The script is a macOS security audit tool that checks core protections — System Integrity Protection, Gatekeeper, the application firewall, FileVault, boot arguments, automatic updates, file quarantine and Remote Login (SSH) — and lists non-Apple kernel extensions. Each check is reported as PASS/FAIL on the terminal and every failure is appended to a plain-text log for follow-up. Some checks (systemsetup, fdesetup) need administrator privileges, so run it with sudo; the header comments also list items that still have to be reviewed by hand.
#!/bin/bash
###### Tasks Requiring Manual Checking ######
# Review Installed Applications:
# Steps: Open Applications folder and Launchpad.
# Signs of Compromise: Unfamiliar or unexpected applications installed.
# Check App Permissions:
# Steps: System Settings → Privacy & Security (on macOS 12 and earlier: System Preferences → Security & Privacy → Privacy tab).
# Signs of Compromise: Unusual permissions granted to unknown applications.
# Audit Browser Extensions:
# Steps: Check extensions/add-ons in each browser’s settings.
# Signs of Compromise: Unrecognized extensions or add-ons installed.
###### Checks Automated by This Script (expected state vs. red flag) ######
# Check System Integrity Protection (SIP):
# Optimal: SIP is enabled.
# Suspicious: SIP is disabled.
# Verify Gatekeeper Status:
# Optimal: Gatekeeper is active.
# Suspicious: Gatekeeper is disabled.
# Check Firewall Status:
# Optimal: Firewall is enabled.
# Suspicious: Firewall is disabled.
# Verify FileVault Status:
# Optimal: FileVault is enabled.
# Suspicious: FileVault is disabled.
# Check for Non-standard Boot Arguments:
# Optimal: No non-standard boot arguments.
# Suspicious: Unusual boot arguments present.
# List Non-Apple Kernel Extensions:
# Optimal: No non-Apple kernel extensions.
# Suspicious: Non-Apple kernel extensions present.
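# Define color codes
# The escapes are stored as literal "\033[...m" strings and are only interpreted
# at print time (echo -e / printf '%b'), so they are safe to embed in messages.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly NC='\033[0m' # No Color
# Where failed checks are recorded. Relative to the current directory by
# default; set LOG_FILE in the environment to direct it elsewhere (e.g. an
# evidence directory) without editing the script.
LOG_FILE="${LOG_FILE:-security_check_log.txt}"
readonly LOG_FILE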
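# Function to check status
#
# Print a coloured PASSED/FAILED verdict for one check and, on failure, append
# a line to $LOG_FILE so the operator has a plain-text list to follow up on.
#
# Arguments:
#   $1 - result of the check: 0 means passed, anything else means failed
#   $2 - human-readable name of the check, used in the log line. Defaults to
#        "Unnamed" so a caller that forgets it still produces a usable entry
#        instead of the bare " test FAILED".
# Globals:
#   GREEN, RED, NC - colour escapes, expanded with printf '%b'
#   LOG_FILE       - appended to on failure
# Outputs: the verdict on stdout
# Returns: 0
check_status() {
  local result=${1:-1}
  local name=${2:-Unnamed}
  if [[ $result -eq 0 ]]; then
    printf '%b\n' "${GREEN}PASSED${NC}"
  else
    printf '%b\n' "${RED}FAILED${NC}"
    printf '%s test FAILED\n' "$name" >> "$LOG_FILE"
  fi
}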
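# Several checks are only meaningful as root: systemsetup refuses to run
# unprivileged (its error text would be reported as a FAILED SSH check), and
# fdesetup was previously invoked through sudo mid-run. Requiring root up front
# gives consistent results and avoids a password prompt halfway through.
if [[ $EUID -ne 0 ]]; then
  printf '%bThis script must be run as root, e.g. "sudo %s".%b\n' "$RED" "$0" "$NC" >&2
  exit 1
fi

# Read a per-user defaults key as the user who invoked sudo: when running as
# root, a plain `defaults read` would inspect root's preference domain rather
# than the account actually being audited. Falls back to the current user.
# Arguments: $1 - defaults domain, $2 - key
# Outputs:   the value on stdout, or nothing if the key is unset
read_user_default() {
  local domain=$1 key=$2
  if [[ -n ${SUDO_USER:-} && $SUDO_USER != root ]]; then
    sudo -u "$SUDO_USER" defaults read "$domain" "$key" 2>/dev/null
  else
    defaults read "$domain" "$key" 2>/dev/null
  fi
}

# Start new log file
echo "Security Check Log - $(date)" > "$LOG_FILE"

# System Integrity Protection Status
# csrutil prints "System Integrity Protection status: enabled." when fully on.
# A partially disabled (custom) configuration reports "status: unknown" followed
# by per-feature lines such as "Kext Signing: enabled", so match the overall
# status line rather than any occurrence of the word "enabled".
echo -n "Checking System Integrity Protection (SIP) status... "
sip_status=$(csrutil status 2>/dev/null)
if [[ $sip_status == *"status: enabled"* ]]; then
  check_status 0 "System Integrity Protection"
else
  check_status 1 "System Integrity Protection"
fi

# Gatekeeper Status
# spctl --status prints "assessments enabled" or "assessments disabled".
echo -n "Checking Gatekeeper status... "
gatekeeper_status=$(spctl --status 2>/dev/null)
if [[ $gatekeeper_status == *"assessments enabled"* ]]; then
  check_status 0 "Gatekeeper"
else
  check_status 1 "Gatekeeper"
fi

# Firewall Status
# globalstate: 0 = off, 1 = on for specific services, 2 = block all incoming
# connections. Both 1 and 2 mean the firewall is active; accepting only 1 would
# report the stricter "block all" mode as a failure.
echo -n "Checking Firewall status... "
firewall_state=$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)
if [[ -z $firewall_state ]]; then
  # The plist key is not present on every release; ask the firewall CLI
  # directly. It prints e.g. "Firewall is enabled. (State = 1)".
  firewall_state=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null \
    | sed -n 's/.*State = \([0-9]\).*/\1/p')
fi
case $firewall_state in
  1|2) check_status 0 "Firewall" ;;
  *)   check_status 1 "Firewall" ;;
esac

# FileVault Status
# fdesetup prints "FileVault is On." / "FileVault is Off." (no root needed for
# the status line). Match the full phrase so auxiliary lines cannot match by
# accident.
echo -n "Checking FileVault status... "
filevault_status=$(fdesetup status 2>/dev/null)
if [[ $filevault_status == *"FileVault is On"* ]]; then
  check_status 0 "FileVault"
else
  check_status 1 "FileVault"
fi

# Check for non-standard boot arguments
# A stock Mac has no boot-args set. `nvram boot-args` prints "boot-args<TAB>value"
# (and an error on stderr when the variable is absent), so take the value
# column only. Anything present (e.g. "-v", or flags that relax kernel
# protections) is flagged and the value is logged so the reviewer can see it.
echo -n "Checking for non-standard boot arguments... "
boot_args=$(nvram boot-args 2>/dev/null | cut -f2-)
if [[ -z $boot_args ]]; then
  check_status 0 "Boot arguments"
else
  check_status 1 "Boot arguments"
  printf '  boot-args: %s\n' "$boot_args" >> "$LOG_FILE"
fi

# Check for non-Apple kernel extensions
# kextstat columns: Index Refs Address Size Wired Name (Version) UUID <Linked Against>.
# Keep only data rows (numeric index, which also drops the header and any
# notice lines the wrapper may emit) whose bundle id is not com.apple.*.
# Filtering by column avoids deleting fixed line numbers, which previously
# removed the header *and* the first real third-party kext from the listing.
echo "Checking for non-Apple kernel extensions... "
non_apple_kexts=$(kextstat 2>/dev/null | awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./')
if [[ -z $non_apple_kexts ]]; then
  printf '%b\n' "${GREEN}No non-Apple kernel extensions detected.${NC}"
else
  printf '%b\n%s\n' "${RED}Non-Apple Kernel Extensions Detected:${NC}" "$non_apple_kexts"
  # Record the finding like every other failed check so the log is complete.
  printf 'Non-Apple kernel extensions present:\n%s\n' "$non_apple_kexts" >> "$LOG_FILE"
fi

# Check for Automatic Updates
# AutomaticCheckEnabled only governs *checking* for updates, not installing
# them; a missing key means the system default applies and should be confirmed
# manually in Software Update settings.
echo -n "Checking for Automatic Updates... "
auto_update_status=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)
case $auto_update_status in
  1) check_status 0 "Automatic Updates" ;;
  0) check_status 1 "Automatic Updates" ;;
  *)
    printf '%b\n' "${RED}Automatic Updates setting not found or not set.${NC}"
    echo "Automatic Updates setting not found or not set." >> "$LOG_FILE"
    ;;
esac

# Check for Downloaded File Quarantine
# LSQuarantine lives in the user's Launch Services domain, hence the read as the
# sudo caller. The key is absent on a stock system, where quarantine is on by
# default, so "not set" is a pass; only an explicit false means it was disabled.
echo -n "Checking for Downloaded File Quarantine... "
quarantine_status=$(read_user_default com.apple.LaunchServices LSQuarantine)
case $quarantine_status in
  0|false) check_status 1 "Downloaded File Quarantine" ;;
  *)       check_status 0 "Downloaded File Quarantine" ;;
esac

# Check for Remote Login (SSH) Status
# systemsetup requires root (enforced above) and prints "Remote Login: On|Off".
# Anything other than an explicit Off — including an error — counts as failed.
echo -n "Checking for Remote Login (SSH) status... "
remote_login_status=$(systemsetup -getremotelogin 2>/dev/null)
if [[ $remote_login_status == *"Remote Login: Off"* ]]; then
  check_status 0 "Remote Login (SSH)"
else
  check_status 1 "Remote Login (SSH)"
fi

printf '%b\n' "${GREEN}All security checks completed.${NC}"
printf 'Failed checks, if any, are recorded in %s\n' "$LOG_FILE"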