threatmodel macOS EN - edamametechnologies/threatmodels GitHub Wiki

macOS Threat Model (EN)


EDAMAME helper inactive

Threat

Dimension : system services / Severity : 5

EDAMAME's Helper software is not running or requires an update. It's required for complete Security Score analysis and remediation.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

helper_check

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

https://github.com/edamametechnologies/edamame_helper/releases/download

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' '/Library/Application\ Support/Edamame/Edamame-Helper/uninstall.sh' | /bin/bash

Response to ping enabled

Threat

Dimension : network / Severity : 3

Tags : CIS Benchmark Level 1 (Enable Stealth Mode)

Your computer will respond if anything on the network tries to check its presence. This lets anyone on the network discover your computer and possibly attack it.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' '/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -E "disabled|is off"' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' '/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' '/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off' | /bin/bash

MDM profiles installed

Threat

Dimension : system integrity / Severity : 5

Tags : Personal Posture

You have one or more Mobile Device Management (MDM) profiles installed on your device. This means that your device is or can be remotely administered by a third party. If this is your personal computer, this is a grave threat and the profiles should be removed.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'profiles -P | grep profileIdentifier | grep -v digital_health_restrictions | grep -v dateandtime' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'profiles remove -all -forced' | /bin/bash

Rollback

https://support.apple.com/en-us/guide/deployment/depc0aadd3fe/web

JAMF remote administration enabled

Threat

Dimension : system integrity / Severity : 5

Tags : Personal Posture

Your computer is or can be remotely administered by a third party using the JAMF MDM framework. If this is your personal computer, this is a grave threat and JAMF should be removed.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

printf '%s\n' 'pgrep jamf' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'jamf removeFramework' | /bin/bash

Rollback

https://www.jamf.com/en

Wake On LAN enabled

Threat

Dimension : network / Severity : 1

Tags : CIS Benchmark Level 1 (Disable Wake on Network Access)

Wake on LAN is a feature that can wake up your computer automatically when something attempts to connect to it. You don't need it in most cases, and it can allow an attacker to connect to your computer at any time.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'systemsetup -getwakeonnetworkaccess | grep -v Off' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'systemsetup -setwakeonnetworkaccess off' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'systemsetup -setwakeonnetworkaccess on' | /bin/bash

Manual Appstore updates

Threat

Dimension : applications / Severity : 3

Tags : CIS Benchmark Level 1 (Enable App Store Automatic Update)

Applications are constantly updated to fix potential security issues. It's in your best interest to get updates as soon as you can through automatic updates.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : globalpreferences

Script

printf '%s\n' 'defaults read /Library/Preferences/com.apple.commerce.plist AutoUpdate 2>&1 | grep -v 1' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true;
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool true;
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true
SCRIPT

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool false;
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool false;
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false
SCRIPT

Local firewall disabled

Threat

Dimension : network / Severity : 2

Tags : CIS Benchmark Level 1 (Enable Firewall)

Your local firewall is disabled. This is fine in a trusted environment but dangerous if you happen to connect to public networks. You should turn it on by default.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' '/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | grep disabled' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' '/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' '/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off' | /bin/bash

Automatic login enabled

Threat

Dimension : credentials / Severity : 4

Tags : CIS Benchmark Level 1 (Disable automatic login)

Automatic login could appear as very handy but in fact it's a major security threat: it allows anyone to access your data without knowing your password.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : globalpreferences

Script

printf '%s\n' 'defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line

Script

x-apple.systempreferences:com.apple.preferences.users

Remote login enabled

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1 (Disable Remote Login)

Remote login is enabled. This is not necessary unless you are an IT professional. This is unusual and dangerous for most users.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

printf '%s\n' 'systemsetup -getremotelogin | grep On' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : fulldisk

Script

printf '%s\n' 'echo yes | systemsetup -setremotelogin off' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : fulldisk

Script

printf '%s\n' 'systemsetup -setremotelogin on' | /bin/bash

Remote desktop enabled

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1 (Disable Remote Desktop Sharing)

Remote desktop is enabled. This is not necessary unless you are an IT professional. This is unusual and dangerous for most users.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

printf '%s\n' 'pgrep ARDAgent' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : fulldisk

