettings:showPreview StandardViewSettings:IconViewSettings:showPreview StandardViewSettings:ExtendedListViewSettings:showPreview; do sudo /usr/libexec/PlistBuddy -c "Add $KEY bool NO" /Library/Preferences/com.apple.finder.plist 2>/dev/null || sudo /usr/libexec/PlistBuddy -c "Set $KEY NO" /Library/Preferences/com.apple.finder.plist; done
  • Secure Safari by crippling it
    • Use Chrome or Firefox instead.
  • defaults read com.apple.Safari WebKitOmitPDFSupport | grep 1
  • defaults write com.apple.Safari WebKitOmitPDFSupport -bool YES && defaults write com.apple.Safari WebKitJavaScriptEnabled -bool FALSE && defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool FALSE
  • [PASSED] Disable automatic loading of remote content by Mail.app
    • Consider webmail instead or external mail appliance
  • defaults read com.apple.mail-shared DisableURLLoading | grep 1
  • defaults write com.apple.mail-shared DisableURLLoading -bool true
  • Disable Captive Portal
    • The Captive Portal is a nuisance and a security concern: /System/Library/CoreServices/Captive Network Assistant.app.
    • Captive Portal will sometimes cache bad information. Try dscacheutil -flushcache
  • defaults read /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist | grep "Active = 0"
  • sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false
  • Enable logging
    • Good security measure for post-attack forensics.
  • defaults read /Library/Preferences/com.apple.alf loggingenabled | grep 1
  • sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true
  • [MANUAL VERIFICATION] Login/Apple ID and password
    • Apple sends clear text messages containing the name of the Apple OS X system to the Apple ID email address. For this reason, Apple OS X system names should not reveal a DoD affiliation, PII, or other sensitive information.
    • Passwords must:
      • Be at least 15 characters long
      • Contain at least one upper-case alphabetic character
      • Have at least one lower-case alphabetic character
      • Have at least one numeric character
      • Have at least one "special" character (e.g. ~!@#$%^&*()_+=-'[]/?><)
  • echo "password" | cracklib-check (cracklib is not shipped with OS X; install it from a third-party package manager)
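As an added example (not from the guide), a shell decoder for the hibernatemode bit table above: it reads the current value out of `pmset -g` output, lists which bits are set, and tests the value against the guide's target of 25. The function names and the sample `pmset -g` lines are my own; the bit meanings follow the guide's table.

```shell
#!/bin/sh
# Decode a pmset hibernatemode value per the bit table in this guide and
# check it against the guide's target (25 = bits 0, 3 and 4).

# hm_bit_meaning BIT -> meaning of one hibernatemode bit, per the table above
hm_bit_meaning() {
    case "$1" in
        0) echo "hibernate: suspend to disk, write the sleep image file" ;;
        1) echo "safe sleep: suspend to RAM first, hibernate when battery is critical" ;;
        2) echo "sleepimage file encryption" ;;
        3) echo "dynamic pager pages out inactive pages before hibernation" ;;
        4) echo "dynamic pager pages out more aggressively before hibernation" ;;
        5) echo "set boot-switch-vars" ;;
        6) echo "restart the machine after writing the sleepimage" ;;
        7) echo "SSD mode invert" ;;
        8) echo "dynamic sleepimage size" ;;
        *) echo "unknown/reserved" ;;
    esac
}

# decode_hibernatemode VALUE -> one "bitN (weight): meaning" line per set bit
decode_hibernatemode() {
    hm_value=$1; hm_bit=0
    while [ "$hm_bit" -le 8 ]; do
        if [ $(( (hm_value >> hm_bit) & 1 )) -eq 1 ]; then
            printf 'bit%d (%d): %s\n' "$hm_bit" $((1 << hm_bit)) "$(hm_bit_meaning "$hm_bit")"
        fi
        hm_bit=$((hm_bit + 1))
    done
}

# hibernatemode_from_pmset: reads `pmset -g` output on stdin, prints the value.
# Matching the whole field is stricter than the guide's "grep 25", which would
# also accept a value such as 125.
hibernatemode_from_pmset() {
    awk '$1 == "hibernatemode" { print $2; exit }'
}

# hibernatemode_compliant VALUE -> exit 0 only for the guide's target value 25
hibernatemode_compliant() {
    [ "$1" -eq 25 ]
}

# Constructed sample of `pmset -g` output from a portable at its default (3).
SAMPLE_PMSET=' hibernatemode        3
 standby              1
 sleep                1'
current=$(printf '%s\n' "$SAMPLE_PMSET" | hibernatemode_from_pmset)
echo "current hibernatemode=$current:"; decode_hibernatemode "$current"
if hibernatemode_compliant "$current"; then echo "compliant"; else echo "non-compliant, target 25 decodes to:"; decode_hibernatemode 25; fi
```

On a real machine replace the constructed sample with `pmset -g | hibernatemode_from_pmset`.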

//END
