macOS-Security-and-Privacy-Guide

Guide to securing and improving privacy on macOS.


This guide is a collection of techniques for improving the security and privacy of a modern Apple Macintosh computer ("MacBook") running a recent version of macOS (formerly known as "OS X").

This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.

A system is only as secure as its administrator is capable of making it. There is no single technology, software, or technique that guarantees perfect computer security; a modern operating system and computer are very complex, and numerous incremental changes are required to meaningfully improve one's security and privacy posture.

This guide is provided on an 'as is' basis without any warranties of any kind. Only you are responsible if you break anything or get in any sort of trouble by following this guide.

To suggest an improvement, please send a pull request or open an issue.

This guide is also available in 简体中文.

Basics

Standard security best practices apply:

  • Create a threat model

    • What are you trying to protect and from whom? Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead); a nosy eavesdropper on the network; or a determined APT orchestrating a campaign against you?
    • Recognize threats and how to reduce attack surface against them.
  • Keep the system up to date

    • Patch the base operating system and all third party software.
    • macOS system updates can be completed using the App Store application, or the softwareupdate command-line utility - neither requires registering an Apple account. Updates can also be downloaded directly from Apple's support site.
    • Subscribe to announcement mailing lists like Apple security-announce.
  • Encrypt sensitive data at rest

    • In addition to full disk encryption, consider creating one or several encrypted partitions or volumes to store passwords, cryptographic keys, personal documents, etc. at rest.
    • This will mitigate damage in case of compromise and data theft.
  • Assure data availability

    • Create regular backups of your data and be ready to format and re-install the operating system in case of compromise.
    • Always encrypt locally before copying backups to external media or the "cloud".
    • Verify backups work by testing them regularly, for example by accessing certain files or performing a hash based comparison.
  • Click carefully

    • Ultimately, the security of a system can be reduced to its administrator.
    • Care should be taken when installing new software. Always prefer free and open source software (which macOS is not).

Preparing and installing macOS

There are several ways to install macOS.

The simplest way is to boot into Recovery Mode by holding Command and R keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the serial number and other identifying information over the network in plain text, which may not be desired for privacy reasons.

Packet capture of an unencrypted HTTP conversation during macOS recovery

An alternative way to install macOS is to first download macOS Mojave from the App Store or elsewhere, and create a custom installable system image.

Verifying installation integrity

The macOS installation application is code signed, which should be verified to make sure you received a legitimate copy, using the pkgutil --check-signature or codesign -dvv commands.

To verify the code signature and integrity of macOS application bundles:

$ pkgutil --check-signature /Applications/Install\ macOS\ Catalina.app
Package "Install macOS Catalina":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Software Signing
       SHA1 fingerprint: 01 3E 27 87 74 8A 74 10 3D 62 D2 CD BF 77 A1 34 55 17 C4 82
       -----------------------------------------------------------------------------
    2. Apple Code Signing Certification Authority
       SHA1 fingerprint: 1D 01 00 78 A6 1F 4F A4 69 4A FF 4D B1 AC 26 6C E1 B4 59 46
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

Use the codesign command to examine an application's code signature:

$ codesign -dvv /Applications/Install\ macOS\ Catalina.app
Executable=/Applications/Install macOS Catalina.app/Contents/MacOS/InstallAssistant_springboard
Identifier=com.apple.InstallAssistant.Catalina
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=276 flags=0x2000(library-validation) hashes=3+3 location=embedded
Platform identifier=9
Signature size=4628
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=33
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=234
Internal requirements count=1 size=84

Creating a bootable USB installer

Instead of booting from the network or using target disk mode, a bootable macOS installer can be made with the createinstallmedia utility included in the Contents/Resources folder of the installer application bundle. See Create a bootable installer for macOS, or run the utility without arguments to see how it works.

To create a bootable USB installer, mount a USB drive, and erase and partition it, then use the createinstallmedia utility:

$ diskutil list
[Find disk matching correct size, usually the last disk, e.g. /dev/disk2]

$ diskutil unmountDisk /dev/disk2

$ diskutil partitionDisk /dev/disk2 1 JHFS+ Installer 100%

$ cd /Applications/Install\ macOS\ Catalina.app

$ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Installer --nointeraction
Erasing disk: 0%... 10%... 20%... 30%... 100%
Copying to disk: 0%... 10%... 20%... 30%... 40%... 50%... 60%... 70%... 80%... 90%... 100%
Making disk bootable...
Copying boot files...
Install media now available at "/Volumes/Install macOS Catalina"

Creating an install image

Note: Apple's AutoDMG installer does not appear to work across OS versions. If you want to build a 10.14 image, for example, the following steps must be performed on macOS 10.14!

To create a custom install image which can be restored to a Mac (using a USB-C cable and target disk mode, for example), use MagerValp/AutoDMG.