Script

printf '%s\n' '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : fulldisk

Script

printf '%s\n' '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate' | /bin/bash

File sharing enabled

Threat

Dimension : system services / Severity : 4

Tags : CIS Benchmark Level 1 (Disable File Sharing)

File sharing is enabled. While this could be intentional, we strongly recommend turning it off. It's not that easy to configure and can expose your data to unwanted people.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

printf '%s\n' 'launchctl list | grep smbd' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist &&
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist EnabledServices -array disk
SCRIPT

Remote events enabled

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1 (Disable Remote Apple Events)

Remote events are enabled. While this could be intentional, we strongly recommend turning it off. It's unnecessary for most users and has been a target for exploits in the recent past.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

printf '%s\n' 'launchctl print-disabled system | grep com.apple.AEServer | grep -E '"'"'enabled|false'"'"'' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : fulldisk

Script

printf '%s\n' 'systemsetup -setremoteappleevents off' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : fulldisk

Script

printf '%s\n' 'systemsetup -setremoteappleevents on' | /bin/bash

Corporate disk recovery key

Threat

Dimension : system integrity / Severity : 4

Tags : Personal Posture

It seems your computer's hard disk has been encrypted by your employer. This means they could decrypt it if you give the computer back to them. You should remove that possibility.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

printf '%s\n' 'fdesetup hasinstitutionalrecoverykey | grep true' | /bin/bash

Remediation

https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/

Rollback

https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/

Disk encryption disabled

Threat

Dimension : system services / Severity : 4

Tags : CIS Benchmark Level 1 (Enable FileVault), ISO 27001/2 (A.8.3.1 Media Protection), SOC 2 (CC6.7 Data Protection)

Your main storage is not encrypted. While there is a small performance impact from enabling it, we really urge you to set it up. Without it, anyone physically accessing your computer can access your data.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

/bin/bash <<'SCRIPT'
system_profiler SPHardwareDataType | grep -q 'Virtual' ||
fdesetup isactive | grep false
SCRIPT

Remediation

Tested for : macOS 12 / Action : Command line

Script

x-apple.systempreferences:com.apple.preference.security?FileVault

Rollback

Tested for : macOS 12 / Action : Command line

Script

x-apple.systempreferences:com.apple.preference.security?FileVault

Unsigned applications allowed

Threat

Dimension : applications / Severity : 4

Tags : CIS Benchmark Level 1 (Enable Gatekeeper)

Your computer has been set up to allow unsigned applications to run. This is unusual and dangerous. You should turn this off.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

printf '%s\n' 'spctl --status | grep disabled' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'spctl --global-enable' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'spctl --global-disable' | /bin/bash

Manual system updates

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1 (Enable Software Update Automatic Download)

System updates are manual. You really should turn on automatic system updates to get the latest security fixes for your computer.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : globalpreferences

Script

/bin/bash <<'SCRIPT'
defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>/dev/null | grep -q 1 ||
echo macosupdate_disabled
SCRIPT

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true;
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true;
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true;
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true;
defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true;
softwareupdate --schedule on
SCRIPT

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false;
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool false;
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false;
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool false;
defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool false;
softwareupdate --schedule off
SCRIPT

Screen lock disabled

Threat

Dimension : credentials / Severity : 3

Tags : CIS Benchmark Level 1 (Set inactivity interval), ISO 27001/2 (A.11.2.8 Unattended User Equipment), SOC 2 (CC6.1 Access Control)

Your computer doesn't have a screensaver enabled with a password. This leaves it open to physical access by anyone. This is very dangerous!

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

printf '%s\n' 'sysadminctl -screenLock status 2>&1 | grep off' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line

Script

x-apple.systempreferences:com.apple.Lock-Screen-Settings.extension

Rollback

Tested for : macOS 12 / Action : Command line

Script

x-apple.systempreferences:com.apple.Lock-Screen-Settings.extension

No antivirus enabled

Threat

Dimension : applications / Severity : 4

Tags : ISO 27001/2 (A.12.2.1 Malware Controls), SOC 2 (CC6.8 Malware Protection)

You don't have any antivirus installed (Malwarebytes, SentinelOne, Bitdefender...). We recommend enabling one.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

