Dear readers, don't be alarmed: the blog has not died, nor has it gone on hiatus. I'm just waiting for the new layout to be ready so that we get a boost, an out-of-the-ordinary one, of posts and info for you all.

Since that will take a little longer, I decided to share a post about hardening for Mac OS X 10.11, Apple's new OS, which is really nice.

Before you go applying/implementing everything this guide recommends, make a backup of your precious and beloved Mac.
The nice thing about Time Machine is that it does this for you and it works, very well, when you need it most.

Back to hardening…

Below is a series of tips, in English, that should be followed by everyone who owns a Mac and wants to increase the security of their treasured computers.

Applications

It is suggested to keep the /Applications/ directory as clean as possible; having a separate directory for your personal apps lets you do that easily. Just create a folder named “Applications” in your home directory (or wherever you like) and install all applications there. Apps installed via the App Store and some special apps cannot live in a custom Applications folder, so you have to keep them in the original path.

Allow only signed apps

A controversial item, at least for me, since I install all sorts of different applications on my Mac, many of which are not made available through the Apple store. If you are like me, you should pay attention to this security requirement every time you have to install something on your machine.

It is suggested to never run untrusted code not signed with a proper key. To allow only apps signed by an authorized developer, go to:

System Preferences ⇒ Security & Privacy ⇒ General

Set “Allow apps downloaded from” to “Mac App Store and identified developers” or, if you want to be more strict and you install applications only via the App Store, set it to “Mac App Store”.

Check Privacy permissions

OS X allows you to track all applications requesting access to some sort of sensitive data, for example your location or your contacts. It is suggested to periodically check the list of applications requesting access to sensitive data and review their permissions. To show the list of these applications go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy

Disable Diagnostics

It is suggested to disable the sending of diagnostic and usage data to Apple. Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Diagnostics & Usage

Un-check “Send diagnostic & usage data to Apple”. Un-check “Share crash data with app developers”.

Disable Guest user

Truly, ultra, super, mega, top-of-the-galaxy important.

Mac OS X comes with a Guest user enabled by default, which permits anyone to use your device in a restricted environment. It is suggested to disable the Guest user. Go to:

System Preferences ⇒ Users & Groups ⇒ Guest User

Un-check “Allow guests to log in to this computer”.

It is suggested to disable guest access to shared folders if you are not using it. Go to:

System Preferences ⇒ Users & Groups ⇒ Guest User

Un-check “Allow guest users to connect to shared folders”.

Disable Handoff

Handoff is a great feature to keep your work in sync between Apple devices. Due to its implementation it needs to send some data to Apple iCloud to work, so in some way it is leaking your data. It is suggested to disable it. Go to:

System Preferences ⇒ General

Un-check “Allow Handoff between this Mac and your iCloud devices”.

Disable password hints

Password hints are supposed to help a user remember their password, but they could also help attackers. It is suggested to disable password hints. Go to:

System Preferences ⇒ Users & Groups ⇒ Login Options

Un-check “Show password hints”.

Disable recent items

This one is hard to disable, especially for those who work with dozens of spreadsheets, documents and papers, whether writing or analyzing them, because recent items is a huge help.

Recent items are used to track your latest activity; the feature is also used in forensic investigations to create the user activity timeline. It is suggested not to track recently used items. Go to:

System Preferences ⇒ General

Set “Recent items” to “None”.

Disable Spotlight localization

By default Spotlight is allowed to use localization services to offer you localized results. Due to its implementation it needs to send your position to a remote service. It is suggested to disable this behavior. Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Location Services

Select “System Services” and click “Details…”. Un-check “Safari & Spotlight Suggestions”.

Disable Spotlight Suggestions

By default Spotlight shows suggestions from the Internet: it sends your search to Apple services and provides results back. It is suggested to use Spotlight only locally to prevent leaking your search. To disable Spotlight Suggestions go to:

System Preferences ⇒ Spotlight

Un-check “Allow Spotlight Suggestions in Spotlight and Look Up”.

It is suggested to disable results from Bing to avoid leaking your search to Bing. Go to:

System Preferences ⇒ Spotlight

Un-check “Bing Web Searches” from the list of results categories.

Enable FileVault

This is the first item I enable on my Mac, and has been for years. Three of my machines have already been stolen, two of them MacBook Pro Retina. All they got to use was the screen and the chassis.

It is suggested to enable FileVault to get full disk encryption on your device. It should be already enabled by default. Go to:

System Preferences ⇒ Security & Privacy ⇒ FileVault

Enable FileVault.

Enable Firewall

It is suggested to enable the Firewall and have it always running. Go to:

System Preferences ⇒ Security & Privacy ⇒ Firewall

Click on “Turn On Firewall”.

Now click on “Firewall options”; a new panel will appear. Click on “Block all incoming connections”.

Using “Block all incoming connections” will block all incoming connections to your host. This will also block all sharing services, such as file sharing, screen sharing, Messages Bonjour, iTunes music sharing and other features. If your host is providing any kind of service, this option is not suggested; you should disable it.

Cool, all good, but hey, aren't you going to monitor your firewall?

Well, Apple doesn't have a decent firewall management and monitoring system. Little Snitch is the best firewall for Mac, in my opinion, because it has an excellent management screen. The problem is that it costs 29.95 euros. Expensive, right?

If you are a penny-pinching nerd, like me, the solution is to keep your Mac's Console application open, focused on /var/log/appfirewall.log, as shown in the image below.
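For a Terminal view of the same log, the shell function below counts denied and stealth-mode connection attempts per source address. It is an added example, not part of the original post or the source guide; the sample log lines are constructed, and the line layout they follow is an assumption about what socketfilterfw writes to /var/log/appfirewall.log (fw_summary and sample_log are illustrative names).

```shell
#!/bin/sh
# Summarise blocked inbound traffic from the application firewall log.
# Usage: fw_summary [logfile|-]   (default: /var/log/appfirewall.log)
# Assumed line layout (IPv4 only; process name taken as one word):
#   ... Deny <process> ... from <ip>:<port> to port <n> proto=<p>
#   ... Stealth Mode connection attempt to <TCP|UDP> <ip>:<port> from <ip>:<port>
fw_summary() {
    awk '
    / Deny / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Deny") proc = $(i + 1)
            if ($i == "from") { split($(i + 1), a, ":"); src = a[1] }
            if ($i == "port") dport = $(i + 1)
        }
        hits[src " deny " proc " port " dport]++
        next
    }
    /Stealth Mode connection attempt/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "to") { proto = $(i + 1); split($(i + 2), d, ":"); dport = d[2] }
            if ($i == "from") { split($(i + 1), a, ":"); src = a[1] }
        }
        hits[src " stealth " proto " port " dport]++
    }
    END { for (k in hits) print hits[k], k }
    ' "${1:-/var/log/appfirewall.log}" | sort -k1,1nr -k2
}

# Constructed sample lines (not taken from a real machine).
sample_log() {
    cat <<'EOF'
Oct 12 10:15:32 mac socketfilterfw[212] <Info>: Deny smbd connecting from 192.168.1.23:51234 to port 445 proto=6
Oct 12 10:15:40 mac socketfilterfw[212] <Info>: Deny smbd connecting from 192.168.1.23:51240 to port 445 proto=6
Oct 12 10:16:02 mac socketfilterfw[212] <Info>: Stealth Mode connection attempt to TCP 192.168.1.10:22 from 203.0.113.7:40112
Oct 12 10:16:09 mac socketfilterfw[212] <Info>: Allow Dropbox connecting from 192.168.1.50:17500 to port 17500 proto=6
EOF
}

# Demonstration on the sample; on a Mac, call fw_summary with no argument.
sample_log | fw_summary -
```

Each output line is a count followed by the source address and what was blocked, most frequent first; a source that keeps reappearing is worth a closer look.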

Enable screen saver

It is suggested to enable the screen saver to automatically lock your screen after a while. Go to:

System Preferences ⇒ Desktop & Screen Saver ⇒ Screen Saver

Set “Start after” to “5 Minutes”.

Empty trash securely

When you delete a file, OS X only deletes the index entry for the file, which tells the system the file’s contents are free to be overwritten; however, the data still remains and may be recovered using forensics software. It is a good practice to always empty your trash securely. Your data will be securely wiped from disk in an irreversible way. In previous OS X releases there was an option to enable safe delete; Apple has removed this feature in OS X El Capitan. However, you can use command line tools.

You can use the rm command from Terminal to delete files with the -P option. As stated in man rm, this option is used to:

Overwrite regular files before deleting them. Files are
overwritten three times, first with the byte pattern 0xff,
then 0x00, and then 0xff again, before they are deleted.

For example, if you want to delete test.pdf you should open Terminal and use:

$ rm -P test.pdf

The srm command is specifically designed for secure deletion from the command line, as stated in man srm:

srm  removes each specified file by overwriting, renaming, and truncating
it before unlinking. This prevents other people from undeleting  or
recovering any information about the file from the command line.

For example, if you want to delete test.pdf you should open Terminal and use:

$ srm test.pdf

Erase free space

In some cases, you might want to run an overwrite task on the free space of a given drive. You can use the diskutil command line utility. Open Terminal and use:

diskutil secureErase freespace LEVEL /Volumes/DRIVE_NAME

In this command, change LEVEL to a number from 0 through 4. The available options are:

  • 0 is a single-pass of zeros
  • 1 is a single-pass of random numbers
  • 2 is a 7-pass erase
  • 3 is a 35-pass erase
  • 4 is a 3-pass erase

Change DRIVE_NAME to the name of the mount point.

Require an administration password

Always require an administration password to access system settings. Go to:

System Preferences ⇒ Security & Privacy ⇒ Advanced

Check “Require an administrator password to access system-wide preferences”.

Require password to un-lock

Require a password to un-lock from sleep or screen saver. Go to:

System Preferences ⇒ Security & Privacy ⇒ General

Set “Require password immediately after sleep or screen saver begins”.

Show all filename extensions

It is a good practice to always show filename extensions. Start the Finder app. Go to:

Preferences ⇒ Advanced

Check “Show all filename extensions”.

Show when localization is used

System services could ask to use localization data. It is suggested to show the location icon when localization data is requested. Go to:

System Preferences ⇒ Security & Privacy ⇒ Privacy ⇒ Location Services

Select “System Services” and click “Details…”. Check “Show location icon in the menu bar when System Services request your location”.

Users privilege separation

It is suggested to use different accounts for administration and normal use. Create an account with admin privileges for special tasks and maintenance and a regular user for your normal use. Don’t use the same password for both.
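Several of the settings above can also be checked, read-only, from Terminal. The script below is an added example, not from the original post or the source guide; the tool output strings and defaults keys it relies on are assumptions for OS X 10.11, noted in the comments, and judge, probe and audit are illustrative names.

```shell
#!/bin/sh
# Read-only audit of some settings from this checklist (added example).
# Assumes OS X 10.11 tool output strings and defaults keys, as commented.

# probe <setting>: print the raw value reported by the system tool.
probe() {
    case "$1" in
        gatekeeper) spctl --status ;;
        filevault)  fdesetup status ;;
        firewall)   /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate ;;
        guest)      defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled ;;
        hints)      defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint ;;
        askpw)      defaults read com.apple.screensaver askForPassword ;;
        extensions) defaults read NSGlobalDomain AppleShowAllExtensions ;;
    esac 2>/dev/null
}

# judge <setting> <raw value>: print PASS, FAIL or UNKNOWN.
# UNKNOWN means nothing was read (key never set, or tool unavailable).
judge() {
    case "$1:$2" in
        *:)                                 echo UNKNOWN ;;
        gatekeeper:"assessments enabled"*)  echo PASS ;;
        filevault:"FileVault is On."*)      echo PASS ;;
        # Assumed: State = 1 is "on", State = 2 is "block all incoming".
        firewall:*"State = 1"*|firewall:*"State = 2"*) echo PASS ;;
        guest:0|hints:0)                    echo PASS ;;
        askpw:1|extensions:1)               echo PASS ;;
        *)                                  echo FAIL ;;
    esac
}

# audit: one line per setting, e.g. "filevault   PASS".
audit() {
    for s in gatekeeper filevault firewall guest hints askpw extensions; do
        printf '%-11s %s\n' "$s" "$(judge "$s" "$(probe "$s")")"
    done
}

# Only probe on a Mac; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then audit; fi
```

The askpw and extensions checks read the current user's preferences, so run the script as the account you normally use, not as the separate admin account.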

Source: http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/index.html, which by the way has some really nice stuff/tips.

P.S.: 100% of the tips presented above work on the 2 latest versions of Apple's OS. There's your tip.