Manual way

Note: The following instructions appear to work only on macOS versions before 10.13.

Find InstallESD.dmg, which is inside the installation application. Locate it in Terminal, or in Finder right-click the application bundle, select Show Package Contents and navigate to Contents > SharedSupport to find the file InstallESD.dmg.

Verify file integrity by comparing its SHA-256 hash with others found in InstallESD_Hashes.csv or notpeter/apple-installer-checksums.

To determine which macOS versions and builds originally shipped with or are available for a Mac, see HT204319.

$ shasum -a 256 InstallESD.dmg

Mount and install the operating system to a temporary image:

$ hdiutil attach -mountpoint /tmp/InstallESD ./InstallESD.dmg

$ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "macOS" -uid 0 -gid 80 -mode 1775 /tmp/macos.sparseimage

$ hdiutil attach -mountpoint /tmp/macos -owners on /tmp/macos.sparseimage

$ sudo installer -pkg /tmp/InstallESD/Packages/OSInstall.mpkg -tgt /tmp/macos -verbose
installer: OS Install started.
#############
[...]

The installation will take a while, so be patient. Use tail -F /var/log/install.log in another terminal to monitor progress and check for errors.

Once the installation is complete, detach, convert and verify the image:

$ hdiutil detach /tmp/macos
"disk4" unmounted.
"disk4" ejected.

$ hdiutil detach /tmp/InstallESD
"disk3" unmounted.
"disk3" ejected.

$ hdiutil convert -format UDZO /tmp/macos.sparseimage -o ~/sierra.dmg
Preparing imaging engine...
[...]

$ asr imagescan --source ~/sierra.dmg

The file sierra.dmg is now ready to be applied over Target Disk Mode, from a bootable USB installer, booting from the network or recovery mode. The image could be further customized to include, for example, provisioned users, installed applications and preferences.

Target disk mode

To use Target Disk Mode, boot up the Mac you wish to image while holding the T key and connect it to another Mac using a USB-C, Thunderbolt or Firewire cable.

If you don't have another Mac, boot to a USB installer, with sierra.dmg and other required files copied to it, by holding the Option key at boot.

Use the command diskutil list to identify the disk of the connected Mac, usually /dev/disk2.

Optionally, securely erase the disk with a single pass (if previously FileVault-encrypted, the disk must first be unlocked and mounted as /dev/disk3s2):

$ sudo diskutil secureErase freespace 1 /dev/disk3s2

Partition the disk to Journaled HFS+:

$ sudo diskutil unmountDisk /dev/disk2

$ sudo diskutil partitionDisk /dev/disk2 1 JHFS+ macOS 100%

Restore the image to the new volume, making sure /dev/disk2 is the disk being erased:

$ sudo asr restore --source ~/sierra.dmg --target /Volumes/macOS --erase --buffersize 4m
[...]
Erase contents of /dev/disk2s2 (/Volumes/macOS)? [ny]:y
[...]

The Disk Utility application may also be used to erase the connected disk and restore sierra.dmg to the newly created partition.

To transfer any files, copy them to a shared folder like /Users/Shared on the mounted disk image, e.g. cp Xcode_8.0.dmg /Volumes/macOS/Users/Shared

Finished restore install from USB recovery boot

Creating a recovery partition

Unless you have built the image with AutoDMG, or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption. You can do so using MagerValp/Create-Recovery-Partition-Installer or manually by following these steps:

Download RecoveryHDUpdate.dmg and verify its integrity:

$ shasum -a 256 RecoveryHDUpdate.dmg
f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c  RecoveryHDUpdate.dmg

Attach and expand the installer, then run it, again ensuring that the /Volumes/macOS path is the newly created partition on the connected disk:

$ hdiutil attach RecoveryHDUpdate.dmg

$ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery

$ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg

$ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/macOS/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist
[...]
Creating recovery partition: finished

Run diskutil list again to make sure Recovery HD now exists on /dev/disk2. Eject the disk with hdiutil unmount /Volumes/macOS and power down the target disk mode-booted Mac.

Virtualization

To install macOS as a virtual machine (VM) using VMware Fusion, follow the instructions above to create an image. You will not need to download and create a recovery partition manually.

For the Installation Method, select Install macOS from the recovery partition. Customize any memory or CPU requirements and complete setup. The guest VM should boot into Recovery Mode by default.

Note: If the virtual machine does not boot due to a kernel panic, adjust the memory and process resource settings.

In Recovery Mode, select a language, then select Utilities > Terminal from the menu bar.

In the guest VM, type `ifconfig

Name and owner: drduh/macOS-Security-and-Privacy-Guide
License: MIT License
Created: 2015-08-31 03:36:35
Last push: 2025-04-18 01:15:18
Last commit: 2025-04-18 01:15:14