Ansible role to harden a Darwin / Mac OS X system.
Test the role carefully and adapt it to your context before applying it, or you may lock yourself out. This role is a continuous work in progress, as the security landscape is constantly evolving.
Legal disclaimer! Depending on the settings, a very detailed activity log can be created. Only apply this to your own systems; in most countries (e.g. in Europe) users must have been warned and have agreed beforehand (usually through an internal policy, code of conduct, ...). Whitelisting and certificate trust removal are among the most impacting tasks.
Alternative tools
It was tested with the following Ansible versions:
- 2.0
- 2.2
- 2.6
Target Mac OS X: 10.10, 10.11, 10.12. Xcode and the command-line developer tools might be required for some tools (e.g. osxlockdown).
Just include this role in your playbook. For example:

```yaml
- hosts: all
  roles:
    - juju4.harden-darwin
```

Run:

```sh
## if ssh key is set
$ ansible-playbook -i inventory --limit mymac mac.yml
## else
$ ansible-playbook -i inventory --limit mymac mac.yml --ask-pass --ask-sudo-pass
```

ssh must be enabled on the target (Remote Login in Preferences > Sharing).
See the defaults/main.yml file for the complete set of variables.

```yaml
harden_use_forwarding: false
harden_umask: '022'
harden_init_aidedb: false
harden_unix_fstab_flags: false
## Application firewall
harden_darwin_disable_firewall: false
harden_darwin_firewall_allow_signedapps: false
harden_darwin_firewall_blockall_apps_in: true
harden_darwin_fw_program_allowed_in:
  - /opt/local/sbin/nrpe
  - /Library/PreferencePanes/DNSCrypt.prefPane/Contents/Resources/usr/sbin/dnscrypt-proxy
  - /Library/PreferencePanes/DNSCrypt.prefPane/Contents/Resources/usr/bin/hostip
harden_darwin_fw_program_blocked_in:
  - /bin/sh
  - /usr/bin/perl
  - /usr/bin/python
  - /usr/bin/curl
  - /usr/bin/nc
  - /usr/sbin/httpd
#harden_darwin_user: 'myuser'
harden_darwin_disable_bluetooth: true
harden_darwin_disable_wpad: true
harden_darwin_disable_airdrop: true
harden_darwin_disable_iclouddrive: true
harden_darwin_disable_captiveportal: true
harden_darwin_dnscrypt: true
harden_darwin_ransomwhere: false
harden_darwin_fixmacosleak: false
harden_darwin_osquery: true
## Audit Tools
harden_darwin_osxlockdown: 'audit'
#harden_darwin_osxlockdown: 'run'
harden_darwin_osxconfigcheck: true
## install google santa
harden_darwin_santa: true
#cat /var/log/santa.log | awk -F'|' '/path=/ { gsub(/path=/, "", $5); print $5 }'| sort | uniq -c | sort -nr | head -10
#decision ALLOW, DISKAPPEAR/DISKDISAPPEAR (usb/dmg)
harden_darwin_santa_whitelist_cert:
  - /bin/sh
  - /usr/bin/ssh
  - /opt/X11/bin/xauth
  - /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
  - /Applications/Firefox.app
  - /Applications/Google\ Chrome.app
  - /Applications/VirtualBox.app/Contents/MacOS/VirtualBox
  - /usr/local/bin/osqueryd
harden_darwin_santa_whitelist_hash: []
```

This role has a basic Travis test (for GitHub).
Sometimes Ansible fails with one of the following errors. As a temporary workaround, re-execute the playbook or try local playbook execution.

- `failed to create temporary content file: ('The read operation timed out',)` (ansible/ansible#7606, ansible/ansible#18894)
- `Timeout (12s) waiting for privilege escalation prompt` (ansible/ansible#14426, ansible/ansible#13278)
Enabling Santa Lockdown mode has a serious impact that you should consider carefully. Any task using an ephemeral, non-signed binary will probably be blocked, for example MacPorts selfupdate and most probably Homebrew. There is no on-execution "allow" button. Scripts are whitelisted or blacklisted depending on their interpreter and the permissions of the executables they use: if you allow python, you allow all python scripts unless they use a blacklisted binary. Another limitation: pkg files (XAR archives) are also 'Whitelisted (Scope)' even when not code-signed.
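To size that impact before switching Santa to Lockdown, the Monitor-mode log can be summarised to see which paths were only allowed because no rule matched. This is an added example, not part of the role; it assumes the pipe-separated key=value line format that the role's awk one-liner parses and Santa's `reason=UNKNOWN` tag for binaries matched by no rule, and all log lines below are constructed.

```python
"""Summarise Google Santa Monitor-mode logs before enabling Lockdown mode.
Added example, not part of the juju4.harden-darwin role. It assumes the pipe-separated
key=value line format the role's awk one-liner reads; all sample lines are constructed."""
from collections import Counter

# Constructed sample of /var/log/santa.log lines (not a real capture).
SAMPLE_LOG = """\
[2017-09-01T10:00:01Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=aaaa|path=/usr/bin/ssh|args=ssh host|uid=501|user=me
[2017-09-01T10:00:02Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=bbbb|path=/opt/local/bin/port|args=port selfupdate|uid=0|user=root
[2017-09-01T10:00:03Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=bbbb|path=/opt/local/bin/port|args=port upgrade|uid=0|user=root
[2017-09-01T10:00:04Z] I santad: action=EXEC|decision=ALLOW|reason=SCOPE|sha256=cccc|path=/tmp/installer.pkg|args=|uid=501|user=me
[2017-09-01T10:00:05Z] I santad: action=EXEC|decision=DENY|reason=BINARY|sha256=dddd|path=/usr/bin/nc|args=nc|uid=501|user=me
[2017-09-01T10:00:06Z] I santad: action=DISKAPPEAR|mount=/Volumes/USB|volume=USB|fs=msdos|bus=USB
"""

def parse_event(line):
    """Return the key=value fields of one santa.log line as a dict."""
    start = line.find("action=")   # everything before is the timestamp/process prefix
    if start < 0:
        return {}
    fields = {}
    for part in line[start:].split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields

def summarize(log_text):
    """Count EXEC events by (decision, reason, path); disk events are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") == "EXEC":
            counts[(ev["decision"], ev["reason"], ev["path"])] += 1
    return counts

def top_paths(log_text, n=10):
    """Most-executed paths, the same view as the role's awk one-liner."""
    per_path = Counter()
    for (_, _, path), k in summarize(log_text).items():
        per_path[path] += k
    return per_path.most_common(n)

def lockdown_candidates(log_text):
    """Paths allowed only because no rule matched (reason=UNKNOWN): Lockdown
    mode would block these, so whitelist them (cert/hash) or remove them first."""
    return Counter({path: k for (dec, reason, path), k in summarize(log_text).items()
                    if dec == "ALLOW" and reason == "UNKNOWN"})
```

Paths reported by `lockdown_candidates` are the ones to review against `harden_darwin_santa_whitelist_cert` / `harden_darwin_santa_whitelist_hash` before setting Lockdown mode.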
BSD 2-clause