threatmodel macOS EN - edamametechnologies/threatmodels GitHub Wiki
macOS Threat Model (EN)
Contents
- EDAMAME helper inactive
- Response to ping enabled
- MDM profiles installed
- JAMF remote administration enabled
- Wake On LAN enabled
- Manual Appstore updates
- Local firewall disabled
- Automatic login enabled
- Remote login enabled
- Remote desktop enabled
- File sharing enabled
- Remote events enabled
- Corporate disk recovery key
- Disk encryption disabled
- Unsigned applications allowed
- Manual system updates
- Screen lock disabled
- No antivirus enabled
- No password manager installed
- System Integrity Protection disabled
- Guest account enabled
- Root user enabled
- Unprotected system changes
- Potentially compromised email address
- Unverified or unsafe network environment
- Your OS is not up to date
- Chrome browser not up to date
- Business rule not respected
EDAMAME helper inactive
Threat
Dimension : system services / Severity : 5
EDAMAME's Helper software is not running or requires an update. It's required for complete Security Score analysis and remediation.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | helper_check |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | https://github.com/edamametechnologies/edamame_helper/releases/download |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /Library/Application\ Support/Edamame/Edamame-Helper/uninstall.sh |
Response to ping enabled
Threat
Dimension : network / Severity : 3
Tags : CIS Benchmark Level 1,Enable Stealth Mode
Your computer answers probes such as ping, so anything on the network can confirm it is present and then go on to attack it. Enabling the firewall's stealth mode makes the Mac ignore ICMP echo requests and similar probes that would reveal its presence, while services you have explicitly allowed still answer.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep disabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off |
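The Implementation rows on this page are one-liners that print something when the threat is present and nothing when it is absent (a trailing `grep` exits non-zero when it matches nothing, which is the healthy case). As an added example, not part of this wiki or of the EDAMAME tooling, the following Python script runs a handful of those rows and weights the findings by their Severity. The check names, severities and scripts are copied from this page; the `Check` type, the scoring, the mapping of the `user`/`admin`/`system` elevations to plain or `sudo -n` execution, and the sample outputs are the example's own assumptions (the `globalpreferences` and `fulldisk` elevations used elsewhere on the page are not handled).

```python
"""Run a few of this page's Implementation scripts and weight the findings by severity."""
import platform
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str        # section title on this page
    dimension: str   # "Dimension" field
    severity: int    # "Severity" field, 1 (low) to 5 (critical)
    elevation: str   # "user" runs as the caller, anything else goes through sudo -n (assumption)
    script: str      # the Implementation script, executed with /bin/sh -c


# Scripts copied verbatim from the Implementation rows of this page.
CHECKS = (
    Check("Response to ping enabled", "network", 3, "system",
          "/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | grep disabled"),
    Check("Local firewall disabled", "network", 2, "system",
          "/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | grep disabled"),
    Check("Disk encryption disabled", "system services", 4, "admin",
          "system_profiler SPHardwareDataType | grep -q 'Virtual' || fdesetup isactive | grep false"),
    Check("Unsigned applications allowed", "applications", 4, "admin",
          "spctl --status | grep disabled"),
    Check("Root user enabled", "system integrity", 3, "user",
          r"dscl . -read /Users/root Password | grep '\*\*'"),
)


def threat_present(stdout: str) -> bool:
    """Convention of the scripts above: the threat is present iff the script printed something.

    The exit status is deliberately ignored: a trailing grep exits 1 when the
    threat is absent, and that is the healthy case.
    """
    return stdout.strip() != ""


def run_script(check: Check, timeout: int = 30) -> str:
    """Execute one check on macOS and return its stdout (empty string on any failure)."""
    argv = ["/bin/sh", "-c", check.script]
    if check.elevation != "user":
        argv = ["sudo", "-n"] + argv   # -n: fail instead of prompting when no credential is cached
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout


def evaluate(outputs: dict) -> dict:
    """Map check name -> True if the threat is present, from the captured stdout of each check."""
    return {check.name: threat_present(outputs.get(check.name, "")) for check in CHECKS}


def score(findings: dict) -> dict:
    """Severity-weighted summary: points lost to present threats versus the maximum possible."""
    by_name = {check.name: check for check in CHECKS}
    maximum = sum(check.severity for check in CHECKS)
    lost = sum(by_name[name].severity for name, present in findings.items() if present)
    return {"max": maximum, "lost": lost, "remaining": maximum - lost}


# Constructed sample stdout, as the scripts print it on a Mac with stealth mode off and
# FileVault off; the other three scripts match nothing and therefore print nothing.
SAMPLE_OUTPUTS = {
    "Response to ping enabled": "Stealth mode disabled\n",
    "Local firewall disabled": "",
    "Disk encryption disabled": "false\n",
    "Unsigned applications allowed": "",
    "Root user enabled": "",
}

if __name__ == "__main__":
    if platform.system() == "Darwin":
        outputs = {check.name: run_script(check) for check in CHECKS}
    else:
        outputs = SAMPLE_OUTPUTS   # off a Mac, fall back to the constructed sample
    findings = evaluate(outputs)
    for name, present in findings.items():
        print(f"{'THREAT ' if present else 'ok     '} {name}")
    print(score(findings))
```

Run it on a Mac after `sudo -v` so the `admin`/`system` rows can execute; off a Mac it evaluates the constructed sample, where stealth mode and FileVault are both off and 7 of the 16 severity points are lost. Keeping the predicate to "did the script print anything" means a check that errors out (for example a tool missing on an older release) is read as a finding rather than silently passing, which is the safer failure mode for an audit.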
MDM profiles installed
Threat
Dimension : system integrity / Severity : 5
Tags : Personal Posture
You have one or more Mobile Device Management (MDM) profiles installed on your device, which means the device is, or can be, remotely administered by a third party. On a managed work computer that is expected; on your personal computer it is a grave threat and the profiles should be removed. Note that a profile installed through Automated Device Enrollment is marked non-removable and will not be deleted by the `profiles remove` command below.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | profiles -P | grep profileIdentifier |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | profiles remove -all -forced |
Rollback
https://support.apple.com/en-us/guide/deployment/depc0aadd3fe/web
JAMF remote administration enabled
Threat
Dimension : system integrity / Severity : 5
Tags : Personal Posture
Your computer is, or can be, remotely administered by a third party through the Jamf MDM framework. On your personal computer this is a grave threat and the Jamf framework should be removed.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | pgrep jamf |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | jamf removeFramework |
Rollback
https://www.jamf.com/en
Wake On LAN enabled
Threat
Dimension : network / Severity : 1
Tags : CIS Benchmark Level 1,Disable Wake on Network Access
Wake on LAN wakes your computer from sleep when something on the network tries to reach it. Most users do not need it, and it lets an attacker bring a sleeping machine online to attack it at any time.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | systemsetup -getwakeonnetworkaccess | grep -v Off |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | systemsetup -setwakeonnetworkaccess off |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | systemsetup -setwakeonnetworkaccess on |
Manual Appstore updates
Threat
Dimension : applications / Severity : 3
Tags : CIS Benchmark Level 1,Enable App Store Automatic Update
Applications are constantly updated to fix security issues. It is in your best interest to receive those updates as soon as they ship, which is what automatic updates do.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | globalpreferences | defaults read /Library/Preferences/com.apple.commerce.plist AutoUpdate 2>&1 | grep -v 1 |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallAppUpdates -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false |
Local firewall disabled
Threat
Dimension : network / Severity : 2
Tags : CIS Benchmark Level 1,Enable Firewall
Your local firewall is disabled. That may be acceptable on a trusted network but is dangerous as soon as you connect to a public one, so it should be on by default.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | grep disabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off |
Automatic login enabled
Threat
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,Disable automatic login
Automatic login may look convenient, but it is a major security threat: anyone who powers on the computer lands in your account and reaches your data without knowing your password.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | globalpreferences | defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | x-apple.systempreferences:com.apple.preferences.users |
Remote login enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Disable Remote Login
Remote login (SSH) is enabled. This is unnecessary unless you are an IT professional; for most users it is unusual and dangerous.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | systemsetup -getremotelogin | grep On |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | echo yes | systemsetup -setremotelogin off |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | systemsetup -setremotelogin on |
Remote desktop enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Disable Remote Desktop Sharing
Remote desktop is enabled. This is unnecessary unless you are an IT professional; for most users it is unusual and dangerous.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | pgrep ARDAgent |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate |
File sharing enabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,Disable File Sharing
File sharing is enabled. Even if this is intentional, we strongly recommend turning it off: it is not easy to configure correctly and can expose your data to unwanted people.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | launchctl list | grep smbd |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist && defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist EnabledServices -array disk |
Remote events enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Disable Remote Apple Events
Remote Apple events are enabled. Even if this is intentional, we strongly recommend turning them off: they are unnecessary for most users and have been targeted by exploits in the recent past.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | launchctl print-disabled system | grep com.apple.AEServer | grep -E 'enabled|false' |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | systemsetup -setremoteappleevents off |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | fulldisk | systemsetup -setremoteappleevents on |
Corporate disk recovery key
Threat
Dimension : system integrity / Severity : 4
Tags : Personal Posture
An institutional (corporate) FileVault recovery key is set on this computer, which usually means the disk was encrypted by your employer. Whoever holds that key can unlock the disk, for example when you hand the computer back. On a personal computer you should remove that key.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | fdesetup hasinstitutionalrecoverykey | grep true |
Remediation
https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/
Rollback
https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/
Disk encryption disabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,Enable FileVault, ISO 27001/2,A.8.3.1-Media Protection, SOC 2,CC6.7-Data Protection
Your main storage is not encrypted. Enabling FileVault has a small performance impact, but we strongly urge you to turn it on: without it, anyone with physical access to the computer or its disk can read your data.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | system_profiler SPHardwareDataType | grep -q 'Virtual' || fdesetup isactive | grep false |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | x-apple.systempreferences:com.apple.preference.security?FileVault |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | x-apple.systempreferences:com.apple.preference.security?FileVault |
Unsigned applications allowed
Threat
Dimension : applications / Severity : 4
Tags : CIS Benchmark Level 1,Enable Gatekeeper
Your computer has been set up to let unsigned applications run: Gatekeeper, which checks the signature of downloaded applications before they launch, is disabled. This is unusual and dangerous; you should turn it back on.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | spctl --status | grep disabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | spctl --global-enable |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | spctl --global-disable |
Manual system updates
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Enable Software Update Automatic Download
System updates are manual. You really should turn on automatic system updates so that the latest security fixes reach your computer without waiting on you.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | globalpreferences | defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>/dev/null | grep -q 1 || echo macosupdate_disabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true; defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true; softwareupdate --schedule on |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool false; defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool false; softwareupdate --schedule off |
Screen lock disabled
Threat
Dimension : credentials / Severity : 3
Tags : CIS Benchmark Level 1,Set inactivity interval, ISO 27001/2,A.11.2.8-Unattended User Equipment, SOC 2,CC6.1-Access Control
Your computer does not require a password when the screen saver starts or the display goes to sleep, which leaves it open to anyone who can walk up to it. This is very dangerous!
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | sysadminctl -screenLock status 2>&1 | grep off |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | x-apple.systempreferences:com.apple.Lock-Screen-Settings.extension |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | x-apple.systempreferences:com.apple.Lock-Screen-Settings.extension |
No antivirus enabled
Threat
Dimension : applications / Severity : 4
Tags : ISO 27001/2,A.12.2.1-Malware Controls, SOC 2,CC6.8-Malware Protection
You don't have any antivirus installed (Malwarebytes, SentinelOne, Bitdefender...). We recommend installing one. The check below only recognises those three products, by their running daemons or command-line tool, so a different endpoint protection product will still be reported as missing.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | if ! { pgrep BDLDaemon >/dev/null || pgrep RTProtectionDaemon >/dev/null || sentinelctl version 2>/dev/null | grep -q "SentinelOne"; }; then echo epp_disabled; fi |
Remediation
https://www.malwarebytes.com/
Rollback
https://www.apple.com/fr/macos/security/
No password manager installed
Threat
Dimension : credentials / Severity : 4
You don't have any password manager installed. It's recommended to install one. The check below only looks for the listed applications and command-line tools, so a password manager installed under another name (for example 1Password 8, whose bundle is 1Password.app rather than 1Password 7.app) is not detected.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | admin | ([ -d "/Applications/1Password 7.app" ] || [ -d "/Applications/LastPass.app" ] || [ -d "/Applications/KeePassXC.app" ] || [ -d "/Applications/Bitwarden.app" ] || command -v pass || command -v op || command -v lpass || command -v keepassxc || command -v bw) >/dev/null 2>&1 || echo "No password manager installed" |
Remediation
https://en.wikipedia.org/wiki/Password_manager
Rollback
System Integrity Protection disabled
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Ensure System Integrity Protection is enabled
System Integrity Protection (SIP) is a macOS feature that prevents any software, even running as root, from modifying protected system files and components; to some extent it is a 'good enough' antivirus for your Mac. Having it disabled is unusual and dangerous. It is enabled by default on every Mac, and re-enabling it can only be done from macOS Recovery (with `csrutil enable`), which is why the Remediation below points to Apple's instructions rather than a script.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | csrutil status | grep disabled |
Remediation
https://support.apple.com/en-us/HT204899
Rollback
https://support.apple.com/en-us/HT204899
Guest account enabled
Threat
Dimension : system services / Severity : 2
Tags : CIS Benchmark Level 1,Disable Guest account
The guest account is enabled. That is usually fine, but limiting what a guest can reach is not easy, so you should disable it.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | sysadminctl -guestAccount status 2>&1 | grep enabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | sysadminctl -guestAccount off |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | sysadminctl -guestAccount on |
Root user enabled
Threat
Dimension : system integrity / Severity : 3
Tags : CIS Benchmark Level 1,Disable root account
The root user account has been enabled on your computer: it has a password set (a disabled root account shows a single '*' as its password hash, which is what the check below distinguishes). This is unusual and should be disabled immediately.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | dscl . -read /Users/root Password | grep '\*\*' |
Remediation
https://support.apple.com/HT204012
Rollback
https://support.apple.com/HT204012
Unprotected system changes
Threat
Dimension : system integrity / Severity : 3
Tags : CIS Benchmark Level 1,Enable system wide preferences
System-wide settings can be changed without an administrator password: the `system.preferences` authorization right is marked `shared`. You should restrict it.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep true |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | system | security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c "Set :shared true" /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist |
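The Remediation and Rollback rows above write the right definition to a fixed file name in world-writable `/tmp` and then read it back as root; an unprivileged local user who pre-creates a symlink at that path can get root to truncate and overwrite whatever it points to, and can swap the file between the write and the read. As an added example (not part of this wiki or of the EDAMAME tooling), the following Python script performs the same edit entirely in memory with `plistlib`, piping the plist between the `security authorizationdb read` and `write` subcommands. The `is_shared`/`set_shared` helpers, `remediate`, and the constructed `SAMPLE_RIGHT` are the example's own; the keys in the sample are typical of a `system.preferences` right but not copied from any particular machine.

```python
"""Flip the `shared` key of the system.preferences authorization right without a temp file."""
import plistlib
import subprocess

RIGHT = "system.preferences"


def is_shared(plist_bytes: bytes) -> bool:
    """True when the right definition carries shared=true (the condition the check above greps for)."""
    return bool(plistlib.loads(plist_bytes).get("shared", False))


def set_shared(plist_bytes: bytes, shared: bool) -> bytes:
    """Return the right definition with `shared` set, leaving every other key untouched."""
    right = plistlib.loads(plist_bytes)
    right["shared"] = shared
    return plistlib.dumps(right)


def read_right(name: str = RIGHT) -> bytes:
    """`security authorizationdb read` prints the right as an XML plist on stdout (macOS only)."""
    return subprocess.run(["security", "authorizationdb", "read", name],
                          check=True, capture_output=True).stdout


def write_right(plist_bytes: bytes, name: str = RIGHT) -> None:
    """`security authorizationdb write` takes the new definition on stdin; must run as root."""
    subprocess.run(["security", "authorizationdb", "write", name],
                   check=True, input=plist_bytes)


def remediate(shared: bool = False) -> None:
    """Remediation (shared=False) or rollback (shared=True) with no file ever touching /tmp."""
    write_right(set_shared(read_right(), shared))


# Constructed right definition with keys typical of a system.preferences right.
SAMPLE_RIGHT = plistlib.dumps({
    "class": "user",
    "group": "admin",
    "shared": True,
    "timeout": 2147483647,
    "comment": "Checked by the Admin framework when making changes to certain System Preferences.",
})

if __name__ == "__main__":
    hardened = set_shared(SAMPLE_RIGHT, False)
    print("sample right shared before:", is_shared(SAMPLE_RIGHT), "after:", is_shared(hardened))
    # On a Mac, `sudo python3 this_script.py` followed by remediate() applies the change for real.
```

Because the plist never leaves the process, there is no path for another user to race, and `plistlib` round-trips every other key of the right unchanged, which `PlistBuddy` also does but only after the unsafe write to disk.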
Potentially compromised email address
Threat
Dimension : credentials / Severity : 1
Tags : Personal Posture
Check if your email address might have recently appeared in a data breach.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | pwned -i 365 |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | digitalidentity_manager |
Rollback
https://haveibeenpwned.com/
Unverified or unsafe network environment
Threat
Dimension : network / Severity : 1
Tags : Personal Posture
The network you are connected to is not a known one or it contains unsafe devices. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | lanscan |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | network_manager |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | network_manager |
Your OS is not up to date
Threat
Dimension : system integrity / Severity : 2
Tags : CIS Benchmark Level 1,Enable Software Update
Your operating system is not up to date, please proceed to upgrade to get the latest security patches.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | globalpreferences | defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | grep macOS |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | | x-apple.systempreferences:com.apple.preferences.softwareupdate |
Rollback
https://www.macworld.com/article/673171/how-to-install-older-versions-of-macos-or-os-x.html
Chrome browser not up to date
Threat
Dimension : applications / Severity : 3
Your Google Chrome browser is not up to date. Running the latest version ensures you have the latest security features and performance improvements.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString &>/dev/null && { local_version=$(defaults read /Applications/Google\ Chrome.app/Contents/Info.plist CFBundleShortVersionString); latest_version=$(curl -s "https://formulae.brew.sh/api/cask/google-chrome.json" | sed -n 's/.*\"version\": \"\([^\"]*\)\".*/\1/p'); if [ "$(printf '%s\n%s\n' "$local_version" "$latest_version" | sort -V | tail -n1)" = "$latest_version" ] && [ "$local_version" != "$latest_version" ]; then echo "Chrome is not up to date (Installed: $local_version, Latest: $latest_version)"; fi; } |
Remediation
https://support.google.com/chrome/answer/95414
Rollback
https://support.google.com/chrome/a/answer/6350036
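The Implementation row above compares the installed Chrome version with the one published by the Homebrew cask API, using `sort -V` so that `9.1` sorts before `10.0` (a plain string comparison would get that wrong) and flagging only when the installed build is strictly older. As an added example, not part of this wiki or of the EDAMAME tooling, the following Python script does the same comparison on parsed integer tuples, reads `CFBundleShortVersionString` straight from `Info.plist` with `plistlib` instead of `defaults`, and parses the cask JSON instead of extracting it with `sed`. The `version` key of the cask JSON is assumed to hold the current version, as the page's own `sed` pattern expects; the sample plist and JSON are constructed, and `chrome_status` keeps the page's convention of printing only when the threat is present.

```python
"""Decide whether an installed Chrome is behind the reference release, comparing versions numerically."""
import json
import plistlib
import re
from urllib.request import urlopen

BREW_CASK_JSON = "https://formulae.brew.sh/api/cask/google-chrome.json"
CHROME_INFO_PLIST = "/Applications/Google Chrome.app/Contents/Info.plist"


def parse_version(text: str) -> tuple:
    """'120.0.6099.129' -> (120, 0, 6099, 129); tuples compare field by field, unlike strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(installed: str, latest: str) -> bool:
    """True only when the installed build is strictly older than the reference one.

    A local build newer than the reference (for example when the cask lags a
    Google release) must not be reported as outdated.
    """
    return parse_version(installed) < parse_version(latest)


def installed_version(info_plist: bytes) -> str:
    """Read CFBundleShortVersionString from an Info.plist, as `defaults read` does in the row above."""
    return plistlib.loads(info_plist)["CFBundleShortVersionString"]


def latest_version(cask_json: str) -> str:
    """The cask JSON is assumed to carry the current version under its `version` key."""
    return json.loads(cask_json)["version"]


def chrome_status(info_plist: bytes, cask_json: str) -> str:
    """Same message as the page's script when outdated, empty string (no finding) otherwise."""
    local, latest = installed_version(info_plist), latest_version(cask_json)
    if is_outdated(local, latest):
        return f"Chrome is not up to date (Installed: {local}, Latest: {latest})"
    return ""


# Constructed inputs: a trimmed Info.plist and a trimmed cask JSON answer.
SAMPLE_INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.google.Chrome",
                                    "CFBundleShortVersionString": "119.0.6045.199"})
SAMPLE_CASK_JSON = json.dumps({"token": "google-chrome", "version": "120.0.6099.129"})

if __name__ == "__main__":
    try:
        with open(CHROME_INFO_PLIST, "rb") as fh, urlopen(BREW_CASK_JSON, timeout=10) as resp:
            print(chrome_status(fh.read(), resp.read().decode()) or "Chrome is up to date")
    except OSError:  # not on a Mac, Chrome absent, or offline: fall back to the constructed sample
        print(chrome_status(SAMPLE_INFO_PLIST, SAMPLE_CASK_JSON))
```

Two things worth keeping in mind when you rely on a third-party feed as the reference: the request goes over HTTPS to a host you do not control, so treat its answer as a hint that an update exists rather than proof of the exact latest build, and a reference that is stale must never turn a fully patched browser into a finding, which is why the comparison is strict.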
Business rule not respected
Threat
Dimension : applications / Severity : 1
One or more business rules are not respected. Please check the command output for more details.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
macOS 12 | Command line | user | business_rules |
Remediation
Refer to the business rules documentation for more details.
Rollback
Refer to the business rules documentation for more details.