threatmodel macOS EN - edamametechnologies/threatmodels GitHub Wiki

macOS Threat Model (EN)

EDAMAME helper inactive

Threat

Dimension: system services / Severity: 5

EDAMAME's Helper software is not running or requires an update. It's required for maximum Security Score analysis.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: helper_check

Remediation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: https://github.com/edamametechnologies/edamame_helper/releases/download

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: /Library/Application\ Support/Edamame/Edamame-Helper/uninstall.sh

Response to ping enabled

Threat

Dimension: network / Severity: 3

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_firewall_stealth_mode_enable), ISO 27001/2 (Communications Security), PCI-DSS (Requirement-1), SOC 2 (CC-System Operations)

Your computer answers network probes (such as ping) that check whether it is present. This is very bad: it lets anyone on the network confirm that your computer is there and possibly attack it.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep disabled

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off

MDM profiles installed

Threat

Dimension: system integrity / Severity: 5

Tags: Personal Posture

You have one or more Mobile Device Management (MDM) profiles installed on your computer. This means that your computer is, or can be, remotely administered by a third party. If this is your personal computer, this is a grave threat and the profiles should be removed.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: profiles -P | grep profileIdentifier

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: profiles remove -all -forced

Rollback

https://en.wikipedia.org/wiki/Mobile_device_management

JAMF remote administration enabled

Threat

Dimension: system integrity / Severity: 5

Tags: Personal Posture

Your computer is, or can be, remotely administered by a third party using the JAMF MDM framework. If this is your personal computer, this is a grave threat and JAMF should be removed.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: pgrep jamf

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: jamf removeFramework

Rollback

https://www.jamf.com/en

Wake On LAN enabled

Threat

Dimension: network / Severity: 1

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_wake_network_access_disable), ISO 27001/2 (Communications Security), PCI-DSS (Requirement-1), SOC 2 (CC-System Operations)

Wake on LAN is a feature that wakes up your computer automatically when something on the network attempts to connect to it. Most users do not need it, and it allows an attacker to connect to your computer at any time, even while it is asleep.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: systemsetup -getwakeonnetworkaccess | grep -v Off

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: systemsetup -setwakeonnetworkaccess off

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: systemsetup -setwakeonnetworkaccess on

Manual Appstore updates

Threat

Dimension: applications / Severity: 3

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_software_update_app_update_enforce), ISO 27001/2 (Information Systems Acquisition, Development, and Maintenance), PCI-DSS (Requirement-6), SOC 2 (CC-System Development and Maintenance)

Applications are constantly updated to fix potential security issues. It's in your best interest to get those updates as soon as possible through automatic updates.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: defaults read /Library/Preferences/com.apple.commerce.plist AutoUpdate 2>&1 | grep -v 1

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool true

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool false

Local firewall disabled

Threat

Dimension: network / Severity: 2

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_firewall_enable), ISO 27001/2 (Communications Security), PCI-DSS (Requirement-1), SOC 2 (CC-Network Protection)

Your local firewall is disabled. This is fine in a trusted environment but dangerous if you happen to connect to public networks. You should keep it turned on by default.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: defaults read /Library/Preferences/com.apple.alf globalstate | grep 0

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: defaults write /Library/Preferences/com.apple.alf globalstate -int 2

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: defaults write /Library/Preferences/com.apple.alf globalstate -int 0 && launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist && launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist && killall socketfilterfw || true

Automatic login enabled

Threat

Dimension: credentials / Severity: 4

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_automatic_login_disable), ISO 27001/2 (Access Control), PCI-DSS (Requirement-8), SOC 2 (CC-Logical Access)

Automatic login may seem very handy, but in fact it's a major security threat: it allows anyone who can power on your computer to access your data without knowing your password.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

Rollback

https://www.youtube.com/watch?v=G89On8uvQuQ

Remote login enabled

Threat

Dimension: system integrity / Severity: 4

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_ssh_disable), ISO 27001/2 (Access Control), PCI-DSS (Requirement-8), SOC 2 (CC-System Integrity)

Remote login (SSH) is enabled. This is not necessary unless you are an IT professional. It is unusual and dangerous for most users.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: systemsetup -getremotelogin | grep On

Remediation

Tested for: macOS 12
Action: Command line
Elevation: fulldisk
Script: echo yes | systemsetup -setremotelogin off

Rollback

Tested for: macOS 12
Action: Command line
Elevation: fulldisk
Script: systemsetup -setremotelogin on

Remote desktop enabled

Threat

Dimension: system integrity / Severity: 4

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_remote_management_disable), ISO 27001/2 (Access Control), PCI-DSS (Requirement-8), SOC 2 (CC-System Integrity)

Remote desktop (Remote Management) is enabled. This is not necessary unless you are an IT professional. It is unusual and dangerous for most users.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: pgrep ARDAgent

Remediation

Tested for: macOS 12
Action: Command line
Elevation: fulldisk
Script: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop

Rollback

Tested for: macOS 12
Action: Command line
Elevation: fulldisk
Script: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate

File sharing enabled

Threat

Dimension: system services / Severity: 4

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_smbd_disable), ISO 27001/2 (Information Security Policies), PCI-DSS (Requirement-9), SOC 2 (CC-System Services)

File sharing (SMB) is enabled. While this could be intentional, we strongly recommend turning it off. It is not easy to configure safely and can expose your data to unwanted people.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: launchctl list | grep smbd

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist && defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist EnabledServices -array disk

Remote events enabled

Threat

Dimension: system integrity / Severity: 4

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_rae_disable), ISO 27001/2 (Access Control), PCI-DSS (Requirement-6.5), SOC 2 (CC-System Integrity)

Remote Apple Events are enabled. While this could be intentional, we strongly recommend turning it off. It is unnecessary for most users and has been a target for exploits in the recent past.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: launchctl print-disabled system | grep com.apple.AEServer | grep -E 'enabled|false'

Remediation

Tested for: macOS 12
Action: Command line
Elevation: fulldisk
Script: systemsetup -setremoteappleevents off

Rollback

Tested for: macOS 12
Action: Command line
Elevation: fulldisk
Script: systemsetup -setremoteappleevents on

Corporate disk recovery key

Threat

Dimension: system integrity / Severity: 4

Tags: Personal Posture

It seems your computer's hard disk has been encrypted with an institutional (employer-held) recovery key. This means your employer could decrypt it if you give the computer back to them. You should remove that possibility.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: fdesetup hasinstitutionalrecoverykey | grep true

Remediation

https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/

Rollback

https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/

Disk encryption disabled

Threat

Dimension: system services / Severity: 4

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_filevault_enforce), ISO 27001/2 (Information Security Incident Management), PCI-DSS (Requirement-3.4), SOC 2 (CC-Data Protection)

Your main storage is not encrypted. While enabling encryption has a small performance impact, we really urge you to set it up. Without it, anyone with physical access to your computer can access your data.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: fdesetup isactive | grep false

Remediation

https://www.youtube.com/watch?v=ETgLlx3Npqg

Rollback

https://www.youtube.com/watch?v=ETgLlx3Npqg

Unsigned applications allowed

Threat

Dimension: applications / Severity: 4

Tags: CIS Benchmark Level 1 (macos_security/os_gatekeeper_enable), ISO 27001/2 (Information Systems Acquisition, Development, and Maintenance), PCI-DSS (Requirement-6.6), SOC 2 (CC-Application Security)

Your computer has been set up to allow unsigned applications to run (Gatekeeper is disabled). This is unusual and dangerous. You should turn this off.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: spctl --status | grep disabled

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: spctl --global-enable

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: spctl --global-disable

Manual system updates

Threat

Dimension: system integrity / Severity: 4

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_install_macos_updates_enforce), CIS Benchmark Level 1 (macos_security/sysprefs_software_update_download_enforce), ISO 27001/2 (Information Systems Acquisition, Development, and Maintenance), PCI-DSS (Requirement-6.1), SOC 2 (CC-System Maintenance)

System updates are manual. You really should turn on automatic system updates to get the latest security fixes for your computer.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>&1 | grep -v 1

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true; softwareupdate --schedule on

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool false; softwareupdate --schedule off
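The implementation check above only tests AutomaticallyInstallMacOSUpdates, while the remediation writes five keys; a machine where only one of them was toggled back off would pass the check but not match the remediated state. The following POSIX sh function is an added example, not part of the EDAMAME threat model: it audits all five keys against the text that `defaults read /Library/Preferences/com.apple.SoftwareUpdate` prints. The plist dump embedded here is constructed so the script runs offline; on a Mac you would feed it the real `defaults read` output instead.

```shell
#!/bin/sh
# Added example (not EDAMAME's code): audit every SoftwareUpdate key the
# remediation sets, not just AutomaticallyInstallMacOSUpdates.

# Constructed sample of `defaults read /Library/Preferences/com.apple.SoftwareUpdate`
# output. Booleans written with `defaults write ... -bool true` read back as 1.
# Here AutomaticDownload is off and CriticalUpdateInstall is missing entirely.
SAMPLE_SOFTWAREUPDATE_PLIST='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
    AutomaticallyInstallMacOSUpdates = 1;
    ConfigDataInstall = 1;
    LastFullSuccessfulDate = "2024-01-01 00:00:00 +0000";
}'

# Constructed sample of a fully remediated machine.
REMEDIATED_SOFTWAREUPDATE_PLIST='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 1;
    CriticalUpdateInstall = 1;
    ConfigDataInstall = 1;
}'

# The five keys the wiki's remediation script writes.
REQUIRED_UPDATE_KEYS="AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates CriticalUpdateInstall ConfigDataInstall"

# missing_update_keys PLIST_TEXT
# Prints, one per line, each required key that is absent or not equal to 1.
# Empty output means the machine matches the remediated state (same contract
# as the wiki checks: no output = threat absent).
missing_update_keys() {
    plist=$1
    for key in $REQUIRED_UPDATE_KEYS; do
        # Lines look like "    Key = 1;" so $1 is the key, $2 "=", $3 "1;".
        value=$(printf '%s\n' "$plist" | awk -v k="$key" '
            $1 == k && $2 == "=" { v = $3; sub(/;$/, "", v); print v; exit }')
        [ "$value" = "1" ] || echo "$key"
    done
}

# Convenience wrapper returning a count, handy for scoring.
missing_update_key_count() {
    missing_update_keys "$1" | grep -c .
}

# Stand-alone run against the constructed samples (no macOS needed).
printf 'Keys not enforced on the sample machine:\n'
missing_update_keys "$SAMPLE_SOFTWAREUPDATE_PLIST"
printf 'Keys not enforced on the remediated machine: %s\n' \
    "$(missing_update_key_count "$REMEDIATED_SOFTWAREUPDATE_PLIST")"
```

On a real Mac the call becomes `missing_update_keys "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate)"`, run with the same admin elevation the wiki's check uses.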

Screen lock disabled

Threat

Dimension: credentials / Severity: 3

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_screensaver_ask_for_password_delay_enforce), ISO 27001/2 (Access Control), PCI-DSS (Requirement-8.1.8), SOC 2 (CC-Access Control)

Your computer doesn't have a password-protected screen lock enabled. This leaves it open to anyone with physical access. This is very dangerous!

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: sysadminctl -screenLock status 2>&1 | grep off

Remediation

https://www.youtube.com/watch?v=C6of13nZTpM

Rollback

https://www.youtube.com/watch?v=C6of13nZTpM

No antivirus enabled

Threat

Dimension: applications / Severity: 4

Tags: ISO 27001/2 (Malware Protection), PCI-DSS (Requirement-5), SOC 2 (CC-Malware Protection)

You don't have any antivirus installed (MalwareBytes, SentinelOne, BitDefender...). We recommend you enable one.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: if ! { pgrep BDLDaemon >/dev/null || pgrep RTProtectionDaemon >/dev/null || sentinelctl version 2>/dev/null | grep -q "Agent version"; }; then echo noepp; fi

Remediation

https://www.malwarebytes.com/

Rollback

https://www.youtube.com/watch?v=1vIf7ujOYdY

System Integrity Protection disabled

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1 (macos_security/os_sip_enable), ISO 27001/2 (System Acquisition, Development and Maintenance), PCI-DSS (Requirement-6.1), SOC 2 (CC-System Integrity)

System Integrity Protection is a great macOS feature that prevents any software from changing system files and components. To some extent it's a "good enough" antivirus for your Mac. Having it disabled is... unusual and dangerous. It is enabled by default on your Mac. This content will explain a way to enable it again. Bear with us: it's somewhat hard to achieve!

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: csrutil status | grep disabled

Remediation

https://www.youtube.com/watch?v=Fx_1OPFzu88

Rollback

https://www.youtube.com/watch?v=StAn0ZHiXTc

Guest account enabled

Threat

Dimension: system services / Severity: 2

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_guest_account_disable), ISO 27001/2 (Access Control), PCI-DSS (Requirement-8.1.6), SOC 2 (CC-Access Control)

The guest account is enabled. This is usually fine, but it is not easy to limit a guest's access to your data. You should disable it.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: sysadminctl -guestAccount status 2>&1 | grep enabled

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: sysadminctl -guestAccount off

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: sysadminctl -guestAccount on

Root user enabled

Threat

Dimension: system integrity / Severity: 3

Tags: ISO 27001/2 (Access Control), PCI-DSS (Requirement-2.3), SOC 2 (CC-Access Control)

The root user, a special system account, has been enabled on your computer. This is unusual and it should be disabled immediately.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: dscl . -read /Users/root Password | grep -F "**"

Remediation

https://www.youtube.com/watch?v=Sx8o8C1oqyc

Rollback

https://www.youtube.com/watch?v=Sx8o8C1oqyc

Unprotected system changes

Threat

Dimension: system integrity / Severity: 3

Tags: CIS Benchmark Level 1 (macos_security/sysprefs_system_wide_preferences_configure), ISO 27001/2 (Access Control), PCI-DSS (Requirement-2.2), SOC 2 (CC-Access Control)

Your computer's system-wide settings can be modified by any user without an administrator password. You should restrict this.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep true

Remediation

Tested for: macOS 12
Action: Command line
Elevation: system
Script: security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist

Rollback

Tested for: macOS 12
Action: Command line
Elevation: system
Script: security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c "Set :shared true" /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist

Potentially compromised email address

Threat

Dimension: credentials / Severity: 1

Tags: ISO 27001/2 (Information Security Incident Management), PCI-DSS (Requirement-12.10), SOC 2 (CC-Incident Response), Personal Posture

Your email address might have recently appeared in a data breach. Please set your email in the Identity tab, review the breaches if any and follow instructions.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: pwned -i 365

Remediation

Tested for: macOS 12
Action: Command line
Script: digitalidentity_manager

Rollback

https://en.wikipedia.org/wiki/Have_I_Been_Pwned

Unverified network environment

Threat

Dimension: network / Severity: 1

Tags: ISO 27001/2 (Information Security Incident Management), PCI-DSS (Requirement-12.10), SOC 2 (CC-Incident Response), Personal Posture

The network you are connected to is not a known one. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: lanscan

Remediation

Tested for: macOS 12
Action: Command line
Script: network_manager

Rollback

https://en.wikipedia.org/wiki/Port_scanner

Your OS is not up to date

Threat

Dimension: system integrity / Severity: 2

Tags: ISO 27001/2 (System Acquisition, Development and Maintenance), PCI-DSS (Requirement-6.2), SOC 2 (CC-System Maintenance)

Your operating system is not up to date. Please upgrade to get the latest security patches.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: admin
Script: defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep macOS

Remediation

https://www.youtube.com/watch?v=FG2DXkPA93g&t=124s

Rollback

https://www.youtube.com/watch?v=FG2DXkPA93g&t=124s

Chrome browser not up to date

Threat

Dimension: applications / Severity: 3

Tags: ISO 27001/2 (Application Security), PCI-DSS (Requirement-6), SOC 2 (CC-System Operations)

Your Google Chrome browser is not up to date. Running the latest version ensures you have the latest security features and performance improvements.

Implementation

Tested for: macOS 12
Action: Command line
Elevation: user
Script: if defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString &>/dev/null; then latest_version=$(curl -s "https://formulae.brew.sh/api/cask/google-chrome.json" | awk -F'["]' '{for(i=1;i<=NF;i++) if ($i=="version") {print $(i+2); exit}}'); local_version=$(defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString); if [ "$latest_version" = "$local_version" ]; then echo ""; else echo "Chrome is not up to date (Installed: $local_version, Latest: $latest_version)"; fi; else echo ""; fi
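The check above compares the installed and latest Chrome versions with plain string equality, so an installed build that is newer than the Homebrew cask's recorded version (for example a freshly pushed Chrome update the cask has not caught up with) is also reported as "not up to date". The script below is an added example, not EDAMAME's code: it reuses the wiki's awk extraction on a constructed copy of the cask JSON (the version value is made up) and compares dotted versions component by component in pure POSIX sh, so it runs without a Chrome install and without `sort -V`, which older macOS releases lack.

```shell
#!/bin/sh
# Added example for the Chrome update check (not part of the EDAMAME wiki):
# numeric dotted-version comparison instead of string equality.

# Constructed stand-in for the fields the check reads from
# https://formulae.brew.sh/api/cask/google-chrome.json. The version is invented.
SAMPLE_CASK_JSON='{"token":"google-chrome","version":"120.0.6099.129","sha256":"no_check"}'

# Same extraction as the wiki script: split on double quotes and print the
# field two positions after the first literal "version" key.
latest_from_cask_json() {
    printf '%s' "$1" | awk -F'["]' '{for(i=1;i<=NF;i++) if ($i=="version") {print $(i+2); exit}}'
}

# version_lt A B: exit status 0 when A is numerically older than B.
# Components are compared as integers, a missing component counts as 0 and a
# trailing non-digit suffix (e.g. "3rc1") is ignored for that component.
version_lt() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}          # leading component of each
        a=${a%%[!0-9]*}; b=${b%%[!0-9]*}  # drop any non-numeric tail
        a=${a:-0}; b=${b:-0}              # missing component -> 0
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.};; *) v1='';; esac
        case $v2 in *.*) v2=${v2#*.};; *) v2='';; esac
    done
    return 1   # equal
}

# chrome_update_report INSTALLED LATEST
# Same output contract as the wiki check: empty output means the threat is
# absent, any text means it is present. An installed build newer than the
# cask's recorded version is treated as up to date.
chrome_update_report() {
    local_version=$1; latest_version=$2
    if version_lt "$local_version" "$latest_version"; then
        echo "Chrome is not up to date (Installed: $local_version, Latest: $latest_version)"
    else
        echo ""
    fi
}

# Stand-alone run against the constructed inputs.
latest=$(latest_from_cask_json "$SAMPLE_CASK_JSON")
chrome_update_report "120.0.6099.109" "$latest"
chrome_update_report "121.0.6167.85" "$latest"
```

On a Mac, `latest` would come from `curl -s` against the cask URL and the installed value from the `defaults read ... CFBundleShortVersionString` call already in the wiki's script; `version_lt` itself is generic and works for any dotted version string, such as a macOS build number.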

Remediation

https://support.google.com/chrome/answer/95414

Rollback

https://support.google.com/chrome/a/answer/6350036