/bin/bash <<'SCRIPT'
set -euo pipefail

is_proc()  { pgrep -x "$1" >/dev/null 2>&1; }
is_fproc() { pgrep -f "$1" >/dev/null 2>&1; }

has_crowdstrike() {
  # CrowdStrike Falcon (system extension + app/CLI)
  [[ -e "/Library/LaunchDaemons/com.crowdstrike.falcon.Agent.plist" ]] && return 0
  command -v systemextensionsctl >/dev/null 2>&1 && \
    systemextensionsctl list 2>/dev/null | grep -Fq "com.crowdstrike.falcon.Agent" && return 0
  [[ -x "/Applications/Falcon.app/Contents/Resources/falconctl" ]] && return 0
  return 1
}

has_carbonblack() {
  # VMware Carbon Black Cloud / EDR (daemon plist names)
  [[ -e "/Library/LaunchDaemons/com.vmware.carbonblack.cloud.daemon.plist" ]] && return 0
  [[ -e "/Library/LaunchDaemons/com.carbonblack.daemon.plist" ]] && return 0
  command -v systemextensionsctl >/dev/null 2>&1 && \
    systemextensionsctl list 2>/dev/null | grep -iq "carbonblack" && return 0
  return 1
}

has_ms_defender() {
  # Microsoft Defender for Endpoint
  if command -v mdatp >/dev/null 2>&1; then
    # Prefer a health probe if available
    ( mdatp health --field real_time_protection_enabled 2>/dev/null | grep -qi "true" ) && return 0
    ( mdatp health --field healthy 2>/dev/null | grep -qi "true" ) && return 0
  fi
  is_fproc "wdavdaemon" && return 0
  return 1
}

has_sophos() {
  # Sophos Intercept X / Endpoint
  is_proc "SophosScanD" && return 0
  is_fproc "com.sophos" && return 0
  return 1
}

has_symantec() {
  # Symantec Endpoint Protection
  is_proc "SymDaemon" && return 0
  return 1
}

has_trendmicro() {
  # Trend Micro Apex One (macOS)
  is_proc "iCoreService" && return 0
  command -v systemextensionsctl >/dev/null 2>&1 && \
    systemextensionsctl list 2>/dev/null | grep -Fq "com.trendmicro.icore.es" && return 0
  return 1
}

has_cortex_xdr() {
  # Palo Alto Networks Cortex XDR (aka Traps)
  [[ -x "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool" ]] && return 0
  is_fproc "/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd" && return 0
  [[ -e "/Library/LaunchDaemons/com.paloaltonetworks.cortex.pmd.plist" ]] && return 0
  return 1
}

has_jamf_protect() {
  is_proc "JamfProtectAgent" && return 0
  # protectctl exists but may not be on PATH everywhere
  if [[ -x "/usr/local/bin/protectctl" ]]; then /usr/local/bin/protectctl version >/dev/null 2>&1 && return 0; fi
  if command -v protectctl >/dev/null 2>&1; then protectctl version >/dev/null 2>&1 && return 0; fi
  return 1
}

has_cylance() {
  # Cylance / BlackBerry Protect
  [[ -e "/Library/LaunchDaemons/com.cylance.agent_service.plist" ]] && return 0
  is_fproc "CylanceSvc" && return 0
  return 1
}

has_eset() {
  # ESET Endpoint Security for macOS
  is_proc "esets_daemon" && return 0
  return 1
}

has_bitdefender() { is_proc "BDLDaemon" && return 0; return 1; }   # Bitdefender
has_malwarebytes() { is_proc "RTProtectionDaemon" && return 0; return 1; } # Malwarebytes
has_sentinelone() { command -v sentinelctl >/dev/null 2>&1 && sentinelctl version 2>/dev/null | grep -q "SentinelOne" && return 0; return 1; }

has_xprotect() {
  # Apple XProtect Remediator (built-in)
  if command -v xprotect >/dev/null 2>&1; then
    xprotect status 2>/dev/null | grep -Fq "launch scans: enabled" || return 1
    xprotect status 2>/dev/null | grep -Fq "background scans: enabled" || return 1
    return 0
  fi

