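├── .gitignore
├── Upgrade-Bash.sh
├── .gitattributes
├── AutoHarden_MacOSX
│   └── scripts
│       ├── system-information
│       │   └── system-information.sh
│       ├── integrity
│       │   └── system-integrity.sh
│       ├── harden
│       │   ├── sudo_harden.sh
│       │   └── no_sudo_harden.sh
│       ├── login
│       │   └── login-hook.sh
│       ├── logout
│       │   └── logout-hook.sh
│       ├── filevault
│       │   └── filevault.sh
│       ├── logo
│       │   └── OpenNightshade-Mark.sh
│       └── brew
│           ├── brew-install.sh
│           └── brew-harden.sh
├── README.md
├── Mac-Security-Audit.sh
└── MacOsX-Harden.sh
/.gitignore:
--------------------------------------------------------------------------------

AutoHarden_MacOSX/.DS_Store
.DS_Store

--------------------------------------------------------------------------------
/Upgrade-Bash.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Prints the Bash version this script runs under. The stock macOS Bash is old,
# so check this before relying on Bash 4+ features. Nothing is upgraded here.
echo "$BASH_VERSION"

--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/system-information/system-information.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Return Current User
# Falls back to id(1) when $USER is not set, e.g. in some non-login contexts.
echo "${USER:-$(id -un)}"
--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/integrity/system-integrity.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Check File Integrity of Essential Files
#
# Usage: system-integrity.sh [BASELINE]
#   Without an argument the SHA-256 of each file is printed; redirect stdout to
#   a file to record a baseline. With BASELINE (a file produced that way) the
#   current hashes are verified against it instead, and the exit status is
#   non-zero on any mismatch. A hash alone proves nothing without a baseline
#   to compare against.
files=(/etc/hosts /etc/passwd)

if [[ $# -ge 1 ]]; then
  shasum -a 256 -c -- "$1"
else
  shasum -a 256 -- "${files[@]}"
fi
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# TheMacHardeningScripts

## Description

Scripts to secure and harden macOS.

## What Scripts To Use

Start with the Homebrew hardening script, AutoHarden_MacOSX/scripts/brew/brew-harden.sh, to harden Homebrew.
The scripts that change system-wide settings - harden/sudo_harden.sh, filevault/filevault.sh and MacOsX-Harden.sh - need administrator rights.

--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/harden/sudo_harden.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# [Security/Privacy] Disables the Captive Portal assistant, the pop-up browser
# that opens automatically on networks with a login page. Turning it off avoids
# an unprompted browser session on untrusted Wi-Fi. Writes a system-wide
# preference, hence sudo.
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false
--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/login/login-hook.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Path: /login/login-hook.sh | Created 1 Sept 2021
# Description: Login hook placeholder - no commands yet
# Author: @AtropineTears
# Company: @NightshadeLabs
--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/logout/logout-hook.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Path: /logout/logout-hook.sh | Created 1 Sept 2021
# Description: Logout hook placeholder - no commands yet
# Author: @AtropineTears
# Company: @NightshadeLabs
--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/filevault/filevault.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Destroys Filevault Keys on Standby
# REQUIRES SUDO and FILEVAULT to be enabled
# Abort early when FileVault is off: destroyfvkeyonstandby then has nothing to protect.
if ! fdesetup status | grep -q 'FileVault is On'; then
  printf 'filevault.sh: FileVault is not enabled; nothing to harden\n' >&2
  exit 1
fi

# Drop the FileVault key from memory on standby, and hibernate to disk
# (mode 25 powers RAM off) so the key is not kept in memory while asleep.
sudo pmset -a destroyfvkeyonstandby 1
sudo pmset -a hibernatemode 25

# Disable the wake/standby features that would otherwise keep the machine
# out of full hibernation.
sudo pmset -a powernap 0
sudo pmset -a standby 0
sudo pmset -a standbydelay 0
sudo pmset -a autopoweroff 0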
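--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/logo/OpenNightshade-Mark.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Path: /logo/OpenNightshade-Mark.sh | Created 1 Sept 2021
# Description: Sets the login window banner text (currently disabled)
# Author: @AtropineTears
# Company: @NightshadeLabs

# [Design] Sets The Login Window Screen To Display "Secured by OpenNightshade"
# Turned Off for now
# NOTE: writes a system-wide preference under /Library/Preferences, so it needs
# sudo when re-enabled (as in harden/sudo_harden.sh).
# defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Last Secured by NightshadeLabs"
--------------------------------------------------------------------------------
/Mac-Security-Audit.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Audits a few security settings and prints one PASS/FAIL line per check, so a
# failed check is visible instead of just producing no grep output.
# Exit status is the number of failed checks (0 = all passed).
# NOTE: systemsetup typically needs root; run with sudo for a complete audit.

failures=0

# report NAME STATUS - prints one result line and counts failures
report() {
  if [[ "$2" == PASS ]]; then
    printf 'PASS  %s\n' "$1"
  else
    printf 'FAIL  %s\n' "$1"
    failures=$((failures + 1))
  fi
}

# Checks whether System Integrity Protection is Enabled
if csrutil status | grep -qw "Enabled"; then
  report "System Integrity Protection enabled" PASS
else
  report "System Integrity Protection enabled" FAIL
fi

# Check Whether Automatic Updates are Enabled (1 = yes)
# A missing key makes defaults read fail; treat that as not enabled.
auto_updates=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>/dev/null)
if [[ "$auto_updates" == 1 ]]; then
  report "Automatic macOS updates enabled" PASS
else
  report "Automatic macOS updates enabled" FAIL
fi

# Check Remote Apple Events (should be off)
if systemsetup -getremoteappleevents 2>/dev/null | grep -qw "Off"; then
  report "Remote Apple Events off" PASS
else
  report "Remote Apple Events off" FAIL
fi

# Check File Integrity of Essential Files
# Prints the hash only; compare it against a recorded baseline
# (see AutoHarden_MacOSX/scripts/integrity/system-integrity.sh).
shasum -a 256 -- /etc/hosts

exit "$failures"
--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/brew/brew-install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Filename: /brew/brew-install.sh | Created 1 Sept 2021
# Description: A Bash Script To Install Homebrew and xcode dev tools
# Author: @AtropineTears
# Company: @NightshadeLabs

# Todo: Add --cert-status (needs OpenSSL) to homebrew install

# Pinned install URL; kept in one place so it is easy to audit.
INSTALL_URL='https://raw.githubusercontent.com/Homebrew/install/master/install.sh'

#-------Pre-Reqs---------#
# Opens the Command Line Tools installer. It may exit non-zero when the tools
# are already installed; that is not treated as fatal here.
xcode-select --install

#-------Installation-------#
# Description: Installs Homebrew with cURL using TLS 1.3 as minimum, and only resolves to using IPv4 Addresses.
# The installer is fetched to a temp file first so that (a) a failed download is
# detected instead of silently running an empty script via bash -c "$(curl ...)",
# and (b) the SHA-256 of exactly what will be executed is printed, so it can be
# logged and compared with a known-good value.
# NOTE: --tlsv1.3 needs a curl/TLS library with TLS 1.3 support; on an older
# system curl the download may fail - confirm with curl --version.
installer=$(mktemp) || exit 1
trap 'rm -f -- "$installer"' EXIT

if ! curl --tlsv1.3 --ipv4 -fsSL -o "$installer" "$INSTALL_URL"; then
  printf 'brew-install: download of %s failed\n' "$INSTALL_URL" >&2
  exit 1
fi

printf 'Installer SHA-256: '
shasum -a 256 -- "$installer"

# Maybe Switch To This| /usr/bin/ruby -e "$(curl --tlsv1.3 --ipv4 -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
/bin/bash "$installer"
--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/harden/no_sudo_harden.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# User-level hardening: every setting here is written to the current user's
# preferences, so no sudo is required. NOTE: Finder/global defaults typically
# take effect only after the affected app is relaunched.

#---Screensaver---#
# [Security] Ask for Password at Screensaver
defaults write com.apple.screensaver askForPassword -int 1
# [Security] Ask for Password as soon as Screensaver Starts
defaults write com.apple.screensaver askForPasswordDelay -int 0

#---Finder---#
# [Security] Expose Hidden Files and Library Folders in Finder
defaults write com.apple.finder AppleShowAllFiles -bool true
chflags nohidden "$HOME/Library"
# [Security] Show All Filename Extensions
defaults write NSGlobalDomain AppleShowAllExtensions -bool true
# [Privacy] Disables saving documents to iCloud
defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

#---ETC---#
# [Privacy] Disable Crash Reporter
defaults write com.apple.CrashReporter DialogType none
# [Privacy] Disables creation of .DS_STORE files on Network Shares and USBs
defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true
defaults write com.apple.desktopservices DSDontWriteUSBStores -bool true
--------------------------------------------------------------------------------
/MacOsX-Harden.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# System-wide hardening. Everything below writes /Library/Preferences, uses
# pmset -a, systemsetup or the application firewall, all of which need root -
# the same commands are run with sudo in scripts/harden/sudo_harden.sh and
# scripts/filevault/filevault.sh. Fail fast rather than half-applying.
if [[ $EUID -ne 0 ]]; then
  printf 'MacOsX-Harden.sh must be run as root: sudo ./MacOsX-Harden.sh\n' >&2
  exit 1
fi

#---Updates---#
# Lists available updates (does not install them)
softwareupdate -l
# Turns on Automatic System Updates
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -int 1

#---Remote Apple Events---#
# Disables Remote Apple Events
systemsetup -setremoteappleevents off

#---MetaData---#
# Prohibits MAC OS X from creating temporary files on remote volumes
defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true
defaults write com.apple.desktopservices DSDontWriteUSBStores -bool true

#---Captive Portal---#
# Disables Captive Portal
defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false

#---File Vault---#
# Destroys Filevault Keys From Memory on Hibernation
# (mirrors scripts/filevault/filevault.sh; only meaningful when FileVault is on)
pmset -a destroyfvkeyonstandby 1
pmset -a hibernatemode 25

pmset -a powernap 0
pmset -a standby 0
pmset -a standbydelay 0
pmset -a autopoweroff 0

#---Firewall Config---#
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on # Turn on Firewall
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on # Turn on Firewall Logging
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on # Turn on Stealth Mode (Does Not Respond To ICMP Packets)
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off # Disallow Signed Built-In Software From Passing the Firewall
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off # Disallow Signed Applications from bypassing the Firewall

pkill -HUP socketfilterfw # Restarts Firewall
#----------------------#

# Invalidates Sudo Session after script completion
sudo -k
--------------------------------------------------------------------------------
/AutoHarden_MacOSX/scripts/brew/brew-harden.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Path: /brew/brew-harden.sh | Created 1 Sept 2021
# Description: A Bash Script To Harden and Secure Homebrew on Mac OS X
# Author: @AtropineTears
# Company: @NightshadeLabs
#
# NOTE: The HOMEBREW_* exports below only reach the brew commands run from this
# script. To make them apply to your interactive shell as well, source this
# file instead of executing it, or copy the export lines into your shell profile.

#------METADATA------#
echo 'Filename: brew-harden.sh | created by @NightshadeLabs and @AtropineTears'
echo 'Notice: When using Homebrew, you should NEVER use sudo as it is not required. You should go by the least privilege available.'

#------CONSTANTS-------#
# Homebrew log directory. Tilde does not expand inside single quotes, so $HOME is used.
CONSTANT_LOG_PATH="$HOME/Library/Logs/Homebrew/"
# Print out the homebrew log file
echo "HOMEBREW LOG PATH: $CONSTANT_LOG_PATH"

#------Https-Only-------#
# [SECURITY]
# NOTE: While ensuring your downloads are fully secure, this is likely to cause from-source SourceForge, some GNU & GNOME-hosted formulae to fail to download
# Sets Env Variable For Homebrew to only use HTTPS.
export HOMEBREW_NO_INSECURE_REDIRECT=1

# [SECURITY]
# Requires SHA256 hash of homebrew cask packages
export HOMEBREW_CASK_OPTS="--require-sha"

# [SECURITY]
# Forces The Use of Homebrew's version of cURL rather than the systems (which may be outdated)
export HOMEBREW_FORCE_BREWED_CURL=1

# [SECURITY]
# Displays timestamps for when formulas are installed
export HOMEBREW_DISPLAY_INSTALL_TIMES=1

# [UPDATING]
# Minimum seconds between automatic brew update runs. This used to be set
# twice (60, then 300); the later assignment won, so 300 is kept.
export HOMEBREW_AUTO_UPDATE_SECS=300

#-------ANALYTICS-------#
# [PRIVACY]
# Turns off Homebrew Analytical Data to be sent to developers
export HOMEBREW_NO_ANALYTICS=1
brew analytics off

#-------Autoclean-------#
# [CLEANUP]
# Cleans up formulae every 3 days
# Default: 30
export HOMEBREW_CLEANUP_PERIODIC_FULL_DAYS=3

# Makes sure Homebrew Auto-Updates before running brew install, brew upgrade, or brew tap
# Default: Turned Off
# NOTE: Homebrew appears to treat this variable as "set" regardless of its value,
# so leave it commented out (unset) to keep auto-update on.
# export HOMEBREW_NO_AUTO_UPDATE=0

#-------Set Autoupdate and Set Autoupgrade-------#
# Automatically updates/upgrades every twelve hours. It will also send a notification when it is updating. The first time it is called it will also upgrade right then and there.
# NOTE: brew autoupdate is an external command from a separate tap; confirm it is tapped or this line fails.
brew autoupdate start 43200 --upgrade --enable-notification --immediate

# Installs OpenSSL and cURL with OpenSSL
# NOTE(review): per-formula install options such as --with-openssl are not
# accepted by homebrew-core on current Homebrew, so the curl line may fail - confirm.
brew install openssl
brew install curl --with-openssl
brew link --force curl
--------------------------------------------------------------------------------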