threatmodel macOS EN - edamametechnologies/threatmodels GitHub Wiki
macOS Threat Model (EN)
Contents
- EDAMAME helper inactive
- Response to ping enabled
- MDM profiles installed
- JAMF remote administration enabled
- Wake On LAN enabled
- Manual Appstore updates
- Local firewall disabled
- Automatic login enabled
- Remote login enabled
- Remote desktop enabled
- File sharing enabled
- Remote events enabled
- Corporate disk recovery key
- Disk encryption disabled
- Unsigned applications allowed
- Manual system updates
- Screen lock disabled
- No antivirus enabled
- System Integrity Protection disabled
- Guest account enabled
- Root user enabled
- Unprotected system changes
- Potentially compromised email address
- Unverified network environment
- Your OS is not up to date
- Chrome browser not up to date
EDAMAME helper inactive
Threat
Dimension : system services / Severity : 5
EDAMAME's Helper software is not running or requires an update. It's required for maximum Security Score analysis.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | helper_check |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | https://github.com/edamametechnologies/edamame_helper/releases/download |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /Library/Application\ Support/Edamame/Edamame-Helper/uninstall.sh |
Response to ping enabled
Threat
Dimension : network / Severity : 3
Tags : CIS Benchmark Level 1,macos_security/sysprefs_firewall_stealth_mode_enable, ISO 27001/2,Communications Security, PCI-DSS,Requirement-1, SOC 2,CC-System Operations
Stealth mode is off, so your computer answers ICMP ping requests and connection attempts to ports that have no listening service. That lets anyone on the same network confirm that the machine is present and reachable, which is the first step of most network attacks. With stealth mode on, the firewall silently drops these probes while still answering connections for authorized applications.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep disabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off |
MDM profiles installed
Threat
Dimension : system integrity / Severity : 5
Tags : Personal Posture
You have one or more Mobile Device Management (MDM) profiles installed on your computer. This means that your computer is or can be remotely administered by a 3rd party. If this is your personal computer, this is a grave threat and the profiles should be removed.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | profiles -P | grep profileIdentifier |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | profiles remove -all -forced |
Rollback
https://en.wikipedia.org/wiki/Mobile_device_management
JAMF remote administration enabled
Threat
Dimension : system integrity / Severity : 5
Tags : Personal Posture
Your computer is or can be remotely administered by a 3rd party using the JAMF MDM framework. If this is your personal computer, this is a grave threat and JAMF should be removed.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | pgrep jamf |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | jamf removeFramework |
Rollback
Wake On LAN enabled
Threat
Dimension : network / Severity : 1
Tags : CIS Benchmark Level 1,macos_security/sysprefs_wake_network_access_disable, ISO 27001/2,Communications Security, PCI-DSS,Requirement-1, SOC 2,CC-System Operations
Wake on LAN ("Wake for network access" in System Preferences) lets another device on the network wake your sleeping computer, for example to reach a service it shares. Most users never need it, and it lets an attacker on the same network bring a sleeping machine online at any time.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | systemsetup -getwakeonnetworkaccess | grep -v Off |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | systemsetup -setwakeonnetworkaccess off |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | systemsetup -setwakeonnetworkaccess on |
Manual Appstore updates
Threat
Dimension : applications / Severity : 3
Tags : CIS Benchmark Level 1,macos_security/sysprefs_software_update_app_update_enforce, ISO 27001/2,Information Systems Acquisition, Development, and Maintenance, PCI-DSS,Requirement-6, SOC 2,CC-System Development and Maintenance
Applications are updated constantly to fix security issues. It is in your best interest to receive those fixes as soon as possible, which automatic updates do for you.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | defaults read /Library/Preferences/com.apple.commerce.plist AutoUpdate 2>&1 | grep -v 1 |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool true |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool false |
Local firewall disabled
Threat
Dimension : network / Severity : 2
Tags : CIS Benchmark Level 1,macos_security/sysprefs_firewall_enable, ISO 27001/2,Communications Security, PCI-DSS,Requirement-1, SOC 2,CC-Network Protection
Your local firewall is disabled. This may be acceptable on a trusted network but is dangerous as soon as you connect to a public one, so it should be on by default. The remediation below sets globalstate to 2, Apple's "Block all incoming connections" mode, which is stricter than the ordinary on state (1) and also blocks sharing services such as file and screen sharing; if you rely on those, set the value to 1 instead.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | defaults read /Library/Preferences/com.apple.alf globalstate | grep 0 |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.alf globalstate -int 2 |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.alf globalstate -int 0 && launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist && launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist && killall socketfilterfw || true |
Automatic login enabled
Threat
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,macos_security/sysprefs_automatic_login_disable, ISO 27001/2,Access Control, PCI-DSS,Requirement-8, SOC 2,CC-Logical Access
Automatic login may seem convenient, but it is a major security threat: anyone who powers on the computer gets access to your data without knowing your password.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser |
Rollback
https://www.youtube.com/watch?v=G89On8uvQuQ
Remote login enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,macos_security/sysprefs_ssh_disable, ISO 27001/2,Access Control, PCI-DSS,Requirement-8, SOC 2,CC-System Integrity
Remote login (SSH) is enabled. It is not needed unless you are an IT professional who administers this machine over the network; for most users an open SSH service is unusual and dangerous.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | systemsetup -getremotelogin | grep On |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | echo yes | systemsetup -setremotelogin off |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | systemsetup -setremotelogin on |
Remote desktop enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,macos_security/sysprefs_remote_management_disable, ISO 27001/2,Access Control, PCI-DSS,Requirement-8, SOC 2,CC-System Integrity
Remote desktop (Apple Remote Management) is enabled. It is not needed unless you are an IT professional; for most users it is unusual and dangerous.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | pgrep ARDAgent |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate |
File sharing enabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,macos_security/sysprefs_smbd_disable, ISO 27001/2,Information Security Policies, PCI-DSS,Requirement-9, SOC 2,CC-System Services
File sharing (SMB) is enabled. Even if this is intentional we strongly recommend turning it off: it is not easy to configure correctly and can expose your data to unwanted people.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | launchctl list | grep smbd |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist && defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist EnabledServices -array disk |
Remote events enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,macos_security/sysprefs_rae_disable, ISO 27001/2,Access Control, PCI-DSS,Requirement-6.5, SOC 2,CC-System Integrity
Remote Apple Events are enabled. Even if this is intentional we strongly recommend turning it off: it is unnecessary for most users and has been targeted by exploits in the past.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | launchctl print-disabled system | grep com.apple.AEServer | grep -E 'enabled|false' |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | systemsetup -setremoteappleevents off |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | systemsetup -setremoteappleevents on |
Corporate disk recovery key
Threat
Dimension : system integrity / Severity : 4
Tags : Personal Posture
Your disk is encrypted, but an institutional recovery key is present, which usually means your employer set up the encryption. Whoever holds that key can unlock the disk whenever they have physical access to the computer, not only when you hand it back. If this is your personal computer, that possibility should be removed.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | fdesetup hasinstitutionalrecoverykey | grep true |
Remediation
https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/
Rollback
https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/
Disk encryption disabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,macos_security/sysprefs_filevault_enforce, ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-3.4, SOC 2,CC-Data Protection
Your main storage is not encrypted. Enabling FileVault has a small performance cost, but without it anyone with physical access to your computer can read your data.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | fdesetup isactive | grep false |
Remediation
https://www.youtube.com/watch?v=ETgLlx3Npqg
Rollback
https://www.youtube.com/watch?v=ETgLlx3Npqg
Unsigned applications allowed
Threat
Dimension : applications / Severity : 4
Tags : CIS Benchmark Level 1,macos_security/os_gatekeeper_enable, ISO 27001/2,Information Systems Acquisition, Development, and Maintenance, PCI-DSS,Requirement-6.6, SOC 2,CC-Application Security
Your computer has been set up to allow unsigned applications to run, that is, Gatekeeper is disabled. This is unusual and dangerous. You should turn it back on.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | spctl --status | grep disabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | spctl --global-enable |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | spctl --global-disable |
Manual system updates
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,macos_security/sysprefs_install_macos_updates_enforce, CIS Benchmark Level 1,macos_security/sysprefs_software_update_download_enforce, ISO 27001/2,Information Systems Acquisition, Development, and Maintenance, PCI-DSS,Requirement-6.1, SOC 2,CC-System Maintenance
System updates are manual. You really should turn on automatic system updates to get the latest security fixes for your computer.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>&1 | grep -v 1 |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true; softwareupdate --schedule on |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool false; softwareupdate --schedule off |
Screen lock disabled
Threat
Dimension : credentials / Severity : 3
Tags : CIS Benchmark Level 1,macos_security/sysprefs_screensaver_ask_for_password_delay_enforce, ISO 27001/2,Access Control, PCI-DSS,Requirement-8.1.8, SOC 2,CC-Access Control
Your computer does not require a password to wake from the screen saver or sleep. It leaves it open to physical access by anyone. This is very dangerous!
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | sysadminctl -screenLock status 2>&1 | grep off |
Remediation
https://www.youtube.com/watch?v=C6of13nZTpM
Rollback
https://www.youtube.com/watch?v=C6of13nZTpM
No antivirus enabled
Threat
Dimension : applications / Severity : 4
Tags : ISO 27001/2,Malware Protection, PCI-DSS,Requirement-5, SOC 2,CC-Malware Protection
You don't have any antivirus installed (Malwarebytes, SentinelOne, Bitdefender...). We recommend installing one.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | if ! { pgrep BDLDaemon >/dev/null || pgrep RTProtectionDaemon >/dev/null || sentinelctl version 2>/dev/null | grep -q "Agent version"; }; then echo noepp; fi |
Remediation
Rollback
https://www.youtube.com/watch?v=1vIf7ujOYdY
System Integrity Protection disabled
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,macos_security/os_sip_enable, ISO 27001/2,System Acquisition, Development and Maintenance, PCI-DSS,Requirement-6.1, SOC 2,CC-System Integrity
System Integrity Protection (SIP) is a macOS feature that prevents any software, even running as root, from modifying protected system files and components. It is not an antivirus, but it blocks many of the system modifications malware relies on. Having it disabled is unusual and dangerous; it is enabled by default on every Mac. The linked content explains how to enable it again, which is more involved than the other items here because it has to be done from macOS Recovery.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | csrutil status | grep disabled |
Remediation
https://www.youtube.com/watch?v=Fx_1OPFzu88
Rollback
https://www.youtube.com/watch?v=StAn0ZHiXTc
Guest account enabled
Threat
Dimension : system services / Severity : 2
Tags : CIS Benchmark Level 1,macos_security/sysprefs_guest_account_disable, ISO 27001/2,Access Control, PCI-DSS,Requirement-8.1.6, SOC 2,CC-Access Control
The guest account is enabled. This is usually harmless, but restricting what a guest session can reach is not straightforward, so you should disable it.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | sysadminctl -guestAccount status 2>&1 | grep enabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | sysadminctl -guestAccount off |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | sysadminctl -guestAccount on |
Root user enabled
Threat
Dimension : system integrity / Severity : 3
Tags : ISO 27001/2,Access Control, PCI-DSS,Requirement-2.3, SOC 2,CC-Access Control
The root user account has been enabled with a password. macOS ships with root disabled; once enabled, anyone who knows or guesses that password gets full control of the system. It should be disabled immediately.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | dscl . -read /Users/root Password | grep -F "**" |
Remediation
https://www.youtube.com/watch?v=Sx8o8C1oqyc
Rollback
https://www.youtube.com/watch?v=Sx8o8C1oqyc
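The checks for the local firewall, stealth mode, remote login, System Integrity Protection, disk encryption, unsigned applications and the root user above each grep one command's output. The script below is an added example, not part of EDAMAME's tooling: it separates the decision logic from the macOS commands that collect the raw state, so each evaluator can be exercised offline with constructed output (the sample strings in the comments follow the formats those commands print on macOS 12, which is an assumption here). The root check matches the password placeholder literally, so the single "*" of a disabled root account is not mistaken for the "********" of an enabled one. The collector at the bottom runs only on macOS, needs root for some probes, and is invoked only with --run.

```shell
#!/bin/sh
# Added example, not EDAMAME's tooling. Evaluators take the raw text a macOS
# command prints and echo "ok" or "FINDING: <reason>"; run_audit runs the
# real commands (macOS only, systemsetup needs root). Output formats quoted
# in the comments are those observed on macOS 12 (assumption).

# defaults read /Library/Preferences/com.apple.alf globalstate
# 0 = off, 1 = on (allow signed software), 2 = block all incoming connections.
# An absent key (empty output) means the firewall was never turned on.
eval_alf_globalstate() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        1|2)  echo ok ;;
        0|"") echo "FINDING: local firewall disabled" ;;
        *)    echo "FINDING: unexpected firewall state '$1'" ;;
    esac
}

# socketfilterfw --getstealthmode: "Stealth mode enabled" / "Stealth mode disabled"
eval_stealth() {
    case "$1" in
        *"mode enabled"*) echo ok ;;
        *) echo "FINDING: answers ping and probes (stealth mode off)" ;;
    esac
}

# systemsetup -getremotelogin: "Remote Login: On" / "Remote Login: Off"
eval_remote_login() {
    case "$1" in
        *"Remote Login: Off"*) echo ok ;;
        *"Remote Login: On"*)  echo "FINDING: remote login (SSH) enabled" ;;
        *) echo "FINDING: could not read remote login state (needs root)" ;;
    esac
}

# csrutil status: "System Integrity Protection status: enabled." / "...: disabled."
eval_sip() {
    case "$1" in
        *"status: enabled"*) echo ok ;;
        *) echo "FINDING: System Integrity Protection disabled" ;;
    esac
}

# fdesetup isactive: "true" / "false"
eval_filevault() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        true) echo ok ;;
        *)    echo "FINDING: FileVault disk encryption off" ;;
    esac
}

# spctl --status: "assessments enabled" / "assessments disabled"
eval_gatekeeper() {
    case "$1" in
        *"assessments enabled"*) echo ok ;;
        *) echo "FINDING: Gatekeeper disabled, unsigned applications allowed" ;;
    esac
}

# dscl . -read /Users/root Password: "Password: *" while root is disabled,
# "Password: ********" once root has been enabled with a password. The quoted
# stars are literal, so a single "*" is not a finding.
eval_root() {
    case "$1" in
        *"Password: **"*) echo "FINDING: root account enabled" ;;
        *) echo ok ;;
    esac
}

report() { printf '%-14s %s\n' "$1" "$2"; }

# Collector: run every probe on this Mac and print one line per check.
run_audit() {
    report firewall     "$(eval_alf_globalstate "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)")"
    report stealth      "$(eval_stealth "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode 2>/dev/null)")"
    report remote-login "$(eval_remote_login "$(systemsetup -getremotelogin 2>/dev/null)")"
    report sip          "$(eval_sip "$(csrutil status 2>/dev/null)")"
    report filevault    "$(eval_filevault "$(fdesetup isactive 2>/dev/null)")"
    report gatekeeper   "$(eval_gatekeeper "$(spctl --status 2>/dev/null)")"
    report root         "$(eval_root "$(dscl . -read /Users/root Password 2>/dev/null)")"
}

if [ "${1:-}" = "--run" ]; then
    run_audit
fi
```

Run it as `sudo sh audit.sh --run` on the Mac being assessed; without `--run` the file only defines the functions, which is what lets the evaluators be unit-tested with canned strings on any system.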
Unprotected system changes
Threat
Dimension : system integrity / Severity : 3
Tags : CIS Benchmark Level 1,macos_security/sysprefs_system_wide_preferences_configure, ISO 27001/2,Access Control, PCI-DSS,Requirement-2.2, SOC 2,CC-Access Control
System-wide settings on your computer can be changed by any user, not only administrators. You should restrict this.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep true |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | f=$(mktemp) && security authorizationdb read system.preferences > "$f" && /usr/libexec/PlistBuddy -c "Set :shared false" "$f" && security authorizationdb write system.preferences < "$f"; rm -f "$f" |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | f=$(mktemp) && security authorizationdb read system.preferences > "$f" && /usr/libexec/PlistBuddy -c "Set :shared true" "$f" && security authorizationdb write system.preferences < "$f"; rm -f "$f" |
Potentially compromised email address
Threat
Dimension : credentials / Severity : 1
Tags : ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-12.10, SOC 2,CC-Incident Response, Personal Posture
Your email address may have recently appeared in a data breach. Set your email in the Identity tab, review any breaches listed and follow the instructions.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | pwned -i 365 |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | digitalidentity_manager |
Rollback
https://en.wikipedia.org/wiki/Have_I_Been_Pwned
Unverified network environment
Threat
Dimension : network / Severity : 1
Tags : ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-12.10, SOC 2,CC-Incident Response, Personal Posture
The network you are connected to is not a known one. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | lanscan |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | network_manager |
Rollback
https://en.wikipedia.org/wiki/Port_scanner
Your OS is not up to date
Threat
Dimension : system integrity / Severity : 2
Tags : ISO 27001/2,System Acquisition, Development and Maintenance, PCI-DSS,Requirement-6.2, SOC 2,CC-System Maintenance
Your operating system is not up to date, please proceed to upgrade to get the latest security patches.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep macOS |
Remediation
https://www.youtube.com/watch?v=FG2DXkPA93g&t=124s
Rollback
https://www.youtube.com/watch?v=FG2DXkPA93g&t=124s
Chrome browser not up to date
Threat
Dimension : applications / Severity : 3
Tags : ISO 27001/2,Application Security, PCI-DSS,Requirement-6, SOC 2,CC-System Operations
Your Google Chrome browser is not up to date. Running the latest version ensures you have the latest security features and performance improvements.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | if defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString &>/dev/null; then latest_version=$(curl -s "https://formulae.brew.sh/api/cask/google-chrome.json" | awk -F'["]' '{for(i=1;i<=NF;i++) if ($i=="version") {print $(i+2); exit}}'); local_version=$(defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString); if [ "$latest_version" = "$local_version" ]; then echo ""; else echo "Chrome is not up to date (Installed: $local_version, Latest: $latest_version)"; fi; else echo ""; fi |
Remediation
https://support.google.com/chrome/answer/95414
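The check above reports Chrome as out of date whenever the installed version string differs from the one the Homebrew cask API lists, so a build newer than the cask's (the API lags Google's releases by hours or days) is flagged too. The following script is an added example, not EDAMAME's own check: it compares the two versions component by component and only reports a finding when the installed build is actually older. The collector reads the bundle's Info.plist and the cask API exactly as the table's check does; that the first "version" key in that JSON is the top-level cask version is an assumption shared with the original check.

```shell
#!/bin/sh
# Added example, not EDAMAME's script. Numeric, component-wise version
# comparison for the Chrome check, plus the macOS-only collector that
# feeds it. Run with --run on a Mac; sourced without arguments it only
# defines the functions.

# version_cmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer
# than B. Components are compared as integers, a missing component counts
# as 0 (120.0 equals 120.0.0) and non-digit characters are ignored.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ax=$(printf '%s' "$ax" | tr -dc '0-9'); bx=$(printf '%s' "$bx" | tr -dc '0-9')
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# chrome_status INSTALLED LATEST: one status line for the report. An empty
# INSTALLED means Chrome is absent; an empty LATEST means the API call failed,
# which is reported as unknown rather than as a finding.
chrome_status() {
    if [ -z "$1" ]; then printf '%s\n' "ok (Chrome not installed)"; return 0; fi
    if [ -z "$2" ]; then printf '%s\n' "unknown (could not fetch latest version)"; return 0; fi
    case "$(version_cmp "$1" "$2")" in
        -1) printf '%s\n' "FINDING: Chrome $1 is behind $2" ;;
        0)  printf '%s\n' "ok" ;;
        1)  printf '%s\n' "ok ($1 is newer than the $2 listed by the cask API)" ;;
    esac
}

# Collector (macOS only). The JSON is split on commas so the top-level
# "version":"x.y.z.w" pair lands on its own line; taking the first match
# assumes that pair precedes any nested "version" key (same assumption as
# the original check).
check_chrome() {
    plist="/Applications/Google Chrome.app/Contents/Info.plist"
    installed=""
    if [ -f "$plist" ]; then
        installed=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null)
    fi
    latest=$(curl -fsS --max-time 10 "https://formulae.brew.sh/api/cask/google-chrome.json" 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^"version":"\([0-9.]*\)"$/\1/p' | head -n 1)
    chrome_status "$installed" "$latest"
}

if [ "${1:-}" = "--run" ]; then
    check_chrome
fi
```

`version_cmp` is deliberately generic: the same function works for any dotted version the other "not up to date" checks on this page might compare, such as the macOS build reported by softwareupdate, as long as both sides are dotted integers.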