  # Fallback for older macOS versions where only the XProtect process exists
  is_fproc "xprotect" && return 0
  is_proc "XProtect" && return 0
  return 1
}

has_any_edr() {
  has_bitdefender      && return 0
  has_malwarebytes     && return 0
  has_sentinelone      && return 0
  has_crowdstrike      && return 0
  has_carbonblack      && return 0
  has_ms_defender      && return 0
  has_sophos           && return 0
  has_symantec         && return 0
  has_trendmicro       && return 0
  has_cortex_xdr       && return 0
  has_jamf_protect     && return 0
  has_cylance          && return 0
  has_eset             && return 0
  has_xprotect         && return 0  # treat "good XProtect status" as EPP present
  return 1
}

if ! has_any_edr; then
  echo "epp_disabled"
fi
SCRIPT

Remediation

https://www.malwarebytes.com/

Rollback

https://www.apple.com/fr/macos/security/

No password manager installed

Threat

Dimension : credentials / Severity : 4

You don't have any password manager installed. It's recommended to install one.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

/bin/bash <<'SCRIPT'
set -euo pipefail

ensure_home() {
  if [[ -n "${HOME:-}" && -d "${HOME}" ]]; then
    return
  fi

  local user
  user="$(id -un)"

  # macOS: prefer dscl lookup
  if HOME="$(/usr/bin/dscl . -read "/Users/${user}" NFSHomeDirectory 2>/dev/null | awk '{print $2}')"; then
    if [[ -n "${HOME}" && -d "${HOME}" ]]; then
      return
    fi
  fi

  # Fallback to tilde expansion
  if HOME="$(eval echo "~${user}")" && [[ -n "${HOME}" && -d "${HOME}" ]]; then
    return
  fi

  # Absolute last resort
  HOME="/var/root"
}

ensure_home

found_pm=0

# --- Native (desktop or App Store "container" apps incl. Safari extensions) ---
app_paths=(
  "/Applications/1Password.app"
  "/Applications/1Password 7.app"      # legacy
  "/Applications/1Password7.app"       # legacy naming
  "/Applications/1Password for Safari.app"
  "/Applications/Bitwarden.app"
  "/Applications/LastPass.app"
  "/Applications/LastPass for Safari.app"
  "/Applications/Dashlane.app"
  "/Applications/Keeper Password Manager.app"
  "/Applications/Keeper for Safari.app"
  "/Applications/Enpass.app"
  "/Applications/KeePassXC.app"
  "/Applications/NordPass.app"
  "/Applications/RoboForm.app"
  "/Applications/Zoho Vault.app"
  "/Applications/Proton Pass.app"
  "$HOME/Applications/Chrome Apps.localized/Google Password Manager.app"
)

for p in "${app_paths[@]}"; do
  if [[ -d "$p" ]]; then
    found_pm=1; break
  fi
done

# --- Chromium-family extensions (Chrome, Edge, Brave, Vivaldi) ---
# Known extension IDs
chrome_ids=(
  "aeblfdkhhhdcdjpifhhbdiojplfjncoa"   # 1Password – Password Manager (stable)
  "khgocmkkpikpnmmkgmdnfckapcdkgfaf"   # 1Password Beta
  "nngceckbapebfimnlniiiahkandclblb"   # Bitwarden
  "hdokiejnpimakedhajhdlcegeplioahd"   # LastPass
  "fdjamakpfbbddfjaooikfcpapjohcfmg"   # Dashlane
  "bfogiafebfohielmmehodmfbbebbbpei"   # Keeper
  "igkpcodhieompeloncfnbekccinhapdb"   # Zoho Vault
  "eiaeiblijfjekdanodkjadfinkhbfgcd"   # NordPass
  "pnlccmojcmeohlpggmfnbbiapkmbliob"   # RoboForm
  "oboonakemofpalcgghocfoadofidjkkk"   # KeePassXC-Browser
  "kmcfomidfpdkfieipokbalgegidffkal"   # Enpass
  "ghmbeldphafepmbegfdlkpapadhbakde"   # Proton Pass
)

chromium_bases=(
  "$HOME/Library/Application Support/Google/Chrome"
  "$HOME/Library/Application Support/Microsoft Edge"
  "$HOME/Library/Application Support/BraveSoftware/Brave-Browser"
  "$HOME/Library/Application Support/Vivaldi"
)

if [[ $found_pm -eq 0 ]]; then
  for base in "${chromium_bases[@]}"; do
    [[ -d "$base" ]] || continue
    for profile in "$base"/*; do
      [[ -d "$profile/Extensions" ]] || continue
      for id in "${chrome_ids[@]}"; do
        if [[ -d "$profile/Extensions/$id" ]]; then
          found_pm=1; break
        fi
      done
      [[ $found_pm -eq 1 ]] && break
    done
    [[ $found_pm -eq 1 ]] && break
  done
fi

