Jump to content
Nytro

Hardening OS X EL Captain

Recommended Posts

Posted

Table of Content

  1. Introduction
  2. Authentication
    1. Ensure Security of Standard and Default Accounts
    2. Users Privilege Separation
    3. Ensure Password Security
    4. Enforce Password Security
    5. Two Factor Authentication
    6. Automatic Login and User Lists
    7. Guest Accounts
    8. Restrict Sudoers file
    9. Automatically Lock the Login Keychain
  3. General Configuration
    1. Gatekeeper
    2. Disable Diagnostics
    3. Disable Handoff
    4. Tracking Services
    5. FileVault
    6. Firewall
    7. Require Administrator Password
    8. Screensaver and Un-locking
    9. Filename Extensions
    10. System Updates
    11. Prevent Safari from Opening Known File Types
    12. Set Strict Global Umask
  4. Technical Configuration
    1. Disable Bluetooth
    2. Firmware Password
    3. Setuid and Setgid
    4. Disable Core Dumps
  5. Network and Communication Security
    1. Advanced Firewall
    2. Disable Wake on Lan
    3. Disable Apple File Protocol (AFP)
    4. Disable Unnecessary Services
    5. Disable Sharing
    6. Harden TCP/IP Kernel Parameters
    7. Enable Network Time Synchronization via NTP
    8. Disable Bonjour (mDNS)
  6. Recommended Applications
    1. Little Snitch
    2. Micro Snitch
    3. BlockBlock
    4. Lockdown
    5. RansomWhere?
    6. Dylib Hijack Scanner
    7. Lynis

 

Introduction

 

ERNW has compiled the most relevant settings for OS X 10.11 El Captain into this compilation of security recommendations. This document is supposed to provide a solid base of hardening measures to enhance the system security and still remaining commonly applyable. Settings which might have severe impact on the functionality of the operating system and need a lot of further testing are not part of this checklist or marked as optional. We have marked each recommended setting in this checklist either with “mandatory” or “optional” to make a clear statement, which setting is a MUST (mandatory) or a SHOULD (optional) from our point of view. “Optional” also means that we recommend to apply this setting, but there may be required functionality on the system that will become unavailable once the setting is applied. Important: This Guide will force you to Disable SIP (System Integrity Protection) a few times. After the hardening is done, please make sure you enable SIP again.

 

Articol complet: https://github.com/ernw/hardening/blob/master/operating_system/osx/10.11/ERNW_Hardening_OS_X_EL_Captain.md

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...