Open source software name: drduh/macOS-Security-and-Privacy-Guide
Open source software URL: https://github.com/drduh/macOS-Security-and-Privacy-Guide
Open source programming language: Python 100.0%
Open source software introduction:

This guide is a collection of techniques for improving the security and privacy of a modern Apple Macintosh computer ("MacBook") running a recent version of macOS (formerly known as "OS X").

This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.

A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture.

This guide is provided on an 'as is' basis without any warranties of any kind. Only you are responsible if you break anything or get in any sort of trouble by following this guide.

To suggest an improvement, please send a pull request or open an issue.

This guide is also available in 简体中文.
## Basics

Standard security best practices apply:
## Preparing and installing macOS

There are several ways to install macOS. The simplest way is to boot into Recovery Mode by holding

[Image: Packet capture of an unencrypted HTTP conversation during macOS recovery]

An alternative way to install macOS is to first download the latest version of macOS (Latest: macOS Monterey) from Apple via the App Store and create a custom installable system image.

### Getting macOS

Apple's documentation provides details for getting older versions of macOS.
### Verifying installation integrity

The macOS installation application is code signed, which should be verified to make sure you received a legitimate copy, using the

To verify the code signature and integrity of macOS application bundles:

    $ pkgutil --check-signature /Applications/Install\ macOS\ Monterey.app
    Package "Install macOS Monterey":
       Status: signed by a certificate trusted by macOS
       Certificate Chain:
        1. Software Signing
           Expires: 2026-10-24 17:39:41 +0000
           SHA256 Fingerprint:
               D8 4D B9 6A F8 C2 E6 0A C4 C8 51 A2 1E C4 60 F6 F8 4E 02 35 BE B1
               7D 24 A7 87 12 B9 B0 21 ED 57
           ------------------------------------------------------------------------
        2. Apple Code Signing Certification Authority
           Expires: 2026-10-24 17:39:41 +0000
           SHA256 Fingerprint:
               5B DA B1 28 8F C1 68 92 FE F5 0C 65 8D B5 4F 1E 2E 19 CF 8F 71 CC
               55 F7 7D E2 B9 5E 05 1E 25 62
           ------------------------------------------------------------------------
        3. Apple Root CA
           Expires: 2035-02-09 21:40:36 +0000
           SHA256 Fingerprint:
               B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
               68 C5 BE 91 B5 A1 10 01 F0 24

Use the

    $ codesign -dvv /Applications/Install\ macOS\ Monterey.app
    Executable=/Applications/Install macOS Monterey.app/Contents/MacOS/InstallAssistant_springboard
    Identifier=com.apple.InstallAssistant.macOSMonterey
    Format=app bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20400 size=641 flags=0x2000(library-validation) hashes=13+3 location=embedded
    Platform identifier=13
    Signature size=4523
    Authority=Software Signing
    Authority=Apple Code Signing Certification Authority
    Authority=Apple Root CA
    Signed Time=Dec 1, 2021 at 1:10:31 AM
    Info.plist entries=32
    TeamIdentifier=not set
    Sealed Resources version=2 rules=2 files=0
    Internal requirements count=1 size=88

### Creating a bootable USB installer

Instead of booting from the network or using target disk mode, a bootable macOS installer can be made with the

To create a bootable USB installer, mount a USB drive, and erase and partition it, then use the

    $ diskutil list
    [Find disk matching correct size, usually the last disk, e.g. /dev/disk2]
    $ diskutil unmountDisk /dev/disk2
    $ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100%
    $ cd /Applications/Install\ macOS\ Monterey.app
    $ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction
    Erasing disk: 0%... 10%... 20%... 30%... 100%
    Copying to disk: 0%... 10%... 20%... 30%... 40%... 50%... 60%... 70%... 80%... 90%... 100%
    Making disk bootable...
    Copying boot files...
    Install media now available at "/Volumes/Install macOS Catalina"

Apple also has a guide on doing this via the GUI Disk Utility.

### Creating an install image

Note: Apple's AutoDMG installer does not appear to work across OS versions. If you want to build a 10.14 image, for example, the following steps must be performed on macOS 10.14!

To create a custom install image which can be restored to a Mac (using a USB-C cable and target disk mode, for example), use MagerValp/AutoDMG.

#### Manual way

Note: The following instructions appear to work only on macOS versions before 10.13.

Find

Verify file integrity by comparing its SHA-256 hash with others found in InstallESD_Hashes.csv or notpeter/apple-installer-checksums. To determine which macOS versions and builds originally shipped with or are available for a Mac, see HT204319.

    $ shasum -a 256 InstallESD.dmg

Mount and install the operating system to a temporary image:

    $ hdiutil attach -mountpoint /tmp/InstallESD ./InstallESD.dmg
    $ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/macos.sparseimage
    $ hdiutil attach -mountpoint /tmp/macos -owners on /tmp/macos.sparseimage
    $ sudo installer -pkg /tmp/InstallESD/Packages/OSInstall.mpkg -tgt /tmp/macos -verbose
    installer: OS Install started.
    #############
    [...]

The installation will take a while, so be patient. Use

Once the installation is complete, detach, convert and verify the image:

    $ hdiutil detach /tmp/macos
    "disk4" unmounted.
    "disk4" ejected.
    $ hdiutil detach /tmp/InstallESD
    "disk3" unmounted.
    "disk3" ejected.
    $ hdiutil convert -format UDZO /tmp/macos.sparseimage -o ~/sierra.dmg
    Preparing imaging engine...
    [...]
    $ asr imagescan --source ~/sierra.dmg

The file

### Target disk mode

To use Target Disk Mode, boot up the Mac you wish to image while holding the

If you don't have another Mac, boot to a USB installer, with

Use the command

Optionally, securely erase the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as
Partition the disk to Journaled HFS+:

    $ sudo diskutil unmountDisk /dev/disk2
    $ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100%

Restore the image to the new volume, making sure

    $ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m
    [...]
    Erase contents of /dev/disk2s2 (/Volumes/macOS)? [ny]:y
    [...]

The Disk Utility application may also be used to erase the connected disk and restore

To transfer any files, copy them to a shared folder like

[Image: Finished restore install from USB recovery boot]

### Creating a recovery partition

Unless you have built the image with AutoDMG, or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using MagerValp/Create-Recovery-Partition-Installer or manually by following these steps:

Download RecoveryHDUpdate.dmg and verify its integrity:

    $ shasum -a 256 RecoveryHDUpdate.dmg
    f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c RecoveryHDUpdate.dmg

Attach and expand the installer, then run it, again ensuring

    $ hdiutil attach RecoveryHDUpdate.dmg
    $ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery
    $ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg
    $ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist
    [...]
    Creating recovery partition: finished

Run

### Virtualization

To install macOS as a virtual machine (VM) using VMware Fusion, follow the instructions above to create an image. You will not need to download and create a recovery partition manually.

For the Installation Method, select Install macOS from the recovery partition. Customize any memory or CPU requirements and complete setup. The guest VM should boot into Recovery Mode by default.

Note: If the virtual machine does not boot due to a kernel panic, adjust the memory and process resource settings.

In Recovery Mode, select a language, then select Utilities > Terminal from the menu bar.

In the guest VM, type

On the host Mac, type

From the host Mac, serve the installable image to the guest VM by editing
On the host Mac, link the image to the default Apache Web server directory:

From the host Mac, start Apache in the foreground:

From the guest VM, install the disk image to the volume over the local network using

    -bash-3.2# asr restore --source http://172.16.34.1/sierra.dmg --target /Volumes/Macintosh\ HD/ --erase --buffersize 4m
    Validating target...done
    Validating source...done
    Erase contents of /dev/disk0s2 (/Volumes/Macintosh HD)? [ny]: y
    Retrieving scan information...done
    Validating sizes...done
    Restoring ....10....20....30....40....50....60....70....80....90....100
    Verifying ....10....20....30....40....50....60....70....80....90....100
    Remounting target volume...done

When it's finished, stop the Apache Web server on the host Mac by pressing

In the guest VM, select Startup Disk from the menubar top-left, select the hard drive and restart. You may wish to disable the Network Adapter in VMware to configure the guest VM initially.

Take and restore from saved guest VM snapshots before and after attempting risky browsing, for example, or use a guest VM to install and operate questionable software.

## First boot

Note: Before setting up macOS, consider disconnecting networking and configuring a firewall(s) first. However, late 2016 MacBooks with Touch Bar hardware require online OS activation (also see next section).

On first boot, hold

When macOS first starts, you'll be greeted by Setup Assistant. When creating the first account, use a strong password without a hint.

If you enter your real name at the account setup process, be aware that your computer's name and local hostname will comprise that name (e.g., John Appleseed's MacBook) and thus will appear on local networks and in various preference files. Both should be verified and updated as needed in System Preferences > Sharing or with the following commands after installation:
## System activation

A few words on the privacy implications of activating "Touch Bar" MacBook devices from your friendly anonymous security researcher:
## Admin and standard user accounts

The first user account is always an admin account. Admin accounts are members of the admin group and have access to Utilities like

It is considered a best practice by Apple and others (pdf) (p. 41–42) to use a separate standard account for day-to-day work and use the admin account for installations and system configuration.

It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some recommendations for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account. The admin account can also be removed from FileVault for additional hardening.

### Caveats
### Setup

Accounts can be created and managed in System Preferences. On settled systems, it is generally easier to create a second admin account and then demote the first account. This avoids data migration. Newly installed systems can also just add a standard account.

Demoting an account can be done either from the new admin account in System Preferences (the other account must be logged out) or by executing these commands (it may not be necessary to execute both, see issue #179):

    $ sudo dscl . -delete /Groups/admin GroupMembership <username>
    $ sudo dscl . -delete /Groups/admin GroupMembers <GeneratedUID>

To find the "GeneratedUID" of an account:

    $ dscl . -read /Users/<username> GeneratedUID

See also this post for more information about how macOS determines group membership.

## Full disk encryption

FileVault provides full disk (technically, full volume) encryption on macOS.

FileVault encryption protects data at rest and makes it harder (though not always impossible) for someone with physical access to steal data or tamper with your Mac. With much of the cryptographic operations happening efficiently in hardware, the performance penalty for FileVault is not noticeable.

Like all cryptosystems, the security of FileVault greatly depends on the quality of the pseudo random number generator (PRNG).
See

Turning on FileVault in System Preferences after installing macOS, rather than creating an encrypted partition for the installation first, is more secure, because more PRNG entropy is available then.

Additionally, the PRNG can be manually seeded with entropy by writing to /dev/random before enabling FileVault. This can be done by simply using the Mac for a little while before activating FileVault. It may also be possible to increase entropy with an external source, like OneRNG. See Entropy and Random Number Generators and Fun with encryption and randomness for more information.

Enable FileVault with

If you can remember the password, there's no reason to save the recovery key. However, all encrypted data will be lost forever without either the password or the recovery key.

To learn about how FileVault works, see the paper Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption (pdf) and the related presentation (pdf). Also see IEEE Std 1619-2007: The XTS-AES Tweakable Block Cipher (pdf).

Optional: Enforce system hibernation and evict FileVault keys from memory instead of traditional sleep to memory:

    $ sudo pmset -a destroyfvkeyonstandby 1
    $ sudo pmset -a hibernatemode 25
If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See issue #124 for more information. These settings can be changed with:

    $ sudo pmset -a powernap 0
    $ sudo pmset -a standby 0
    $ sudo pmset -a standbydelay 0
    $ sudo pmset -a autopoweroff 0

For more information, see Best Practices for Deploying FileVault 2 (pdf) and the paper Lest We Remember: Cold Boot Attacks on Encryption Keys (pdf).

Note: APFS may make evicting FileVault keys redundant; see discussion and links in issue #283.

## Firmware

### Setting a firmware password
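Because a single forgotten `pmset` setting (a default `powernap 1`, for instance) undoes the key eviction described above, it is worth auditing the result rather than assuming it. The following POSIX shell check is an added example, not code from the guide: it parses the `<name> <value>` lines that `pmset -g` prints and reports every recommended setting that is missing or wrong. A constructed sample of `pmset -g` output is embedded so it runs anywhere; on a Mac you would pass the real output instead.

```shell
#!/bin/sh
# Added example (not from the guide): audit the FileVault key-eviction power
# settings against the values recommended above by parsing `pmset -g` output.

# Hardened values, taken from the guide's pmset commands ("<key> <value>").
EXPECTED_PMSET='destroyfvkeyonstandby 1
hibernatemode 25
powernap 0
standby 0
standbydelay 0
autopoweroff 0'

# Constructed sample of `pmset -g` output for a Mac where only hibernatemode
# was changed; every other setting is still at a default that undoes eviction.
SAMPLE_PMSET_OUTPUT='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 powernap             1
 autopoweroff         1
 standbydelay         4200
 destroyfvkeyonstandby 0'

# Print "<key> <actual-or-missing> <expected>" for each recommended setting
# that is absent from the pmset output in $1 or differs from the expected value.
pmset_mismatches() {
    printf '%s\n' "$EXPECTED_PMSET" | while read -r key want; do
        # pmset prints one "<name> <value>" pair per line; the displayed name
        # may differ in case from the name used with `pmset -a`, so compare
        # case-insensitively and take the first match.
        have=$(printf '%s\n' "$1" | awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        [ "$have" = "$want" ] || echo "$key ${have:-missing} $want"
    done
}

# Return 0 when every recommended setting is in place, 1 otherwise, listing
# what still needs to be set (each line maps directly to a `sudo pmset -a`).
check_pmset_settings() {
    bad=$(pmset_mismatches "$1")
    [ -z "$bad" ] && return 0
    printf 'pmset settings not hardened:\n%s\n' "$bad"
    return 1
}

# Run against the constructed sample; on a real Mac: check_pmset_settings "$(pmset -g)"
if check_pmset_settings "$SAMPLE_PMSET_OUTPUT"; then echo "hardened"; else echo "not hardened"; fi
```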