@network-alchemist
Forked from Kuret/Apps.md
Created November 13, 2022 14:48
MacOS Config

Useful Apps

Do NOT install Flash, Java, Adobe Reader, Silverlight etc

Many services (including Netflix) now work with HTML5, and these plugins are security risks. Run them in a VM if absolutely needed.

Extensions

Settings

  • Disable "Open 'safe' files after downloading", don't need anything to open automatically
  • Disable AutoFill, use 1Password for that
  • Set Search Engine to DuckDuckGo
  • Uncheck "Include Safari Suggestions", "Enable Quick Website Search" and "Preload Top Hit"
  • Enable "Show Develop menu"

Develop menu

  • Enable "Experimental Features -> Automatic HTTPS Upgrade"
  • Disable "Experimental Features -> WebRTC mDNS ICE Candidates"

Disable Hyperlink Auditing Beacon

The <a ping> attribute pings a website when clicking on a link, used for tracking.

Safari:

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

Safari Preview:

defaults write com.apple.SafariTechnologyPreview com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

Zplugin

Plugin manager for ZSH that supports 'Turbo Mode', delaying, backgrounding or on-demand loading of plugins, giving you a prompt while still loading, making the prompt init feel significantly faster.

Zplugin

Disable Mouse Acceleration

defaults write .GlobalPreferences com.apple.mouse.scaling -1

Cloudflare DNS

Fast & Private.

Under "System Preferences -> Network -> (Adapter Name) -> Advanced -> DNS" add the following DNS Servers:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

Privacy Options

Under "System Preferences -> Security & Privacy -> Privacy"

  • Disable "Analytics & Improvements -> Share Mac Analytics/Improve Siri & Dictation/Share iCloud Analytics"
  • Disable "Advertising -> Limit Ad Tracking" (Click on "Reset Advertising Identifier" while we're at it)

Homebrew: Disable Analytics and increase security

In our shell config: (.zshrc/.bashrc etc)

export HOMEBREW_NO_ANALYTICS=1
export HOMEBREW_NO_INSECURE_REDIRECT=1
export HOMEBREW_CASK_OPTS=--require-sha

Lock screen when screensaver starts

defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0

Show filename extensions

defaults write NSGlobalDomain AppleShowAllExtensions -bool true

Disable Crash Reporter dialog

defaults write com.apple.CrashReporter DialogType none

Sudo with TouchID

Edit /etc/pam.d/sudo and add the following line near the top:

auth sufficient pam_tid.so

Note that this will break sudo when SSH'ing to your machine, can't TouchID from a remote machine.

Stop execution of the user's shell environment when using sudo

By default, sudo preserves your user's home directory (HOME), which will execute your user's .bashrc/.zshrc and other dotfiles as root. This makes it easier for malware to execute commands as root. Comment out the following line in /etc/sudoers:

Defaults env_keep += "HOME MAIL"

To keep the convenience of having your own home directory as root, add to /var/root/.bashrc:

export HOME=/Users/username
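
A check for the setting described above, as an added example that is not part of the original gist: it lists active sudoers lines whose env_keep list still preserves HOME, skipping lines that are already commented out and variables that merely contain "HOME" in their name. The function names, the sample file and the variable names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original gist): find active sudoers lines whose
# env_keep list preserves HOME, the setting the section above comments out.

# keeps_home FILE
# Prints "LINE_NUMBER: text" for each active Defaults line that keeps HOME.
# Returns 0 when at least one such line exists, 1 when there is none.
keeps_home() {
    awk '
        /^[ \t]*#/ { next }                        # already commented out
        /^[ \t]*Defaults/ && /env_keep[ \t]*[+]?=/ {
            list = $0
            sub(/^[^=]*=[ \t]*/, "", list)         # keep only the variable list
            gsub(/"/, "", list)
            n = split(list, vars)                  # split on whitespace
            for (i = 1; i <= n; i++)
                if (vars[i] == "HOME") {           # whole name: JAVA_HOME is not HOME
                    printf "%d: %s\n", NR, $0
                    found = 1
                    break
                }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input, modelled on the line quoted above (not a real file).
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "JAVA_HOME HOMEBREW_PREFIX"
# Defaults env_keep += "HOME"
Defaults env_keep += "HOME MAIL"
root ALL = (ALL) ALL
EOF
}

# Demo: scan the sample through a temporary file.
tmp=$(mktemp)
sample_sudoers > "$tmp"
if keeps_home "$tmp"; then
    echo "HOME is preserved across sudo; comment the line(s) out with visudo"
else
    echo "no active env_keep entry preserves HOME"
fi
rm -f "$tmp"
```

To check the real file, call `keeps_home /etc/sudoers` from a root shell, since the file is not readable by ordinary users.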

Disable automatically launching Captive Portal page

Automatically launching the Captive Portal Assistant could lead to a malicious network redirecting you to a site with malware. You can still reach the captive portal by opening a browser and going to any unencrypted HTTP page.

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false

More Recent OpenSSL

Apple uses its own TLS library, and the OpenSSL shipped with the system is deprecated. To get a more up-to-date version and increase security: brew install openssl

Add to your shell config:

export PATH="/usr/local/opt/openssl/bin:${PATH}"
export LDFLAGS="-L/usr/local/opt/openssl/lib"
export CPPFLAGS="-I/usr/local/opt/openssl/include"

Install GnuPG

Most likely needed for software development.

brew install gnupg

Download recommended defaults:

curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf

Increase maximum open file descriptors

When using your machine for development you'll run into this problem eventually.

Create a file /Library/LaunchDaemons/limit.maxfiles.plist and add the contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
          "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>limit.maxfiles</string>
    <key>ProgramArguments</key>
    <array>
      <string>launchctl</string>
      <string>limit</string>
      <string>maxfiles</string>
      <string>524288</string>
      <string>524288</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>ServiceIPC</key>
    <false/>
  </dict>
</plist>

Change ownership and permissions of the file:

sudo chmod 600 /Library/LaunchDaemons/limit.maxfiles.plist
sudo chown root /Library/LaunchDaemons/limit.maxfiles.plist

Load the file to enable it:

sudo launchctl load -w /Library/LaunchDaemons/limit.maxfiles.plist

Reboot and check if the limit is correctly applied with launchctl limit maxfiles

Disable some Metadata collection

Disable Quarantine storing metadata of inspected files:

# The redirect runs in your own shell, so sudo is not needed; >| overrides noclobber in zsh and bash
: >| ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Disable collection of what you type: (collects even if suggestions are off)

# ~ and * only expand when left unquoted
rm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*
chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions

Disable QuickLook Metadata collection:

# Quote the path (it contains spaces) but keep the * outside the quotes so it expands
rm -rfv "$HOME/Library/Application Support/Quick Look"/*
chmod -R 000 "$HOME/Library/Application Support/Quick Look"
chflags -R uchg "$HOME/Library/Application Support/Quick Look"

Disable Siri Analytics:

rm -rfv ~/Library/Assistant/SiriAnalytics.db
chmod -R 000 ~/Library/Assistant/SiriAnalytics.db
chflags -R uchg ~/Library/Assistant/SiriAnalytics.db