How to secure and lock down Apple OS X 10.11 (El Capitan) with osxlockdown

Is there an easy way to audit and lock down (secure) the Apple OS X 10.11 (El Capitan) Unix operating system?

Yes, you can use the osxlockdown tool. It was built to audit and remediate security configuration settings on OS X 10.11 (El Capitan). However, the tool may disable functionality in the name of security, so make sure you back up your MacBook/Pro/mini in advance.

Download osxlockdown

Open the Terminal application and type the following commands:
$ cd
$ mkdir osxlockdown
$ cd osxlockdown
## wget needs to be installed using brew ##
$ wget
$ wget

Sample outputs:

--2015-12-31 00:12:33--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2015-12-31 00:12:35--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12463 (12K) [text/plain]
Saving to: 'commands.json'
commands.json                               100%[==========================================================================================>]  12.17K  --.-KB/s   in 0s     
2015-12-31 00:12:36 (64.2 MB/s) - 'commands.json' saved [12463/12463]

If the wget command is not installed on your Mac, use the curl command to grab the files:
$ curl -LO
$ curl -LO

Set permissions

Type the following command:
$ chmod +x osxlockdown

How do I check my OS X security settings?

Type the following command:
$ sudo ./osxlockdown
Sample outputs:

Fig.01: osxlockdown command output

How do I secure and fix failed security settings?

You need to run the following command (again, this will secure the system, but will disable many things like AirDrop, Bluetooth, and so on):
$ sudo ./osxlockdown --remediate
Verify it again:
$ sudo ./osxlockdown
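
Because remediation can disable features you rely on, it helps to keep a record of what each run changed. The script below is an added example, not part of osxlockdown or the original article: it wraps the audit, remediate, verify sequence above and saves the output of each step plus a diff. The names `OSXLOCKDOWN`, `SUDO`, `RECORD_DIR` and the function names are assumptions made for this example; it uses only the bare invocation and `--remediate` shown on this page.

```shell
#!/bin/sh
# Added example: keep a before/after record of an osxlockdown remediation run.
# Assumed names (not from osxlockdown): OSXLOCKDOWN, SUDO, RECORD_DIR.
OSXLOCKDOWN="${OSXLOCKDOWN:-./osxlockdown}"
SUDO="${SUDO-sudo}"
RECORD_DIR="${RECORD_DIR:-$HOME/osxlockdown/records}"

# Run an audit and save its full output to the file given as $1.
audit_to() {
    # The tool's exit status is not described on this page, so it is not relied on.
    $SUDO "$OSXLOCKDOWN" > "$1" 2>&1 || true
}

# Audit, remediate, audit again. Leaves before.txt, remediate.txt, after.txt
# and changes.diff in a timestamped directory and prints that directory's path.
remediate_with_record() {
    run_dir="$RECORD_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$run_dir" || return 1
    audit_to "$run_dir/before.txt"
    $SUDO "$OSXLOCKDOWN" --remediate > "$run_dir/remediate.txt" 2>&1 || true
    audit_to "$run_dir/after.txt"
    # diff exits 1 when the audits differ, which is the expected case here.
    diff -u "$run_dir/before.txt" "$run_dir/after.txt" > "$run_dir/changes.diff" || true
    echo "$run_dir"
}

# Count audit lines that differ between the two runs ($1 = record directory).
# The first two lines of a unified diff are file headers, so they are skipped.
changed_lines() {
    sed '1,2d' "$1/changes.diff" | grep -c '^[-+]' || true
}

# Only act when asked to, so the functions can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then
    dir=$(remediate_with_record) || exit 1
    echo "Records saved in $dir ($(changed_lines "$dir") audit lines changed)"
    cat "$dir/changes.diff"
fi
```

Save it next to the osxlockdown binary and run it with `--run`; the saved `changes.diff` shows which checks changed state, which is the list to review if something stops working afterwards.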

Other options

Type the following command:

$ ./osxlockdown --help
Usage of ./osxlockdown:
  -commands_file string
    	JSON file containing the commands and configuration (default "commands.json")
    	Disables printing the rules that passed
    	Disables printing the summary
    	Implements fixes for failed checks. WARNING: Beware this may break things.

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

