Nytro Posted August 24, 2016 Report Posted August 24, 2016 Table of Content Introduction Authentication Ensure Security of Standard and Default Accounts Users Privilege Separation Ensure Password Security Enforce Password Security Two Factor Authentication Automatic Login and User Lists Guest Accounts Restrict Sudoers file Automatically Lock the Login Keychain General Configuration Gatekeeper Disable Diagnostics Disable Handoff Tracking Services FileVault Firewall Require Administrator Password Screensaver and Un-locking Filename Extensions System Updates Prevent Safari from Opening Known File Types Set Strict Global Umask Technical Configuration Disable Bluetooth Firmware Password Setuid and Setgid Disable Core Dumps Network and Communication Security Advanced Firewall Disable Wake on Lan Disable Apple File Protocol (AFP) Disable Unnecessary Services Disable Sharing Harden TCP/IP Kernel Parameters Enable Network Time Synchronization via NTP Disable Bonjour (mDNS) Recommended Applications Little Snitch Micro Snitch BlockBlock Lockdown RansomWhere? Dylib Hijack Scanner Lynis Introduction ERNW has compiled the most relevant settings for OS X 10.11 El Captain into this compilation of security recommendations. This document is supposed to provide a solid base of hardening measures to enhance the system security and still remaining commonly applyable. Settings which might have severe impact on the functionality of the operating system and need a lot of further testing are not part of this checklist or marked as optional. We have marked each recommended setting in this checklist either with “mandatory” or “optional” to make a clear statement, which setting is a MUST (mandatory) or a SHOULD (optional) from our point of view. “Optional” also means that we recommend to apply this setting, but there may be required functionality on the system that will become unavailable once the setting is applied. Important: This Guide will force you to Disable SIP (System Integrity Protection) a few times. After the hardening is done, please make sure you enable SIP again. Articol complet: https://github.com/ernw/hardening/blob/master/operating_system/osx/10.11/ERNW_Hardening_OS_X_EL_Captain.md 1 Quote