# --- Firefox extensions (look for known names in extensions.json) ---
if [[ $found_pm -eq 0 ]]; then
  ff_root="$HOME/Library/Application Support/Firefox/Profiles"
  if [[ -d "$ff_root" ]]; then
    for prof in "$ff_root"/*; do
      ej="$prof/extensions.json"
      if [[ -f "$ej" ]] && \
         grep -Eiq '"name".*"(1Password|Bitwarden|LastPass|Dashlane|Keeper|Enpass|NordPass|Zoho Vault|Proton Pass|KeePassXC)"' "$ej"; then
        found_pm=1; break
      fi
    done
  fi
fi

# --- Result ---
if [[ $found_pm -eq 0 ]]; then
  echo "No password manager installed"
fi
SCRIPT

Remediation

https://en.wikipedia.org/wiki/Password_manager

Rollback

https://en.wikipedia.org/wiki/Password_manager

System Integrity Protection disabled

Threat

Dimension : system integrity / Severity : 5

Tags : CIS Benchmark Level 1 (Ensure System Integrity Protection is enabled)

System Integrity Protection is a great ability of macOS that prevents any software from changing system files and components. To some extent it's a 'good enough' antivirus for your Mac. Having it disabled is... unusual and dangerous. It should be enabled by default on your Mac. This content will explain a way to enable it again. Bear with me... it's somewhat hard to achieve!

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

printf '%s\n' 'csrutil status | grep disabled' | /bin/bash

Remediation

https://support.apple.com/en-us/HT204899

Rollback

https://support.apple.com/en-us/HT204899

Guest account enabled

Threat

Dimension : system services / Severity : 2

Tags : CIS Benchmark Level 1 (Disable Guest account)

The guest account is enabled. This is usually fine, but it's not that easy to limit its access to your data. You should disable it.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

printf '%s\n' 'sysadminctl -guestAccount status 2>&1 | grep enabled' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'sysadminctl -guestAccount off' | /bin/bash

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

printf '%s\n' 'sysadminctl -guestAccount on' | /bin/bash

Root user enabled

Threat

Dimension : system integrity / Severity : 3

Tags : CIS Benchmark Level 1 (Disable root account)

A special system user has been configured on your computer. This is unusual and should be disabled immediately.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

printf '%s\n' 'dscl . -read /Users/root Password | grep '"'"'\*\*'"'"'' | /bin/bash

Remediation

https://support.apple.com/HT204012

Rollback

https://support.apple.com/HT204012

Unprotected system changes

Threat

Dimension : system integrity / Severity : 3

Tags : CIS Benchmark Level 1 (Enable system wide preferences)

Your computer's system settings can be modified by any user. You should restrict this.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

printf '%s\n' 'security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep true' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
security authorizationdb read system.preferences > /tmp/system.preferences.plist;
/usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist;
security authorizationdb write system.preferences < /tmp/system.preferences.plist
SCRIPT

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
security authorizationdb read system.preferences > /tmp/system.preferences.plist;
/usr/libexec/PlistBuddy -c "Set :shared true" /tmp/system.preferences.plist;
security authorizationdb write system.preferences < /tmp/system.preferences.plist
SCRIPT

