# threatmodel macOS EN (edamametechnologies/threatmodels GitHub Wiki)
- EDAMAME helper inactive
- Response to ping enabled
- MDM profiles installed
- JAMF remote administration enabled
- Wake On LAN enabled
- Manual Appstore updates
- Local firewall disabled
- Automatic login enabled
- Remote login enabled
- Remote desktop enabled
- File sharing enabled
- Remote events enabled
- Corporate disk recovery key
- Disk encryption disabled
- Unsigned applications allowed
- Manual system updates
- Screen lock disabled
- No antivirus enabled
- No password manager installed
- System Integrity Protection disabled
- Guest account enabled
- Root user enabled
- Unprotected system changes
- Potentially compromised email address
- Unverified or unsafe network environment
- Unverified or anomalous traffic
- Your OS is not up to date
- Chrome browser not up to date
- Business rule not respected
- CLI not restricted for standard users
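Every entry below carries a dimension, a severity from 1 to 5, an elevation, and a check that is a shell one-liner whose output is grepped. As an added example (not EDAMAME's code and not the Helper's own scoring), here is a Python runner that wires several of those exact check commands together, evaluates them through an injectable command runner so the logic can be exercised without a Mac, and aggregates the findings per dimension. The scoring formula is an assumption; the page states no formula.

```python
"""Added example (not EDAMAME code): run a subset of this page's checks and
aggregate the findings by dimension and severity.

Each Check carries the command and grep condition listed in the entry it is
named after.  `run_cmd` is the only function that touches the system; a fake
runner can be passed to `evaluate` so the logic runs on any OS.  Elevations
("system", "admin", ...) mean the command needs sudo to answer truthfully.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Check:
    name: str
    dimension: str
    severity: int                      # 1 (low) .. 5 (critical), as on this page
    elevation: str
    command: str
    failed_if: Callable[[str], bool]   # True when the threat is present

CHECKS: List[Check] = [
    Check("Response to ping enabled", "network", 3, "system",
          "/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode",
          lambda out: re.search(r"disabled|is off", out) is not None),
    Check("Local firewall disabled", "network", 2, "system",
          "/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate",
          lambda out: "disabled" in out),
    Check("Automatic login enabled", "credentials", 4, "globalpreferences",
          "defaults read /Library/Preferences/com.apple.loginwindow",
          lambda out: "autoLoginUser" in out),
    Check("Remote login enabled", "system integrity", 4, "admin",
          "systemsetup -getremotelogin",
          lambda out: "On" in out),
    Check("Unsigned applications allowed", "applications", 4, "admin",
          "spctl --status",
          lambda out: "disabled" in out),
    Check("System Integrity Protection disabled", "system integrity", 5, "user",
          "csrutil status",
          lambda out: "disabled" in out),
    Check("Guest account enabled", "system services", 2, "user",
          "sysadminctl -guestAccount status",
          lambda out: "enabled" in out),
]

def run_cmd(command: str) -> str:
    """Run one check command, merging stderr like the page's `2>&1` checks."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr

def evaluate(checks: List[Check], runner: Callable[[str], str] = run_cmd) -> List[Check]:
    """Return the checks whose threat is present."""
    return [c for c in checks if c.failed_if(runner(c.command))]

def score(findings: List[Check], checks: List[Check]) -> Dict[str, int]:
    """Per-dimension score 0..100.  Assumed formula (not the page's): share of
    the dimension's severity points that are not lost to failed checks."""
    totals: Dict[str, int] = {}
    lost: Dict[str, int] = {}
    for c in checks:
        totals[c.dimension] = totals.get(c.dimension, 0) + c.severity
    for c in findings:
        lost[c.dimension] = lost.get(c.dimension, 0) + c.severity
    return {d: 100 * (t - lost.get(d, 0)) // t for d, t in totals.items()}

if __name__ == "__main__":
    found = evaluate(CHECKS)
    for c in sorted(found, key=lambda c: -c.severity):
        print(f"[sev {c.severity}] {c.name} ({c.dimension}, needs {c.elevation})")
    print(score(found, CHECKS))
```

Run it with sudo on a Mac to get truthful answers for the "system" and "admin" checks; unprivileged, several commands print an error instead of their state, which the predicates treat as "not present".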
## EDAMAME helper inactive

Dimension : system services / Severity : 5

EDAMAME's Helper is not running or needs an update. It is required for the complete Security Score analysis and for remediation.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```text
helper_check
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```text
https://github.com/edamametechnologies/edamame_helper/releases/download
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
/Library/Application\ Support/Edamame/Edamame-Helper/uninstall.sh
```

## Response to ping enabled

Dimension : network / Severity : 3
Tags : CIS Benchmark Level 1,Enable Stealth Mode

With stealth mode off, your Mac answers ICMP echo (ping) and other unsolicited probes, so anyone on the same network can confirm the machine is there and start probing it. Turning stealth mode on makes the Mac ignore those probes. Stealth mode is an option of the application firewall and only takes effect while the firewall itself is enabled (see "Local firewall disabled").

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep -E "disabled|is off"
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off
```

## MDM profiles installed

Dimension : system integrity / Severity : 5
Tags : Personal Posture

One or more Mobile Device Management (MDM) profiles are installed, so a third party can administer this device remotely: push settings, install software and, depending on the profile, lock or wipe it. On a company-managed Mac this is expected; on a personal computer it is a grave threat and the profiles should be removed. The check lists system-level profile identifiers and ignores two built-in identifiers (digital_health_restrictions and dateandtime). Profiles installed through automated device enrollment can be marked non-removable and survive `profiles remove`; such a Mac has to be released by the organisation that enrolled it.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
profiles -P | grep profileIdentifier | grep -v digital_health_restrictions | grep -v dateandtime
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
profiles remove -all -forced
```

**Rollback**

https://support.apple.com/en-us/guide/deployment/depc0aadd3fe/web

## JAMF remote administration enabled

Dimension : system integrity / Severity : 5
Tags : Personal Posture

The Jamf management framework is present, so your computer is or can be remotely administered by a third party through Jamf Pro. On a company-managed Mac this is expected; on a personal computer it is a grave threat and Jamf should be removed. The check only fires while a process whose name contains `jamf` is running (`pgrep` is case-sensitive); `jamf removeFramework` uninstalls the Jamf components, and any remaining MDM profile is covered by the previous entry.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
pgrep jamf
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
jamf removeFramework
```

**Rollback**

https://www.jamf.com/en

## Wake On LAN enabled

Dimension : network / Severity : 1
Tags : CIS Benchmark Level 1,Disable Wake on Network Access

Wake on network access (Wake on LAN) lets a packet from the network wake your sleeping Mac, for example so that someone can open a remote session to it. Most people never need it, and it means the machine can be brought online and exposed to the network while you believe it is asleep.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
systemsetup -getwakeonnetworkaccess | grep -v Off
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
systemsetup -setwakeonnetworkaccess off
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
systemsetup -setwakeonnetworkaccess on
```

## Manual Appstore updates

Dimension : applications / Severity : 3
Tags : CIS Benchmark Level 1,Enable App Store Automatic Update

Applications are updated constantly to fix security issues, and it is in your interest to receive those fixes as soon as they ship through automatic updates. The check fires when the App Store `AutoUpdate` key is absent or not set to 1. The remediation also turns on automatic installation of app and macOS updates in `com.apple.SoftwareUpdate`, and the rollback turns those off again, so rolling this entry back also disables automatic macOS updates (see "Manual system updates").

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | globalpreferences |

Script

```sh
defaults read /Library/Preferences/com.apple.commerce.plist AutoUpdate 2>&1 | grep -v 1
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false
```

## Local firewall disabled

Dimension : network / Severity : 2
Tags : CIS Benchmark Level 1,Enable Firewall

The application firewall is off. On a trusted home or office network that is tolerable, but on public Wi-Fi every service listening on your Mac is reachable by anyone nearby. Leave it on by default; stealth mode (see "Response to ping enabled") only works while it is on.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | grep disabled
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
```

## Automatic login enabled

Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,Disable automatic login

Automatic login looks convenient, but it is a major weakness: whoever powers the Mac on lands in your session without knowing your password. To make that work, loginwindow keeps the password itself on disk, obfuscated, in /etc/kcpassword. Deleting the `autoLoginUser` key turns the feature off; remove /etc/kcpassword as well. Automatic login is not available once FileVault is enabled, which is one more reason to enable it.
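To make the credential exposure concrete, here is an added example (not from this page or from EDAMAME) that shows what /etc/kcpassword protects the password with. The file is the password XOR-ed with a fixed, published 11-byte key and padded to a multiple of 12 bytes, so anyone who can read it recovers the password; the layout below follows the published decoders, and the sample password is constructed. The `autologin_exposure` helper reports presence, file mode and password length without printing the secret, which is what an audit should do.

```python
"""Added example (not EDAMAME code): decode/encode the /etc/kcpassword layout
that automatic login relies on, and audit a file without revealing the secret.

Key bytes and layout (XOR with a cyclic 11-byte key, NUL terminator, padded
to a 12-byte multiple) follow the published decoders; verify on your own
system before relying on the padding rule.
"""
from pathlib import Path
from typing import Dict, Union

KCPASSWORD_KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F])
KCPASSWORD_PATH = Path("/etc/kcpassword")

def _xor_with_key(data: bytes) -> bytes:
    """XOR is its own inverse, so one helper serves both directions."""
    return bytes(b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)] for i, b in enumerate(data))

def kcpassword_encode(password: str) -> bytes:
    """Build the file contents: password, NUL terminator, NUL padding to a
    multiple of 12 bytes, then XOR with the key."""
    raw = password.encode("utf-8") + b"\x00"
    raw += b"\x00" * (-len(raw) % 12)
    return _xor_with_key(raw)

def kcpassword_decode(blob: bytes) -> str:
    """Undo the XOR and cut at the first NUL (the terminator)."""
    plain = _xor_with_key(blob)
    return plain.split(b"\x00", 1)[0].decode("utf-8")

def autologin_exposure(path: Path = KCPASSWORD_PATH) -> Dict[str, Union[bool, str, int]]:
    """Audit helper: does a kcpassword file exist, who can read it, and how
    long is the password it hides?  Never returns the password itself."""
    if not path.exists():
        return {"present": False}
    mode = path.stat().st_mode & 0o777
    return {
        "present": True,
        "mode": oct(mode),
        "world_readable": bool(mode & 0o004),
        "password_length": len(kcpassword_decode(path.read_bytes())),
    }

if __name__ == "__main__":
    # On a Mac with automatic login this needs root to read /etc/kcpassword.
    print(autologin_exposure())
```

The point for remediation: `defaults delete ... autoLoginUser` stops the automatic login, but the file stays behind until it is removed, and a backup of the system volume carries it along.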
**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | globalpreferences |

Script

```sh
defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
x-apple.systempreferences:com.apple.preferences.users
```

## Remote login enabled

Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Disable Remote Login

Remote Login (the SSH server) is enabled. Unless you administer this Mac over SSH, you do not need it; for most users it is unusual and dangerous because it offers a password-guessing target on every network you join. `systemsetup` asks for confirmation before turning it off, hence the `echo yes`.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
systemsetup -getremotelogin | grep On
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | fulldisk |

Script

```sh
echo yes | systemsetup -setremotelogin off
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | fulldisk |

Script

```sh
systemsetup -setremotelogin on
```

## Remote desktop enabled

Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Disable Remote Desktop Sharing

Remote Management (the Apple Remote Desktop agent, ARDAgent) is enabled, which lets another machine observe and control your screen. Unless you are an IT professional you do not need it; for most users it is unusual and dangerous. Apple's `kickstart` tool toggles the agent.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
pgrep ARDAgent
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | fulldisk |

Script

```sh
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | fulldisk |

Script

```sh
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate
```

## File sharing enabled

Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,Disable File Sharing

File sharing (the SMB server, `smbd`) is enabled. This may be intentional, but we strongly recommend turning it off: share permissions are easy to get wrong and can expose your data to anyone on the network. Run the check with root privileges so that `launchctl list` shows the system domain where `smbd` lives.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
launchctl list | grep smbd
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist && defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist EnabledServices -array disk
```

## Remote events enabled

Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Disable Remote Apple Events

Remote Apple Events (the `AEServer` service) lets other computers send AppleScript events to applications on this Mac. This may be intentional, but we strongly recommend turning it off: it is unnecessary for most users and has been targeted by attackers in the past. The check reads the launchd disabled-services table and fires when `com.apple.AEServer` is not marked disabled.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```sh
launchctl print-disabled system | grep com.apple.AEServer | grep -E 'enabled|false'
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | fulldisk |

Script

```sh
systemsetup -setremoteappleevents off
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | fulldisk |

Script

```sh
systemsetup -setremoteappleevents on
```

## Corporate disk recovery key

Dimension : system integrity / Severity : 4
Tags : Personal Posture

FileVault on this Mac has an institutional recovery key: the organisation holding the matching private key can unlock the disk without your password, for instance when you hand the computer back. If the Mac is yours, remove that key. The linked article covers managing FileVault recovery keys with `fdesetup`, including `fdesetup removerecovery -institutional`.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
fdesetup hasinstitutionalrecoverykey | grep true
```

**Remediation / Rollback**

https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/

## Disk encryption disabled

Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,Enable FileVault, ISO 27001/2,A.8.3.1-Media Protection, SOC 2,CC6.7-Data Protection

Your startup disk is not encrypted with FileVault. On Macs with Apple silicon or a T2 chip the encryption is done in hardware and the performance cost is negligible; on older Macs it is small. Without it, anyone with physical access can read your data by booting from another disk or pulling the drive. The check skips virtual machines, where the host is expected to provide encryption.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
system_profiler SPHardwareDataType | grep -q 'Virtual' || fdesetup isactive | grep false
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
x-apple.systempreferences:com.apple.preference.security?FileVault
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
x-apple.systempreferences:com.apple.preference.security?FileVault
```

## Unsigned applications allowed

Dimension : applications / Severity : 4
Tags : CIS Benchmark Level 1,Enable Gatekeeper

Gatekeeper is disabled (`spctl --status` reports "assessments disabled"), so applications from anywhere run without signature or notarization checks. This is unusual and dangerous; turn Gatekeeper back on. Older macOS releases spell the switches `--master-enable` / `--master-disable`.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
spctl --status | grep disabled
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
spctl --global-enable
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
spctl --global-disable
```

## Manual system updates

Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Enable Software Update Automatic Download

System updates are manual. You really should turn on automatic system updates to get the latest security fixes as soon as Apple ships them. The check looks only at `AutomaticallyInstallMacOSUpdates`; the remediation also enables automatic checking and downloading, the security-response and system-data-file installs, and the `softwareupdate` schedule, and the rollback turns all of them off.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | globalpreferences |

Script

```sh
defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>/dev/null | grep -q 1 || echo macosupdate_disabled
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true; softwareupdate --schedule on
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool false; softwareupdate --schedule off
```

## Screen lock disabled

Dimension : credentials / Severity : 3
Tags : CIS Benchmark Level 1,Set inactivity interval, ISO 27001/2,A.11.2.8-Unattended User Equipment, SOC 2,CC6.1-Access Control

Your Mac does not require a password to wake from the screen saver or sleep, so an unattended machine is open to anyone who walks up to it. This is very dangerous. Both remediation and rollback open the Lock Screen settings pane.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```sh
sysadminctl -screenLock status 2>&1 | grep off
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
x-apple.systempreferences:com.apple.Lock-Screen-Settings.extension
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
x-apple.systempreferences:com.apple.Lock-Screen-Settings.extension
```

## No antivirus enabled

Dimension : applications / Severity : 4
Tags : ISO 27001/2,A.12.2.1-Malware Controls, SOC 2,CC6.8-Malware Protection

No endpoint protection was detected (Malwarebytes, SentinelOne, Bitdefender...). We recommend enabling one. The check looks for the Bitdefender daemon (`BDLDaemon`), the Malwarebytes real-time protection daemon (`RTProtectionDaemon`), a working `sentinelctl`, or Apple's XProtect reporting both launch and background scans enabled through the `xprotect` command. On releases that lack the `xprotect` command its errors are discarded, so only the third-party agents count there.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
if ! ( pgrep BDLDaemon >/dev/null || pgrep RTProtectionDaemon >/dev/null || sentinelctl version 2>/dev/null | grep -q "SentinelOne" || ( xprotect status 2>/dev/null | grep -q "launch scans: enabled" && xprotect status 2>/dev/null | grep -q "background scans: enabled" ) ); then echo "epp_disabled"; fi;
```

**Remediation**

https://www.malwarebytes.com/

**Rollback**

https://www.apple.com/fr/macos/security/

## No password manager installed

Dimension : credentials / Severity : 4
No password manager was detected. We recommend installing one. The check looks for the application bundles of 1Password, LastPass, KeePassXC, Bitwarden and the Google Password Manager Chrome app; Apple's built-in Passwords app and iCloud Keychain are not on that list, so a user who relies on them is still flagged.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
([ -d "/Applications/1Password.app" ] || [ -d "/Applications/LastPass.app" ] || [ -d "/Applications/KeePassXC.app" ] || [ -d "/Applications/1Password7.app" ] || [ -d "$HOME/Applications/Chrome Apps.localized/Google Password Manager.app" ] || [ -d "/Applications/Bitwarden.app" ]) >/dev/null 2>&1 || echo "No password manager installed"
```

**Remediation**

https://en.wikipedia.org/wiki/Password_manager

## System Integrity Protection disabled

Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Ensure System Integrity Protection is enabled

System Integrity Protection (SIP) stops any software, even running as root, from modifying protected system files and components, loading unsigned kernel extensions or tampering with protected processes. It is not an antivirus, but it closes off a whole class of persistence and tampering, and it is on by default on every Mac. Having it disabled is unusual and dangerous. SIP cannot be changed from a running system: boot into macOS Recovery and run `csrutil enable` from its Terminal. The linked Apple article describes SIP.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```sh
csrutil status | grep disabled
```

**Remediation / Rollback**

https://support.apple.com/en-us/HT204899

## Guest account enabled

Dimension : system services / Severity : 2
Tags : CIS Benchmark Level 1,Disable Guest account

The Guest account is enabled. This is usually harmless, but limiting what a guest session can reach is harder than it looks, so you should disable it.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```sh
sysadminctl -guestAccount status 2>&1 | grep enabled
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
sysadminctl -guestAccount off
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
sysadminctl -guestAccount on
```

## Root user enabled

Dimension : system integrity / Severity : 3
Tags : CIS Benchmark Level 1,Disable root account

The root user account has been enabled with a password: `dscl` shows `********` for the root password attribute instead of the `*` of a disabled account. This is unusual and the account should be disabled immediately, either in Directory Utility as described in the linked Apple article or with `dsenableroot -d`.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```sh
dscl . -read /Users/root Password | grep '\*\*'
```

**Remediation / Rollback**

https://support.apple.com/HT204012

## Unprotected system changes

Dimension : system integrity / Severity : 3
Tags : CIS Benchmark Level 1,Enable system wide preferences

The `system.preferences` authorization right has `shared` set to true, so an administrator credential cached by one preference pane is reused for system-wide settings without a fresh password prompt; in System Settings this is the "Require an administrator password to access system-wide settings" option being off. Set `shared` to false. The remediation below round-trips the right through a fixed path in /tmp as root; prefer `mktemp` or a pipe, since `security authorizationdb write` reads the plist from stdin.
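The same edit done in memory, as an added example that is not part of this page or of EDAMAME: `security authorizationdb read` prints the right as an XML plist and `write` accepts one on stdin, so `plistlib` can flip the flag without a temp file. The sample right below is constructed to look like a default macOS definition; the `security` calls only work on a Mac, as root.

```python
"""Added example (not EDAMAME code): check and fix the `shared` flag of the
system.preferences authorization right with plistlib, no temp file involved.
"""
import plistlib
import subprocess

RIGHT = "system.preferences"

# Constructed sample of what `security authorizationdb read system.preferences`
# returns when the threat is present (shared = true).  Real output may carry
# more keys; they are preserved because only `shared` is rewritten.
SAMPLE_RIGHT = plistlib.dumps({
    "allow-root": True,
    "class": "user",
    "comment": "Checked by the Admin framework when making changes to certain System Preferences.",
    "group": "admin",
    "shared": True,
    "timeout": 2147483647,
    "version": 1,
})

def right_is_shared(plist_bytes: bytes) -> bool:
    """Check: True when a credential cached for another right unlocks this one."""
    return bool(plistlib.loads(plist_bytes).get("shared", False))

def set_shared(plist_bytes: bytes, shared: bool) -> bytes:
    """Return the same right with only `shared` changed."""
    right = plistlib.loads(plist_bytes)
    right["shared"] = shared
    return plistlib.dumps(right, fmt=plistlib.FMT_XML)

def read_right(name: str = RIGHT) -> bytes:
    # The "YES (0)" status line goes to stderr; stdout is the plist alone.
    return subprocess.run(["security", "authorizationdb", "read", name],
                          check=True, capture_output=True).stdout

def write_right(plist_bytes: bytes, name: str = RIGHT) -> None:
    # Needs root.  Feeding stdin avoids a root-owned file at a fixed /tmp path.
    subprocess.run(["security", "authorizationdb", "write", name],
                   input=plist_bytes, check=True)

def remediate(name: str = RIGHT) -> bool:
    """Write only when needed; returns True if the right was changed."""
    current = read_right(name)
    if not right_is_shared(current):
        return False
    write_right(set_shared(current, False), name)
    return True

if __name__ == "__main__":
    print("changed" if remediate() else "already restricted")
```

Calling `set_shared(..., True)` gives the rollback; `remediate` is idempotent, so it is safe to run from a periodic job.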
**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```sh
security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep true
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c "Set :shared true" /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist
```

## Potentially compromised email address

Dimension : credentials / Severity : 1
Tags : Personal Posture

Check whether your email address has recently appeared in a data breach.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```text
pwned -i 365
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
digitalidentity_manager
```

**Rollback**

https://haveibeenpwned.com/

## Unverified or unsafe network environment

Dimension : network / Severity : 1
Tags : Personal Posture

The network you are connected to is not a known one, or it contains unsafe devices. If you are allowed to scan this network, go to the network tab and look for potentially dangerous devices.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```text
lanscan
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
network_manager
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
network_manager
```

## Unverified or anomalous traffic

Dimension : network / Severity : 1
Tags : Personal Posture

The egress network traffic has not been verified, or it contains anomalous traffic.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```text
egresscan
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
session_manager
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
session_manager
```

## Your OS is not up to date

Dimension : system integrity / Severity : 2
Tags : CIS Benchmark Level 1,Enable Software Update

Your operating system is not up to date; upgrade to get the latest security patches. The check fires when the cached Software Update state lists a pending macOS update, so it reflects the last time the system checked for updates.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | globalpreferences |

Script

```sh
defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep macOS
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | |

Script

```text
x-apple.systempreferences:com.apple.preferences.softwareupdate
```

**Rollback**

https://www.macworld.com/article/673171/how-to-install-older-versions-of-macos-or-os-x.html

## Chrome browser not up to date

Dimension : applications / Severity : 3
Your Google Chrome browser is not up to date. Running the latest version gives you the latest security fixes and performance improvements. The check compares the installed bundle version with the version published in the Homebrew cask API, so it needs network access and reports nothing when Chrome is not installed.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```sh
defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString &>/dev/null && { local_version=$(defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString); latest_version=$(curl -s "https://formulae.brew.sh/api/cask/google-chrome.json" | sed -n 's/.*\"version\": \"\([^\"]*\)\".*/\1/p'); if [ "$(printf '%s\n%s\n' "$local_version" "$latest_version" | sort -V | tail -n1)" = "$latest_version" ] && [ "$local_version" != "$latest_version" ]; then echo "Chrome is not up to date (Installed: $local_version, Latest: $latest_version)"; fi; }
```

**Remediation**

https://support.google.com/chrome/answer/95414

**Rollback**

https://support.google.com/chrome/a/answer/6350036

## Business rule not respected

Dimension : applications / Severity : 1
One or more business rules are not respected. Check the command output for details. To enable business rules, set the EDAMAME_BUSINESS_RULES_CMD environment variable. See: https://github.com/edamametechnologies/edamame_posture_cli?tab=readme-ov-file#business-rules

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | user |

Script

```text
business_rules
```

**Remediation / Rollback**

Refer to the business rules documentation for more details.

## CLI not restricted for standard users

Dimension : system integrity / Severity : 3
Tags : Personal Posture

Command-line interface (CLI) access is not restricted for standard users: non-administrator accounts can open interactive shells, which may allow unauthorized system modifications or circumvention of security policies. The remediation appends a marked block to /etc/zshrc that ends interactive zsh sessions for users outside the `admin` group; the rollback deletes everything between the markers. Keep in mind that /etc/zshrc is read only by interactive zsh, so `bash`, `sh`, `zsh -f` and scripts are unaffected: this is a policy reminder, not a security boundary.

**Check**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | admin |

Script

```sh
grep -q "BEGIN RESTRICT_ZSH_NONADMINS" /etc/zshrc || echo CLI not restricted
```

**Remediation**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
grep -q "BEGIN RESTRICT_ZSH_NONADMINS" /etc/zshrc || cat <<'EOF' >> /etc/zshrc
# BEGIN RESTRICT_ZSH_NONADMINS
## Prevent non-admin users from using interactive zsh shells
if [[ -t 1 ]]; then
  if ! id -Gn | grep -qw admin; then
    echo ""
    echo "Command-line access is restricted by your administrator."
    osascript -e "display alert \"Access Restricted\" message \"Command-line tools are blocked for standard users.\" buttons {\"OK\"}" 2>/dev/null || true
    exit 1
  fi
fi
# END RESTRICT_ZSH_NONADMINS
EOF
```

**Rollback**

| Tested for | Action | Elevation |
|---|---|---|
| macOS 12 | Command line | system |

Script

```sh
python3 - <<'PY'
# Rewrite /etc/zshrc without the lines between the BEGIN/END markers.
skip = False
lines = []
with open("/etc/zshrc") as src:
    for line in src:
        if "BEGIN RESTRICT_ZSH_NONADMINS" in line:
            skip = True
            continue
        if "END RESTRICT_ZSH_NONADMINS" in line:
            skip = False
            continue
        if not skip:
            lines.append(line)
with open("/etc/zshrc", "w") as dst:
    dst.writelines(lines)
print("[OK] zsh block removed")
PY
```