Image macOS

See drduh macOS Security and Privacy Guide for more details.

  1. Set firmware password. sudo firmwarepasswd -setpasswd -setmode command.
  2. AutoDMG imaging no longer works. Instead, install clean macOS using a bootable USB installer. Users and custom packages now have to be configured after install.
  3. Make bootable USB. Download latest macOS from App Store, erase and format a USB to HFS+ and use the latest script to create the bootable installer.
  4. On the Mac, hold the Option key down on restart, then choose the Install macOS boot disk.
  5. Use Disk Utility to erase Macintosh HD and reformat to APFS.
  6. Exit Disk Utility and reinstall macOS back to Macintosh HD.
  7. Restart into Mac, create a temp account, and don't agree to location, Siri, or diagnostics.
  8. Once through Mac setup flow and on desktop, use custom packages to create standard users, login to standard user account, and delete temp account.
  9. Continue setup using bootstrap.sh (or Manual Setup below) and install with standard account. After initial setup, use command chmod_admin in .adrw-functions to reduce privileges back to Standard.

Manual Setup

  1. Change system ComputerName and LocalHostName to remove personal information
$ sudo scutil --set ComputerName { name }
$ sudo scutil --set LocalHostName { name }
  2. Manually seed entropy with random letters, then Ctrl-D, using cat > /dev/random
  3. Enable FileVault through GUI or sudo fdesetup enable

Firewall

  1. Enable firewall, logging, and stealth mode (doesn't respond to ICMP ping requests or to connection attempts on closed TCP/UDP ports)
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
  2. Stop both built-in and downloaded software from being automatically whitelisted
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off
  3. Third party firewalls

No More Phone Home

  1. Disable Spotlight Suggestions and Allow Spotlight Suggestions in Look up in Settings/Spotlight
  2. Disable Include Safari Suggestions in Safari / Preferences / Search
  3. Consider

Homebrew

  1. Install Command Line Tools: type git to trigger the install prompt, or use xcode-select --install
  2. Use main.sh script to install

Generate SSH Keys

  1. ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
  2. pbcopy < ~/.ssh/id_rsa.pub to copy the public key to the clipboard, then add it to your GitHub account

DNS

  1. Append a consolidated hosts file for broad, low-level blocking of ad and malware networks
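
Before appending a third-party consolidated hosts file, check that every entry only sinks a name rather than redirecting it to a routable address. The script below is an added example, not part of the original page; the function names and the sample blocklist are constructed for illustration, and it assumes blocklist entries should only point at 0.0.0.0, 127.0.0.1, :: or ::1.

```shell
#!/bin/sh
# Added example: vet a third-party hosts blocklist before appending it.
# Assumption: a legitimate entry only maps names to a sink address.

# hosts_filter MODE FILE   (hypothetical helper; MODE is vet or emit)
#   vet  : print every line that is not a pure sink mapping, exit 1 if any
#   emit : print normalized, de-duplicated "0.0.0.0 name" lines only
hosts_filter() {
    awk -v mode="$1" '
        function is_sink(a) {
            return a == "0.0.0.0" || a == "127.0.0.1" || a == "::" || a == "::1"
        }
        { sub(/\r$/, ""); sub(/[#].*/, "") }   # strip CR and comments
        NF == 0 { next }                        # blank or comment-only line
        NF == 1 || !is_sink($1) {               # bare token, or a real redirect
            if (mode == "vet") printf "line %d rejected: %s\n", NR, $0
            bad = 1; next
        }
        mode == "emit" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[A-Za-z0-9._-]+$/ && $i != "localhost" && !seen[$i]++)
                    print "0.0.0.0 " $i
        }
        END { exit (mode == "vet" && bad ? 1 : 0) }
    ' "$2"
}
vet_hosts()    { hosts_filter vet  "$1"; }
sink_entries() { hosts_filter emit "$1"; }

# Constructed sample blocklist (not a real feed; documentation addresses only).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample consolidated hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 ads.example.net tracker.example.org   # duplicate plus a second name
203.0.113.7 login.example.com
orphan-token
EOF

vet_hosts "$sample" || echo "blocklist has non-sink entries: review before use"
sink_entries "$sample"    # only these lines are safe to append
# To apply on the Mac: sink_entries FILE | sudo tee -a /etc/hosts
rm -f "$sample"
```

On the sample, vet_hosts rejects lines 5 and 6, and sink_entries emits one 0.0.0.0 line each for ads.example.net and tracker.example.org.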