mOSL v3.2.1 releases: audit and fix macOS Mojave (10.14.x) security settings
macOS Lockdown (mOSL)
Bash script to audit and fix macOS Mojave (10.14.x) security settings
- Always run the latest release, not the code in master!
- This script will only ever support the latest macOS release
- This script requires your password to invoke some commands with sudo
The main goal is to enforce already secure defaults and apply more strict non-default options.
It aims to reduce attack surface but it is pragmatic in this pursuit. The author utilizes Bluetooth for services such as Handoff so it is left enabled.
There is no specific focus on enhancing privacy.
Full Disk Access Permission
In macOS Mojave certain application data is protected by the OS (the TCC privacy framework). For example, if Example.app wishes to access Contacts.app data, Example.app must be given explicit permission via System Preferences > Security & Privacy > Privacy. However, some application data is not covered by any of the per-service permissions; access to that data requires the Full Disk Access permission.
mOSL requires that Terminal.app be given the Full Disk Access permission. It needs this permission to audit/fix the following settings:
- disable mail remote content
These are currently the only settings which require Full Disk Access.
It is not possible to programmatically get or prompt for this permission, it must be manually given by the user.
To give Terminal.app Full Disk Access:
System Preferences > Security & Privacy > Privacy > Full Disk Access > Add Terminal.app
Once you are done with mOSL you can revoke Full Disk Access for Terminal.app. There’s a small checkbox next to Terminal which you can uncheck to revoke the permission without entirely removing Terminal.app from the list.
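Because the permission cannot be requested from a script, the only thing a script can do is probe for it and tell the user what to click. The following is an added example, not part of mOSL, showing such a pre-flight check: it attempts to list a TCC-protected path (the Mail container's preferences directory is assumed here; it is the data the mail remote content check needs) and distinguishes a TCC denial ("Operation not permitted") from the path simply not existing. The classification is kept in a pure function so it can be exercised off-macOS.

```shell
#!/usr/bin/env sh
# Added example (not mOSL's own code): pre-flight check for Full Disk Access.
set -u

# Assumption: Mail's sandboxed preferences live under this container path and
# listing it without Full Disk Access fails with EPERM on Mojave.
MAIL_PREFS_DIR="${HOME}/Library/Containers/com.apple.mail/Data/Library/Preferences"

# classify_probe STDERR_TEXT EXIT_CODE -> prints one of: ok | denied | missing | error
# Pure function: given the captured stderr and exit code of a probe, decide
# whether the terminal was denied by TCC, the path is absent, or something else.
classify_probe() {
  err="$1"; rc="$2"
  if [ "$rc" -eq 0 ]; then
    echo ok
  else
    case "$err" in
      *"Operation not permitted"*)     echo denied ;;   # TCC denial (EPERM)
      *"No such file or directory"*)   echo missing ;;  # not a permissions problem
      *)                               echo error ;;
    esac
  fi
}

# probe_path PATH -> runs the real probe (ls) and classifies its outcome.
# "2>&1 >/dev/null" captures only stderr; stdout (the listing) is discarded.
probe_path() {
  err="$(ls "$1" 2>&1 >/dev/null)"; rc=$?
  classify_probe "$err" "$rc"
}

# require_full_disk_access -> 0 if the probe succeeds, non-zero otherwise,
# printing the manual steps the user must take when TCC denies access.
require_full_disk_access() {
  case "$(probe_path "$MAIL_PREFS_DIR")" in
    ok) return 0 ;;
    denied)
      echo "Terminal.app does not have Full Disk Access." >&2
      echo "System Preferences > Security & Privacy > Privacy > Full Disk Access > add Terminal.app, then re-run." >&2
      return 1 ;;
    missing)
      echo "Mail preferences directory not found; nothing to audit." >&2
      return 2 ;;
    *)
      echo "Unexpected error probing $MAIL_PREFS_DIR" >&2
      return 3 ;;
  esac
}

# Usage: report the probe result (always exits 0; call require_full_disk_access
# from a script that should abort when the permission is missing).
echo "Full Disk Access probe: $(probe_path "$MAIL_PREFS_DIR")"
```

The probe deliberately uses a read-only `ls` rather than `defaults read`, so a failed check has no side effects; once the user has added Terminal.app in the Privacy pane, re-running the probe returns `ok` without restarting the terminal session on Mojave.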
More info on macOS’s new permission model:
- Working with Mojave’s Privacy Protection by Howard Oakley
- TCC Round Up by Carl Ashley
- WWDC 2018 Session 702 Your Apps and the Future of macOS Security
Settings that can be audited/fixed:
 enable automatic system updates
 enable automatic app store updates
 enable gatekeeper
 enable firewall
 enable admin password preferences
 enable terminal secure entry
 enable sip
 enable filevault
 disable firewall builin software
 disable firewall downloaded signed
 disable ipv6
 disable mail remote content
 disable remote apple events
 disable remote login
 disable auto open safe downloads
 set airdrop contacts only
 set appstore update check daily
 set firmware password
 check kext loading consent
 check efi integrity
 check if standard user
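The audit/fix split above (audit reports, fix applies, and some items such as SIP are check-only because they cannot be changed from a running system) is easiest to see in code. The following is an added example, not mOSL's own script, implementing that pattern for four of the listed settings: gatekeeper, sip, filevault and firewall. Each setting has a probe (the real macOS command), a pure evaluator that judges the probe's output (so the logic can be tested off-macOS), and a fix. The exact output strings of `spctl`, `csrutil`, `fdesetup` and `socketfilterfw` are assumed from their Mojave behaviour.

```shell
#!/usr/bin/env sh
# Added example (not mOSL's own code): audit/fix dispatch for a few settings.

# --- probes: the real commands; each prints the state to stdout -------------
probe_gatekeeper() { spctl --status; }
probe_sip()        { csrutil status; }
probe_filevault()  { fdesetup status; }
probe_firewall()   { /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate; }

# --- evaluators: pure functions, OUTPUT -> "pass" | "fail" -------------------
eval_gatekeeper() {  # "assessments enabled" / "assessments disabled"
  case "$1" in *"assessments enabled"*) echo pass ;; *) echo fail ;; esac
}
eval_sip() {         # "System Integrity Protection status: enabled."
  case "$1" in *"status: enabled"*) echo pass ;; *) echo fail ;; esac
}
eval_filevault() {   # "FileVault is On." / "FileVault is Off."
  case "$1" in *"FileVault is On"*) echo pass ;; *) echo fail ;; esac
}
eval_firewall() {    # "(State = 1)" on, "(State = 2)" block all, "(State = 0)" off
  case "$1" in *"State = 1"*|*"State = 2"*) echo pass ;; *) echo fail ;; esac
}

# --- fixes: require sudo; check-only items explain why they cannot fix -------
fix_gatekeeper() { sudo spctl --master-enable; }
fix_firewall()   { sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on; }
fix_sip() {
  echo "SIP can only be changed from Recovery (csrutil enable); audit only." >&2
  return 1
}
fix_filevault() {
  echo "FileVault enablement is interactive (sudo fdesetup enable); not automated." >&2
  return 1
}

# run_setting MODE NAME -> audits NAME; in fix mode runs fix_NAME only when
# the audit fails, so an already-correct setting is never touched.
run_setting() {
  mode="$1"; name="$2"
  out="$("probe_$name" 2>&1)"
  if [ "$("eval_$name" "$out")" = pass ]; then
    echo "[PASS] $name"; return 0
  fi
  echo "[FAIL] $name"
  [ "$mode" = fix ] || return 1
  "fix_$name" && echo "[FIXED] $name"
}

# main MODE -> runs every setting, returns non-zero if any remains failing
main() {
  status=0
  for s in gatekeeper sip filevault firewall; do
    run_setting "$1" "$s" || status=1
  done
  return $status
}

case "${1:-}" in
  audit|fix) main "$1" ;;
  *) echo "usage: $0 audit|fix" >&2 ;;
esac
```

Keeping the evaluators separate from the probes is what makes the script reviewable: a reader can see exactly which output string counts as "secure" for each setting, and the fix is only invoked when that evaluator says the setting is wrong.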
fix: Removed reference to `no_fix_commands` variable which would cause `fix` mode to error with `unbound variable` when calling
Copyright (c) 2018 0xmachos