4.3.0 with security add-ons and pushup command

HISTORY.md

@@ -3,6 +3,7 @@
 **Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*
 
 - [Release History](#release-history)  
+  - [v4.3.0](#v430)
   - [v4.2.0](#v420)
   - [v4.1.1](#v411)
   - [v4.1.0](#v410)
@@ -22,6 +23,17 @@
 
 # Release History
 
+## v4.3.0
+ * vim installation fix
+ * Enable firewall
+ * Enable firewall stealth mode (no response to ICMP / ping requests)
+ * Disable remote apple events
+ * Disable wake-on modem
+ * Disable wake-on LAN
+ * Disable file-sharing via AFP or SMB
+ * Disable guest account login
+ * `pushup` alias (`git-up`, followed by `git push`)
+
 ## v4.2.0
  * new shell functions: `tre` and `sri`
  * cleanup shell functions (remove unused echo helpers)

README.md

@@ -158,6 +158,15 @@ Here is the current list:
 - Disable smart quotes as they’re annoying when typing code
 - Disable smart dashes as they’re annoying when typing code
 
+## Security
+- Enable firewall
+- Enable firewall stealth mode (no response to ICMP / ping requests)
+- Disable remote apple events
+- Disable wake-on modem
+- Disable wake-on LAN
+- Disable file-sharing via AFP or SMB
+- Disable guest account login
+
 ## Trackpad, mouse, keyboard, Bluetooth accessories, and input
 - Trackpad: enable tap to click for this user and for the login screen
 - Trackpad: map bottom right corner to right-click

config.js

@@ -40,7 +40,7 @@ module.exports = {
     'tree',
     'ttyrec',
     // better, more recent vim
-    'vim --override-system-vi',
+    'vim --with-override-system-vi',
     'watch',
     // Install wget with IRI support
     'wget --enable-iri'

homedir/.shellaliases

@@ -74,6 +74,8 @@ alias port-forward-enable="echo 'rdr pass inet proto tcp from any to any port 23
 alias port-forward-disable="sudo pfctl -F all -f /etc/pf.conf"
 alias port-forward-list="sudo pfctl -s nat"
 
+# push git repo, but first, use git-up to make sure you are in sync and rebased with the remote
+alias pushup="git-up && git push"
 # Set the extended MacOS attributes on a file such that Quicklook will open it as text
 alias qltext='xattr -wx com.apple.FinderInfo "54 45 58 54 21 52 63 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" $1'
 #alias qltext2='osascript -e tell application "Finder" to set file type of ((POSIX file "$1") as alias) to "TEXT"'

install.sh

@@ -280,6 +280,111 @@ bot "Configuring General System UI/UX..."
 running "closing any system preferences to prevent issues with automated changes"
 osascript -e 'tell application "System Preferences" to quit'
 ok
+
+##############################################################################
+# Security                                                                   #
+##############################################################################
+# Based on:
+# https://github.com/drduh/macOS-Security-and-Privacy-Guide
+# https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf
+
+# Enable firewall. Possible values:
+#   0 = off
+#   1 = on for specific sevices
+#   2 = on for essential services
+sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
+
+# Enable firewall stealth mode (no response to ICMP / ping requests)
+# Source: https://support.apple.com/kb/PH18642
+#sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
+sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
+
+# Enable firewall logging
+#sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -int 1
+
+# Do not automatically allow signed software to receive incoming connections
+#sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
+
+# Log firewall events for 90 days
+#sudo perl -p -i -e 's/rotate=seq compress file_max=5M all_max=50M/rotate=utc compress file_max=5M ttl=90/g' "/etc/asl.conf"
+#sudo perl -p -i -e 's/appfirewall.log file_max=5M all_max=50M/appfirewall.log rotate=utc compress file_max=5M ttl=90/g' "/etc/asl.conf"
+
+# Reload the firewall
+# (uncomment if above is not commented out)
+#launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
+#sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
+#sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
+#launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist
+
+# Disable IR remote control
+#sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false
+
+# Turn Bluetooth off completely
+#sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
+#sudo launchctl unload /System/Library/LaunchDaemons/com.apple.blued.plist
+#sudo launchctl load /System/Library/LaunchDaemons/com.apple.blued.plist
+
+# Disable wifi captive portal
+#sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false
+
+# Disable remote apple events
+sudo systemsetup -setremoteappleevents off
+
+# Disable remote login
+#sudo systemsetup -setremotelogin off
+
+# Disable wake-on modem
+sudo systemsetup -setwakeonmodem off
+
+# Disable wake-on LAN
+sudo systemsetup -setwakeonnetworkaccess off
+
+# Disable file-sharing via AFP or SMB
+sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
+sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
+
+# Display login window as name and password
+#sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
+
+# Do not show password hints
+#sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
+
+# Disable guest account login
+sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
+
+# Automatically lock the login keychain for inactivity after 6 hours
+#security set-keychain-settings -t 21600 -l ~/Library/Keychains/login.keychain
+
+# Destroy FileVault key when going into standby mode, forcing a re-auth.
+# Source: https://web.archive.org/web/20160114141929/http://training.apple.com/pdf/WP_FileVault2.pdf
+#sudo pmset destroyfvkeyonstandby 1
+
+# Disable Bonjour multicast advertisements
+#sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
+
+# Disable the crash reporter
+#defaults write com.apple.CrashReporter DialogType -string "none"
+
+# Disable diagnostic reports
+#sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.SubmitDiagInfo.plist
+
+# Log authentication events for 90 days
+#sudo perl -p -i -e 's/rotate=seq file_max=5M all_max=20M/rotate=utc file_max=5M ttl=90/g' "/etc/asl/com.apple.authd"
+
+# Log installation events for a year
+#sudo perl -p -i -e 's/format=bsd/format=bsd mode=0640 rotate=utc compress file_max=5M ttl=365/g' "/etc/asl/com.apple.install"
+
+# Increase the retention time for system.log and secure.log
+#sudo perl -p -i -e 's/\/var\/log\/wtmp.*$/\/var\/log\/wtmp   \t\t\t640\ \ 31\    *\t\@hh24\ \J/g' "/etc/newsyslog.conf"
+
+# Keep a log of kernel events for 30 days
+#sudo perl -p -i -e 's|flags:lo,aa|flags:lo,aa,ad,fd,fm,-all,^-fa,^-fc,^-cl|g' /private/etc/security/audit_control
+#sudo perl -p -i -e 's|filesz:2M|filesz:10M|g' /private/etc/security/audit_control
+#sudo perl -p -i -e 's|expire-after:10M|expire-after: 30d |g' /private/etc/security/audit_control
+
+# Disable the “Are you sure you want to open this application?” dialog
+defaults write com.apple.LaunchServices LSQuarantine -bool false
+
 ###############################################################################
 # SSD-specific tweaks                                                         #
 ###############################################################################

package.json

@@ -1,6 +1,6 @@
 {
   "name": "dotfiles",
-  "version": "4.2.0",
+  "version": "4.3.0",
   "description": "atomantic dotfiles for osx",
   "main": "index.js",
   "scripts": {