Potentially compromised email address

Threat

Dimension : credentials / Severity : 1

Tags : Personal Posture

Check if your email address might have recently appeared in a data breach.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

pwned -i 365

Remediation

Tested for : macOS 12 / Action : Command line

Script

digitalidentity_manager

Rollback

https://haveibeenpwned.com/

Unverified or unsafe network environment

Threat

Dimension : network / Severity : 1

Tags : Personal Posture

The network you are connected to is not a known one or it contains unsafe devices. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

lanscan

Remediation

Tested for : macOS 12 / Action : Command line

Script

network_manager

Rollback

Tested for : macOS 12 / Action : Command line

Script

network_manager

Unverified or anomalous traffic

Threat

Dimension : network / Severity : 1

Tags : Personal Posture

The egress network traffic is not verified or contains anomalous traffic.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

egresscan

Remediation

Tested for : macOS 12 / Action : Command line

Script

session_manager

Rollback

Tested for : macOS 12 / Action : Command line

Script

session_manager

Your OS is not up to date

Threat

Dimension : system integrity / Severity : 2

Tags : CIS Benchmark Level 1 (Enable Software Update)

Your operating system is not up to date. Please proceed to upgrade to get the latest security patches.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : globalpreferences

Script

printf '%s\n' 'defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep macOS' | /bin/bash

Remediation

Tested for : macOS 12 / Action : Command line

Script

x-apple.systempreferences:com.apple.preferences.softwareupdate

Rollback

https://www.macworld.com/article/673171/how-to-install-older-versions-of-macos-or-os-x.html

Chrome browser not up to date

Threat

Dimension : applications / Severity : 3

Your Google Chrome browser is not up to date. Running the latest version ensures you have the latest security features and performance improvements.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

/bin/bash <<'SCRIPT'
defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString &>/dev/null &&
{ local_version=$(defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString);
latest_version=$(curl -s "https://formulae.brew.sh/api/cask/google-chrome.json" | sed -n 's/.*\"version\": \"\([^\"]*\)\".*/\1/p');
if [ "$(printf '%s\n%s\n' "$local_version" "$latest_version" | sort -V | tail -n1)" = "$latest_version" ] &&
[ "$local_version" != "$latest_version" ];
then echo "Chrome is not up to date (Installed: $local_version, Latest: $latest_version)";
fi;
}
SCRIPT

Remediation

https://support.google.com/chrome/answer/95414

Rollback

https://support.google.com/chrome/a/answer/6350036

Business rule not respected

Threat

Dimension : applications / Severity : 1

One or more business rules are not respected. Please check the command output for more details. To enable business rules, set the EDAMAME_BUSINESS_RULES_CMD environment variable. See: https://github.com/edamametechnologies/edamame_posture_cli?tab=readme-ov-file#business-rules

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : user

Script

business_rules

Remediation

Refer to the business rules documentation for more details.

Rollback

Refer to the business rules documentation for more details.

CLI not restricted for standard users

Threat

Dimension : system integrity / Severity : 3

Tags : Personal Posture

Command-line interface (CLI) access is not restricted for standard users. Non-administrator users can access interactive shell environments, which may allow unauthorized system modifications or circumvention of security policies.

Implementation

Tested for : macOS 12 / Action : Command line / Elevation : admin

Script

/bin/bash <<'SCRIPT'
grep -q "BEGIN RESTRICT_ZSH_NONADMINS" /etc/zshrc ||
echo CLI not restricted
SCRIPT

Remediation

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
grep -q "BEGIN RESTRICT_ZSH_NONADMINS" /etc/zshrc ||
cat <<'EOF' >> /etc/zshrc
# BEGIN RESTRICT_ZSH_NONADMINS
## Prevent non-admin users from using interactive zsh shells
if [[ -t 1 ]]; then
  if ! id -Gn | grep -qw admin; then
    echo ""
    echo "Command-line access is restricted by your administrator."
    osascript -e "display alert \"Access Restricted\" message \"Command-line tools are blocked for standard users.\" buttons {\"OK\"}" 2>/dev/null || true
    exit 1
  fi
fi
# END RESTRICT_ZSH_NONADMINS
EOF
SCRIPT

Rollback

Tested for : macOS 12 / Action : Command line / Elevation : system

Script

/bin/bash <<'SCRIPT'
python3 - <<'PY'
skip = False
lines = []
with open("/etc/zshrc") as src:
    for line in src:
        if "BEGIN RESTRICT_ZSH_NONADMINS" in line:
            skip = True
            continue
        if "END RESTRICT_ZSH_NONADMINS" in line:
            skip = False
            continue
        if not skip:
            lines.append(line)
with open("/etc/zshrc", "w") as dst:
    dst.writelines(lines)
print("[OK] zsh block removed")
PY
SCRIPT