Repository layout (jekil/hardentheworld):

├── .gitignore
├── Applications
│   ├── Apple_Mail_8
│   │   ├── images
│   │   │   ├── mail_1.png
│   │   │   ├── mail_2.png
│   │   │   ├── mail_3.png
│   │   │   ├── mail_4.png
│   │   │   ├── mail_5.png
│   │   │   └── mail_6.png
│   │   └── index.rst
│   ├── Apple_Mail_9
│   │   ├── images
│   │   │   ├── mail_1.png
│   │   │   ├── mail_2.png
│   │   │   ├── mail_3.png
│   │   │   ├── mail_4.png
│   │   │   ├── mail_5.png
│   │   │   └── mail_6.png
│   │   └── index.rst
│   ├── Apple_Safari_8
│   │   ├── images
│   │   │   ├── safari_advanced_1.png
│   │   │   ├── safari_autofill_1.png
│   │   │   ├── safari_general_1.png
│   │   │   ├── safari_general_2.png
│   │   │   ├── safari_general_3.png
│   │   │   ├── safari_general_4.png
│   │   │   ├── safari_passwords_1.png
│   │   │   ├── safari_privacy_1.png
│   │   │   ├── safari_search_1.png
│   │   │   ├── safari_search_2.png
│   │   │   ├── safari_security_1.png
│   │   │   ├── safari_security_2.png
│   │   │   └── safari_security_3.png
│   │   └── index.rst
│   ├── Apple_Safari_9
│   │   ├── images
│   │   │   ├── safari_advanced_1.png
│   │   │   ├── safari_autofill_1.png
│   │   │   ├── safari_general_1.png
│   │   │   ├── safari_general_2.png
│   │   │   ├── safari_general_3.png
│   │   │   ├── safari_general_4.png
│   │   │   ├── safari_passwords_1.png
│   │   │   ├── safari_privacy_1.png
│   │   │   ├── safari_search_1.png
│   │   │   ├── safari_search_2.png
│   │   │   ├── safari_security_1.png
│   │   │   ├── safari_security_2.png
│   │   │   └── safari_security_3.png
│   │   └── index.rst
│   ├── GPG_Suite
│   │   ├── images
│   │   │   ├── gpgmail_1.png
│   │   │   └── gpgmail_2.png
│   │   └── index.rst
│   ├── LittleSnitch_3
│   │   ├── images
│   │   │   ├── littlesnitch_1.png
│   │   │   ├── littlesnitch_2.png
│   │   │   ├── littlesnitch_3.png
│   │   │   └── littlesnitch_4.png
│   │   └── index.rst
│   ├── MongoDB_2
│   │   └── index.rst
│   ├── MySQL
│   │   └── index.rst
│   ├── Nginx
│   │   └── index.rst
│   ├── OpenSSH
│   │   └── index.rst
│   ├── OpenVPN
│   │   └── index.rst
│   └── index.rst
├── Makefile
├── OS
│   ├── MacOS_10.12_Sierra
│   │   ├── images
│   │   │   ├── finder_1.png
│   │   │   ├── settings_desktop_1.png
│   │   │   ├── settings_general_1.png
│   │   │   ├── settings_general_2.png
│   │   │   ├── settings_security_1.png
│   │   │   ├── settings_security_2.png
│   │   │   ├── settings_security_3.png
│   │   │   ├── settings_security_4.png
│   │   │   ├── settings_security_5.png
│   │   │   ├── settings_security_6.png
│   │   │   ├── settings_security_7.png
│   │   │   ├── settings_security_8.png
│   │   │   ├── settings_security_9.png
│   │   │   ├── settings_spotlight_1.png
│   │   │   ├── settings_spotlight_2.png
│   │   │   ├── settings_users_1.png
│   │   │   ├── settings_users_2.png
│   │   │   └── settings_users_3.png
│   │   └── index.rst
│   ├── OSX_10.10_Yosemite
│   │   ├── images
│   │   │   ├── finder_1.png
│   │   │   ├── finder_2.png
│   │   │   ├── settings_desktop_1.png
│   │   │   ├── settings_general_1.png
│   │   │   ├── settings_general_2.png
│   │   │   ├── settings_security_1.png
│   │   │   ├── settings_security_2.png
│   │   │   ├── settings_security_3.png
│   │   │   ├── settings_security_4.png
│   │   │   ├── settings_security_5.png
│   │   │   ├── settings_security_6.png
│   │   │   └── settings_security_7.png
│   │   └── index.rst
│   ├── OSX_10.11_El_Capitan
│   │   ├── images
│   │   │   ├── finder_1.png
│   │   │   ├── settings_desktop_1.png
│   │   │   ├── settings_general_1.png
│   │   │   ├── settings_general_2.png
│   │   │   ├── settings_security_1.png
│   │   │   ├── settings_security_2.png
│   │   │   ├── settings_security_3.png
│   │   │   ├── settings_security_4.png
│   │   │   ├── settings_security_5.png
│   │   │   ├── settings_security_6.png
│   │   │   ├── settings_security_7.png
│   │   │   ├── settings_security_8.png
│   │   │   ├── settings_security_9.png
│   │   │   ├── settings_spotlight_1.png
│   │   │   ├── settings_spotlight_2.png
│   │   │   ├── settings_users_1.png
│   │   │   ├── settings_users_2.png
│   │   │   └── settings_users_3.png
│   │   └── index.rst
│   └── index.rst
├── README.rst
├── conf.py
├── index.rst
└── requirements.txt

/.gitignore:
--------------------------------------------------------------------------------
# Compiled source #
###################
*.com
*.class
*.dll
*.exe
*.o
*.so
*.pyc
*.pyo

# Packages #
############
# it's better to unpack these files and commit the raw source
# git has its own built in compression methods
*.7z
*.dmg
*.gz
*.iso
*.jar
*.rar
*.tar
*.zip

# Logs and databases #
######################
*.log
*.sql
*.sqlite

# OS generated files #
######################
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
Icon?
ehthumbs.db
Thumbs.db

# Development env #
###################
.project
.sublime-project
.pydevproject
.idea
_build/*
--------------------------------------------------------------------------------

Binary images referenced by /Applications/Apple_Mail_8/index.rst (raw.githubusercontent.com links at commit 9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81):

/Applications/Apple_Mail_8/images/mail_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_8/images/mail_1.png
/Applications/Apple_Mail_8/images/mail_2.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_8/images/mail_2.png
/Applications/Apple_Mail_8/images/mail_3.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_8/images/mail_3.png
/Applications/Apple_Mail_8/images/mail_4.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_8/images/mail_4.png
/Applications/Apple_Mail_8/images/mail_5.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_8/images/mail_5.png
/Applications/Apple_Mail_8/images/mail_6.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_8/images/mail_6.png

/Applications/Apple_Mail_8/index.rst:
--------------------------------------------------------------------------------
Apple Mail 8
------------

Apple Mail is the mail client application shipped by default with Mac OS X.

This chapter is dedicated to configuring Apple Mail version 8.x. It comes by default with Mac OS X 10.10
(Yosemite).

.. contents::
   :local:

Disable automatic account settings
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If this option is enabled, Mail automatically manages the settings of your email account, such as port numbers
and authentication methods.
It is not advisable to leave such critical settings under Mail's control, so disable this option.

To disable automatic account settings, go to:

Open Apple Mail ⇒ Accounts ⇒ Select your mail account ⇒ Advanced

Uncheck "Automatically detect and maintain account settings".

.. image:: images/mail_4.png
   :align: center

Disable automatic attachment download
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If this option is enabled, Mail automatically downloads all attachments for your email account.
It is suggested to keep control over what is downloaded, so disable this option: downloading attachments
automatically is dangerous. Just think of someone sending you an email with an image hosted on a server they
control; they could track your IP address.

To disable automatic attachment download, go to:

Open Apple Mail ⇒ Accounts ⇒ Select your mail account ⇒ Advanced

Uncheck "Automatically download all attachments".

.. image:: images/mail_5.png
   :align: center

Disable automatic loading of remote content
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Mail defaults to automatically loading any images, stylesheets etc. included in an email, regardless of the sender.
Not only can this be an attack vector, it is also commonly used for tracking, leading to loss of privacy.

Don't worry about disabling automatic loading: you will still be able to load remote images and stylesheets for
any mail with a single click.

To disable automatic loading of remote content, go to:

Open Apple Mail ⇒ Preferences ⇒ Viewing

Uncheck "Load remote content in messages".

.. image:: images/mail_6.png
   :align: center

If you want to block any such connection for good, it is suggested to configure a firewall, e.g. Little Snitch,
and permit connections from Mail.app only to your mail server.

Disable Mail Drop
^^^^^^^^^^^^^^^^^

Mail Drop is a new feature in Yosemite which allows you to deliver large attachments: they are uploaded to Apple's
cloud and then fetched by your recipients. This is a great feature, but it discloses your files to Apple's cloud.
It is suggested to disable this feature and use another technology under your full control to transfer big files.

To disable Mail Drop, go to:

Open Apple Mail ⇒ Accounts ⇒ Select your mail account ⇒ Advanced

Uncheck "Send large attachments with Mail Drop".

.. image:: images/mail_3.png
   :align: center

Never add invitations to calendar automatically
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Apple Mail can automatically add invitations to your calendar.
It is suggested not to allow Apple Mail to automatically parse invitations and launch an external application, to
reduce exposure to a future vulnerability in that path.

To disable invitation import, go to:

Open Apple Mail ⇒ General

Set "Add invitations to Calendar" to "Never".

.. image:: images/mail_1.png
   :align: center

Remove unedited downloads
^^^^^^^^^^^^^^^^^^^^^^^^^

If you open an attachment in Apple Mail, it stores the file on your disk, inside your attachment download folder, and by
default leaves it there forever.
It is not advisable to leave mail attachments on disk, because they are untrusted files.

To remove downloaded files, go to:

Open Apple Mail ⇒ General

Set "Remove unedited downloads" to "When Mail Quits".

.. image:: images/mail_2.png
   :align: center

Use only SSL/TLS protocols
^^^^^^^^^^^^^^^^^^^^^^^^^^

Classic mail protocols like SMTP, POP and IMAP are plain-text protocols without any encryption, which means your data
and credentials are sent in plain text.
It is suggested to use only encrypted protocols.
Ask your email provider about encrypted email protocol support and configure your mail account accordingly.

To configure your email account, go to:

Open Apple Mail ⇒ Accounts

Using GPG
^^^^^^^^^

GPG is software to encrypt, decrypt, sign and verify files or messages. It is widely used and its adoption is
suggested to protect your privacy.

GPGTools is a suite designed to bring GPG to Mac OS X and add encryption to Apple Mail.

It is suggested to download and install GPGTools.
--------------------------------------------------------------------------------

Binary images referenced by /Applications/Apple_Mail_9/index.rst:

/Applications/Apple_Mail_9/images/mail_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_9/images/mail_1.png
/Applications/Apple_Mail_9/images/mail_2.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_9/images/mail_2.png
/Applications/Apple_Mail_9/images/mail_3.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_9/images/mail_3.png
/Applications/Apple_Mail_9/images/mail_4.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_9/images/mail_4.png
/Applications/Apple_Mail_9/images/mail_5.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_9/images/mail_5.png
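The "Disable automatic loading of remote content" section of the Apple Mail 8 chapter above (the Apple Mail 9 chapter repeats the same advice) explains that remote images and stylesheets are both an attack vector and a tracking channel. The following script is an added example, not code from the hardentheworld project: it scans an HTML message for the resources Mail would fetch from the network if "Load remote content in messages" were left enabled, and leaves out references embedded in the message itself (cid: and data: parts), which contact no server. The sample message, its hosts and the tracking-pixel URL are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of hardentheworld: lists the remote resources an HTML
# message would fetch if "Load remote content in messages" were left enabled.
# Resources embedded in the message itself (cid: and data: references) are
# not listed, because loading them contacts no server.

# Constructed sample message (all hosts are in the reserved .invalid TLD).
SAMPLE_MESSAGE='From: newsletter@example.invalid
To: you@example.invalid
Subject: constructed sample newsletter
Content-Type: text/html; charset=utf-8

<html>
<body style="background:url(https://cdn.example.invalid/bg.png)">
<img src="cid:logo@example.invalid" alt="embedded logo, not remote">
<p>Hello!</p>
<img src="https://track.example.invalid/open?id=abc123" width="1" height="1">
<link rel="stylesheet" href="https://cdn.example.invalid/style.css">
</body>
</html>'

# Print one remote URL per line from an HTML message read on stdin:
# src=/href= attributes and CSS url() values that point at http(s).
remote_refs() {
  grep -Eoi '(src|href)=["'"'"']?https?://[^"'"'"' >]+|url\(["'"'"']?https?://[^"'"'"')]+' \
    | sed -E 's|^.*([Hh][Tt][Tt][Pp][Ss]?://)|\1|'
}

# Number of remote resources in the message on stdin (0 when there are none).
remote_ref_count() {
  remote_refs | wc -l | tr -d ' '
}

# Stand-alone run: report what this message would fetch.
printf '%s\n' "$SAMPLE_MESSAGE" | remote_refs
echo "remote resources: $(printf '%s\n' "$SAMPLE_MESSAGE" | remote_ref_count)"
```

On the sample message the script lists three URLs: the CSS background image, the 1x1 tracking pixel and the external stylesheet. The cid: logo is not reported because it ships inside the message. The same pattern works on a saved .eml file (`remote_refs < message.eml`) as long as the HTML part is not base64 or quoted-printable encoded; decode such parts first.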
/Applications/Apple_Mail_9/images/mail_6.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Mail_9/images/mail_6.png

/Applications/Apple_Mail_9/index.rst:
--------------------------------------------------------------------------------
Apple Mail 9
------------

Apple Mail is the mail client application shipped by default with Mac OS X.

This chapter is dedicated to configuring Apple Mail version 9.x. It comes by default with Mac OS X 10.11 (El Capitan).

.. contents::
   :local:

Disable automatic account settings
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If this option is enabled, Mail automatically manages the settings of your email account, such as port numbers
and authentication methods.
It is not advisable to leave such critical settings under Mail's control, so disable this option.

To disable automatic account settings, go to:

Open Apple Mail ⇒ Accounts ⇒ Select your mail account ⇒ Advanced

Uncheck "Automatically detect and maintain account settings".

.. image:: images/mail_4.png
   :align: center

Disable automatic attachment download
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If this option is enabled, Mail automatically downloads all attachments for your email account.
It is suggested to keep control over what is downloaded, so disable this option: downloading attachments
automatically is dangerous. Just think of someone sending you an email with an image hosted on a server they
control; they could track your IP address.

To disable automatic attachment download, go to:

Open Apple Mail ⇒ Accounts ⇒ Select your mail account ⇒ Advanced

Uncheck "Automatically download all attachments".

.. image:: images/mail_5.png
   :align: center

Disable automatic loading of remote content
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Mail defaults to automatically loading any images, stylesheets etc. included in an email, regardless of the sender.
Not only can this be an attack vector, it is also commonly used for tracking, leading to loss of privacy.

Don't worry about disabling automatic loading: you will still be able to load remote images and stylesheets for
any mail with a single click.

To disable automatic loading of remote content, go to:

Open Apple Mail ⇒ Preferences ⇒ Viewing

Uncheck "Load remote content in messages".

.. image:: images/mail_6.png
   :align: center

If you want to block any such connection for good, it is suggested to configure a firewall, e.g. Little Snitch,
and permit connections from Mail.app only to your mail server.

Disable Mail Drop
^^^^^^^^^^^^^^^^^

Mail Drop is a new feature in Yosemite which allows you to deliver large attachments: they are uploaded to Apple's
cloud and then fetched by your recipients. This is a great feature, but it discloses your files to Apple's cloud.
It is suggested to disable this feature and use another technology under your full control to transfer big files.

To disable Mail Drop, go to:

Open Apple Mail ⇒ Accounts ⇒ Select your mail account ⇒ Advanced

Uncheck "Send large attachments with Mail Drop".

.. image:: images/mail_3.png
   :align: center

Never add invitations to calendar automatically
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Apple Mail can automatically add invitations to your calendar.
It is suggested not to allow Apple Mail to automatically parse invitations and launch an external application, to
reduce exposure to a future vulnerability in that path.

To disable invitation import, go to:

Open Apple Mail ⇒ General

Set "Add invitations to Calendar" to "Never".

.. image:: images/mail_1.png
   :align: center

Remove unedited downloads
^^^^^^^^^^^^^^^^^^^^^^^^^

If you open an attachment in Apple Mail, it stores the file on your disk, inside your attachment download folder, and by
default leaves it there forever.
It is not advisable to leave mail attachments on disk, because they are untrusted files.

To remove downloaded files, go to:

Open Apple Mail ⇒ General

Set "Remove unedited downloads" to "When Mail Quits".

.. image:: images/mail_2.png
   :align: center

Use only SSL/TLS protocols
^^^^^^^^^^^^^^^^^^^^^^^^^^

Classic mail protocols like SMTP, POP and IMAP are plain-text protocols without any encryption, which means your data
and credentials are sent in plain text.
It is suggested to use only encrypted protocols.
Ask your email provider about encrypted email protocol support and configure your mail account accordingly.

To configure your email account, go to:

Open Apple Mail ⇒ Accounts

Using GPG
^^^^^^^^^

GPG is software to encrypt, decrypt, sign and verify files or messages. It is widely used and its adoption is
suggested to protect your privacy.

GPGTools is a suite designed to bring GPG to Mac OS X and add encryption to Apple Mail.

It is suggested to download and install GPGTools.
--------------------------------------------------------------------------------

Binary images referenced by /Applications/Apple_Safari_8/index.rst:

/Applications/Apple_Safari_8/images/safari_advanced_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_advanced_1.png
/Applications/Apple_Safari_8/images/safari_autofill_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_autofill_1.png
/Applications/Apple_Safari_8/images/safari_general_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_general_1.png
/Applications/Apple_Safari_8/images/safari_general_2.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_general_2.png
/Applications/Apple_Safari_8/images/safari_general_3.png:
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_general_3.png
/Applications/Apple_Safari_8/images/safari_general_4.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_general_4.png
/Applications/Apple_Safari_8/images/safari_passwords_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_passwords_1.png
/Applications/Apple_Safari_8/images/safari_privacy_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_privacy_1.png
/Applications/Apple_Safari_8/images/safari_search_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_search_1.png
/Applications/Apple_Safari_8/images/safari_search_2.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_search_2.png
/Applications/Apple_Safari_8/images/safari_security_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_security_1.png
/Applications/Apple_Safari_8/images/safari_security_2.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_security_2.png
/Applications/Apple_Safari_8/images/safari_security_3.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_8/images/safari_security_3.png

/Applications/Apple_Safari_8/index.rst:
--------------------------------------------------------------------------------
Apple Safari 8
--------------

According to Wikipedia, Safari is *"a web browser developed by Apple Inc. included with the OS X and iOS operating
systems. First released as a public beta on January 7, 2003, on the company's OS X operating system, it became Apple's
default browser beginning with Mac OS X v10.3 "Panther". The native browser of iOS is also called Safari, but has a
different UI and uses a different WebKit version and API"*.

This chapter is dedicated to configuring Apple Safari version 8.x. It comes by default with Mac OS X 10.10 (Yosemite).

.. contents::
   :local:

Change default search engine
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Change the default search engine to DuckDuckGo, a search engine that respects your privacy.
Go to:

Open Safari ⇒ Preferences ⇒ Search

Set “Search engine” to “DuckDuckGo”.

.. image:: images/safari_search_1.png
   :align: center

Clear history
^^^^^^^^^^^^^

Used to avoid leaving navigation traces in the browser history.
Go to:

Open Safari ⇒ Preferences ⇒ General

Set “Remove history items” to “After one day”.
Set “Remove download list items” to “Upon successful download”.

.. image:: images/safari_general_3.png
   :align: center

Control third party plugins
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Most browsers allow all third-party scripts and plug-ins to run continuously, giving malware a huge attack surface
to get into your machine.
Safari can ask for user permission each time a plugin is run; this is a good practice to control which website is asking
your browser to run a plugin.
It is suggested to control the use of WebGL, go to:

Open Safari ⇒ Preferences ⇒ Security

Check “Allow WebGL” and click on "Website Settings...", then set "When visiting other websites" to "Ask".

.. image:: images/safari_security_2.png
   :align: center

It is suggested to control the use of third-party plug-ins in the same way, go to:

Open Safari ⇒ Preferences ⇒ Security

Check “Allow Plug-ins” and click on "Website Settings...", then set "When visiting other websites" to "Ask".

.. image:: images/safari_security_3.png
   :align: center

Disable AutoFill
^^^^^^^^^^^^^^^^

Disables automatic filling of forms.
Go to:

Open Safari ⇒ Preferences ⇒ AutoFill

Uncheck all boxes.

.. image:: images/safari_autofill_1.png
   :align: center

Disable AutoFill username and passwords
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Disables automatic filling of forms with usernames and passwords.
Go to:

Open Safari ⇒ Preferences ⇒ Passwords

Uncheck “AutoFill user names and passwords”.

.. image:: images/safari_passwords_1.png
   :align: center

Disable open files after download
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Disables automatic opening of downloaded files, even those Safari considers safe. It is suggested never to run
downloaded files automatically.
Go to:

Open Safari ⇒ Preferences ⇒ General

Uncheck “Open ‘safe’ files after downloading”.

.. image:: images/safari_general_4.png
   :align: center

Disable search suggestions
^^^^^^^^^^^^^^^^^^^^^^^^^^

Disables suggestions, to avoid leaking what you type in the search box before you submit it.
Go to:

Open Safari ⇒ Preferences ⇒ Search

Uncheck “Include search engine suggestions”.
Uncheck “Include Spotlight suggestions”.

.. image:: images/safari_search_2.png
   :align: center

Disable website tracking
^^^^^^^^^^^^^^^^^^^^^^^^

Asks websites not to track you by sending the Do Not Track header; websites are not obliged to honour the request.
Go to:

Open Safari ⇒ Preferences ⇒ Privacy

Check “Ask website not to track me”.

.. image:: images/safari_privacy_1.png
   :align: center

Open with a private window
^^^^^^^^^^^^^^^^^^^^^^^^^^

Set Safari to always open with a new private window to preserve your privacy.
Go to:

Open Safari ⇒ Preferences ⇒ General

Set “Safari opens with” to “A new private window”.

.. image:: images/safari_general_1.png
   :align: center

Open with an empty page
^^^^^^^^^^^^^^^^^^^^^^^

Set Safari to open new windows and tabs with an empty page.
Go to:

Open Safari ⇒ Preferences ⇒ General

Set “New windows open with” to “Empty Page”.
Set “New tabs open with” to “Empty Page”.

.. image:: images/safari_general_2.png
   :align: center

Show website address
^^^^^^^^^^^^^^^^^^^^

By default Safari shows only the domain in the address bar; it is suggested to show the whole website address.
Go to:

Open Safari ⇒ Preferences ⇒ Advanced

Check “Show full website address”.

.. image:: images/safari_advanced_1.png
   :align: center

Warn when visiting a fraudulent website
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Safari can check the website you are visiting against a public, free feed of malicious websites.
It is suggested to enable fraudulent website detection, go to:

Open Safari ⇒ Preferences ⇒ Security

Check “Warn when visiting a fraudulent website”.

.. image:: images/safari_security_1.png
   :align: center
--------------------------------------------------------------------------------

Binary images referenced by /Applications/Apple_Safari_9/index.rst:

/Applications/Apple_Safari_9/images/safari_advanced_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_advanced_1.png
/Applications/Apple_Safari_9/images/safari_autofill_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_autofill_1.png
/Applications/Apple_Safari_9/images/safari_general_1.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_general_1.png
/Applications/Apple_Safari_9/images/safari_general_2.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_general_2.png
/Applications/Apple_Safari_9/images/safari_general_3.png: https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_general_3.png
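The Apple Safari 8 chapter above (and the Apple Safari 9 chapter that follows, which repeats the same settings) sets everything through the Preferences window. Safari stores those choices as preferences that defaults(1) can read, so a practitioner can verify the whole chapter at once instead of clicking through every pane. The script below is an added example, not code from the hardentheworld project. The preference key names it uses are an assumption: they are the keys used for these settings in commonly published macOS dotfiles and are not stated anywhere in the guide, so confirm them against your Safari version before relying on the report. Settings the chapter expresses as a per-website "Ask" choice, the search engine and the start-page options are not covered.

```shell
#!/bin/sh
# Added audit script, not part of hardentheworld: reads the Safari preferences
# that the "Apple Safari 8" and "Apple Safari 9" chapters configure through
# the GUI and reports the ones that differ from the recommended values.
# Assumption: the preference keys below are the ones used for these settings
# in commonly published macOS dotfiles; they are not stated by the guide, so
# confirm them on your Safari version before relying on the report.

# One recommendation per line: key, recommended value (defaults(1) prints
# booleans as 0/1), and the chapter section it comes from.
safari_recommendations() {
  cat <<'EOF'
AutoOpenSafeDownloads 0 Disable open files after download
WarnAboutFraudulentWebsites 1 Warn when visiting a fraudulent website
SendDoNotTrackHTTPHeader 1 Disable website tracking
AutoFillFromAddressBook 0 Disable AutoFill
AutoFillPasswords 0 Disable AutoFill username and passwords
AutoFillCreditCardData 0 Disable AutoFill
AutoFillMiscellaneousForms 0 Disable AutoFill
ShowFullURLInSmartSearchField 1 Show website address
SuppressSearchSuggestions 1 Disable search suggestions
UniversalSearchEnabled 0 Disable search suggestions (Spotlight)
EOF
}

# Read one Safari preference. A key that was never written makes defaults(1)
# exit non-zero; report it as "unset" so an untouched default shows up as
# drift instead of aborting the audit.
read_safari_pref() {
  defaults read com.apple.Safari "$1" 2>/dev/null || echo unset
}

# Compare every recommendation with the values returned by the reader
# function named in $1 (read_safari_pref on a Mac; a stub elsewhere).
# Prints one line per setting and returns the number of settings that
# differ, so the exit status doubles as a drift count.
audit_safari() {
  reader=$1
  drift=0
  while read -r key expected section; do
    actual=$("$reader" "$key")
    if [ "$actual" = "$expected" ]; then
      printf 'OK    %-30s %s\n' "$key" "$section"
    else
      printf 'DRIFT %-30s %s (expected %s, found %s)\n' "$key" "$section" "$expected" "$actual"
      drift=$((drift + 1))
    fi
  done <<EOF
$(safari_recommendations)
EOF
  return "$drift"
}

# Stand-alone run on macOS; elsewhere the functions are only defined.
if command -v defaults >/dev/null 2>&1; then
  audit_safari read_safari_pref || echo "$? setting(s) differ from the chapter's recommendations"
fi
```

Run it from Terminal after applying the chapter; each line is tagged OK or DRIFT and the exit status is the number of drifting settings, which makes the script usable from a fleet-wide compliance check. A value of "unset" means the preference was never written, which on a fresh install is Safari's built-in default, not the recommended one. On the 10.10 and 10.11 releases these chapters target the preferences are readable directly; on current macOS versions Safari's preferences live in a protected container and defaults(1) needs Full Disk Access to read them.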
-------------------------------------------------------------------------------- /Applications/Apple_Safari_9/images/safari_general_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_general_4.png -------------------------------------------------------------------------------- /Applications/Apple_Safari_9/images/safari_passwords_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_passwords_1.png -------------------------------------------------------------------------------- /Applications/Apple_Safari_9/images/safari_privacy_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_privacy_1.png -------------------------------------------------------------------------------- /Applications/Apple_Safari_9/images/safari_search_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_search_1.png -------------------------------------------------------------------------------- /Applications/Apple_Safari_9/images/safari_search_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/Applications/Apple_Safari_9/images/safari_search_2.png -------------------------------------------------------------------------------- /Applications/Apple_Safari_9/images/safari_security_1.png: 
-------------------------------------------------------------------------------- /Applications/Apple_Safari_9/index.rst: --------------------------------------------------------------------------------

Apple Safari 9
--------------

According to `Wikipedia `_ Safari is *"a web browser developed by Apple Inc. included with the OS X and iOS operating systems. First released as a public beta on January 7, 2003, on the company's OS X operating system, it became Apple's default browser beginning with Mac OS X v10.3 "Panther". The native browser of iOS is also called Safari, but has a different UI and uses a different WebKit version and API"*.

This chapter is dedicated to configuring Apple Safari version 9.x. It comes by default with Mac OS X 10.11 (El Capitan).

.. contents::
   :local:

Change default search engine
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Change the default search engine to `DuckDuckGo `_, a search engine that respects your privacy.
Go to:

Open Safari ⇒ Preferences ⇒ Search

Set “Search engine” to “DuckDuckGo”.

.. image:: images/safari_search_1.png
   :align: center

Clear history
^^^^^^^^^^^^^

Configure Safari to remove its history automatically, so as never to leave navigation traces in the browser history.
Go to:

Open Safari ⇒ Preferences ⇒ General

Set “Remove history items” to “After one day”.
Set “Remove download list items” to “Upon successful download”.

.. image:: images/safari_general_3.png
   :align: center

Control third party plugins
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Most browsers allow all third party scripts to run without asking, giving malware a huge attack surface to get into your machine.
Safari can ask for user permission each time a plugin is run; this is a good practice to control which website is asking your browser to run a plugin.
It is suggested to control the use of WebGL, go to:

Open Safari ⇒ Preferences ⇒ Security

Check “Allow WebGL” and click on "Website Settings...", then set "When visiting other websites" to "Ask".

.. image:: images/safari_security_2.png
   :align: center

It is suggested to control the running of plug-ins in the same way, go to:

Open Safari ⇒ Preferences ⇒ Security

Check “Allow Plug-ins” and click on "Website Settings...", then set "When visiting other websites" to "Ask".

.. image:: images/safari_security_3.png
   :align: center

Disable AutoFill
^^^^^^^^^^^^^^^^

Disables automatic filling of forms.
Go to:

Open Safari ⇒ Preferences ⇒ AutoFill

Uncheck all boxes.

.. image:: images/safari_autofill_1.png
   :align: center

Disable AutoFill username and passwords
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Disables automatic filling of forms with usernames and passwords.
Go to:

Open Safari ⇒ Preferences ⇒ Passwords

Uncheck “AutoFill user names and passwords”.

.. image:: images/safari_passwords_1.png
   :align: center

Disable open files after download
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Disables automatic opening of downloaded files, even those Safari considers "safe". It is suggested never to run arbitrary downloaded files.
Go to:

Open Safari ⇒ Preferences ⇒ General

Uncheck “Open ‘safe’ files after downloading”.

.. image:: images/safari_general_4.png
   :align: center

Disable search suggestions
^^^^^^^^^^^^^^^^^^^^^^^^^^

Disables suggestions, to avoid leaking what you type in the search box before you submit it.
Go to:

Open Safari ⇒ Preferences ⇒ Search

Uncheck “Include search engine suggestions”.
Uncheck “Include Spotlight suggestions”.

.. image:: images/safari_search_2.png
   :align: center

Disable website tracking
^^^^^^^^^^^^^^^^^^^^^^^^

Asks websites not to track you (the Do Not Track header; sites are free to ignore it).
Go to:

Open Safari ⇒ Preferences ⇒ Privacy

Check “Ask website not to track me”.

.. image:: images/safari_privacy_1.png
   :align: center

Open with a private window
^^^^^^^^^^^^^^^^^^^^^^^^^^

Set Safari to always open with a new private window, to protect your privacy.
Go to:

Open Safari ⇒ Preferences ⇒ General

Set “Safari opens with” to “A new private window”.

.. image:: images/safari_general_1.png
   :align: center

Open with an empty page
^^^^^^^^^^^^^^^^^^^^^^^

Set Safari to open new windows and tabs with an empty page.
Go to:

Open Safari ⇒ Preferences ⇒ General

Set “New windows open with” to “Empty Page”.
Set “New tabs open with” to “Empty Page”.

.. image:: images/safari_general_2.png
   :align: center

Show website address
^^^^^^^^^^^^^^^^^^^^

By default Safari shows only the domain in the address bar; it is suggested to show the whole website address.
Go to:

Open Safari ⇒ Preferences ⇒ Advanced

Check “Show full website address”.

.. image:: images/safari_advanced_1.png
   :align: center

Warn when visiting a fraudulent website
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Safari can check the website you are visiting against a public and free feed of malicious websites.
It is suggested to enable fraudulent website detection, go to:

Open Safari ⇒ Preferences ⇒ Security

Check “Warn when visiting a fraudulent website”.

.. image:: images/safari_security_1.png
   :align: center

-------------------------------------------------------------------------------- /Applications/GPG_Suite/index.rst: --------------------------------------------------------------------------------

GPG Suite
---------

According to the `GPG Tools official website `_ GPG Tools is used *"to encrypt, decrypt, sign and verify files or messages. Manage your GPG Keychain with a few simple clicks and experience the full power of GPG"*.
GPG Suite is an implementation of GPG for Mac OS X with a keychain and an Apple Mail extension.

.. contents::
   :local:

Automatic update check
^^^^^^^^^^^^^^^^^^^^^^

It is recommended to keep software always updated.
To enable the automatic update check, go to:

Open Apple Mail ⇒ Preferences ⇒ GPGMail panel

Check the "Automatically check for updates" option.

.. image:: images/gpgmail_2.png
   :align: center

Check installation package signature
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The installation package is provided with a hash and a GPG signature.
It is recommended to check the digital signature before the installation.
Encrypt drafts
^^^^^^^^^^^^^^

It is recommended to store mail drafts in an encrypted format, to avoid leaking draft emails saved in clear text.
To enable draft encryption, go to:

Open Apple Mail ⇒ Preferences ⇒ GPGMail panel

Check the "Encrypt drafts" option.

.. image:: images/gpgmail_1.png
   :align: center

-------------------------------------------------------------------------------- /Applications/LittleSnitch_3/index.rst: --------------------------------------------------------------------------------

LittleSnitch 3
--------------

According to the vendor `website `_ LittleSnitch is *"a firewall that intercepts unwanted connection attempts, and lets you decide how to proceed"*.

It is really common, and a best practice, to replace the Mac OS X default firewall with a more advanced firewall like Little Snitch.

This chapter is dedicated to configuring Little Snitch 3.

.. contents::
   :local:

Show full details
^^^^^^^^^^^^^^^^^

It is suggested to enable the advanced alert mode that shows all details of each connection attempt.
Start Little Snitch.
Go to:

Preferences ⇒ Alert

Set "Detail Level" to "Show Full Details".

.. image:: images/littlesnitch_1.png
   :align: center

Enable update check
^^^^^^^^^^^^^^^^^^^

By default the automatic update check is disabled; it is suggested to enable it.
Start Little Snitch.
Go to:

Preferences ⇒ Update

Check "Automatic check for updates" and set it to "Daily".

.. image:: images/littlesnitch_2.png
   :align: center

Disable scripting access
^^^^^^^^^^^^^^^^^^^^^^^^

Scripting access is a security risk because malicious software could use it to add rules to Little Snitch and/or modify its behavior.
It is suggested to disable it; it is usually disabled by default.
Start Little Snitch.
Go to:

Preferences ⇒ Security

Uncheck "Allow GUI Scripting access to Little Snitch".
Uncheck "Allow Scripting Additions".

.. image:: images/littlesnitch_4.png
   :align: center

Mark rules as unapproved
^^^^^^^^^^^^^^^^^^^^^^^^

By default rules created from the alert window are automatically approved. It is a good practice to create them as unapproved and review them all later.
Start Little Snitch.
Go to:

Preferences ⇒ Advanced

Check "Mark rules from connection alert as unapproved".

.. image:: images/littlesnitch_3.png
   :align: center

-------------------------------------------------------------------------------- /Applications/MongoDB_2/index.rst: --------------------------------------------------------------------------------

MongoDB
-------

According to the `MongoDB official website `_ MongoDB is *"a document database that provides high performance, high availability, and easy scalability"*.

This chapter is dedicated to configuring MongoDB version 2.x.

.. contents::
   :local:

Authentication
^^^^^^^^^^^^^^

Authentication is the process of verifying the identity of a client or a user. MongoDB supports different authentication mechanisms; it is suggested to always use authentication for all users and clients (with different credentials for each one).
Even if you have deployed MongoDB servers in a trusted network it is good security practice to enable authentication.
Please refer to the MongoDB documentation to understand how to create and use users with the different authentication mechanisms.

Authorization
^^^^^^^^^^^^^

Authorization is a set of roles that give users permissions pairing resources with allowed operations.
It is suggested to use authorization to fine-tune user profiles, letting each user access only the data and run only the operations it needs.
MongoDB does not enable authorization by default; you can enable it with the *--auth* option. Example::

    $ mongod --auth

Or set it in the configuration file::

    auth = true

Please refer to the MongoDB documentation to understand how to work with authorization mechanisms.
Disable Localhost Exception
^^^^^^^^^^^^^^^^^^^^^^^^^^^

The localhost exception allows you to enable authorization before creating the first user in the system. When active, the localhost exception allows all connections from the localhost interface to have full access to that instance. The exception applies only when there are no users created in the MongoDB instance.
To prevent unauthorized access to a cluster’s shards, you must either create an administrator on each shard or disable the localhost exception. To disable the localhost exception, use setParameter to set the *enableLocalhostAuthBypass* parameter to 0 during startup. Example::

    $ mongod --setParameter enableLocalhostAuthBypass=0

Or set it in the configuration file::

    setParameter = enableLocalhostAuthBypass=0

Disable server side scripting
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In some server-side operations (e.g. mapReduce, group, eval, $where), MongoDB supports the execution of JavaScript code. To mitigate the exploitation of a possible application-level vulnerability, it is suggested to disable server-side scripting if you do not use these operations.
To disable server-side scripting add the *noscripting* parameter during startup. Example::

    $ mongod --noscripting

Or set it in the configuration file (the option name is a negation, so *true* disables scripting)::

    noscripting = true

Disable status interface
^^^^^^^^^^^^^^^^^^^^^^^^

The status interface is an HTTP server exposing a web page with statistics that may be of interest to system administrators.
It is suggested to disable the status interface, so as not to expose an unused service.
To disable the status interface add the *nohttpinterface* argument during startup. Example::

    $ mongod --nohttpinterface

Or set it in the configuration file::

    nohttpinterface = true

Since version 2.6 MongoDB disables the HTTP interface by default.

Disable the REST interface
^^^^^^^^^^^^^^^^^^^^^^^^^^

The REST interface is a fully interactive administrative REST interface, which is disabled by default.
This interface does not support any authentication, so you should always restrict access to it and only allow trusted clients to connect to this port.
It is suggested to leave this interface disabled, removing the following arguments from the command line, if present::

    $ mongod --rest --httpinterface

Or disable it in the configuration file::

    rest = false

If you have to leave this interface enabled, you should only allow trusted clients to access this service (using proper firewall rules).

Encryption
^^^^^^^^^^

MongoDB clients can use SSL to encrypt connections to mongo instances.
It is suggested to always use SSL encryption when accessing MongoDB over a network.

Please refer to the MongoDB documentation to understand how to set up SSL encryption.

Limit Network Exposure
^^^^^^^^^^^^^^^^^^^^^^

Restricting access to the database service is a critical aspect of service security. It is suggested not to expose your database to resources that do not need to access it.
You can use the *--bind_ip* option on the command line at run time or *bind_ip* in the configuration file to limit the network accessibility of a MongoDB program. Example::

    $ mongod --bind_ip 127.0.0.1

Or set it in the configuration file::

    bind_ip = 127.0.0.1

If you need finer-grained network restrictions than binding to an interface, it is suggested to use a firewall to apply custom network traffic ACLs.

Run MongoDB with a dedicated user
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Privilege separation should always be used; it is suggested to run MongoDB processes with a dedicated user account (an operating system account with the minimum privileges needed to run the service).
Most installers already create a dedicated user when installing MongoDB.

References
^^^^^^^^^^

* https://docs.mongodb.com/manual/administration/security-checklist/

-------------------------------------------------------------------------------- /Applications/MySQL/index.rst: --------------------------------------------------------------------------------

MySQL Server
------------

According to the `MySQL official website `_ MySQL is an *"open-source relational database management system (RDBMS)"*.

.. contents::
   :local:

Connection Encryption
^^^^^^^^^^^^^^^^^^^^^

By default MySQL connections are not encrypted and everything flows over the network in clear text.
If you are using MySQL over a network it is suggested to use encryption; refer to the MySQL documentation to understand how to configure an encryption mechanism.

Connection Error Limit
^^^^^^^^^^^^^^^^^^^^^^

It is suggested to ban hosts that accumulate many unsuccessful connection attempts.
As stated in the `MySQL documentation `_:

*If there are more than this number of interrupted connections from a host, that host is blocked from further connections. You can unblock blocked hosts with the FLUSH HOSTS statement. If a connection is established successfully within fewer than max_connect_errors attempts after a previous connection was interrupted, the error count for the host is cleared to zero. However, once a host is blocked, the FLUSH HOSTS statement is the only way to unblock it.*

Edit the configuration file *my.cnf* and set *max_connect_errors*::

    max_connect_errors = 3

Disable LOAD DATA LOCAL INFILE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The LOAD DATA LOCAL INFILE command allows users, or an attacker, to read local files and even access other files on the operating system.
It is also a command commonly used by attackers exploiting vulnerabilities such as SQL injection.
It is suggested to disable the command: edit the configuration file *my.cnf* and set *local-infile*::

    local-infile=0

Disable SHOW DATABASES
^^^^^^^^^^^^^^^^^^^^^^

SHOW DATABASES is a command used by users, or attackers, to list all available databases.
Stripping remote attackers of their information gathering capabilities is critical to a sound security posture.
It is suggested to disable the command: edit the configuration file *my.cnf* and add *skip-show-database* to the [mysqld] section::

    [mysqld]
    skip-show-database

Hardening Script
^^^^^^^^^^^^^^^^

MySQL comes with a hardening script to check database server security and remove some default settings.
You can run it with the command::

    mysql_secure_installation

It will ask you for your desired hardening level through some questions.

Interface Binding
^^^^^^^^^^^^^^^^^

If you don't need to access your database from another machine it is suggested to bind the MySQL service on localhost only: edit the configuration file *my.cnf* and set *bind-address*::

    bind-address = 127.0.0.1

You can also disable networking entirely, if it is not used, with the *skip-networking* option.
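The MongoDB and MySQL settings recommended above are all plain lines in an ini-style file, which makes them easy to audit mechanically. The following Python script is an added example (not code from MongoDB, MySQL or this guide): it parses a mongod 2.x configuration file or *my.cnf*, handling ``[section]`` headers, ``key = value`` pairs, bare flags such as *skip-show-database* and repeated *setParameter* lines, and reports every setting that deviates from the values recommended in the MongoDB and MySQL chapters. The sample configurations and the *max_connect_errors* threshold of 10 are the example's own constructed choices.

```python
"""Audit ini-style daemon configs against the MongoDB 2.x and MySQL settings in this guide.

Added example, not code from MongoDB or MySQL. The pre-YAML mongod config and
my.cnf share one shape: optional [section] headers, "key = value" pairs and
bare flags such as "skip-show-database". The sample configs below and the
max_connect_errors threshold are this example's own (constructed) choices.
"""
from typing import Callable, Dict, List, Optional, Tuple

Values = List[Optional[str]]                       # None marks a bare flag
Rule = Tuple[str, Callable[[Values], bool], str]   # (key, check, advice)


def parse_ini_like(text: str) -> Dict[str, Dict[str, Values]]:
    """Return {section: {key: [values]}}; text before any [header] is section "".

    Keys are lowercased and '-' folded to '_' (MySQL accepts both spellings).
    Repeated keys keep every value because mongod 2.x allows several
    setParameter lines. Only the first '=' splits, so "setParameter = x=0"
    keeps "x=0" as its value.
    """
    sections: Dict[str, Dict[str, Values]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # full-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        sections[current].setdefault(key, []).append(value.strip() if sep else None)
    return sections


# --- reusable checks; each receives every value seen for the key ([] if absent)
def equals(expected: str) -> Callable[[Values], bool]:
    return lambda vals: bool(vals) and all(v is not None and v.lower() == expected for v in vals)

def flag_present(vals: Values) -> bool:
    return bool(vals)

def absent_or_false(vals: Values) -> bool:
    return all(v is not None and v.lower() in ("false", "0") for v in vals)

def bound_locally(vals: Values) -> bool:
    return bool(vals) and all(v not in (None, "0.0.0.0", "::", "*") for v in vals)

def int_at_most(limit: int) -> Callable[[Values], bool]:
    return lambda vals: bool(vals) and all(v is not None and v.isdigit() and int(v) <= limit for v in vals)

def has_param(name: str, value: str) -> Callable[[Values], bool]:
    want = f"{name}={value}".lower()               # some setParameter line must read name=value
    return lambda vals: any(v is not None and v.replace(" ", "").lower() == want for v in vals)


MONGOD_BASELINE: List[Rule] = [
    ("auth", equals("true"), "enable authentication (auth = true)"),
    ("setparameter", has_param("enableLocalhostAuthBypass", "0"), "disable the localhost exception"),
    ("noscripting", equals("true"), "disable server-side JavaScript (noscripting = true)"),
    ("nohttpinterface", equals("true"), "disable the HTTP status interface"),
    ("rest", absent_or_false, "the unauthenticated REST interface must stay off"),
    ("bind_ip", bound_locally, "bind to a specific interface, e.g. 127.0.0.1"),
]

MYSQL_BASELINE: List[Rule] = [                     # checked in the [mysqld] section
    ("max_connect_errors", int_at_most(10), "block hosts after repeated connection errors (guide uses 3)"),
    ("local_infile", equals("0"), "disable LOAD DATA LOCAL INFILE (local-infile=0)"),
    ("skip_show_database", flag_present, "add skip-show-database"),
    ("bind_address", bound_locally, "bind to 127.0.0.1 unless remote access is required"),
]


def audit(text: str, section: str, baseline: List[Rule]) -> List[Tuple[str, str]]:
    """Return (key, message) for every baseline rule the config fails."""
    settings = parse_ini_like(text).get(section, {})
    findings: List[Tuple[str, str]] = []
    for key, check, advice in baseline:
        vals = settings.get(key, [])
        if not check(vals):
            seen = ", ".join("<flag>" if v is None else v for v in vals) or "<absent>"
            findings.append((key, f"{key} = {seen}: {advice}"))
    return findings


# --- constructed sample configs (not taken from any real deployment)
WEAK_MONGOD = "# ignores the guide\ndbpath = /var/lib/mongodb\nbind_ip = 0.0.0.0\nrest = true\nnoscripting = false\n"
HARDENED_MONGOD = ("dbpath = /var/lib/mongodb\nauth = true\nsetParameter = enableLocalhostAuthBypass=0\n"
                   "noscripting = true\nnohttpinterface = true\nbind_ip = 127.0.0.1\n")
WEAK_MYCNF = "[client]\nport = 3306\n[mysqld]\nbind-address = 0.0.0.0\nlocal-infile = 1\n"
HARDENED_MYCNF = "[mysqld]\nmax_connect_errors = 3\nlocal-infile=0\nskip-show-database\nbind-address = 127.0.0.1\n"

if __name__ == "__main__":
    for label, cfg, sect, base in (("mongod", WEAK_MONGOD, "", MONGOD_BASELINE),
                                   ("mysql", WEAK_MYCNF, "mysqld", MYSQL_BASELINE)):
        for _, msg in audit(cfg, sect, base):
            print(f"[{label}] {msg}")
```

Run it against a real file with ``audit(open("/etc/mongodb.conf").read(), "", MONGOD_BASELINE)`` or ``audit(open("/etc/my.cnf").read(), "mysqld", MYSQL_BASELINE)``; an empty list means every rule passed. Section scoping matters for MySQL: a *local-infile=0* placed under ``[client]`` configures the client library, not the server, so the audit deliberately reads only the ``[mysqld]`` section.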
Privilege Hardening
^^^^^^^^^^^^^^^^^^^

You should carefully manage users and privileges; it is suggested to follow at least these best practices:

* Each application that uses MySQL should have its own user that only has limited privileges and only has access to the databases it needs to run.
* Never use ALL TO *.*.
* Never use % for a hostname.
* Application user permissions should be as restrictive as possible.
* Only allow SUPER privileges to DBA accounts, and only from localhost.
* Never give users global privileges, except for root, the backup user, the monitoring user and the replication user.
* Take extra caution when granting SUPER or FILE privileges: SUPER can modify the runtime configuration and become other users, FILE allows reading or writing files as the MySQL process.

Rename root User
^^^^^^^^^^^^^^^^

It is suggested to change the root login name. If an attacker is trying to access the root MySQL login, they will need to perform the additional step of finding the username.

The root login can be changed with the following SQL commands::

    RENAME USER 'root'@'localhost' TO 'foobar'@'localhost';
    FLUSH PRIVILEGES;

References
^^^^^^^^^^

* https://www.owasp.org/index.php/OWASP_Backend_Security_Project_MySQL_Hardening

-------------------------------------------------------------------------------- /Applications/Nginx/index.rst: --------------------------------------------------------------------------------

Nginx
-----

According to the `Nginx official website `_ Nginx *"is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler."*

.. contents::
   :local:

Catch all deny virtualhost
^^^^^^^^^^^^^^^^^^^^^^^^^^

A catch-all virtual host is the server block that answers when your server is accessed by IP address instead of by hostname.
It is usually hit only by bots and attackers, so it is suggested to set up a default virtual host on your website's IP address that denies all requests.
Create a virtualhost with the following configuration::

    server {
        listen 80 default;
        server_name _;
        deny all;
    }

Enable Anti-Clickjacking Header
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The X-Frame-Options header with the value SAMEORIGIN instructs the browser to allow the page to be framed only by pages from the same origin; it cannot be loaded inside a frame or iframe on another site. Use this only if your business doesn't plan to have the site loaded in a frame.
Add the following code to your virtual host or server block of your site::

    add_header X-Frame-Options "SAMEORIGIN";

Note that Nginx inherits *add_header* directives into a location block only if that block defines no *add_header* of its own, so verify the headers actually returned by your site (for example with *curl -I*).

Enable HTTP Strict Transport Security
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If it applies to your website, it is suggested to consider enabling the HSTS (HTTP Strict Transport Security) mechanism, which tells browsers to communicate with your website only over HTTPS.
This mechanism is designed to reduce man-in-the-middle (MiTM) attacks.
In order to enable HSTS on Nginx, add this code to your virtual host or server block of your site::

    add_header Strict-Transport-Security max-age=15768000;

Example of a redirect virtual host with HSTS enabled::

    server {
        listen 80;
        add_header Strict-Transport-Security max-age=15768000;
        return 301 https://www.example.com$request_uri;
    }

Browsers only honour the Strict-Transport-Security header when it is received over HTTPS, so it must also be set in the HTTPS server block.

Enable X-XSS Protection
^^^^^^^^^^^^^^^^^^^^^^^

The X-XSS-Protection header enables the browser's built-in mitigation of reflected Cross-Site Scripting attacks.
Add the following code to your virtual host or server block of your site::

    add_header X-XSS-Protection "1; mode=block";

Deny access to some resources
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Sometimes critical data is published during application deployment. It is suggested to deny access to sensitive resources, for example the *.git* folder, adding a location statement that denies access to *.git* or another resource::

    server {
        location ~ /\.git {
            deny all;
        }
    }

Deny illegal Host headers
^^^^^^^^^^^^^^^^^^^^^^^^^

Malicious bots or vulnerability probes often also send requests with an improper or empty Host header.
The default technique to block this kind of attempt is to use a "catch all virtualhost", but in some cases, for example if your website is SSL/TLS encrypted, you can't use a default virtualhost.
It is suggested to block all requests with an illegal Host header with the following configuration (example.com is your website in this example; the dots are escaped so that they match literally)::

    server {
        # Deny illegal Host headers.
        if ($host !~* ^(example\.com|www\.example\.com)$ ) {
            return 444;
        }
    }

The status code 444 is Nginx-specific: it makes the server close the connection without sending any response, and it is recorded with that value in the Nginx logs (useful to block malicious requests).

Disable Autoindex
^^^^^^^^^^^^^^^^^

It is suggested to disable the autoindex module, turning off the *autoindex* directive in your location block::

    autoindex off;

Disable Content-type Sniffing
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This header prevents the browser from interpreting files as something other than what the Content-Type header declares.
Add the following code to your virtual host or server block of your site::

    add_header X-Content-Type-Options nosniff;

Disable Server Signature
^^^^^^^^^^^^^^^^^^^^^^^^

By default Nginx sends a Server header with its version number; it is suggested to hide the version by turning off *server_tokens* in the global configuration file::

    server_tokens off;

For more information see: https://wiki.nginx.org/HttpCoreModule#server_tokens

Disable SSI module
^^^^^^^^^^^^^^^^^^

It is suggested to disable the HTTP SSI (Server Side Includes) module.
Add the following code to your virtual host or server block of your site::

    ssi off;

For more information see: https://nginx.org/en/docs/http/ngx_http_ssi_module.html

-------------------------------------------------------------------------------- /Applications/OpenSSH/index.rst: --------------------------------------------------------------------------------

OpenSSH
-------

According to the `OpenSSH official website `_, *"OpenSSH is a free version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions"*.
Different versions of OpenSSH support different options which are not always compatible. This guide shows settings for the most commonly deployed OpenSSH versions.

.. contents::
   :local:

Change port number
^^^^^^^^^^^^^^^^^^

The SSH default port (22/tcp) is a constant target of worms, script kiddies and brute-force attempts of all kinds.
It is suggested to edit the *sshd_config* file (usually located in */etc/ssh/sshd_config*) to run the SSH daemon on a non-default port, using the *Port* option::

    Port 34567

Compression after authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It is suggested to enable compression only after authentication.
Open *sshd_config* (usually located in */etc/ssh/sshd_config*) and make sure the following value is configured::

    Compression delayed

Configure Idle Log Out Timeout Interval
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Users can log in to the server via SSH; it is suggested to set an idle timeout interval to avoid unattended SSH sessions.
Open *sshd_config* (usually located in */etc/ssh/sshd_config*) and make sure the following values are configured::

    ClientAliveInterval 300
    ClientAliveCountMax 0

Note that since OpenSSH 8.2 a *ClientAliveCountMax* of 0 disables connection termination entirely instead of terminating after the first missed keepalive; on those versions use a value of 1 or more.

Enable strict mode
^^^^^^^^^^^^^^^^^^

With strict mode enabled, the SSH daemon checks that important files inside users' home directories have the proper permissions and ownership, and it only allows a remote user to log in if the checks pass.
It is suggested to enable strict mode by editing the *sshd_config* file and enabling *StrictModes*::

    StrictModes yes

Enable a Warning Banner
^^^^^^^^^^^^^^^^^^^^^^^

Set a warning banner by updating *sshd_config* with the following line::

    Banner /etc/issue

This setting is suggested *only* on intranet-facing servers. If you are using a custom banner on an internet-facing system you are disclosing some kind of information, and it is quite easy to fingerprint and track your system.
For example, think about your "fingerprint prone" SSH server published as a hidden node: anyone could correlate the unique banner with you.
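Most of the settings in this chapter are single *sshd_config* keywords, but checking them with grep misses three things: keywords are case-insensitive, the first occurrence of a keyword wins, and a *Match* block overrides the global value only for the connections it matches (the per-user *AllowTcpForwarding* exception later in this chapter relies on exactly that). The following Python script is an added example (not part of OpenSSH or of this guide): it computes the effective configuration for a given user and reports which of the explicit values recommended in this chapter, including the sections that follow, are missing. Only *Match User* criteria are evaluated, sshd's version-dependent defaults for unset keywords are not modelled, and the sample configuration is constructed.

```python
"""Effective sshd_config for one user, audited against this chapter's settings.

Added example, not part of OpenSSH. Keywords are case-insensitive, the first
occurrence wins, and a Match block (to the next Match or EOF) overrides global
values only for connections it matches; only "Match User" criteria are
evaluated here (others count as non-matching, a simplifying assumption) and
sshd's version-dependent defaults for unset keywords are not modelled. The
sample config is constructed.
"""
import fnmatch
from typing import Dict, List, Tuple

Settings = Dict[str, str]


def parse_sshd_config(text: str) -> Tuple[Settings, List[Tuple[str, Settings]]]:
    """Split a config into global settings and (criteria, settings) Match blocks, in file order."""
    global_settings: Settings = {}
    blocks: List[Tuple[str, Settings]] = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = line.split(None, 1) if any(c.isspace() for c in line) else line.split("=", 1)
        if len(parts) != 2:
            continue                    # keyword without a value: sshd would reject the file
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first occurrence wins
    return global_settings, blocks


def block_matches(criteria: str, user: str) -> bool:
    """Evaluate "User pattern[,pattern]" criteria with sshd-style * and ? wildcards."""
    tokens = criteria.split()
    for i in range(0, len(tokens) - 1, 2):
        crit, patterns = tokens[i].lower(), tokens[i + 1].split(",")
        if crit != "user":
            return False                # Address/Group/Host criteria not modelled (assumption)
        if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
            return False
    return True


def effective_settings(text: str, user: str) -> Settings:
    """Global settings with matching Match blocks applied; the first matching block wins per key."""
    global_settings, blocks = parse_sshd_config(text)
    effective, overridden = dict(global_settings), set()
    for criteria, settings in blocks:
        if block_matches(criteria, user):
            for key, value in settings.items():
                if key not in overridden:
                    effective[key] = value
                    overridden.add(key)
    return effective


# Explicit sshd_config values this chapter recommends (keywords lowercased).
BASELINE: List[Tuple[str, str]] = [
    ("protocol", "2"), ("permitrootlogin", "no"), ("passwordauthentication", "no"),
    ("permitemptypasswords", "no"), ("challengeresponseauthentication", "no"),
    ("hostbasedauthentication", "no"), ("ignorerhosts", "yes"), ("strictmodes", "yes"),
    ("allowtcpforwarding", "no"), ("gatewayports", "no"), ("x11forwarding", "no"),
    ("permituserenvironment", "no"), ("compression", "delayed"),
]


def audit_sshd(text: str, user: str) -> List[Tuple[str, str]]:
    """Return (keyword, message) for each baseline value the user's effective config misses."""
    eff = effective_settings(text, user)
    findings = []
    for key, want in BASELINE:
        got = eff.get(key)
        if got is None or got.lower() != want:
            findings.append((key, f"{key}={got or '<unset>'} for user {user}, expected {want}"))
    return findings


# Constructed sample: hardened except root login, plus the chapter's per-user forwarding exception.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitUserEnvironment no
Compression delayed

Match User foobar
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for user in ("alice", "foobar"):
        for _, msg in audit_sshd(SAMPLE_SSHD_CONFIG, user):
            print(msg)
```

For the constructed sample the audit reports only *PermitRootLogin* for user alice, while for foobar it also reports *AllowTcpForwarding*, because the Match block grants that user forwarding. On a real host, ``audit_sshd(open("/etc/ssh/sshd_config").read(), "someuser")`` gives the same per-user view; ``sshd -T -C user=someuser`` (a real sshd option) prints the daemon's own resolution, including defaults, and is the reference to compare against.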
61 | 62 | Disable .rhosts Files 63 | ^^^^^^^^^^^^^^^^^^^^^ 64 | 65 | SSH can be configured to emulate the behavior of the obsolete rsh command honoring *.rhosts* files. 66 | This is historically unsafe and it is suggested to disable it, edit *sshd_config* file and disable *IgnoreRhosts*:: 67 | 68 | IgnoreRhosts yes 69 | 70 | Disable Challenge Response 71 | ^^^^^^^^^^^^^^^^^^^^^^^^^^ 72 | 73 | You should also disable challenge-response authentication, in case your version of OpenSSH is using PAM to authenticate. 74 | It is suggested to edit *sshd_config* file and disable *ChallengeResponseAuthentication*:: 75 | 76 | ChallengeResponseAuthentication no 77 | 78 | Disable Empty Passwords 79 | ^^^^^^^^^^^^^^^^^^^^^^^ 80 | 81 | You need to explicitly disallow remote login from accounts with empty passwords, update *sshd_config* with the following 82 | line:: 83 | 84 | PermitEmptyPasswords no 85 | 86 | Disable gateway for forwarded ports 87 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 88 | 89 | SSH binds local port forwardings to the loopback address only, as default. 90 | This is a security feature to prevent other remote hosts from connecting to forwarded ports. 91 | The *GatewayPorts* option can be used to specify if this is the expected behaviour. 92 | It is suggested to disable *GatewayPorts*, it is already disabled by default in most distributions, edit *sshd_config* 93 | file and disable *IgnoreRhosts*:: 94 | 95 | GatewayPorts no 96 | 97 | Disable Host-Based Authentication 98 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 99 | 100 | It is suggested to disable host-based authentication, as *.rhost* based authenticaiton, it is not rock solid authentication. 
To disable host-based authentication, edit the *sshd_config* file and disable *HostbasedAuthentication*::

    HostbasedAuthentication no

Disable Password Authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default SSH can use keys or passwords to authenticate; passwords are prone to brute force attacks.
It is suggested to use keys only and completely disable password-based logins.
To stop password-based authentication, edit the *sshd_config* file and disable *PasswordAuthentication*::

    PasswordAuthentication no

Disable Protocol 1
^^^^^^^^^^^^^^^^^^

The legacy SSH protocol 1 is not secure: it is vulnerable to man-in-the-middle attacks and has a myriad of other
vulnerabilities; it should be disabled, although in most cases it already is by default.
It is suggested to edit the *sshd_config* file and add the following line to use only SSH protocol version 2::

    Protocol 2

Disable Roaming
^^^^^^^^^^^^^^^

OpenSSH has some undocumented and rarely used features. It is suggested to disable the roaming feature, which in the
past led to a known vulnerability.
Add to the *ssh_config* file::

    Host *
        UseRoaming no

Disable Root Logins
^^^^^^^^^^^^^^^^^^^

It is suggested not to enable root login via SSH: this account has high privileges and is usually the target of
attacks.
A good practice is to log in with a normal user; the root account is still available by using the *su* and *sudo*
tools.
To disallow logins with the root user, edit the *sshd_config* file and make sure you have the following entry::

    PermitRootLogin no

Disable SSH forwarding
^^^^^^^^^^^^^^^^^^^^^^

Port forwarding via SSH (SSH tunneling) creates a secure connection between a local computer and a remote machine
through which services can be relayed.
It is suggested to disable this feature; update *sshd_config* with the following line::

    AllowTcpForwarding no

Sometimes you want to enable SSH forwarding just for some users; for example the following lines enable it only for
the user foobar (*Match* blocks must come after all global directives)::

    AllowTcpForwarding no
    Match User foobar
        AllowTcpForwarding yes

Disable TCP forwarding
^^^^^^^^^^^^^^^^^^^^^^

SSH supports "traffic tunneling", which is used to forward TCP traffic over the SSH channel.
If you are not using this feature it is suggested to disable it.
To disable TCP forwarding, edit the *sshd_config* file and disable *AllowTcpForwarding*::

    AllowTcpForwarding no

Disable user environment
^^^^^^^^^^^^^^^^^^^^^^^^

Users logging in via SSH are usually able to set environment options and potentially bypass some access restrictions.
If this feature is not needed, it is suggested to remove this permission: edit the *sshd_config* file and disable
*PermitUserEnvironment*::

    PermitUserEnvironment no

Disable X11 forwarding
^^^^^^^^^^^^^^^^^^^^^^

SSH supports X display forwarding, so X11 applications started on the remote system via SSH have their display shown
on the client.
If this feature is not used it is suggested to disable it, although it is disabled by default in most distributions.
To disable X11 forwarding, edit the *sshd_config* file and disable *X11Forwarding*::

    X11Forwarding no

Display a warning message before login
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A pre-login SSH banner is shown before the password prompt during an interactive session.
It is usually used for legal warnings or to show the terms by which someone is allowed to use the system.
This message is commonly located in */etc/issue*, but you can also use your own custom file, for example
*/etc/ssh/banner*.
It is suggested to use a warning banner: edit the *sshd_config* file and set the *Banner* option::

    Banner /etc/ssh/banner

Do not use SSH Agent Forwarding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

SSH Agent Forwarding is an easy way to connect to a host with your SSH key and from there connect to another host
with the same key.
For example, this is used when you cannot connect directly to the second host from your workstation.
To enable SSH Agent Forwarding you have to use ``ssh -A`` on the command line or set the *ForwardAgent* option in
your SSH configuration file.
It is suggested not to use SSH Agent Forwarding because it comes at the cost of a security issue: a forwarding of the
agent socket is set up to connect you to the second host, so anyone with sufficient permissions on the first host
(root, or anyone running as your user there) could use that socket to authenticate with your local ssh-agent.
It is recommended to never use SSH Agent Forwarding; if it is really needed by your use case it is suggested to use
the *ProxyCommand* option instead.

Hash Known Hosts
^^^^^^^^^^^^^^^^

If a machine is compromised, a good idea is to minimize how much usable information is given to an attacker. The
*known_hosts* file is a source of relevant information: the names and addresses of every host you connect to.
*HashKnownHosts* is a configurable option used to hash host names and addresses when they are added to
*~/.ssh/known_hosts*.
It is suggested to enable it, adding to your SSH configuration file::

    HashKnownHosts yes

Key storage
^^^^^^^^^^^

It is suggested to store your SSH keys in a secure storage and always encrypt your key files using a strong password.
For example, you may want to store them on a secure and encrypted pendrive and only plug it in when you want to use
SSH.
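To make concrete what *HashKnownHosts* does and does not protect, the following Python script is an added example,
not code from this page or from OpenSSH. It re-implements the hashed *known_hosts* entry format
(``|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))`` with a fresh 20-byte salt per entry), looks a host
name up in a file that mixes plain and hashed lines the way ``ssh-keygen -F`` does, and converts plain entries to
hashed ones the way ``ssh-keygen -H`` does. The sample file and its key material are constructed for the demonstration
and are not real keys. Because anyone holding the file can still test a guessed name against every salt, hashing
hides the list of hosts but does not turn it into a secret, which is why it pairs with the key storage advice above.

```python
"""Hashed known_hosts entries as written by ssh(1) when HashKnownHosts is on.

Added example for this page, not code from the page or from OpenSSH. It
re-implements the entry format so the reader can see what hashing hides
(the host names) and what it does not (a guessed name can still be tested
against every entry).
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # marks a hashed host field; the "1" is the format version


def hash_hostname(hostname, salt=None):
    """Return "|1|<b64 salt>|<b64 HMAC-SHA1(key=salt, msg=hostname)>".

    ssh draws a fresh 20-byte salt for every entry, so the same host name
    hashes differently in every line; lookups therefore need the salt.
    """
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_entry_matches(hashed, hostname):
    """True if the hashed host field *hashed* was produced from *hostname*."""
    if not hashed.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, mac_b64 = hashed[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(mac_b64, validate=True)
    except ValueError:  # malformed field (binascii.Error is a ValueError)
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def _split_entry(line):
    """Split a known_hosts line into (marker, host_field, key_part), or None."""
    marker = ""
    fields = line.split(None, 1)
    if fields and fields[0].startswith("@"):  # e.g. @cert-authority, @revoked
        marker = fields[0]
        fields = fields[1].split(None, 1) if len(fields) == 2 else []
    if len(fields) != 2:
        return None
    return marker, fields[0], fields[1]


def find_host(known_hosts_text, hostname):
    """Return the key part ("type base64 [comment]") of each line naming
    *hostname*, plain or hashed; this is what `ssh-keygen -F host` does."""
    matches = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = _split_entry(line)
        if entry is None:
            continue
        _marker, hosts, key = entry
        if hosts.startswith(HASH_MAGIC):
            if hashed_entry_matches(hosts, hostname):
                matches.append(key)
        elif hostname in hosts.split(","):  # plain entries may list several names
            matches.append(key)
    return matches


def hash_known_hosts(known_hosts_text):
    """Rewrite plain entries as hashed ones, one line per name (like `ssh-keygen -H`)."""
    out = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        entry = None if not line or line.startswith("#") else _split_entry(line)
        if entry is None or entry[1].startswith(HASH_MAGIC):
            out.append(raw)  # comments, blanks, unparsable or already hashed lines
            continue
        marker, hosts, key = entry
        prefix = marker + " " if marker else ""
        for name in hosts.split(","):
            out.append(prefix + hash_hostname(name) + " " + key)
    return "\n".join(out) + "\n"


# Constructed sample: one plain line with two names and one hashed line.
# The key material is a placeholder, not a real public key.
_FIXED_SALT = bytes(range(20))  # fixed only to keep the sample reproducible
SAMPLE_KNOWN_HOSTS = (
    "# constructed known_hosts sample\n"
    "bastion.example.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERKEY1 bastion\n"
    + hash_hostname("git.example.internal", _FIXED_SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERKEY2 git\n"
)

if __name__ == "__main__":
    print(hash_known_hosts(SAMPLE_KNOWN_HOSTS), end="")
    print("lookup git.example.internal ->", find_host(SAMPLE_KNOWN_HOSTS, "git.example.internal"))
```

Note that ``hash_known_hosts`` splits a plain line listing several names into one hashed line per name, which is
also why a hashed file grows and loses the grouping of aliases and addresses for the same key.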

Increase Key Strength
^^^^^^^^^^^^^^^^^^^^^

It is suggested to use a key length greater than the default one.
The following command instructs ssh-keygen, with the *-b* argument, to generate a 4096-bit RSA key::

    $ ssh-keygen -b 4096 -t rsa -f ~/.ssh/id_rsa

Feel free to increase this to your desired key length, although remember to use powers of two.
To slow down cracking attempts on the passphrase it is suggested to iterate the key derivation function many times,
for example 6000 rounds using the *-a* option (on OpenSSH releases older than 7.8 add *-o* as well, otherwise RSA
keys are written in the legacy PEM format, where *-a* has no effect)::

    $ ssh-keygen -b 4096 -a 6000 -t rsa -f ~/.ssh/id_rsa

Limit port forwarding
^^^^^^^^^^^^^^^^^^^^^

You don't want to expose the ports you open with port forwarding to other people.
It is suggested to disable *GatewayPorts* (although in most distributions it is disabled by default) to ensure that
any port forwarding is limited to the local machine::

    GatewayPorts no

Limiting brute forcing attempts
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

SSH is a service targeted by worms, script kiddies and all kinds of brute forcing.
It's a good idea to limit the maximum number of login attempts per second. This can be achieved with a few iptables
rules or with `DenyHosts `_.

Message authentication codes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

There are multiple ways to combine ciphers and MACs, but only Encrypt-then-MAC should be used.
It is suggested to use a selected list of MACs; edit the *sshd_config* file::

    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Also set the same configuration for the SSH client; edit the *ssh_config* file::

    Host *
        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

The non-*etm* entries at the end of the list are there only for compatibility with older peers; remove them if every
peer you talk to supports the *-etm* variants. Also note that *hmac-ripemd160* support was removed in OpenSSH 7.6, and
an unknown algorithm name makes the daemon reject the whole configuration, so check the names with ``ssh -Q mac``
before copying the list.

OTP Setup
^^^^^^^^^

Usually SSH verifies only one thing, your password or your private key, although multiple authentication methods are
allowed.
Here we are going to see how to use Google Authenticator as an OTP token during SSH authentication.
Install the Google Authenticator PAM module; for example in Ubuntu you can use this command::

    apt-get install libpam-google-authenticator

Run the command *google-authenticator* for each user who needs an OTP token; you will be asked some questions to
configure the token generator and at the end a QR code will be displayed. Use it to set up your access token, for
example on your phone, and safely save all the codes displayed.

Configure SSH to use PAM by editing the *sshd_config* file with these values::

    ChallengeResponseAuthentication yes
    PasswordAuthentication no
    AuthenticationMethods publickey,keyboard-interactive
    UsePAM yes
    PubkeyAuthentication yes

Restart the SSH service. Now edit the PAM configuration to use Google Authenticator: edit */etc/pam.d/sshd* and
replace the line::

    @include common-auth

with the line::

    auth required pam_google_authenticator.so

Now SSH logins will require a private key and, after it, will additionally require an OTP token.
Log in as the user you'll be logging in with remotely and run the *google-authenticator* command to create a secret
key for that user.
Restart the SSH daemon.

Restrict IP Listen Address
^^^^^^^^^^^^^^^^^^^^^^^^^^

If you are in a multi-homed setup (with multiple network interfaces) it is suggested to avoid having SSH listening on
all interfaces, unless it is really needed. For example, only a specific IP should be used for SSH.
To specify on which IP to listen, edit the *sshd_config* file and use the *ListenAddress* option; for example, to
listen only on the interface with IP 192.168.0.1::

    ListenAddress 192.168.0.1

Reduce Grace Time
^^^^^^^^^^^^^^^^^

It is suggested to lower the default grace time for authenticating a user: a long grace time is only necessary if you
are on a very slow connection, otherwise it just holds unauthenticated connections open for some time.
To reduce the grace time to 30 seconds, edit the *sshd_config* file and use the *LoginGraceTime* option::

    LoginGraceTime 30

Route traffic over TOR
^^^^^^^^^^^^^^^^^^^^^^

If you would like to provide an additional layer of encryption, server authentication and some traffic analysis
resistance, you can access your SSH daemon as a hidden service over TOR.
Note: attackers can still attack the SSH service, but they don't know who they are attacking.
This hardening step is not suggested; it is only a desideratum worth mentioning.

If you want to access your SSH daemon only via the hidden service, bind it only to localhost; edit *sshd_config*::

    ListenAddress 127.0.0.1:22

Create your hidden service by editing *torrc* (usually in */etc/tor/torrc*)::

    HiddenServiceDir /var/lib/tor/hidden_service/ssh
    HiddenServicePort 22 127.0.0.1:22

You will find the hostname you have to use in */var/lib/tor/hidden_service/ssh/hostname*.
Now you have to configure the SSH client to connect over TOR. Install *socat* (it is used to route traffic over TOR)
and configure SSH to use *socat* for each host name ending with *.onion*, editing *ssh_config*::

    Host *.onion
        ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050

Symmetric ciphers
^^^^^^^^^^^^^^^^^

Symmetric ciphers are used to encrypt the transmission after the initial key exchange and successful authentication.

It is suggested to use a selected list of strong ciphers; edit the *sshd_config* file::

    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

Also set the same configuration for the SSH client; edit the *ssh_config* file::

    Host *
        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

Use PAM
^^^^^^^

By default, OpenSSH uses PAM for the authentication of users.
PAM (Pluggable Authentication Modules) is a powerful framework for managing user authentication.
Using PAM you can enforce rules during authentication (e.g. limiting access based on login count).
It is suggested to use PAM for SSH authentication too; edit the *sshd_config* file and enable *UsePAM*::

    UsePAM yes

Use privilege separation
^^^^^^^^^^^^^^^^^^^^^^^^

It is a good practice to never run processes as root. If you enable SSH privilege separation, the sshd process keeps
a tiny footprint running as root and drops privileges as soon as possible to run as an unprivileged process.
It is suggested to enable privilege separation (usually it is enabled by default); edit the *sshd_config* file and
enable *UsePrivilegeSeparation*::

    UsePrivilegeSeparation yes

On OpenSSH 7.5 and later the option is obsolete: privilege separation is always enabled and the directive is only
accepted for compatibility.

Use strong key algorithms
^^^^^^^^^^^^^^^^^^^^^^^^^

SSH supports different key exchange algorithms, ciphers and message authentication codes. There are ciphers for any
security level.
It is suggested to use only strong key exchange protocols; edit the *sshd_config* file and set *KexAlgorithms*::

    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Edit the *ssh_config* file and set *KexAlgorithms*::

    # Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.
    #Host github.com
    #    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

    Host *
        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Open */etc/ssh/moduli*, if it exists, and delete the lines where the 5th column (the modulus size in bits) is less
than 2000::

    awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
    wc -l "${HOME}/moduli" # make sure there is something left
    mv "${HOME}/moduli" /etc/ssh/moduli

If it does not exist, create it::

    ssh-keygen -G "${HOME}/moduli" -b 4096
    ssh-keygen -T /etc/ssh/moduli -f "${HOME}/moduli"
    rm "${HOME}/moduli"

Whitelisting / blacklisting users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default all system users can log in via SSH using their password or public key.
Sometimes you create UNIX / Linux user accounts for FTP or email purposes; however, those users can log in to the
system using SSH.
To only allow the users antani and tapioco to use the system via SSH, add the following to *sshd_config*::

    AllowUsers antani tapioco

Alternatively, you can allow all users to log in via SSH but deny only a few users, with the following line::

    DenyUsers foo bar

You can also configure Linux PAM to allow or deny login via the sshd server.

Whitelisting / blacklisting groups
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default all system users can log in via SSH using their password or public key.
Sometimes you create UNIX / Linux user accounts for FTP or email purposes; however, those users can log in to the
system using SSH.
To only allow users in a group (for example the foo group), add the following to *sshd_config*::

    AllowGroups foo

Alternatively, you can allow all users to log in via SSH but deny only the users in the foo group, with the following
line::

    DenyGroups foo

You can also configure Linux PAM to allow or deny login via the sshd server.

References
^^^^^^^^^^

* https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/
* https://stribika.github.io/2015/01/04/secure-secure-shell.html

--------------------------------------------------------------------------------
/Applications/OpenVPN/index.rst:
--------------------------------------------------------------------------------
OpenVPN
-------

According to the `OpenVPN official website `_, OpenVPN is *"an open-source software that implements virtual private
network (VPN) techniques for creating secure point-to-point connections"*.

.. contents::
   :local:

Additional authentication
^^^^^^^^^^^^^^^^^^^^^^^^^

If possible, it is suggested to require an additional authentication in addition to the client certificate.
This could protect you in case of certificate loss.
Additional authentication can be configured server side in two ways:

* Using the *auth-user-pass-verify* option
* Using a plugin (e.g. PAM)

Attacks on default gateway
^^^^^^^^^^^^^^^^^^^^^^^^^^

OpenVPN is commonly used to route all traffic, or only some subnets, through the VPN tunnel. This is implemented by
adding wide-scope routing rules.
A rogue DHCP server able to push more specific routes could take precedence in the routing table and route your
traffic outside the VPN.
To prevent this kind of attack it is suggested to configure your DHCP client to ignore classless static routes.
A rogue DHCP server could also push a subnet mask for an extremely large subnet, so that all the traffic would be
routed on the local network and not into the VPN.
This issue has no easy solution; it depends on your OS. For example in Linux you can use advanced routing and
multiple routing tables (see https://www.agwa.name/blog/post/hardening_openvpn_for_def_con).

Custom Port
^^^^^^^^^^^

It is suggested to move OpenVPN from the default port to a custom one.
For example, to set it on port 10000, edit the server configuration file as follows::

    port 10000

Disable IPv6
^^^^^^^^^^^^

IPv6 can be a security beast: unless you are using IPv6 in your OpenVPN tunnel, all IPv6 traffic from your client
will bypass the VPN and egress over the local network.
It is suggested to disable IPv6 support in your OS if you are not using it.

Disable management interface
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The OpenVPN management interface allows OpenVPN to be remotely administered.
It is suggested to disable the management interface, or to restrict it to localhost (or local trusted clients).
Edit the server configuration file and comment out the *management* option, or make sure it is only accessible via
localhost::

    # management 127.0.0.1 8000

DNS management
^^^^^^^^^^^^^^

When you are using a VPN tunnel, you should use only a trusted DNS server.
If an attacker is able to push a rogue DNS server it is game over for you, because they could redirect all your
traffic outside the VPN.
Your operating system should take care of the configured DNS servers; unfortunately, how DHCP clients manage pushed
DNS servers depends on the operating system. Some systems do it incredibly poorly, and it is possible to change your
DNS server by pushing it via DHCP after the VPN tunnel startup.
It is suggested to pin your DNS servers to be sure you are always using the right one.

Do not allow certificate re-use
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Certificates should not be shared, and each VPN client must have its own unique certificate.
It is suggested to enforce this by disabling *duplicate-cn* in the server configuration file: if present, comment it
out or delete it, as follows::

    # duplicate-cn

Key Size
^^^^^^^^

It is suggested to use a key size of at least 2048 bits (better 4096 bits) for your certificates.
If you are creating certificates with OpenSSL you have to modify the *default_bits* parameter.

Limit concurrent clients
^^^^^^^^^^^^^^^^^^^^^^^^

It is suggested to restrict the maximum number of concurrent clients to a reasonable number.
Set *max-clients* in the server configuration file as follows (limited to 100 clients in the example)::

    max-clients 100

Migrate from old cipher
^^^^^^^^^^^^^^^^^^^^^^^

If using OpenVPN v2.4, Negotiable Crypto Parameters (NCP) allow to seamlessly migrate away from deprecated ciphers
without much extra work.
If both client and server run OpenVPN v2.4 without NCP being disabled (*--ncp-disable*), the tunnel will
automatically be upgraded to AES-256-GCM. If the environment also uses clients older than OpenVPN v2.4, the server
can deploy::

    ncp-ciphers AES-256-GCM:AES-256-CBC:BF-CBC

This will allow older clients to add or change *--cipher* to use AES-256-CBC instead of the default BF-CBC, or any
other cipher enlisted. This can be done on the client configuration files with a one-by-one approach; unmodified
clients will be able to connect as before. Once all clients have been updated to OpenVPN v2.4 or later (preferred) or
have had their configuration altered, the *--ncp-ciphers* list can be modified to remove BF-CBC.

This migration approach will not work after the release of OpenVPN v2.6. As of that release, the BF-CBC, CAST or RC2
ciphers will not be accepted any more.

Persistent VPN device
^^^^^^^^^^^^^^^^^^^^^

If your connection is interrupted and OpenVPN is trying to reconnect, in the meanwhile traffic is passing through
your default route, bypassing the VPN.
It is suggested to configure OpenVPN to keep the device open and hold traffic until the connection is restored; add
the following option to the configuration file::

    persist-tun

Run as unprivileged user
^^^^^^^^^^^^^^^^^^^^^^^^

It is suggested to run the OpenVPN process as an unprivileged user.
Add the following lines to the configuration file::

    user nobody
    group nobody

Secure Ciphers
^^^^^^^^^^^^^^

It is suggested to use strong symmetric ciphers (at least 256 bits).
For example, add the following to both server and client configuration files to use AES-256::

    cipher AES-256-CBC

It is also suggested to limit the TLS ciphersuites in use with::

    tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Secure PKI Management
^^^^^^^^^^^^^^^^^^^^^

OpenVPN authentication, in most cases, is based on a PKI and X.509 certificates. Practicing secure PKI management is
mandatory to safeguard OpenVPN as well.
It is suggested to follow best practices for secure PKI management, for example:

* Secure management of the CA PKI.
* Generate private keys on the target system and never transport them.
* Never share private keys.
* Use certificate passwords if possible, and use a secure password policy.
* Use a CRL and revoke lost/compromised keys.

Set minimum TLS version
^^^^^^^^^^^^^^^^^^^^^^^

It is suggested to set the minimum TLS version by editing the configuration file and adding::

    tls-version-min 1.2

SHA-2 for message authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It is suggested to use a strong algorithm for message authentication (HMAC).
Add the following line to the configuration file::

    auth SHA-256

Use PSK
^^^^^^^

The *--tls-auth* option uses a static pre-shared key (PSK) shared among all connected peers.
This adds an extra layer of protection to the TLS channel by requiring that incoming control-channel packets carry a
correct HMAC computed with the PSK.
This feature can protect your VPN server from DoS attacks aimed at exhausting your CPU and from port scanning (avoiding
service fingerprinting), and it acts as a second line of defense against SSL library vulnerabilities.
Generate a PSK with the command::

    openvpn --genkey --secret ta.key

Add the following line to your server configuration::

    tls-auth ta.key

Add the same line to your client configuration::

    tls-auth ta.key

Beware: if the *--tls-auth* key is changed, it must be changed on all peers at the same time, so it could potentially
lead to a network management horror story. It is suggested to use it with care.

Verify Certificate subject name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is not a general recommendation, although in some cases it could be useful to verify the X.509 certificate
subject name on the client.
Add to the client configuration file the following line::

    verify-x509-name 'C=XX, O=Example, CN=example.xxx' subject

Verify CRL
^^^^^^^^^^

It is suggested to verify revoked client certificates: they should not connect or keep a connection alive.
Add *crl-verify* to the server configuration file, as follows::

    crl-verify path/yourcrl.pem

Verify the server certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It is recommended to check that the server certificate contains a specific key usage and extended key usage.
Add to the client configuration file the following line::

    remote-cert-tls server

This is also a measure to prevent a client from using its own certificate to impersonate a server.

Certificates using the X509v3 format have key usage flags set. Clients should use certificates with the "TLS Web
Client Authentication" flag set and servers with "TLS Web Server Authentication" set.

Add to the client configuration file the following line::

    remote-cert-eku "TLS Web Server Authentication"

Add to the server configuration file the following line::

    remote-cert-eku "TLS Web Client Authentication"

References
^^^^^^^^^^

* https://community.openvpn.net/openvpn/wiki/Hardening
* https://www.agwa.name/blog/post/hardening_openvpn_for_def_con

--------------------------------------------------------------------------------
/Applications/index.rst:
--------------------------------------------------------------------------------
*********************
Application Hardening
*********************

This chapter describes how to harden standalone applications. It is divided in two sections: client side applications
(e.g. browser, email client) and server side applications (e.g. web server, file server).

.. toctree::
   :maxdepth: 1
   :glob:

   */index

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Makefile for Sphinx documentation
#

# You can set these variables from the command line.
SPHINXOPTS    =
SPHINXBUILD   = sphinx-build
PAPER         =
BUILDDIR      = _build

# User-friendly check for sphinx-build
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from https://www.sphinx-doc.org/)
endif

# Internal variables.
PAPEROPT_a4     = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .

.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext

help:
	@echo "Please use \`make <target>' where <target> is one of"
	@echo "  html       to make standalone HTML files"
	@echo "  dirhtml    to make HTML files named index.html in directories"
	@echo "  singlehtml to make a single large HTML file"
	@echo "  pickle     to make pickle files"
	@echo "  json       to make JSON files"
	@echo "  htmlhelp   to make HTML files and a HTML help project"
	@echo "  qthelp     to make HTML files and a qthelp project"
	@echo "  devhelp    to make HTML files and a Devhelp project"
	@echo "  epub       to make an epub"
	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
	@echo "  text       to make text files"
	@echo "  man        to make manual pages"
	@echo "  texinfo    to make Texinfo files"
	@echo "  info       to make Texinfo files and run them through makeinfo"
	@echo "  gettext    to make PO message catalogs"
	@echo "  changes    to make an overview of all changed/added/deprecated items"
	@echo "  xml        to make Docutils-native XML files"
	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
	@echo "  linkcheck  to check all external links for integrity"
	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"

clean:
	rm -rf $(BUILDDIR)/*

html:
	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."

dirhtml:
	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."

singlehtml:
	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
	@echo
	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."

pickle:
	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
	@echo
	@echo "Build finished; now you can process the pickle files."

json:
	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
	@echo
	@echo "Build finished; now you can process the JSON files."

htmlhelp:
	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
	@echo
	@echo "Build finished; now you can run HTML Help Workshop with the" \
	      ".hhp project file in $(BUILDDIR)/htmlhelp."

qthelp:
	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
	@echo
	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/Ghiro.qhcp"
	@echo "To view the help file:"
	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Ghiro.qhc"

devhelp:
	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
	@echo
	@echo "Build finished."
	@echo "To view the help file:"
	@echo "# mkdir -p $$HOME/.local/share/devhelp/Ghiro"
	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Ghiro"
	@echo "# devhelp"

epub:
	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
	@echo
	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."

latex:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo
	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
	@echo "Run \`make' in that directory to run these through (pdf)latex" \
	      "(use \`make latexpdf' here to do that automatically)."

latexpdf:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo "Running LaTeX files through pdflatex..."
	$(MAKE) -C $(BUILDDIR)/latex all-pdf
	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."

latexpdfja:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo "Running LaTeX files through platex and dvipdfmx..."
	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."

text:
	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
	@echo
	@echo "Build finished. The text files are in $(BUILDDIR)/text."

man:
	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
	@echo
	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."

texinfo:
	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
	@echo
	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
	@echo "Run \`make' in that directory to run these through makeinfo" \
	      "(use \`make info' here to do that automatically)."

info:
	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
	@echo "Running Texinfo files through makeinfo..."
	make -C $(BUILDDIR)/texinfo info
	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."

gettext:
	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
	@echo
	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."

changes:
	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
	@echo
	@echo "The overview file is in $(BUILDDIR)/changes."
157 | 158 | linkcheck: 159 | $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck 160 | @echo 161 | @echo "Link check complete; look for any errors in the above output " \ 162 | "or in $(BUILDDIR)/linkcheck/output.txt." 163 | 164 | doctest: 165 | $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest 166 | @echo "Testing of doctests in the sources finished, look at the " \ 167 | "results in $(BUILDDIR)/doctest/output.txt." 168 | 169 | xml: 170 | $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml 171 | @echo 172 | @echo "Build finished. The XML files are in $(BUILDDIR)/xml." 173 | 174 | pseudoxml: 175 | $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml 176 | @echo 177 | @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml." 178 | -------------------------------------------------------------------------------- /OS/MacOS_10.12_Sierra/images/finder_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/MacOS_10.12_Sierra/images/finder_1.png -------------------------------------------------------------------------------- /OS/MacOS_10.12_Sierra/images/settings_desktop_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/MacOS_10.12_Sierra/images/settings_desktop_1.png -------------------------------------------------------------------------------- /OS/MacOS_10.12_Sierra/images/settings_general_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/MacOS_10.12_Sierra/images/settings_general_1.png -------------------------------------------------------------------------------- 
--------------------------------------------------------------------------------
/OS/MacOS_10.12_Sierra/index.rst:
--------------------------------------------------------------------------------
MacOS 10.12 Sierra
------------------

According to `Wikipedia `_, Sierra
is *"(version 10.12) is the thirteenth major release of macOS (previously OS X),
Apple Inc.'s desktop and server operating system for Macintosh computers.
The successor to OS X El Capitan, it is the first version of the operating system
issued under the June 2016 rebranding as macOS. Sierra is named after California's
Sierra Nevada mountain range. Its major new features concern Continuity, iCloud,
and windowing, as well as support for Apple Pay and Siri."*.

.. contents::
   :local:

Applications
^^^^^^^^^^^^

It is suggested to keep the */Applications/* directory as clean as possible,
having a separate *Applications* directory for your apps.
Just create a folder named "Applications" in your home directory (or wherever you
like) and install (move) all applications there. Apps installed via the App Store and some
special apps cannot live in a custom Applications folder, so you have to keep
them in the original */Applications/*.

Allow only signed apps
^^^^^^^^^^^^^^^^^^^^^^

It is suggested to never run untrusted code that is not signed with a proper key.
To allow only apps signed by an authorized developer, go to:

System Preferences ⇒ Security & Privacy ⇒ General

Set "Allow apps downloaded from" to "Mac App Store and identified developers" or,
if you want to be stricter and you install applications only via the App Store,
set it to "Mac App Store".
In macOS Sierra it is no longer possible to choose to run unsigned code, as it was in
OS X El Capitan.

.. image:: images/settings_security_2.png
   :align: center

Check Privacy permissions
^^^^^^^^^^^^^^^^^^^^^^^^^

OS X lets you see all applications requesting access to some sort of
sensitive data, for example your location or your contacts.
It is suggested to periodically check the list of applications requesting access
to sensitive data and review their permissions.
To show the list of these applications go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy

.. image:: images/settings_security_9.png
   :align: center

Destroy FileVault Keys
^^^^^^^^^^^^^^^^^^^^^^

By default FileVault keys are kept in memory when the system goes into standby mode.
As described in *man pmset*:

    destroyfvkeyonstandby - Destroy File Vault Key when going to standby
    mode. By default File vault keys are retained even when system goes to
    standby. If the keys are destroyed, user will be prompted to enter the
    password while coming out of standby mode.(value: 1 - Destroy, 0 -
    Retain)

It is suggested to configure your system to destroy FileVault keys when entering
standby mode with the following command::

    sudo pmset destroyfvkeyonstandby 1

Disable Creation of Metadata Files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default OS X creates metadata files in each directory to speed up browsing.
These files could leak metadata, so it is suggested to avoid the creation of .DS_Store
and AppleDouble files.

Disable the creation of metadata files on network volumes with the following command
in a Terminal::

    defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true

Disable the creation of metadata files on USB volumes with the following command
in a Terminal::

    defaults write com.apple.desktopservices DSDontWriteUSBStores -bool true

Disable Diagnostics
^^^^^^^^^^^^^^^^^^^

It is suggested to disable sending diagnostic and usage data to Apple.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Diagnostics & Usage

Un-check "Send diagnostic & usage data to Apple".
Un-check "Share crash data with app developers".

.. image:: images/settings_security_4.png
   :align: center

Disable Guest user
^^^^^^^^^^^^^^^^^^

Mac OS X comes with a *Guest* user enabled by default; it permits anyone to use
your device in a restricted environment.
It is suggested to disable the *Guest* user, go to:

System Preferences ⇒ Users & Groups ⇒ Guest User

Un-check "Allow guests to log in to this computer".

.. image:: images/settings_users_2.png
   :align: center

It is suggested to disable guest access to shared folders if you are not using
it, go to:

System Preferences ⇒ Users & Groups ⇒ Guest User

Un-check "Allow guest users to connect to shared folders".

.. image:: images/settings_users_3.png
   :align: center

Disable Handoff
^^^^^^^^^^^^^^^

Handoff is a great feature to keep your work in sync between Apple devices.
Due to its implementation it needs to send some data to Apple iCloud to work, so
in some way it is leaking your data.
It is suggested to disable it.
Go to:

System Preferences ⇒ General

Un-check "Allow Handoff between this Mac and your iCloud devices".

.. image:: images/settings_general_2.png
   :align: center

Disable password hints
^^^^^^^^^^^^^^^^^^^^^^

Password hints are supposed to help a user remember their password but could
also help attackers.
It is suggested to disable password hints, go to:

System Preferences ⇒ Users & Groups ⇒ Login Options

Un-check "Show password hints".

.. image:: images/settings_users_1.png
   :align: center

Disable recent items
^^^^^^^^^^^^^^^^^^^^

Recent items are used to track your latest activity; it is also a feature
used in forensics investigations to build the user activity timeline.
It is suggested not to track recently used items.
Go to:

System Preferences ⇒ General

Set “Recent items” to “None”.

.. image:: images/settings_general_1.png
   :align: center

Disable Localization Services
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default Spotlight is allowed to use localization services to offer you
localized results.
Due to its implementation it needs to send your position to a remote service.
It is suggested to disable this behavior.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Location Services

Select "System Services" and click "Details...".
It is suggested to disable localization for all services, if not needed.

.. image:: images/settings_security_3.png
   :align: center

Disable Spotlight Suggestions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default Spotlight shows suggestions from the Internet: it sends your search
to Apple services and returns their results.
It is suggested to use Spotlight only locally to prevent leaking your searches.
To disable Spotlight Suggestions go to:

System Preferences ⇒ Spotlight

Un-check "Allow Spotlight Suggestions in Spotlight and Look Up".

.. image:: images/settings_spotlight_1.png
   :align: center

It is suggested to disable Spotlight Suggestions to avoid leaking your searches to
the online services used for suggestions, go to:

System Preferences ⇒ Spotlight

Un-check "Spotlight Suggestions" in the list of result categories.

.. image:: images/settings_spotlight_2.png
   :align: center

Enable FileVault
^^^^^^^^^^^^^^^^

It is suggested to enable FileVault to get full disk encryption on your
device. It should be already enabled by default.
Go to:

System Preferences ⇒ Security & Privacy ⇒ FileVault

Enable FileVault.

Enable Firewall
^^^^^^^^^^^^^^^

It is suggested to enable the Firewall and have it always running.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Firewall

Click on "Turn On Firewall".

.. image:: images/settings_security_5.png
   :align: center

Now click on "Firewall options", a new panel will appear.
Click on "Block all incoming connections".

.. image:: images/settings_security_6.png
   :align: center

Using "Block all incoming connections" will block all incoming connections to
your host. This also blocks all sharing services, such as file sharing,
screen sharing, Messages Bonjour, iTunes music sharing and other features.
If your host is providing any kind of service, this option is not suggested;
you should disable it.

Enable screen saver
^^^^^^^^^^^^^^^^^^^

It is suggested to enable the screen saver to automatically lock your screen
after a while.
Go to:

System Preferences ⇒ Desktop & Screen Saver ⇒ Screen Saver

Set "Start after" to "5 Minutes".

.. image:: images/settings_desktop_1.png
   :align: center

Empty trash securely
^^^^^^^^^^^^^^^^^^^^

When you delete a file, OS X only deletes the index entry for the file, which
tells the system the file's contents are free to be overwritten; however, the
data still remains and may be recovered using forensics software.
It is a good practice to always empty your trash securely, so that your data is
wiped from disk in an irreversible way.
In previous OS X releases there was an option to enable secure delete, but Apple
removed this feature in OS X El Capitan. However, you can use command line
tools.

You can use the *rm* command from Terminal to delete files with the *-P* option;
as stated in *man rm*, this option is used to:

    Overwrite regular files before deleting them. Files are
    overwritten three times, first with the byte pattern 0xff,
    then 0x00, and then 0xff again, before they are deleted.

For example, if you want to delete *test.pdf* you should open Terminal and use::

    $ rm -P test.pdf

Note that on an SSD the overwritten blocks are not necessarily the physical cells
that held the data (wear levelling), so full disk encryption with FileVault remains
the more reliable protection for deleted data.

Erase free space
^^^^^^^^^^^^^^^^

In some cases, you might want to run an overwrite task on the free space of a
given drive.
You can use the *diskutil* command line utility: open Terminal and use::

    diskutil secureErase freespace LEVEL /Volumes/DRIVE_NAME

In this command, change LEVEL to a number from 0 through 4; the available options
are:

* *0* is a single-pass of zeros
* *1* is a single-pass of random numbers
* *2* is a 7-pass erase
* *3* is a 35-pass erase
* *4* is a 3-pass erase

Change DRIVE_NAME to the name of the mount point.

Homebrew hardening
^^^^^^^^^^^^^^^^^^

Homebrew is a quite common third party tool on OS X systems.

It is suggested to disable anonymous statistics collection by adding the following
variable to your *.bash_profile* or *.profile* (or your shell configuration)
file::

    export HOMEBREW_NO_ANALYTICS=1

It is suggested to disable automatic updates to keep control of brew
updates; add the following to your *.bash_profile* or *.profile*
(or your shell configuration) file::

    export HOMEBREW_NO_AUTO_UPDATE=1

It is suggested to configure brew not to leak your GitHub username. When
checking out a public repository, by default, your username is always sent.
Add the following to your *.bash_profile* or *.profile* (or your shell
configuration) file::

    export HOMEBREW_NO_GITHUB_API=1

It is suggested to configure brew to refuse protocol downgrades from HTTPS
to HTTP via redirect.
Add the following to your *.bash_profile* or *.profile* (or your shell
configuration) file::

    export HOMEBREW_NO_INSECURE_REDIRECT=1

Power off memory during standby
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default memory is kept powered on during stand-by, which makes it prone to
forensic acquisition of its contents.
As stated in *man pmset*:

    hibernatemode supports values of 0, 3, or 25. Whether or not a hibernation
    image gets written is also dependent on the values of standby and
    autopoweroff

    For example, on desktops that support standby a hibernation image will be
    written after the specified standbydelay time. To disable hibernation
    images completely, ensure hibernatemode standby and autopoweroff are all
    set to 0.

    hibernatemode = 0 by default on desktops. The system will not back memory
    up to persistent storage. The system must wake from the contents of memory;
    the system will lose context on power loss. This is, historically,
    plain old sleep.

    hibernatemode = 3 by default on portables. The system will store a copy
    of memory to persistent storage (the disk), and will power memory during
    sleep. The system will wake from memory, unless a power loss forces it to
    restore from hibernate image.

    hibernatemode = 25 is only settable via pmset. The system will store a
    copy of memory to persistent storage (the disk), and will remove power to
    memory. The system will restore from disk image. If you want "hibernation"
    - slower sleeps, slower wakes, and better battery life, you should
    use this setting.

It is suggested to power off memory at stand-by with the following command::

    sudo pmset hibernatemode 25

Require an administration password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Always require an administrator password to access system settings.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Advanced

Check "Require an administrator password to access system-wide preferences".

.. image:: images/settings_security_7.png
   :align: center

Require password to un-lock
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Require a password to un-lock from sleep or screen saver.
Go to:

System Preferences ⇒ Security & Privacy ⇒ General

Set "Require password immediately after sleep or screen saver begins".

.. image:: images/settings_security_1.png
   :align: center

Save to Disk by Default
^^^^^^^^^^^^^^^^^^^^^^^

Many applications bundled with OS X, e.g. TextEdit, save new documents to
iCloud by default.
It is suggested to set the default save target to the local disk, not iCloud, with
the following command; open Terminal and type::

    defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

Set a Firmware Password
^^^^^^^^^^^^^^^^^^^^^^^

Enabling an optional firmware password offers an increased level of protection.
A firmware password is set in the firmware of the Mac's logic board; it is an EFI
password which prevents your Mac from being booted from an external boot volume,
single user mode, or target disk mode, and it also prevents resetting of PRAM
and the ability to boot into Safe Mode.
Years ago firmware passwords could be easily bypassed by removing memory.
These days a Mac's firmware password isn't easily reset.
Apple only suggests bringing your Mac to an authorized Apple Service Provider and
having them do it there.

It is suggested to set a firmware password:

* Power off your Mac and turn it on.
* Activate Recovery Mode (holding down the Command and R keys at boot).
* After a while OS X Utilities will appear.
* Click on the Utilities menu in the menu bar.
* Select Firmware Password Utility.
* Click on 'Turn On Firmware Password' and follow the wizard.
* When done, restart your Mac.

Show all filename extensions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It is a good practice to always show file name extensions.
Start the Finder app.
Go to:

Preferences ⇒ Advanced

Check "Show all filename extensions".

.. image:: images/finder_1.png
   :align: center

Show when localization is used
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

System services could ask to use localization data.
It is suggested to show the location icon when localization data is requested.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Location Services

Select "System Services" and click "Details...".
Check "Show location icon in the menu bar when System Services request your
location".

.. image:: images/settings_security_8.png
   :align: center

Users privilege separation
^^^^^^^^^^^^^^^^^^^^^^^^^^

It is suggested to use different accounts for administration and normal use.
Create an account with admin privileges for special tasks and maintenance and a
regular user for your normal use.
Don't use the same password for both.
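An added audit script, not part of the hardentheworld guide, that checks the Terminal-side settings recommended in the Destroy FileVault Keys, Disable Creation of Metadata Files, Homebrew hardening, Power off memory during standby and Save to Disk by Default sections above. The check functions take captured command output as arguments so they can be exercised on any machine; the pmset samples are constructed, and all function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: audit the Terminal-configurable hardening settings from the
# macOS Sierra guide. check_* functions work on captured output; audit_live
# runs the real pmset/defaults commands and only works on macOS.

# Print the value of key $2 from `pmset -g` output passed in $1 ("" if absent).
# Keys are compared case-insensitively: pmset prints some in mixed case
# (e.g. DestroyFVKeyOnStandby) while the setter uses lowercase.
pmset_value() {
    printf '%s\n' "$1" | awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Print 1 if pmset output $1 matches the guide (destroyfvkeyonstandby 1,
# hibernatemode 25), else 0; each deviation is reported on stderr.
check_pmset() {
    pm_ok=1
    pm_fv=$(pmset_value "$1" destroyfvkeyonstandby)
    pm_hm=$(pmset_value "$1" hibernatemode)
    [ "$pm_fv" = "1" ] || { echo "pmset destroyfvkeyonstandby is '${pm_fv:-unset}', expected 1" >&2; pm_ok=0; }
    [ "$pm_hm" = "25" ] || { echo "pmset hibernatemode is '${pm_hm:-unset}', expected 25" >&2; pm_ok=0; }
    echo "$pm_ok"
}

# Print 1 if the captured `defaults read` result $2 for key $1 equals the wanted
# boolean $3 ("true"/"false"). `defaults` prints 1/0 for booleans and nothing
# when the key was never set, which counts as "not hardened".
check_default() {
    case "$3" in
        true)  df_want=1 ;;
        false) df_want=0 ;;
        *) echo "check_default: want must be true or false" >&2; echo 0; return ;;
    esac
    if [ "$2" = "$df_want" ]; then
        echo 1
    else
        echo "defaults $1 is '${2:-unset}', expected $df_want" >&2
        echo 0
    fi
}

# Print 1 if all four Homebrew variables from the guide are set to 1 in the
# current shell environment, else 0.
check_brew_env() {
    be_ok=1
    for be_var in HOMEBREW_NO_ANALYTICS HOMEBREW_NO_AUTO_UPDATE \
                  HOMEBREW_NO_GITHUB_API HOMEBREW_NO_INSECURE_REDIRECT; do
        eval "be_val=\${$be_var:-}"
        [ "$be_val" = "1" ] || { echo "$be_var is '${be_val:-unset}', expected 1" >&2; be_ok=0; }
    done
    echo "$be_ok"
}

# Run the real commands (macOS only); returns non-zero on any deviation.
audit_live() {
    command -v pmset >/dev/null 2>&1 || { echo "pmset not found, not macOS?" >&2; return 2; }
    live_ok=1
    [ "$(check_pmset "$(pmset -g)")" = 1 ] || live_ok=0
    for live_key in DSDontWriteNetworkStores DSDontWriteUSBStores; do
        live_val=$(defaults read com.apple.desktopservices "$live_key" 2>/dev/null || true)
        [ "$(check_default "$live_key" "$live_val" true)" = 1 ] || live_ok=0
    done
    live_val=$(defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud 2>/dev/null || true)
    [ "$(check_default NSDocumentSaveNewDocumentsToCloud "$live_val" false)" = 1 ] || live_ok=0
    [ "$(check_brew_env)" = 1 ] || live_ok=0
    [ "$live_ok" = 1 ]
}

# Constructed sample of `pmset -g` output for a stock portable (defaults).
SAMPLE_PMSET_DEFAULT=' standby              1
 hibernatemode        3
 DestroyFVKeyOnStandby 0
 disksleep            10'

# Constructed sample after applying both pmset commands from this page.
SAMPLE_PMSET_HARDENED=' standby              1
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 disksleep            10'

# Uncomment to audit the machine this runs on:
# audit_live && echo "all checked settings match the guide"
```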

References
^^^^^^^^^^

* https://github.com/herrbischoff/awesome-osx-command-line
* https://www.frameloss.org/2011/09/18/firewire-attacks-against-mac-os-lion-filevault-2-encryption/
--------------------------------------------------------------------------------
/OS/OSX_10.10_Yosemite/index.rst:
--------------------------------------------------------------------------------
Mac OSX 10.10 Yosemite
----------------------

According to `Wikipedia `_, Yosemite is *"OS X Yosemite (version 10.10) is
the eleventh major release of OS X, Apple Inc.'s desktop and server operating system for Macintosh computers"*.

.. contents::
   :local:

Applications
^^^^^^^^^^^^

It is suggested to keep the /Applications/ directory as clean as possible, and having a separate directory for your
personal apps lets you do that easily.
Just create a folder named "Applications" in your home directory (or wherever you like).

Allow only signed apps
^^^^^^^^^^^^^^^^^^^^^^

It is suggested to never run untrusted code that is not signed with a proper key.
To allow only apps signed by an authorized developer, go to:

System Preferences ⇒ Security & Privacy ⇒ General

Set "Allow apps downloaded from" to "Mac App Store and identified developers".

.. image:: images/settings_security_2.png
   :align: center

Disable Diagnostics
^^^^^^^^^^^^^^^^^^^

It is suggested to disable sending diagnostic data and usage data to Apple.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Diagnostics & Usage

Uncheck "Send diagnostic & usage data to Apple".
Uncheck "Share crash data with app developers".

.. image:: images/settings_security_4.png
   :align: center

Disable Handoff
^^^^^^^^^^^^^^^

Handoff is a great feature to keep your work in sync, but it needs to send some data to Apple to work. It is suggested to
disable it.
Go to:

System Preferences ⇒ General

Uncheck "Allow Handoff between this Mac and your iCloud devices".

.. image:: images/settings_general_2.png
   :align: center

Disable recent items
^^^^^^^^^^^^^^^^^^^^

Do not track recently used items.
Go to:

System Preferences ⇒ General

Set “Recent items” to “None”.

.. image:: images/settings_general_1.png
   :align: center

Disable Spotlight localization
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default Spotlight is allowed to use Location Services to offer you results based on your location.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Location Services

Select "System Services" and click "Details...".
Uncheck "Spotlight Suggestions".

.. image:: images/settings_security_3.png
   :align: center

Enable FileVault
^^^^^^^^^^^^^^^^

It is suggested to enable FileVault to get full disk encryption on your device. It should already be enabled by default.
Go to:

System Preferences ⇒ Security & Privacy ⇒ FileVault

Enable FileVault.

Enable Firewall
^^^^^^^^^^^^^^^

It is suggested to enable the Firewall and always have it running.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Firewall

Click on "Turn On Firewall".

.. image:: images/settings_security_5.png
   :align: center

Now click on "Firewall options"; a new panel will appear.
Click on "Block all incoming connections".

.. image:: images/settings_security_6.png
   :align: center

Enable screen saver
^^^^^^^^^^^^^^^^^^^

It is suggested to enable the screen saver to automatically lock your screen after a while.
Go to:

System Preferences ⇒ Desktop & Screen Saver ⇒ Screen Saver

Set "Start after" to "5 Minutes".

.. image:: images/settings_desktop_1.png
   :align: center

Empty trash securely
^^^^^^^^^^^^^^^^^^^^

It is a good practice to always empty your trash securely.
Start the Finder app.
Go to:

Preferences ⇒ Advanced

Check "Empty trash securely".

.. image:: images/finder_2.png
   :align: center

Require an administration password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Always require an administrator password to access system settings.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Advanced

Check "Require an administrator password to access system-wide preferences".

.. image:: images/settings_security_7.png
   :align: center

Require password to un-lock
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Require a password to unlock from sleep or screen saver.
Go to:

System Preferences ⇒ Security & Privacy ⇒ General

Set "Require password immediately after sleep or screen saver begins".

.. image:: images/settings_security_1.png
   :align: center

Show all filename extensions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It is a good practice to always show filename extensions.
Start the Finder app.
Go to:

Preferences ⇒ Advanced

Check "Show all filename extensions".

.. image:: images/finder_1.png
   :align: center

Users privilege separation
^^^^^^^^^^^^^^^^^^^^^^^^^^

It is suggested to use different accounts for administration and daily activities.
Create an account with admin privileges for special tasks and maintenance and a normal user for your daily use.
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/finder_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/finder_1.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_desktop_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_desktop_1.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_general_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_general_1.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_general_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_general_2.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_1.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_2.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_3.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_4.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_5.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_6.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_7.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_8.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_security_9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_security_9.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_spotlight_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_spotlight_1.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_spotlight_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_spotlight_2.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_users_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_users_1.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_users_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_users_2.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/images/settings_users_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jekil/hardentheworld/9a3698fb5e25a4f54a2c7aba3c9c865a15d8bd81/OS/OSX_10.11_El_Capitan/images/settings_users_3.png
--------------------------------------------------------------------------------
/OS/OSX_10.11_El_Capitan/index.rst:
--------------------------------------------------------------------------------
Mac OSX 10.11 El Capitan
------------------------

According to `Wikipedia `_ El
Capitan is *"(version 10.11) is the twelfth major release of OS X, Apple Inc.'s
desktop and server operating system for Macintosh computers. It is the successor
to OS X Yosemite and focuses mainly on performance, stability and security.
Following the California landmark-based naming scheme introduced with OS X
Mavericks, El Capitan was named after a rock formation in Yosemite National
Park."*.

.. contents::
   :local:

Applications
^^^^^^^^^^^^

It is suggested to keep the */Applications/* directory as clean as possible;
having a separate directory for your personal apps lets you do that easily.
Just create a folder named “Applications” in your home directory (or wherever you
like) and install all applications there. Apps installed via the App Store and some
special apps cannot live in a custom Applications folder, so you have to keep
them in the original path.

Allow only signed apps
^^^^^^^^^^^^^^^^^^^^^^

It is suggested to never run untrusted code that is not signed with a proper key.
To allow only apps signed by an identified developer, go to:

System Preferences ⇒ Security & Privacy ⇒ General

Set "Allow apps downloaded from" to "Mac App Store and identified developers" or,
if you want to be stricter and you install applications only via the App Store,
set it to "Mac App Store".

.. image:: images/settings_security_2.png
   :align: center

Check Privacy permissions
^^^^^^^^^^^^^^^^^^^^^^^^^

OS X lets you track all applications requesting access to some sort of
sensitive data, for example your location or your contacts.
It is suggested to periodically check the list of applications requesting access
to sensitive data and review their permissions.
To show the list of these applications go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy

.. image:: images/settings_security_9.png
   :align: center

Destroy FileVault Keys
^^^^^^^^^^^^^^^^^^^^^^

By default FileVault keys are retained when the system goes into standby mode.
As suggested by *man pmset*:

    destroyfvkeyonstandby - Destroy File Vault Key when going to standby
    mode. By default File vault keys are retained even when system goes to
    standby. If the keys are destroyed, user will be prompted to enter the
    password while coming out of standby mode.(value: 1 - Destroy, 0 -
    Retain)

It is suggested to configure your system to destroy FileVault keys when entering
standby mode with the following command::

    sudo pmset destroyfvkeyonstandby 1

Disable Bonjour
^^^^^^^^^^^^^^^

According to `Wikipedia `_
Bonjour is *"Apple's implementation of Zero-configuration networking (Zeroconf),
a group of technologies that includes service discovery, address assignment, and
hostname resolution. Bonjour locates devices such as printers, other computers,
and the services that those devices offer on a local network using multicast
Domain Name System (mDNS) service records".*

Bonjour advertises some data about your OS on the local network, so in some
cases, on an untrusted network, you may want to disable it.

To disable Bonjour use the following command in a Terminal::

    sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add "-NoMulticastAdvertisements"

To enable Bonjour again use the following command in a Terminal::

    sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array "/usr/sbin/mDNSResponder" "-launchd"

Disable Creation of Metadata Files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default OS X creates metadata files in each directory to speed up browsing.
These files could leak metadata, so it is suggested to avoid the creation of .DS_Store
and AppleDouble files.

Disable the creation of metadata files on network volumes with the following command
in a Terminal::

    defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true

Disable the creation of metadata files on USB volumes with the following command
in a Terminal::

    defaults write com.apple.desktopservices DSDontWriteUSBStores -bool true

Disable Diagnostics
^^^^^^^^^^^^^^^^^^^

It is suggested to disable sending diagnostic and usage data to Apple.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Diagnostics & Usage

Un-check "Send diagnostic & usage data to Apple".
Un-check "Share crash data with app developers".

.. image:: images/settings_security_4.png
   :align: center

Disable Guest user
^^^^^^^^^^^^^^^^^^

Mac OS X comes with a *Guest* user enabled by default; it permits anyone to use
your device in a restricted environment.
It is suggested to disable the *Guest* user; go to:

System Preferences ⇒ Users & Groups ⇒ Guest User

Un-check "Allow guests to log in to this computer".

.. image:: images/settings_users_2.png
   :align: center

It is suggested to disable guest access to shared folders, if you are not using
it; go to:

System Preferences ⇒ Users & Groups ⇒ Guest User

Un-check "Allow guest users to connect to shared folders".

.. image:: images/settings_users_3.png
   :align: center

Disable Handoff
^^^^^^^^^^^^^^^

Handoff is a great feature to keep your work in sync between Apple devices.
Due to its implementation it needs to send some data to Apple iCloud to work, so
in some way it is leaking your data.
It is suggested to disable it.
Go to:

System Preferences ⇒ General

Un-check "Allow Handoff between this Mac and your iCloud devices".

.. image:: images/settings_general_2.png
   :align: center

Disable password hints
^^^^^^^^^^^^^^^^^^^^^^

Password hints are supposed to help a user remember their password, but could
also help attackers.
It is suggested to disable password hints; go to:

System Preferences ⇒ Users & Groups ⇒ Login Options

Un-check "Show password hints".

.. image:: images/settings_users_1.png
   :align: center

Disable recent items
^^^^^^^^^^^^^^^^^^^^

Recent items are used to track your latest activity; it is also a feature
used in forensics investigations to build the user activity timeline.
It is suggested not to track recently used items.
Go to:

System Preferences ⇒ General

Set “Recent items” to “None”.

.. image:: images/settings_general_1.png
   :align: center

Disable Spotlight localization
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default Spotlight is allowed to use Location Services to offer you
results based on your location.
Due to its implementation it needs to send your position to a remote service.
It is suggested to disable this behavior.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Location Services

Select "System Services" and click "Details...".
Un-check "Safari & Spotlight Suggestions".

.. image:: images/settings_security_3.png
   :align: center

Disable Spotlight Suggestions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default Spotlight shows suggestions from the Internet: it sends your search
to Apple services and gets results back.
It is suggested to use Spotlight only locally to prevent leaking your searches.
To disable Spotlight Suggestions go to:

System Preferences ⇒ Spotlight

Un-check "Allow Spotlight Suggestions in Spotlight and Look Up".

.. image:: images/settings_spotlight_1.png
   :align: center

It is suggested to disable results from Bing to avoid leaking your searches to
Bing; go to:

System Preferences ⇒ Spotlight

Un-check "Bing Web Searches" from the list of result categories.

.. image:: images/settings_spotlight_2.png
   :align: center

Enable FileVault
^^^^^^^^^^^^^^^^

It is suggested to enable FileVault to get full disk encryption on your
device. It should already be enabled by default.
Go to:

System Preferences ⇒ Security & Privacy ⇒ FileVault

Enable FileVault.

Enable Firewall
^^^^^^^^^^^^^^^

It is suggested to enable the Firewall and have it always running.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Firewall

Click on "Turn On Firewall".

.. image:: images/settings_security_5.png
   :align: center

Now click on "Firewall options"; a new panel will appear.
Click on "Block all incoming connections".

.. image:: images/settings_security_6.png
   :align: center

Using "Block all incoming connections" will block all incoming connections to
your host. This will also block all sharing services, such as file sharing,
screen sharing, Messages Bonjour, iTunes music sharing and other features.
If your host is providing any kind of service, this option is not suggested:
you should leave it disabled.

Enable screen saver
^^^^^^^^^^^^^^^^^^^

It is suggested to enable the screen saver to automatically lock your screen
after a while.
Go to:

System Preferences ⇒ Desktop & Screen Saver ⇒ Screen Saver

Set "Start after" to "5 Minutes".

.. image:: images/settings_desktop_1.png
   :align: center

Empty trash securely
^^^^^^^^^^^^^^^^^^^^

When you delete a file, OS X only deletes the index entry for the file, which
tells the system the file’s contents are free to be overwritten; however, the
data still remains and may be recovered using forensics software.
It is a good practice to always empty your trash securely. Your data will be
securely wiped from disk in an irreversible way.
In previous OS X releases there was an option to enable safe delete; Apple
has removed this feature in OS X El Capitan. However, you can use command line
tools.

You can use the *rm* command from Terminal to delete files with the *-P* option;
as stated in *man rm*, this option is used to:

    Overwrite regular files before deleting them. Files are
    overwritten three times, first with the byte pattern 0xff,
    then 0x00, and then 0xff again, before they are deleted.

For example, if you want to delete *test.pdf* you should open Terminal and use::

    $ rm -P test.pdf

The *srm* command is specifically designed for secure deletion from the command
line; as stated in *man srm*:

    srm removes each specified file by overwriting, renaming, and truncating
    it before unlinking. This prevents other people from undeleting or
    recovering any information about the file from the command line.

For example, if you want to delete *test.pdf* you should open Terminal and use::

    $ srm test.pdf

Erase free space
^^^^^^^^^^^^^^^^

In some cases, you might want to run an overwrite task on the free space of a
given drive.
You can use the *diskutil* command line utility; open Terminal and use::

    diskutil secureErase freespace LEVEL /Volumes/DRIVE_NAME

In this command, change LEVEL to a number from 0 through 4; the available options
are:

* *0* is a single-pass of zeros
* *1* is a single-pass of random numbers
* *2* is a 7-pass erase
* *3* is a 35-pass erase
* *4* is a 3-pass erase

Change DRIVE_NAME to the name of the mount point.

Power off memory during standby
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default, during stand-by, memory is kept powered on; this makes it prone to
forensic acquisition of your memory.
As stated in *man pmset*:

    hibernatemode supports values of 0, 3, or 25. Whether or not a hiberna-
    tion image gets written is also dependent on the values of standby and
    autopoweroff

    For example, on desktops that support standby a hibernation image will be
    written after the specified standbydelay time. To disable hibernation
    images completely, ensure hibernatemode standby and autopoweroff are all
    set to 0.

    hibernatemode = 0 by default on desktops. The system will not back memory
    up to persistent storage. The system must wake from the contents of mem-
    ory; the system will lose context on power loss. This is, historically,
    plain old sleep.

    hibernatemode = 3 by default on portables. The system will store a copy
    of memory to persistent storage (the disk), and will power memory during
    sleep. The system will wake from memory, unless a power loss forces it to
    restore from hibernate image.

    hibernatemode = 25 is only settable via pmset. The system will store a
    copy of memory to persistent storage (the disk), and will remove power to
    memory. The system will restore from disk image. If you want "hiberna-
    tion" - slower sleeps, slower wakes, and better battery life, you should
    use this setting.

It is suggested to power off memory at stand-by with the following command::

    sudo pmset hibernatemode 25

Require an administration password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Always require an administrator password to access system settings.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Advanced

Check "Require an administrator password to access system-wide preferences".

.. image:: images/settings_security_7.png
   :align: center

Require password to un-lock
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Require a password to unlock from sleep or screen saver.
Go to:

System Preferences ⇒ Security & Privacy ⇒ General

Set "Require password immediately after sleep or screen saver begins".

.. image:: images/settings_security_1.png
   :align: center

Save to Disk by Default
^^^^^^^^^^^^^^^^^^^^^^^

Many applications bundled with OS X, e.g. TextEdit, save new documents to
iCloud by default.
It is suggested to set the default save target to the local disk, not iCloud, with
the following command; open Terminal and type::

    defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

Set a Firmware Password
^^^^^^^^^^^^^^^^^^^^^^^

Enabling an optional firmware password offers an increased level of protection.
A firmware password is set in the firmware of the Mac's logic board; it is an EFI
password which prevents your Mac from being booted from an external boot volume,
single user mode, or target disk mode, and it also prevents resetting of PRAM
and the ability to boot into Safe Mode.
Years ago firmware passwords could be easily bypassed by removing memory.
These days a Mac's firmware password isn't easily reset. Apple only suggests
bringing your Mac to an authorized Apple Service Provider and having them do it
there.

It is suggested to set a firmware password:

* Power off your Mac and turn it on.
* Activate Recovery Mode (holding down the Command and R keys at boot).
* After a while OS X Utilities will appear.
* Click on the Utilities menu from the menu bar.
* Select Firmware Password Utility.
* Click on 'Turn On Firmware Password' and follow the wizard.
* When done, restart your Mac.

Show all filename extensions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It is a good practice to always show filename extensions.
Start the Finder app.
Go to:

Preferences ⇒ Advanced

Check "Show all filename extensions".

.. image:: images/finder_1.png
   :align: center

Show when localization is used
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

System services may ask to use location data.
It is suggested to show the location icon when location data is requested.
Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Location Services

Select "System Services" and click "Details...".
Check "Show location icon in the menu bar when System Services request your
location".

.. image:: images/settings_security_8.png
   :align: center

Users privilege separation
^^^^^^^^^^^^^^^^^^^^^^^^^^

It is suggested to use different accounts for administration and normal use.
Create an account with admin privileges for special tasks and maintenance and a
regular user for your normal use.
Don't use the same password for both.
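The El Capitan guide above sets several of its recommendations from the command
line (pmset destroyfvkeyonstandby and hibernatemode, the mDNSResponder
ProgramArguments for Bonjour, the DSDontWriteNetworkStores/DSDontWriteUSBStores
and NSDocumentSaveNewDocumentsToCloud defaults). Once applied, nothing on the
page tells you whether they are still in effect after an update or a stray
"defaults write". The following POSIX shell script is an added example and is
not part of the hardentheworld project: it reads those settings and reports
which ones differ from the value the guide recommends. The function names, the
``--live`` flag and the sample ``pmset -g`` / ``defaults read`` output embedded
below are constructed for this example, not captured from a real machine.

```shell
#!/bin/sh
# Added audit example (not part of the hardentheworld project).
# It only reads settings; it never changes them. The parsing functions take
# captured text on stdin or as arguments, so they can be exercised on any
# system; "audit_live" wires them to the real pmset/defaults tools on a Mac.

# Constructed sample of "pmset -g" output for a portable with factory settings
# (hypothetical, not captured from a real machine).
SAMPLE_PMSET_DEFAULT='System-wide power settings:
Currently in use:
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 destroyfvkeyonstandby 0'

# Constructed sample after applying the guide's two pmset commands.
SAMPLE_PMSET_HARDENED='Currently in use:
 standby              1
 hibernatemode        25
 destroyfvkeyonstandby 1'

# Constructed samples of "defaults read .../com.apple.mDNSResponder ProgramArguments".
SAMPLE_MDNS_DEFAULT='(
    "/usr/sbin/mDNSResponder",
    "-launchd"
)'
SAMPLE_MDNS_HARDENED='(
    "/usr/sbin/mDNSResponder",
    "-launchd",
    "-NoMulticastAdvertisements"
)'

# Print the value of KEY from "pmset -g" output read on stdin; prints nothing
# when the key is absent (pmset omits destroyfvkeyonstandby until it is set).
pmset_value() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Exit 0 when the ProgramArguments listing on stdin carries the flag that
# stops Bonjour multicast advertisements, 1 otherwise.
bonjour_disabled() {
    grep -q -- '-NoMulticastAdvertisements'
}

# check_pmset KEY WANT PMSET_TEXT: report and return 1 when KEY != WANT.
check_pmset() {
    key="$1"; want="$2"
    have=$(printf '%s\n' "$3" | pmset_value "$key")
    if [ "$have" = "$want" ]; then
        echo "OK  pmset $key = $want"
        return 0
    fi
    echo "FIX pmset $key (is '${have:-unset}', want $want): sudo pmset $key $want"
    return 1
}

# check_default LABEL WANT TEXT: TEXT is the raw "defaults read" result
# ("1"/"0", or empty when the key does not exist, i.e. the factory default).
check_default() {
    label="$1"; want="$2"; text="$3"
    case "$text" in
        "$want") echo "OK  $label = $want"; return 0 ;;
    esac
    echo "FIX $label (is '${text:-unset}', want $want)"
    return 1
}

# audit PMSET_TEXT MDNS_TEXT NETSTORES USBSTORES CLOUDSAVE
# Runs every check and returns the number of settings still needing a fix.
audit() {
    pm="$1"; mdns="$2"; netstores="$3"; usbstores="$4"; cloudsave="$5"
    bad=0
    check_pmset destroyfvkeyonstandby 1 "$pm" || bad=$((bad + 1))
    check_pmset hibernatemode 25 "$pm" || bad=$((bad + 1))
    if printf '%s\n' "$mdns" | bonjour_disabled; then
        echo "OK  Bonjour multicast advertisements disabled"
    else
        echo "FIX Bonjour: mDNSResponder runs without -NoMulticastAdvertisements"
        bad=$((bad + 1))
    fi
    check_default DSDontWriteNetworkStores 1 "$netstores" || bad=$((bad + 1))
    check_default DSDontWriteUSBStores 1 "$usbstores" || bad=$((bad + 1))
    check_default NSDocumentSaveNewDocumentsToCloud 0 "$cloudsave" || bad=$((bad + 1))
    return $bad
}

# Gather the real values on a Mac and audit them (needs no sudo: read-only).
audit_live() {
    audit "$(pmset -g)" \
        "$(defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments 2>/dev/null)" \
        "$(defaults read com.apple.desktopservices DSDontWriteNetworkStores 2>/dev/null)" \
        "$(defaults read com.apple.desktopservices DSDontWriteUSBStores 2>/dev/null)" \
        "$(defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud 2>/dev/null)"
}

# Only touch the live system when explicitly asked (./audit.sh --live).
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it with ``--live`` on the Mac being hardened; the exit status is the number
of findings, so it can gate a provisioning script. Because the script only
reads, it does not hit System Integrity Protection, which on El Capitan refuses
writes under /System such as the guide's Bonjour command when SIP is enabled.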

References
^^^^^^^^^^

* https://github.com/herrbischoff/awesome-osx-command-line
* http://www.frameloss.org/2011/09/18/firewire-attacks-against-mac-os-lion-filevault-2-encryption/
--------------------------------------------------------------------------------
/OS/index.rst:
--------------------------------------------------------------------------------
**************************
Operating System Hardening
**************************

This chapter is about OS hardening.

.. toctree::
   :maxdepth: 1
   :glob:

   */index
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
index.rst
--------------------------------------------------------------------------------
/conf.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

import sys
import os
import alabaster
from datetime import datetime

# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#sys.path.insert(0, os.path.abspath('.'))

# -- General configuration -----------------------------------------------------

# If your documentation needs a minimal Sphinx version, state it here.
#needs_sphinx = '1.0'

# Add any Sphinx extension module names here, as strings. They can be extensions
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions = ['alabaster']

# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']

# The suffix of source filenames.
source_suffix = '.rst'

# The encoding of source files.
#source_encoding = 'utf-8-sig'

# The master toctree document.
master_doc = 'index'

# General information about the project.
project = u'Harden the World'
year = datetime.now().year
copyright = u'2014-{0}, Alessandro Tanasi (@jekil)'.format(year)

# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '0.1'
# The full version, including alpha/beta/rc tags.
release = '0.1'

# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#language = None

# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
#today = ''
# Else, today_fmt is used as the format for a strftime call.
#today_fmt = '%B %d, %Y'

# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = ['_build']

# The reST default role (used for this markup: `text`) to use for all documents.
#default_role = None

# If true, '()' will be appended to :func: etc. cross-reference text.
#add_function_parentheses = True

# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
#add_module_names = True

# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
#show_authors = False

# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'

# A list of ignored prefixes for module index sorting.
#modindex_common_prefix = []

# If true, keep warnings as "system message" paragraphs in the built documents.
#keep_warnings = False


# -- Options for HTML output ---------------------------------------------------

# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'alabaster'

# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
html_theme_options = {
    #'logo': 'logo.png',
    #'logo_name': True,
    #'logo_text_align': 'center',
    'description': "Hardening guidelines",
    'github_user': 'jekil',
    'github_repo': 'hardentheworld',
    'travis_button': False,
    #'gratipay_user': 'jekil',
    'analytics_id': 'UA-2317228-21',
    #'link': '#3782BE',
    #'link_hover': '#3782BE',
}

# Add any paths that contain custom themes here, relative to this directory.
html_theme_path = [alabaster.get_path()]

# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
#html_title = None

# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None

# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
#html_logo = "_images/logo_small.png"

# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
#html_favicon = None

# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']

# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
#html_last_updated_fmt = '%b %d, %Y'

# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
#html_use_smartypants = True

# Custom sidebar templates, maps document names to template names.
html_sidebars = {
    '**': [
        'about.html',
        'navigation.html',
        'searchbox.html',
        #'donate.html',
    ]
}

# Additional templates that should be rendered to pages, maps page names to
# template names.
#html_additional_pages = {}

# If false, no module index is generated.
#html_domain_indices = True

# If false, no index is generated.
#html_use_index = True

# If true, the index is split into individual pages for each letter.
#html_split_index = False

# If true, links to the reST sources are added to the pages.
#html_show_sourcelink = True

# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#html_show_sphinx = True

# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
#html_show_copyright = True

# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
#html_use_opensearch = ''

# This is the file name suffix for HTML files (e.g. ".xhtml").
#html_file_suffix = None

# Output file base name for HTML help builder.
htmlhelp_basename = 'HardenTheWorld'


# -- Options for LaTeX output --------------------------------------------------

latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#'papersize': 'letterpaper',

# The font size ('10pt', '11pt' or '12pt').
#'pointsize': '10pt',

# Additional stuff for the LaTeX preamble.
#'preamble': '',
}

# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass [howto/manual]).
latex_documents = [
  ('index', 'HardenTheWorld.tex', u'Harden the World', u'', 'manual'),
]

# The name of an image file (relative to this directory) to place at the top of
# the title page.
#latex_logo = "_images/logo.png"

# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
#latex_use_parts = False

# If true, show page references after internal links.
#latex_show_pagerefs = False

# If true, show URL addresses after external links.
#latex_show_urls = False

# Documents to append as an appendix to all manuals.
#latex_appendices = []

# If false, no module index is generated.
#latex_domain_indices = True


# -- Options for manual page output --------------------------------------------

# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
    ('index', 'hardentheworld', u'Harden the World',
     [u'Alessandro Tanasi'], 1)
]

# If true, show URL addresses after external links.
#man_show_urls = False


# -- Options for Texinfo output ------------------------------------------------

# Grouping the document tree into Texinfo files.
List of tuples 241 | # (source start file, target name, title, author, 242 | # dir menu entry, description, category) 243 | texinfo_documents = [ 244 | ('index', 'Harden the World', u'Harden the World', 245 | u'Alessandro Tanasi', 'Harden the World', 'One line description of project.', 246 | 'Miscellaneous'), 247 | ] 248 | 249 | # Documents to append as an appendix to all manuals. 250 | #texinfo_appendices = [] 251 | 252 | # If false, no module index is generated. 253 | #texinfo_domain_indices = True 254 | 255 | # How to display URL addresses: 'footnote', 'no', or 'inline'. 256 | #texinfo_show_urls = 'footnote' 257 | 258 | # If true, do not generate a @detailmenu in the "Top" node's menu. 259 | #texinfo_no_detailmenu = False 260 | -------------------------------------------------------------------------------- /index.rst: -------------------------------------------------------------------------------- 1 | ***************** 2 | About the project 3 | ***************** 4 | 5 | Every day many people, including me, waste time googling for procedures, configurations and a way to harden their 6 | services. 7 | So I created Harden the World in the hope to start a community project focused on developing common guidelines and best practices to deploy secure configurations. 8 | This repository contains hardening guidelines for devices, applications and OSs. 9 | 10 | **Project home**: ``_ 11 | 12 | **Project repository**: ``_ 13 | 14 | ******** 15 | Contents 16 | ******** 17 | 18 | .. toctree:: 19 | :maxdepth: 2 20 | :glob: 21 | 22 | */index 23 | 24 | ************ 25 | Contributing 26 | ************ 27 | 28 | Every kind of contribution is really appreciated! Feature requests, suggestions, 29 | fixes or documentation contributions are welcome. 30 | Please send a patch with your contribution using Github `pull requests `_ or 31 | just get in touch with me. 
32 | 33 | Feedback 34 | -------- 35 | 36 | Please send questions, comments, suggestions or rants to alessandro@tanasi.it (`@jekil `_). 37 | 38 | ******* 39 | License 40 | ******* 41 | 42 | Harden the world project is licensed: `Creative Commons Attribution 4.0 International `_. 43 | 44 | You are free to: 45 | 46 | * **Share** — copy and redistribute the material in any medium or format 47 | * **Adapt** — remix, transform, and build upon the material for any purpose, even commercially. 48 | 49 | Under the following terms: 50 | 51 | * **Attribution** — You must give appropriate credit, provide a link to the license, and indicate if changes were made. 52 | You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. 53 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | alabaster==0.7.12 --------------------------------------------------------------------------------